Update Helm release teleport-kube-agent to v16

helm/teleport-kube-agent/Chart.yaml

@@ -1,17 +1,9 @@
 apiVersion: v2
-name: teleport-kube-agent
-appVersion: 15.1.9
-version: [[ .Version ]]
+appVersion: 16.0.1
 description: Teleport provides a secure SSH, Kubernetes, database and application
   remote access solution that doesn't get in the way.
-icon: https://s.giantswarm.io/app-icons/teleport/1/light.png
-type: application
-sources:
-- https://github.com/gravitational/teleport
+icon: https://goteleport.com/static/teleport-symbol-bimi.svg
 keywords:
 - Teleport
-annotations:
-  application.giantswarm.io/team: bigmac
-maintainers:
-  - name: giantswarm/team-bigmac
-    email: team-bigmac@giantswarm.io
+name: teleport-kube-agent
+version: 16.0.1

helm/teleport-kube-agent/templates/_config.tpl

@@ -128,6 +128,16 @@ discovery_service:
   enabled: false
 {{- end }}
 
+jamf_service:
+  {{- if contains "jamf" (.Values.roles | toString) }}
+  enabled: true
+  api_endpoint: {{ required "jamfApiEndpoint is required in chart values when jamf role is enabled, see README" .Values.jamfApiEndpoint }}
+  client_id: {{ required "jamfClientId is required in chart values when jamf role is enabled, see README" .Values.jamfClientId }}
+  client_secret_file: "/etc/teleport-jamf-api-credentials/credential"
+  {{- else }}
+  enabled: false
+  {{- end }}
+
 auth_service:
   enabled: false
 ssh_service:

helm/teleport-kube-agent/templates/_helpers.tpl

@@ -33,26 +33,18 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N
 {{- if .Values.teleportVersionOverride -}}
   {{- .Values.teleportVersionOverride -}}
 {{- else -}}
-  {{- .Chart.AppVersion -}}
+  {{- .Chart.Version -}}
 {{- end -}}
 {{- end -}}
 
 {{- define "teleport-kube-agent.baseImage" -}}
 {{- if .Values.enterprise -}}
   {{- .Values.enterpriseImage -}}
 {{- else -}}
-  {{- .Values.image.repository -}}
+  {{- .Values.image -}}
 {{- end -}}
 {{- end -}}
 
 {{- define "teleport-kube-agent.image" -}}
 {{ include "teleport-kube-agent.baseImage" . }}:{{ include "teleport-kube-agent.version" . }}
 {{- end -}}
-
-{{- define "registry" }}
-{{- $registry := .Values.image.registry -}}
-{{- if and .Values.global (and .Values.global.image .Values.global.image.registry) -}}
-{{- $registry = .Values.global.image.registry -}}
-{{- end -}}
-{{- printf "%s" $registry -}}
-{{- end -}}

helm/teleport-kube-agent/templates/delete_hook.yaml

@@ -84,7 +84,7 @@ spec:
                 fieldPath: metadata.namespace
           - name: RELEASE_NAME
             value: {{ .Release.Name }}
-        image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}'
+        image: {{ include "teleport-kube-agent.image" . | quote }}
         {{- if .Values.imagePullPolicy }}
         imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
         {{- end }}

helm/teleport-kube-agent/templates/deployment.yaml

@@ -111,6 +111,11 @@ spec:
           name: "teleport-tls-ca"
           readOnly: true
           {{- end }}
+          {{- if contains "jamf" (.Values.roles | toString) }}
+        - mountPath: /etc/teleport-jamf-api-credentials
+          name: "jamf-api-credentials"
+          readOnly: true
+          {{- end }}
   {{- if .Values.extraVolumeMounts }}
     {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
   {{- end }}
@@ -121,7 +126,7 @@ spec:
       {{- end }}
       containers:
       - name: "teleport"
-        image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}'
+        image: {{ include "teleport-kube-agent.image" . | quote }}
         {{- if .Values.imagePullPolicy }}
         imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
         {{- end }}
@@ -192,6 +197,11 @@ spec:
           name: "teleport-tls-ca"
           readOnly: true
           {{- end }}
+          {{- if contains "jamf" (.Values.roles | toString) }}
+        - mountPath: /etc/teleport-jamf-api-credentials
+          name: "jamf-api-credentials"
+          readOnly: true
+          {{- end }}
 {{- if .Values.extraVolumeMounts }}
   {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
 {{- end }}
@@ -214,6 +224,11 @@ spec:
         secret:
           secretName: {{ .Values.tls.existingCASecretName }}
       {{- end }}
+      {{- if contains "jamf" (.Values.roles | toString) }}
+      - name: "jamf-api-credentials"
+        secret:
+          secretName: {{ .Values.jamfCredentialsSecret.name }}
+      {{- end }}
 {{- if .Values.extraVolumes }}
   {{- toYaml .Values.extraVolumes | nindent 6 }}
 {{- end }}

