diff --git a/docs/pages/reference/helm-reference/teleport-kube-agent.mdx b/docs/pages/reference/helm-reference/teleport-kube-agent.mdx index cdf134b95f76f..ef61afd630610 100644 --- a/docs/pages/reference/helm-reference/teleport-kube-agent.mdx +++ b/docs/pages/reference/helm-reference/teleport-kube-agent.mdx @@ -771,6 +771,26 @@ This can be used for joining a Teleport instance to a Teleport cluster which doe One option might be to use Teleport's built-in [ACME support](./teleport-cluster.mdx#acme) or enable [cert-manager support](./teleport-cluster.mdx#highavailabilitycertmanager). +## `teleportConfig` + +`teleportConfig` contains YAML teleport configuration to pass to the Teleport pods. +The configuration will be merged with the chart-generated configuration +and will take precedence in case of conflict. + +See the [Teleport Configuration Reference](../config.mdx) for the list of supported fields. + +```yaml +teleportConfig: + app_service: + debug_app: true + discovery_service: + enabled: true + azure: + - types: ["aks"] + tags: + "*":"*" +``` + ## `tls` ### `existingCASecretName` diff --git a/examples/chart/teleport-kube-agent/templates/_config.tpl b/examples/chart/teleport-kube-agent/templates/_config.tpl new file mode 100644 index 0000000000000..dfd0d7a3ff0cf --- /dev/null +++ b/examples/chart/teleport-kube-agent/templates/_config.tpl 
@@ -0,0 +1,121 @@
+{{- define "teleport-kube-agent.config" -}}
+{{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}}
+{{- if .Values.teleportVersionOverride -}}
+ {{- $_ := set . "teleportVersion" .Values.teleportVersionOverride -}}
+{{- else -}}
+ {{- $_ := set . "teleportVersion" .Chart.Version -}}
+{{- end -}}
+{{- if (ge (semver .teleportVersion).Major 11) }}
+version: v3
+{{- end }}
+teleport:
+ join_params:
+ method: "{{ .Values.joinParams.method }}"
+ token_name: "/etc/teleport-secrets/auth-token"
+ {{- if (ge (semver .teleportVersion).Major 11) }}
+ proxy_server: {{ required "proxyAddr is required in chart values" .Values.proxyAddr }}
+ {{- else }}
+ auth_servers: ["{{ required "proxyAddr is required in chart values" .Values.proxyAddr }}"]
+ {{- end }}
+ {{- if .Values.caPin }}
+ ca_pin: {{- toYaml .Values.caPin | nindent 8 }}
+ {{- end }}
+ log:
+ severity: {{ $logLevel }}
+ output: {{ .Values.log.output }}
+ format:
+ output: {{ .Values.log.format }}
+ extra_fields: {{ .Values.log.extraFields | toJson }}
+
+kubernetes_service:
+ {{- if or (contains "kube" (.Values.roles | toString)) (empty .Values.roles) }}
+ enabled: true
+ kube_cluster_name: {{ required "kubeClusterName is required in chart values when kube role is enabled, see README" .Values.kubeClusterName }}
+ {{- if .Values.labels }}
+ labels: {{- toYaml .Values.labels | nindent 8 }}
+ {{- end }}
+ {{- else }}
+ enabled: false
+ {{- end }}
+
+app_service:
+ {{- if contains "app" (.Values.roles | toString) }}
+ enabled: true
+ {{- if not (or (.Values.apps) (.Values.appResources)) }}
+ {{- fail "at least one of 'apps' and 'appResources' is required in chart values when app role is enabled, see README" }}
+ {{- end }}
+ {{- if .Values.apps }}
+ {{- range $app := .Values.apps }}
+ {{- if not (hasKey $app "name") }}
+ {{- fail "'name' is required for all 'apps' in chart values when app role is enabled, see README" }}
+ {{- end }}
+ {{- if not (hasKey $app "uri") }}
+ {{- fail "'uri' is required for all 'apps' in chart values when app role is enabled, see README" }}
+ {{- end }}
+ {{- end }}
+ apps:
+ {{- toYaml .Values.apps | nindent 8 }}
+ {{- end }}
+ {{- if .Values.appResources }}
+ resources:
+ {{- toYaml .Values.appResources | nindent 8 }}
+ {{- end }}
+ {{- else }}
+ enabled: false
+ {{- end }}
+
+db_service:
+ {{- if contains "db" (.Values.roles | toString) }}
+ enabled: true
+ {{- if not (or (.Values.awsDatabases) (.Values.azureDatabases) (.Values.databases) (.Values.databaseResources)) }}
+ {{- fail "at least one of 'awsDatabases', 'azureDatabases', 'databases' or 'databaseResources' is required in chart values when db role is enabled, see README" }}
+ {{- end }}
+ {{- if .Values.awsDatabases }}
+ aws:
+ {{- range $awsDb := .Values.awsDatabases }}
+ {{- if not (hasKey $awsDb "types") }}
+ {{- fail "'types' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }}
+ {{- end }}
+ {{- if not (hasKey $awsDb "regions") }}
+ {{- fail "'regions' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }}
+ {{- end }}
+ {{- if not (hasKey $awsDb "tags") }}
+ {{- fail "'tags' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }}
+ {{- end }}
+ {{- end }}
+ {{- toYaml .Values.awsDatabases | nindent 6 }}
+ {{- end }}
+ {{- if .Values.azureDatabases }}
+ azure:
+ {{- toYaml .Values.azureDatabases | nindent 6 }}
+ {{- end}}
+ {{- if .Values.databases }}
+ databases:
+ {{- range $db := .Values.databases }}
+ {{- if not (hasKey $db "name") }}
+ {{- fail "'name' is required for all 'databases' in chart values when db role is enabled, see README" }}
+ {{- end }}
+ {{- if not (hasKey $db "uri") }}
+ {{- fail "'uri' is required for all 'databases' is required in chart values when db role is enabled, see README" }}
+ {{- end }}
+ {{- if not (hasKey $db "protocol") }}
+ {{- fail "'protocol' is required for all 'databases' in chart values when db role is enabled, see README" }}
+ {{- end }}
+ {{- end }}
+ {{- toYaml .Values.databases | nindent 6 }}
+ {{- end }}
+ {{- if .Values.databaseResources }}
+ resources:
+ {{- toYaml .Values.databaseResources | nindent 6 }}
+ {{- end }}
+{{- else }}
+ enabled: false
+{{- end }}
+
+auth_service:
+ enabled: false
+ssh_service:
+ enabled: false
+proxy_service:
+ enabled: false
+{{- end -}}
diff --git a/examples/chart/teleport-kube-agent/templates/config.yaml b/examples/chart/teleport-kube-agent/templates/config.yaml
index 3c6552c25bf7b..d97ebaed567ca 100644
--- a/examples/chart/teleport-kube-agent/templates/config.yaml
+++ b/examples/chart/teleport-kube-agent/templates/config.yaml
@@ -1,9 +1,3 @@
-{{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}}
-{{- if .Values.teleportVersionOverride -}}
- {{- $_ := set . "teleportVersion" .Values.teleportVersionOverride -}}
-{{- else -}}
- {{- $_ := set . "teleportVersion" .Chart.Version -}}
-{{- end -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
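Review bot: The `fail` message for a database entry without `uri` reads `'uri' is required for all 'databases' is required in chart values …`, duplicating "is required"; since this file is new, fix it here to `{{- fail "'uri' is required for all 'databases' in chart values when db role is enabled, see README" }}` so it matches the sibling `'name'` and `'protocol'` messages. The named template also has no header comment, and its contract is not obvious from the file alone: its output is parsed back with `fromYaml` by the caller and merged with `.Values.teleportConfig`, so it must emit valid YAML and nothing else, and it mutates the root context through `set . "teleportVersion" …`. I would open the file with a `{{/* … */}}` comment stating those three facts. Minor style point: `{{- end}}` after the `azure:` block is the only closing action without a space before `}}`; `{{- end }}` keeps it consistent with the rest of the file.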
@@ -19,116 +13,4 @@ metadata:
 {{- end }}
 data:
 teleport.yaml: |
- {{- if (ge (semver .teleportVersion).Major 11) }}
- version: v3
- {{- end }}
- teleport:
- join_params:
- method: "{{ .Values.joinParams.method }}"
- token_name: "/etc/teleport-secrets/auth-token"
- {{- if (ge (semver .teleportVersion).Major 11) }}
- proxy_server: {{ required "proxyAddr is required in chart values" .Values.proxyAddr }}
- {{- else }}
- auth_servers: ["{{ required "proxyAddr is required in chart values" .Values.proxyAddr }}"]
- {{- end }}
- {{- if .Values.caPin }}
- ca_pin: {{- toYaml .Values.caPin | nindent 8 }}
- {{- end }}
- log:
- severity: {{ $logLevel }}
- output: {{ .Values.log.output }}
- format:
- output: {{ .Values.log.format }}
- extra_fields: {{ .Values.log.extraFields | toJson }}
-
- kubernetes_service:
- {{- if or (contains "kube" (.Values.roles | toString)) (empty .Values.roles) }}
- enabled: true
- kube_cluster_name: {{ required "kubeClusterName is required in chart values when kube role is enabled, see README" .Values.kubeClusterName }}
- {{- if .Values.labels }}
- labels: {{- toYaml .Values.labels | nindent 8 }}
- {{- end }}
- {{- else }}
- enabled: false
- {{- end }}
-
- app_service:
- {{- if contains "app" (.Values.roles | toString) }}
- enabled: true
- {{- if not (or (.Values.apps) (.Values.appResources)) }}
- {{- fail "at least one of 'apps' and 'appResources' is required in chart values when app role is enabled, see README" }}
- {{- end }}
- {{- if .Values.apps }}
- {{- range $app := .Values.apps }}
- {{- if not (hasKey $app "name") }}
- {{- fail "'name' is required for all 'apps' in chart values when app role is enabled, see README" }}
- {{- end }}
- {{- if not (hasKey $app "uri") }}
- {{- fail "'uri' is required for all 'apps' in chart values when app role is enabled, see README" }}
- {{- end }}
- {{- end }}
- apps:
- {{- toYaml .Values.apps | nindent 8 }}
- {{- end }}
- {{- if .Values.appResources }}
- resources:
- {{- toYaml .Values.appResources | nindent 8 }}
- {{- end }}
- {{- else }}
- enabled: false
- {{- end }}
-
- db_service:
- {{- if contains "db" (.Values.roles | toString) }}
- enabled: true
- {{- if not (or (.Values.awsDatabases) (.Values.azureDatabases) (.Values.databases) (.Values.databaseResources)) }}
- {{- fail "at least one of 'awsDatabases', 'azureDatabases', 'databases' or 'databaseResources' is required in chart values when db role is enabled, see README" }}
- {{- end }}
- {{- if .Values.awsDatabases }}
- aws:
- {{- range $awsDb := .Values.awsDatabases }}
- {{- if not (hasKey $awsDb "types") }}
- {{- fail "'types' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }}
- {{- end }}
- {{- if not (hasKey $awsDb "regions") }}
- {{- fail "'regions' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }}
- {{- end }}
- {{- if not (hasKey $awsDb "tags") }}
- {{- fail "'tags' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }}
- {{- end }}
- {{- end }}
- {{- toYaml .Values.awsDatabases | nindent 6 }}
- {{- end }}
- {{- if .Values.azureDatabases }}
- azure:
- {{- toYaml .Values.azureDatabases | nindent 6 }}
- {{- end}}
- {{- if .Values.databases }}
- databases:
- {{- range $db := .Values.databases }}
- {{- if not (hasKey $db "name") }}
- {{- fail "'name' is required for all 'databases' in chart values when db role is enabled, see README" }}
- {{- end }}
- {{- if not (hasKey $db "uri") }}
- {{- fail "'uri' is required for all 'databases' is required in chart values when db role is enabled, see README" }}
- {{- end }}
- {{- if not (hasKey $db "protocol") }}
- {{- fail "'protocol' is required for all 'databases' in chart values when db role is enabled, see README" }}
- {{- end }}
- {{- end }}
- {{- toYaml .Values.databases | nindent 6 }}
- {{- end }}
- {{- if .Values.databaseResources }}
- resources:
- {{- toYaml .Values.databaseResources | nindent 6 }}
- {{- 
end }} - {{- else }} - enabled: false - {{- end }} - - auth_service: - enabled: false - ssh_service: - enabled: false - proxy_service: - enabled: false + {{- mustMergeOverwrite (include "teleport-kube-agent.config" . | fromYaml) .Values.teleportConfig | toYaml | nindent 4 -}} diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap index 1070bb0f6bf71..3585d3b17a8ed 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap @@ -2,36 +2,36 @@ does not generate a config for clusterrole.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
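Review bot: The new merge line gives `.Values.teleportConfig` unconditional precedence over every chart-generated key, including the ones that anchor the agent's trust in the cluster it joins (`teleport.ca_pin`, `proxy_server`, `join_params`), and `mustMergeOverwrite` replaces lists wholesale rather than appending, so a `ca_pin` list in `teleportConfig` silently discards the chart's `caPin` value. That matches the "will take precedence in case of conflict" wording in the docs hunk, but the `teleportConfig` reference should state explicitly that lists are replaced, not merged, and that the override reaches the join and CA-pinning settings. Separately, Helm's `fromYaml` does not fail on unparsable input but returns a map holding an `Error` key, so a template bug in `teleport-kube-agent.config` would ship a ConfigMap containing `Error: …` instead of failing the render; a guard such as `{{- $cfg := include "teleport-kube-agent.config" . | fromYaml }}` followed by `{{- if hasKey $cfg "Error" }}{{ fail $cfg.Error }}{{ end }}` before the merge surfaces that at render time. The round-trip also re-serialises the config, so the explicit quoting of `method` and `token_name` from the removed lines is gone (the snapshots now show `method: token`); harmless for these values, but worth a one-line comment above the merge so nobody re-adds quoting in the partial expecting it to survive.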
@@ -40,36 +40,36 @@ does not generate a config for pdb.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -78,36 +78,36 @@ matches snapshot and tests for annotations.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: annotations: 
@@ -119,36 +119,36 @@ matches snapshot and tests for extra-labels.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: labels: 
@@ -160,36 +160,36 @@ matches snapshot for affinity.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -198,49 +198,49 @@ matches snapshot for all-v6.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - labels: - cluster: testing - + teleport.yaml: |- app_service: - enabled: true apps: - - labels: - environment: test - name: grafana - uri: http://localhost:3000 - - db_service: + - labels: + environment: test + name: grafana + uri: http://localhost:3000 enabled: true + auth_service: + enabled: false + db_service: databases: - labels: database: staging name: aurora protocol: postgres uri: postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432 - - auth_service: + enabled: true + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name + labels: + cluster: testing + proxy_service: enabled: false ssh_service: enabled: false - proxy_service: - enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: annotations: 
@@ -252,28 +252,12 @@ matches snapshot for aws-databases.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: false - + teleport.yaml: |- app_service: enabled: false - + auth_service: + enabled: false db_service: - enabled: true aws: - regions: - us-east-1 @@ -287,13 +271,29 @@ matches snapshot for aws-databases.yaml: env: development types: - rds - - auth_service: - enabled: false - ssh_service: + enabled: true + kubernetes_service: enabled: false proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME @@ -302,28 +302,12 @@ matches snapshot for azure-databases.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: false - + teleport.yaml: |- app_service: enabled: false - + auth_service: + enabled: false db_service: - enabled: true azure: - tags: '*': '*' 
@@ -346,13 +330,29 @@ matches snapshot for azure-databases.yaml: origin: alice types: - mysql - - auth_service: - enabled: false - ssh_service: + enabled: true + kubernetes_service: enabled: false proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME @@ -361,36 +361,36 @@ matches snapshot for backwards-compatibility.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -399,38 +399,38 @@ matches snapshot for ca-pin.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - ca_pin: - - sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + ca_pin: + - sha256:7e12c17c20d9cb504bbcb3f0236be3f446861f1396dcbb44425fe28ec1c108f1 + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -439,41 +439,41 @@ matches snapshot for db.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: false - + teleport.yaml: |- app_service: enabled: false - + auth_service: + enabled: false db_service: - enabled: true databases: - labels: database: staging name: aurora protocol: postgres uri: postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432 - - auth_service: - enabled: false - ssh_service: + enabled: true + kubernetes_service: enabled: false proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -482,38 +482,38 @@ matches snapshot for dynamic-app.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: false - + teleport.yaml: |- app_service: enabled: true resources: - - labels: - '*': '*' - - db_service: - enabled: false - + - labels: + '*': '*' auth_service: enabled: false - ssh_service: + db_service: + enabled: false + kubernetes_service: enabled: false proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -522,38 +522,38 @@ matches snapshot for dynamic-db.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: false - + teleport.yaml: |- app_service: enabled: false - + auth_service: + enabled: false db_service: enabled: true resources: - labels: '*': '*' - - auth_service: - enabled: false - ssh_service: + kubernetes_service: enabled: false proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -562,36 +562,36 @@ matches snapshot for imagepullsecrets.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -600,36 +600,36 @@ matches snapshot for initcontainers.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -638,36 +638,36 @@ matches snapshot for join-params-iam.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "iam" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: iam + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -676,74 +676,74 @@ matches snapshot for join-params-token.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name proxy_service: enabled: false - kind: ConfigMap - metadata: - name: RELEASE-NAME - namespace: NAMESPACE -matches snapshot for log-basic.yaml: - 1: | - apiVersion: v1 - data: - teleport.yaml: | - version: v3 + ssh_service: + enabled: false teleport: join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 + method: token + token_name: /etc/teleport-secrets/auth-token log: - severity: INFO - output: stderr format: - output: json - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for log-basic.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token 
+ token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: json + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME @@ -752,36 +752,36 @@ matches snapshot for log-extra.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: DEBUG - output: /var/lib/teleport/test.log - format: - output: json - extra_fields: ["level","timestamp","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - level + - timestamp + - component + - caller + output: json + output: /var/lib/teleport/test.log + severity: DEBUG + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -790,36 +790,36 @@ matches snapshot for log-legacy.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: DEBUG - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: DEBUG + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -828,36 +828,36 @@ matches snapshot for node-selector.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -866,36 +866,36 @@ matches snapshot for pdb.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: DEBUG - output: /var/lib/teleport/test.log - format: - output: json - extra_fields: ["level","timestamp","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - level + - timestamp + - component + - caller + output: json + output: /var/lib/teleport/test.log + severity: DEBUG + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -904,36 +904,36 @@ matches snapshot for resources.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -942,36 +942,36 @@ matches snapshot for stateful.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -980,36 +980,36 @@ matches snapshot for tolerations.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -1018,35 +1018,36 @@ matches snapshot for v10.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - auth_servers: ["proxy.example.com:3080"] - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + auth_servers: + - proxy.example.com:3080 + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -1055,36 +1056,36 @@ matches snapshot for v11.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster-name - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster-name proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME 
@@ -1093,36 +1094,36 @@ matches snapshot for volumes.yaml: 1: | apiVersion: v1 data: - teleport.yaml: | - version: v3 - teleport: - join_params: - method: "token" - token_name: "/etc/teleport-secrets/auth-token" - proxy_server: proxy.example.com:3080 - log: - severity: INFO - output: stderr - format: - output: text - extra_fields: ["timestamp","level","component","caller"] - - kubernetes_service: - enabled: true - kube_cluster_name: test-kube-cluster - + teleport.yaml: |- app_service: enabled: false - - db_service: - enabled: false - auth_service: enabled: false - ssh_service: + db_service: enabled: false + kubernetes_service: + enabled: true + kube_cluster_name: test-kube-cluster proxy_service: enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 kind: ConfigMap metadata: name: RELEASE-NAME diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap index 1677d581ce053..4b0a167c2fe4e 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap @@ -18,7 +18,7 @@ sets Deployment annotations when specified if action is Upgrade: template: metadata: annotations: - checksum/config: 69e263080e9c222718c7fb92180c7367832071d7efd51e9bd6dcdb6326e6f9a8 + checksum/config: 80088923d2d7ce4344db0f2174d29d7cfb2d599424adfabf6f6818a9434794ca kubernetes.io/pod: test-annotation kubernetes.io/pod-different: 4 labels: 
@@ -86,7 +86,7 @@ sets Deployment labels when specified if action is Upgrade:
 template:
 metadata:
 annotations:
- checksum/config: f472b546dffe5369ea3263c8ee806e71ff2782c951b6f8233835606d17eeae12
+ checksum/config: db49feab9b174f73188febc30d2b01d27b16e5a76b586c6e87e6e62eb43620a2
 labels:
 app: RELEASE-NAME
 app.kubernetes.io/name: teleport-kube-agent
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
index 8e3b3f3a46c81..2eb60eb6b8cef 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
@@ -150,7 +150,7 @@ sets StatefulSet labels when specified:
 template:
 metadata:
 annotations:
- checksum/config: f472b546dffe5369ea3263c8ee806e71ff2782c951b6f8233835606d17eeae12
+ checksum/config: db49feab9b174f73188febc30d2b01d27b16e5a76b586c6e87e6e62eb43620a2
 labels:
 app: RELEASE-NAME
 app.kubernetes.io/name: teleport-kube-agent
@@ -381,7 +381,7 @@ should add volumeClaimTemplate for data volume when using StatefulSet and is Fre
 template:
 metadata:
 annotations:
- checksum/config: e27f29eb5c0cc5b62b13090c391cfaec6c1bb5a66c9f5ec01654d0571767087e
+ checksum/config: 6e010c147e8d81d244e7aafdcee7e652cdb4d5640fb7f14d0e1ebb7832f943a5
 labels:
 app: RELEASE-NAME
 spec:
diff --git a/examples/chart/teleport-kube-agent/values.schema.json b/examples/chart/teleport-kube-agent/values.schema.json
index 14e2dcae014ed..c47c45758b8b0 100644
--- a/examples/chart/teleport-kube-agent/values.schema.json
+++ b/examples/chart/teleport-kube-agent/values.schema.json
@@ -14,6 +14,7 @@
 "databaseResources",
 "teleportVersionOverride",
 "insecureSkipProxyTLSVerify",
+ "teleportConfig",
 "existingDataVolume",
 "podSecurityPolicy",
 "labels",
@@ -243,6 +244,11 @@
 "type": "boolean",
 "default": false
 },
+ "teleportConfig": {
+ "$id": "#/properties/teleportConfig",
+ "type": "object",
+ "default": {}
+ },
 "tls": {
 "$id": "#/properties/tls",
 "type": "object",
diff --git a/examples/chart/teleport-kube-agent/values.yaml b/examples/chart/teleport-kube-agent/values.yaml
index 6f41cb6069a69..a688a719e4c64 100644
--- a/examples/chart/teleport-kube-agent/values.yaml
+++ b/examples/chart/teleport-kube-agent/values.yaml
@@ -118,6 +118,11 @@ caPin: []
 # certificate.
 insecureSkipProxyTLSVerify: false
 
+# teleportConfig contains additional teleport configuration
+# The configuration will be merged with the chart-generated configuration
+# and will take precedence in case of conflict
+teleportConfig: {}
+
 # Settings for mounting your own TLS material in the agent pod.
 # The agent does not expose a TLS server, so this is only used to trust CAs.
 tls:
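Review bot: The `teleportConfig` comment in the values.yaml hunk should say that the precedence also covers the chart-generated connection settings, not just extra services: the snapshot hunks in this change show the chart emitting `teleport.proxy_server` and `teleport.join_params` from `proxyAddr` and the join token, so a conflicting key under `teleportConfig` presumably replaces those (the merge helper itself is outside this hunk, so this is inferred from the documented precedence). Suggest appending `# Keys set here override chart-generated ones, including teleport.proxy_server, teleport.join_params and teleport.ca_pin derived from proxyAddr and caPin.` after the third comment line, so readers see that a values file can repoint the agent or change its pinning without touching `proxyAddr` or `caPin`. The three new comment lines also omit the terminal periods used by the neighbouring comments in this file (`# certificate.`), a minor style inconsistency.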