helm: Make auth type configurable

docs/pages/kubernetes-access/helm/reference.mdx

@@ -50,6 +50,7 @@ This reference details available values for the `teleport-cluster` chart.
   If you are not using ACME certificates, you may also need to accept insecure warnings in your browser to view the page successfully.
 </Admonition>
 
+
 ## `kubeClusterName`
 
 | Type | Default value | Required? | `teleport.yaml` equivalent | Can be used in `custom` mode? |
@@ -58,6 +59,15 @@ This reference details available values for the `teleport-cluster` chart.
 
 `kubeClusterName` sets the name used for the Kubernetes cluster. This name will be shown to Teleport users connecting to the cluster.
 
+## `authenticationType`
+
+| Type | Default value | Required? | `teleport.yaml` equivalent | Can be used in `custom` mode? |
+| - | - | - | - | - |
+| `string` | `local` | Yes | `auth_service.authentication.type` | ❌ |
+
+`authenticationType` controls the authentication scheme used by Teleport. Possible values are `local` and `github` for OSS, plus `oidc`, `saml`, and `false` for Enterprise.
+
+
 ## `enterprise`
 
 | Type | Default value | Can be used in `custom` mode? |

examples/chart/teleport-cluster/README.md

@@ -33,6 +33,7 @@ secret `license` in the chart namespace.
 | Name                      | Description                                                                 | Default                                                | Required |
 |---------------------------|-----------------------------------------------------------------------------|--------------------------------------------------------|----------|
 | `clusterName`             | Teleport cluster name (must be an FQDN)                                     |                                                        | yes      |
+| `authenticationType`      | Type of authentication to use (`local`, `github`, ...)                      | `local`                                                | no       |
 | `teleportVersionOverride` | Teleport version                                                            | Current stable version                                 | no       |
 | `image`                   | OSS Docker image                                                            | `quay.io/gravitational/teleport`                       | no       |
 | `enterpriseImage`         | Enterprise Docker image                                                     | `quay.io/gravitational/teleport-ent`                   | no       |

examples/chart/teleport-cluster/templates/config.yaml

@@ -38,6 +38,8 @@ data:
   {{- if .Values.enterprise }}
       license_file: '/var/lib/license/license.pem'
   {{- end }}
+      authentication:
+        type: {{ required "authenticationType is required in chart values" .Values.authenticationType }}
     kubernetes_service:
       enabled: true
       listen_addr: 0.0.0.0:3027

examples/chart/teleport-cluster/values.schema.json

@@ -3,6 +3,7 @@
     "type": "object",
     "required": [
         "clusterName",
+        "authenticationType",
         "enterprise",
         "podSecurityPolicy",
         "labels",
@@ -26,6 +27,11 @@
             "type": "string",
             "default": ""
         },
+        "authenticationType": {
+            "$id": "#/properties/authenticationType",
+            "type": "string",
+            "default": "local"
+        },
         "teleportVersionOverride": {
             "$id": "#/properties/teleportVersionOverride",
             "type": "string",

examples/chart/teleport-cluster/values.yaml

@@ -18,6 +18,10 @@ kubeClusterName: ""
 # Version of teleport image, if different from chart version in Chart.yaml.
 teleportVersionOverride: ""
 
+# Default authentication type. Possible values are 'local' and 'github' for OSS, plus 'oidc', 'saml', and 'false' for Enterprise.
+# 'false' is required for FedRAMP / FIPS; see https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/
+authenticationType: local
+
 # ACME is a protocol for getting Web X.509 certificates
 # Note: ACME can only be used for single-instance clusters. It is not suitable for use in HA configurations.
 # Setting acme to 'true' enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt.