Adding annotations to the serviceAccount definition

examples/chart/teleport/HIGHAVAILABILITY.md

@@ -52,7 +52,8 @@ A high availability deployment of Teleport will typically have at least 2 proxy
   # High availability configuration with proxy and auth servers. No SSH configured service.
   proxyCount: 2
   authCount: 2
-  authServiceType: ClusterIP
+  authService:
+    type: ClusterIP
   auth_public_address: auth.example.com
 ```
 2. Set the connection for the proxies to connect to the auth service in the config section. The auth service is available at the Kubernetes service name and the public address setting.  So if you deploy an app named `myexample` then the auth service will be available in the Cluster at `myexampleauth` in addition to the public address.

examples/chart/teleport/templates/service.yaml

@@ -5,14 +5,18 @@ metadata:
   labels:
 {{ include "teleport.labels" . | indent 4 }}
 {{- if .Values.service.labels }}
-{{ toYaml .Values.service.annotations | indent 4 }}
+{{ toYaml .Values.service.labels | indent 4 }}
 {{- end }}
 {{- if .Values.service.annotations }}
   annotations:
 {{ toYaml .Values.service.annotations | indent 4 }}
 {{- end }}
 spec:
   type: {{ .Values.service.type }}
+{{- if and .Values.service.loadBalancerSourceRanges (eq .Values.service.type "LoadBalancer") }}
+  loadBalancerSourceRanges:
+{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }}
+{{- end }}    
   ports:
 {{- range $key, $value := .Values.service.ports }}
 {{ if  or (not $.Values.config.highAvailability) (and ($.Values.config.highAvailability) (not (eq $key "authssh")))   }}
@@ -35,22 +39,26 @@ metadata:
   name: {{ template "teleport.fullname" . }}auth
   labels:
 {{ include "teleport.labels" . | indent 4 }}
-{{- if .Values.service.labels }}
-{{ toYaml .Values.service.annotations | indent 4 }}
+{{- if .Values.config.authService.labels }}
+{{ toYaml .Values.config.config.authService.labels | indent 4 }}
 {{- end }}
-{{- if .Values.service.annotations }}
+{{- if .Values.config.authService.annotations }}
   annotations:
-{{ toYaml .Values.service.annotations | indent 4 }}
+{{ toYaml .Values.config.authService.annotations | indent 4 }}
 {{- end }}
 spec:
-  type: {{ .Values.config.authServiceType }}
+  type: {{ .Values.config.authService.type }}
+{{- if and .Values.config.authService.loadBalancerSourceRanges (eq .Values.config.authService.type "LoadBalancer") }}
+  loadBalancerSourceRanges:
+{{ toYaml .Values.config.authService.loadBalancerSourceRanges | indent 4 }}
+{{- end }}    
   ports:
     - name: authssh
       port: {{ .Values.ports.authssh.containerPort }}
       targetPort: {{ .Values.ports.authssh.containerPort }}
       protocol: TCP
-{{- if and (semverCompare ">=1.7-0" .Capabilities.KubeVersion.GitVersion) (.Values.service.externalTrafficPolicy) }}
-  externalTrafficPolicy: "{{ .Values.service.externalTrafficPolicy }}"
+{{- if and (semverCompare ">=1.7-0" .Capabilities.KubeVersion.GitVersion) (.Values.config.authService.externalTrafficPolicy) }}
+  externalTrafficPolicy: "{{ .Values.config.authService.externalTrafficPolicy }}"
 {{- end }}
   selector:
     app: {{ template "teleport.name" . }}

examples/chart/teleport/templates/serviceaccount.yaml

@@ -5,4 +5,8 @@ metadata:
   name: {{ template "teleport.serviceAccountName" . }}
   labels:
 {{ include "teleport.labels" . | indent 4 }}
+{{- if .Values.serviceAccount.annotations -}}
+  annotations:
+{{ .Values.serviceAccount.annotations | indent 4 }}
+{{- end -}}
 {{- end -}}

examples/chart/teleport/values.yaml

@@ -52,8 +52,13 @@ config:
   # High availability configuration with proxy and auth servers. No configured SSH service.
   proxyCount: 2
   authCount: 2
-  authServiceType: ClusterIP
   auth_public_address: auth.example.com
+  authService:
+    type: ClusterIP
+    labels: {}
+    annotations: {}
+    externalTrafficPolicy: ""
+    loadBalancerSourceRanges: []
 
 # Set for proxies in high availability, single proxy and ssh service only deployments
 # auth_service_connection:
@@ -188,6 +193,7 @@ service:
   annotations: {}
   ## Ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
   externalTrafficPolicy: ""
+  loadBalancerSourceRanges: []
 
   ## See https://github.com/kubernetes-incubator/external-dns/blob/master/docs/tutorials/aws-sd.md#verify-that-externaldns-works-service-example
   # Set something like the below in order to instruct external-dns to create a Route53 record set for your ELB on AWS:
@@ -273,6 +279,7 @@ serviceAccount:
   # The name of the ServiceAccount to use.
   # If not set and create is true, a name is generated using the fullname template
   name:
+  annotations: {}
 
 persistence:
   enabled: false