helm/teleport-kube-agent/templates/hook.yaml

@@ -79,7 +79,7 @@ spec:
 {{- end }}
       containers:
       - name: post-install-job
-        image: alpine/k8s:1.30.0
+        image: alpine/k8s:1.26.0
         command:
         - sh
         - "-c"

helm/teleport-kube-agent/templates/pdb.yaml

@@ -2,7 +2,7 @@
 {{- if .Capabilities.APIVersions.Has "policy/v1" }}
 apiVersion: policy/v1
 {{- else }}
-apiVersion: policy/v1
+apiVersion: policy/v1beta1
 {{- end }}
 kind: PodDisruptionBudget
 metadata:

helm/teleport-kube-agent/templates/psp.yaml

@@ -2,7 +2,7 @@
   We must remove them before 1.25 to ensure the Helm state doesn't corrupt. As this is a breaking change, this
   only applies to v12+ charts. v11 and below will only show a warning from the NOTES.txt.
   Users must use PSAs instead (beta in 1.23, GA in 1.25). The "teleport-cluster" chart runs in "baseline" mode */}}
-{{- if and (not .Values.global.podSecurityStandards.enforced) .Values.podSecurityPolicy.enabled (semverCompare "<1.25.0" .Capabilities.KubeVersion.Version) -}}
+{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

helm/teleport-kube-agent/templates/role.yaml

@@ -11,4 +11,4 @@ rules:
 - apiGroups: [""]
   # objects is "secrets"
   resources: ["secrets"]
-  verbs: ["create", "get", "update","patch"]
+  verbs: ["create", "get", "update", "patch"]

helm/teleport-kube-agent/templates/secret.yaml

@@ -17,3 +17,23 @@ stringData:
   auth-token: |
     {{ coalesce .Values.joinParams.tokenName .Values.authToken }}
 {{- end}}
+
+{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.jamfCredentialsSecret.name }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.extraLabels.secret }}
+  labels:
+  {{- toYaml .Values.extraLabels.secret | nindent 4 }}
+  {{- end }}
+  {{- if .Values.annotations.secret }}
+  annotations:
+  {{- toYaml .Values.annotations.secret | nindent 4 }}
+  {{- end }}
+type: Opaque
+stringData:
+  credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }}
+{{- end}}

helm/teleport-kube-agent/templates/statefulset.yaml

@@ -107,6 +107,11 @@ spec:
           name: "teleport-tls-ca"
           readOnly: true
           {{- end }}
+          {{- if contains "jamf" (.Values.roles | toString) }}
+        - mountPath: /etc/teleport-jamf-api-credentials
+          name: "jamf-api-credentials"
+          readOnly: true
+          {{- end }}
   {{- if .Values.extraVolumeMounts }}
     {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
   {{- end }}
@@ -121,26 +126,11 @@ spec:
       {{- end }}
       containers:
       - name: "teleport"
-        image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}'
+        image: {{ include "teleport-kube-agent.image" . | quote }}
         {{- if .Values.imagePullPolicy }}
         imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
         {{- end }}
         env:
-          {{- $proxy := deepCopy .Values.cluster.proxy |  mustMerge .Values.proxy }}
-          {{- if and $proxy.noProxy $proxy.http $proxy.https }}
-          - name: NO_PROXY
-            value: {{ $proxy.noProxy }}
-          - name: no_proxy
-            value: {{ $proxy.noProxy }}
-          - name: HTTP_PROXY
-            value: {{ $proxy.http }}
-          - name: http_proxy
-            value: {{ $proxy.http }}
-          - name: HTTPS_PROXY
-            value: {{ $proxy.https }}
-          - name: https_proxy
-            value: {{ $proxy.https }}
-          {{- end }}        
           # This variable is set for telemetry purposes.
           # Telemetry is opt-in and controlled at the auth level.
           - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
@@ -222,6 +212,11 @@ spec:
           name: "teleport-tls-ca"
           readOnly: true
 {{- end }}
+{{- if contains "jamf" (.Values.roles | toString) }}
+        - mountPath: /etc/teleport-jamf-api-credentials
+          name: "jamf-api-credentials"
+          readOnly: true
+{{- end }}
 {{- if .Values.extraVolumeMounts }}
   {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
 {{- end }}
@@ -244,6 +239,11 @@ spec:
         secret:
           secretName: {{ .Values.tls.existingCASecretName }}
 {{- end }}
+{{- if contains "jamf" (.Values.roles | toString) }}
+      - name: "jamf-api-credentials"
+        secret:
+          secretName: {{ .Values.jamfCredentialsSecret.name }}
+{{- end }}
 {{- if .Values.extraVolumes }}
   {{- toYaml .Values.extraVolumes | nindent 6 }}
 {{- end }}