diff --git a/helm/teleport-kube-agent/Chart.yaml b/helm/teleport-kube-agent/Chart.yaml index b40195e..1d68a6e 100644 --- a/helm/teleport-kube-agent/Chart.yaml +++ b/helm/teleport-kube-agent/Chart.yaml @@ -1,17 +1,9 @@ apiVersion: v2 -name: teleport-kube-agent -appVersion: 15.1.9 -version: [[ .Version ]] +appVersion: 16.0.1 description: Teleport provides a secure SSH, Kubernetes, database and application remote access solution that doesn't get in the way. -icon: https://s.giantswarm.io/app-icons/teleport/1/light.png -type: application -sources: -- https://github.com/gravitational/teleport +icon: https://goteleport.com/static/teleport-symbol-bimi.svg keywords: - Teleport -annotations: - application.giantswarm.io/team: bigmac -maintainers: - - name: giantswarm/team-bigmac - email: team-bigmac@giantswarm.io +name: teleport-kube-agent +version: 16.0.1 diff --git a/helm/teleport-kube-agent/ci/ci-values.yaml b/helm/teleport-kube-agent/ci/ci-values.yaml deleted file mode 100644 index 2579ac1..0000000 --- a/helm/teleport-kube-agent/ci/ci-values.yaml +++ /dev/null @@ -1,4 +0,0 @@ -proxyAddr: "teleport.demo.gaws.gigantic.io:443" -authToken: "test" -kubeClusterName: "test" -roles: "kube" diff --git a/helm/teleport-kube-agent/templates/_config.tpl b/helm/teleport-kube-agent/templates/_config.tpl index 565e809..adb708d 100644 --- a/helm/teleport-kube-agent/templates/_config.tpl +++ b/helm/teleport-kube-agent/templates/_config.tpl 
@@ -128,6 +128,16 @@ discovery_service: enabled: false {{- end }} +jamf_service: + {{- if contains "jamf" (.Values.roles | toString) }} + enabled: true + api_endpoint: {{ required "jamfApiEndpoint is required in chart values when jamf role is enabled, see README" .Values.jamfApiEndpoint }} + client_id: {{ required "jamfClientId is required in chart values when jamf role is enabled, see README" .Values.jamfClientId }} + client_secret_file: "/etc/teleport-jamf-api-credentials/credential" + {{- else }} + enabled: false + {{- end }} + auth_service: enabled: false ssh_service: diff --git a/helm/teleport-kube-agent/templates/_helpers.tpl b/helm/teleport-kube-agent/templates/_helpers.tpl index 2ef4c56..3e00e27 100644 --- a/helm/teleport-kube-agent/templates/_helpers.tpl +++ b/helm/teleport-kube-agent/templates/_helpers.tpl @@ -33,7 +33,7 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N {{- if .Values.teleportVersionOverride -}} {{- .Values.teleportVersionOverride -}} {{- else -}} - {{- .Chart.AppVersion -}} + {{- .Chart.Version -}} {{- end -}} {{- end -}} @@ -41,18 +41,10 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N {{- if .Values.enterprise -}} {{- .Values.enterpriseImage -}} {{- else -}} - {{- .Values.image.repository -}} + {{- .Values.image -}} {{- end -}} {{- end -}} {{- define "teleport-kube-agent.image" -}} {{ include "teleport-kube-agent.baseImage" . }}:{{ include "teleport-kube-agent.version" . }} {{- end -}} - -{{- define "registry" }} -{{- $registry := .Values.image.registry -}} -{{- if and .Values.global (and .Values.global.image .Values.global.image.registry) -}} -{{- $registry = .Values.global.image.registry -}} -{{- end -}} -{{- printf "%s" $registry -}} -{{- end -}} diff --git a/helm/teleport-kube-agent/templates/delete_hook.yaml b/helm/teleport-kube-agent/templates/delete_hook.yaml index e989580..eb2c17d 100644 --- a/helm/teleport-kube-agent/templates/delete_hook.yaml 
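Review bot: The added `api_endpoint:` and `client_id:` lines in the new `jamf_service` block render their values as plain scalars, so a client id that is all digits, or an endpoint containing ` #` or `: `, changes type or breaks the YAML when Teleport parses the rendered config. Piping each through `quote` keeps them strings, e.g. `api_endpoint: {{ required "jamfApiEndpoint is required in chart values when jamf role is enabled, see README" .Values.jamfApiEndpoint | quote }}`; the `credential:` line added to templates/secret.yaml has the same exposure. The template definition this block belongs to starts and ends outside the hunk.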
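Review bot: Switching the `teleport-kube-agent.version` helper from `.Chart.AppVersion` to `.Chart.Version` ties the container tag to the chart version instead of the Teleport release. Chart.yaml in this same commit replaces `version: [[ .Version ]]` with a literal `16.0.1`; if the build pipeline still rewrites `version` with its own placeholder, the rendered tag becomes that value and the image pull fails, while `appVersion` keeps tracking the Teleport release. Either keep `{{- .Chart.AppVersion -}}` here or confirm that `version` is no longer templated at build time. The define starts outside the hunk.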
+++ b/helm/teleport-kube-agent/templates/delete_hook.yaml @@ -84,7 +84,7 @@ spec: fieldPath: metadata.namespace - name: RELEASE_NAME value: {{ .Release.Name }} - image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}' + image: {{ include "teleport-kube-agent.image" . | quote }} {{- if .Values.imagePullPolicy }} imagePullPolicy: {{ toYaml .Values.imagePullPolicy }} {{- end }} diff --git a/helm/teleport-kube-agent/templates/deployment.yaml b/helm/teleport-kube-agent/templates/deployment.yaml index 1a66fe4..43f3172 100644 --- a/helm/teleport-kube-agent/templates/deployment.yaml +++ b/helm/teleport-kube-agent/templates/deployment.yaml @@ -111,6 +111,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} + {{- if contains "jamf" (.Values.roles | toString) }} + - mountPath: /etc/teleport-jamf-api-credentials + name: "jamf-api-credentials" + readOnly: true + {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} @@ -121,7 +126,7 @@ spec: {{- end }} containers: - name: "teleport" - image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}' + image: {{ include "teleport-kube-agent.image" . | quote }} {{- if .Values.imagePullPolicy }} imagePullPolicy: {{ toYaml .Values.imagePullPolicy }} {{- end }} @@ -192,6 +197,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} + {{- if contains "jamf" (.Values.roles | toString) }} + - mountPath: /etc/teleport-jamf-api-credentials + name: "jamf-api-credentials" + readOnly: true + {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} 
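Review bot: The `jamf-api-credentials` mount added in the `@@ -111` hunk of deployment.yaml sits before the `containers:` key shown in the next hunk, so it appears to land in an init container in addition to the main `teleport` container (hunk `@@ -192`). If that init container does not run the Jamf service, the API credential is exposed to a process that has no use for it; dropping the first block keeps the secret scoped to the container that reads `client_secret_file`. templates/statefulset.yaml (`@@ -107`) adds the same init-container mount. The pod template these blocks sit in starts outside the hunk.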
@@ -214,6 +224,11 @@ spec: secret: secretName: {{ .Values.tls.existingCASecretName }} {{- end }} + {{- if contains "jamf" (.Values.roles | toString) }} + - name: "jamf-api-credentials" + secret: + secretName: {{ .Values.jamfCredentialsSecret.name }} + {{- end }} {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 6 }} {{- end }} diff --git a/helm/teleport-kube-agent/templates/hook.yaml b/helm/teleport-kube-agent/templates/hook.yaml index 0495eef..e6d7de5 100644 --- a/helm/teleport-kube-agent/templates/hook.yaml +++ b/helm/teleport-kube-agent/templates/hook.yaml @@ -79,7 +79,7 @@ spec: {{- end }} containers: - name: post-install-job - image: alpine/k8s:1.30.0 + image: alpine/k8s:1.26.0 command: - sh - "-c" diff --git a/helm/teleport-kube-agent/templates/networkpolicy.yaml b/helm/teleport-kube-agent/templates/networkpolicy.yaml deleted file mode 100644 index 9dd8b40..0000000 --- a/helm/teleport-kube-agent/templates/networkpolicy.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ .Release.Name }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ .Release.Name }} -spec: - egress: - - {} - ingress: - - {} - podSelector: - matchLabels: - app: {{ .Release.Name }} - policyTypes: - - Egress - - Ingress diff --git a/helm/teleport-kube-agent/templates/pdb.yaml b/helm/teleport-kube-agent/templates/pdb.yaml index e0571f1..6b6e17a 100644 --- a/helm/teleport-kube-agent/templates/pdb.yaml +++ b/helm/teleport-kube-agent/templates/pdb.yaml @@ -2,7 +2,7 @@ {{- if .Capabilities.APIVersions.Has "policy/v1" }} apiVersion: policy/v1 {{- else }} -apiVersion: policy/v1 +apiVersion: policy/v1beta1 {{- end }} kind: PodDisruptionBudget metadata: diff --git a/helm/teleport-kube-agent/templates/psp.yaml b/helm/teleport-kube-agent/templates/psp.yaml index aa3578c..bdf8b10 100644 --- a/helm/teleport-kube-agent/templates/psp.yaml +++ b/helm/teleport-kube-agent/templates/psp.yaml 
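Review bot: `{{- if contains "jamf" (.Values.roles | toString) }}` is now repeated in this volume block, in the mount blocks above, and in statefulset.yaml, secret.yaml and _config.tpl, so the role test can drift between files. A named template in _helpers.tpl, `{{- define "teleport-kube-agent.jamfEnabled" -}}{{ contains "jamf" (.Values.roles | toString) }}{{- end -}}`, lets each site write `{{- if eq (include "teleport-kube-agent.jamfEnabled" .) "true" }}`. The `volumes:` list this entry belongs to starts outside the hunk.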
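Review bot: The post-install hook image on the `image:` line moves backwards from `alpine/k8s:1.30.0` to `alpine/k8s:1.26.0`, which looks like a vendor resync overwriting a local bump rather than a deliberate downgrade. The older bundle lacks the kubectl fixes that landed after 1.26 and may fall outside the supported version skew of the clusters this chart targets; if the downgrade is unintended, restore `image: alpine/k8s:1.30.0`. Pinning the image by digest would also keep the hook image stable across future resyncs. The job spec continues outside the hunk.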
@@ -2,7 +2,7 @@ We must remove them before 1.25 to ensure the Helm state doesn't corrupt. As this is a breaking change, this only applies to v12+ charts. v11 and below will only show a warning from the NOTES.txt. Users must use PSAs instead (beta in 1.23, GA in 1.25). The "teleport-cluster" chart runs in "baseline" mode */}} -{{- if and (not .Values.global.podSecurityStandards.enforced) .Values.podSecurityPolicy.enabled (semverCompare "<1.25.0" .Capabilities.KubeVersion.Version) -}} +{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) -}} apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: diff --git a/helm/teleport-kube-agent/templates/role.yaml b/helm/teleport-kube-agent/templates/role.yaml index 9cffd88..22b53a1 100644 --- a/helm/teleport-kube-agent/templates/role.yaml +++ b/helm/teleport-kube-agent/templates/role.yaml @@ -11,4 +11,4 @@ rules: - apiGroups: [""] # objects is "secrets" resources: ["secrets"] - verbs: ["create", "get", "update","patch"] \ No newline at end of file + verbs: ["create", "get", "update", "patch"] diff --git a/helm/teleport-kube-agent/templates/secret.yaml b/helm/teleport-kube-agent/templates/secret.yaml index 0b23ec1..3489968 100644 --- a/helm/teleport-kube-agent/templates/secret.yaml +++ b/helm/teleport-kube-agent/templates/secret.yaml 
@@ -17,3 +17,23 @@ stringData: auth-token: | {{ coalesce .Values.joinParams.tokenName .Values.authToken }} {{- end}} + +{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.jamfCredentialsSecret.name }} + namespace: {{ .Release.Namespace }} + {{- if .Values.extraLabels.secret }} + labels: + {{- toYaml .Values.extraLabels.secret | nindent 4 }} + {{- end }} + {{- if .Values.annotations.secret }} + annotations: + {{- toYaml .Values.annotations.secret | nindent 4 }} + {{- end }} +type: Opaque +stringData: + credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }} +{{- end}} diff --git a/helm/teleport-kube-agent/templates/statefulset.yaml b/helm/teleport-kube-agent/templates/statefulset.yaml index 81ba51e..1df3dcd 100644 --- a/helm/teleport-kube-agent/templates/statefulset.yaml +++ b/helm/teleport-kube-agent/templates/statefulset.yaml @@ -107,6 +107,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} + {{- if contains "jamf" (.Values.roles | toString) }} + - mountPath: /etc/teleport-jamf-api-credentials + name: "jamf-api-credentials" + readOnly: true + {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} 
@@ -121,26 +126,11 @@ spec: {{- end }} containers: - name: "teleport" - image: '{{ include "registry" . }}/{{ .Values.image.repository }}:{{ include "teleport-kube-agent.version" . }}' + image: {{ include "teleport-kube-agent.image" . | quote }} {{- if .Values.imagePullPolicy }} imagePullPolicy: {{ toYaml .Values.imagePullPolicy }} {{- end }} env: - {{- $proxy := deepCopy .Values.cluster.proxy | mustMerge .Values.proxy }} - {{- if and $proxy.noProxy $proxy.http $proxy.https }} - - name: NO_PROXY - value: {{ $proxy.noProxy }} - - name: no_proxy - value: {{ $proxy.noProxy }} - - name: HTTP_PROXY - value: {{ $proxy.http }} - - name: http_proxy - value: {{ $proxy.http }} - - name: HTTPS_PROXY - value: {{ $proxy.https }} - - name: https_proxy - value: {{ $proxy.https }} - {{- end }} # This variable is set for telemetry purposes. # Telemetry is opt-in and controlled at the auth level. - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT @@ -222,6 +212,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} +{{- if contains "jamf" (.Values.roles | toString) }} + - mountPath: /etc/teleport-jamf-api-credentials + name: "jamf-api-credentials" + readOnly: true +{{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} @@ -244,6 +239,11 @@ spec: secret: secretName: {{ .Values.tls.existingCASecretName }} {{- end }} +{{- if contains "jamf" (.Values.roles | toString) }} + - name: "jamf-api-credentials" + secret: + secretName: {{ .Values.jamfCredentialsSecret.name }} +{{- end }} {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 6 }} {{- end }} diff --git a/helm/teleport-kube-agent/values.schema.json b/helm/teleport-kube-agent/values.schema.json index 9326acb..33e9fdc 100644 --- a/helm/teleport-kube-agent/values.schema.json +++ b/helm/teleport-kube-agent/values.schema.json 
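Review bot: Removing the `NO_PROXY`/`HTTP_PROXY`/`HTTPS_PROXY` env block from the `teleport` container means agents on clusters that reach the Teleport proxy only through an egress proxy lose that configuration; the matching `proxy` and `cluster.proxy` values are dropped from values.yaml and values.schema.json in this commit, and the removed comment states the `cluster.proxy` values were generated by cluster-apps-operator. If egress-proxied clusters are still in scope, the block should be restored; otherwise the removal needs to be called out as a breaking change so those clusters can supply the variables another way. The container spec starts outside the hunk.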
@@ -2,7 +2,6 @@ "$schema": "http://json-schema.org/draft-07/schema", "type": "object", "required": [ - "global", "proxyAddr", "roles", "joinParams", @@ -38,34 +37,9 @@ "initContainers", "resources", "tolerations", - "probeTimeoutSeconds", - "proxy", - "cluster" + "probeTimeoutSeconds" ], "properties": { - "global": { - "$id": "#/properties/global", - "type": "object", - "required": [ - "podSecurityStandards" - ], - "properties": { - "podSecurityStandards": { - "$id": "#/properties/global/properties/podSecurityStandards", - "type": "object", - "required": [ - "enforced" - ], - "properties": { - "enforced": { - "$id": "#/properties/global/properties/podSecurityStandards/properties/enforced", - "type": "boolean", - "default": false - } - } - } - } - }, "authToken": { "$id": "#/properties/authToken", "type": "string", @@ -368,19 +342,8 @@ }, "image": { "$id": "#/properties/image", - "type": "object", - "properties": { - "registry": { - "$id": "#/properties/image/registry", - "type": "string", - "default": "public.ecr.aws" - }, - "repository": { - "$id": "#/properties/image/repository", - "type": "string", - "default": "gravitational/teleport-distroless" - } - } + "type": "string", + "default": "public.ecr.aws/gravitational/teleport-distroless" }, "enterpriseImage": { "$id": "#/properties/enterpriseImage", @@ -395,7 +358,7 @@ "replicaCount": { "$id": "#/properties/replicaCount", "type": "integer", - "default": 2 + "default": 1 }, "clusterRoleName": { "$id": "#/properties/clusterRoleName", @@ -437,7 +400,7 @@ "enabled": { "$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/enabled", "type": "boolean", - "default": true + "default": false }, "minAvailable": { "$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/minAvailable", 
@@ -777,40 +740,38 @@ "additionalProperties": false } }, - "proxy": { - "$id": "#/properties/proxy", + "jamfCredentialsSecret": { + "$id": "#/properties/jamfCredentialsSecret", "type": "object", + "required": ["create", "name"], "properties": { - "http": { - "type": ["null", "string"] + "create": { + "$id": "#/properties/jamfCredentialsSecret/create", + "type": "boolean", + "default": true }, - "https": { - "type": ["null", "string"] + "name": { + "$id": "#/properties/jamfCredentialsSecret/name", + "type": "string", + "default": "teleport-jamf-api-credentials" }, - "noProxy": { - "type": ["null", "string"] - } - } + "additionalProperties": false + } }, - "cluster": { - "$id": "#/properties/cluster", - "type": "object", - "properties": { - "proxy": { - "type": "object", - "properties": { - "http": { - "type": ["null", "string"] - }, - "https": { - "type": ["null", "string"] - }, - "noProxy": { - "type": ["null", "string"] - } - } - } - } + "jamfApiEndpoint": { + "$id": "#/properties/jamfApiEndpoint", + "type": "string", + "default": "" + }, + "jamfClientId": { + "$id": "#/properties/jamfClientId", + "type": "string", + "default": "" + }, + "jamfClientSecret": { + "$id": "#/properties/jamfSecret", + "type": "string", + "default": "" } } } diff --git a/helm/teleport-kube-agent/values.yaml b/helm/teleport-kube-agent/values.yaml index d42872c..d0ea5a4 100644 --- a/helm/teleport-kube-agent/values.yaml +++ b/helm/teleport-kube-agent/values.yaml @@ -2,12 +2,6 @@ # Values that must always be provided by the user. ################################################################ -global: - podSecurityStandards: - enforced: false - - image: - registry: "" # roles(string) -- is a comma-separated list of services which will be enabled # when running the `teleport-kube-agent` chart. # 
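Review bot: In the new `jamfCredentialsSecret` schema the `"additionalProperties": false` entry is placed inside `properties`, so it declares a property named `additionalProperties` whose schema is `false` instead of rejecting unknown keys; move it one level up, beside `"required": ["create", "name"]`. The `jamfClientSecret` entry also carries `"$id": "#/properties/jamfSecret"`, which does not match its key and should read `"$id": "#/properties/jamfClientSecret"`.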
@@ -17,6 +11,7 @@ global: # | Teleport Application service | `app` | [`apps`](#apps) or [`appResources`](#appresources) | # | Teleport Database service | `db` | [`databases`](#databases) or [`databaseResources`](#databaseresources) | # | Teleport Discovery service | `discovery` | [`kubeClusterName`](#kubeclustername) | +# | Teleport Jamf service | `jamf` | [`jamfApiEndpoint`](#jamfapiendpoint), [`jamfClientId`](#jamfclientid) | # # For example: # ```yaml @@ -178,7 +173,7 @@ appResources: [] # awsDatabases(list) -- configures AWS database auto-discovery. # # -# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../../database-access/guides/rds.mdx#step-36-create-iam-policies-for-teleport). +# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../../database-access/enroll-aws-databases/rds.mdx#step-36-create-iam-policies-for-teleport). # After configuring a role, you can use an `eks.amazonaws.com/role-arn` annotation with the `annotations.serviceAccount` value to associate it with the service account and grant permissions: # # ```yaml 
@@ -218,7 +213,7 @@ awsDatabases: [] # azureDatabases(list) -- configures Azure database auto-discovery. # -# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../../database-access/guides/azure-postgres-mysql.mdx#step-46-configure-iam-permissions-for-teleport). +# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../../database-access/enroll-azure-databases/azure-postgres-mysql.mdx#step-35-configure-iam-permissions-for-teleport). # # After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods. # The easiest way is to use an Azure client secret. @@ -390,6 +385,10 @@ databaseResources: [] # documentation](../../../auto-discovery/kubernetes-applications/architecture.mdx) # for more details. # +# +# The Discovery mechanism ignores Kubernetes services running in the `kube-system` and +# `kube-public` namespaces. +# # The default value will try to discover all apps running in Kubernetes. # The discovery can be restricted through this value. For example: # 
@@ -410,6 +409,61 @@ kubernetesDiscovery: labels: "*": "*" +################################################################ +# Values that must be provided if Jamf service is enabled. +################################################################ + +# jamfApiEndpoint(string) -- sets the Jamf Pro API endpoint used for Jamf service. +# Example: "https://yourtenant.jamfcloud.com/api". +# +# This setting is required if the chart `roles` contains `jamf`. +jamfApiEndpoint: "" + +# jamfClientId(string) -- sets the Jamf Pro API Client ID used for Jamf service. +# +# This setting is required if the chart `roles` contains `jamf`. +jamfClientId: "" + +# jamfClientSecret(string) -- sets the Jamf Pro API client secret used for Jamf service. +# +# This setting is required if the chart `roles` contains `jamf` and `jamfCredentialsSecret.create` is set to `true`. +# If you provide your own Kubernetes Secret, this setting can remain unset. +jamfClientSecret: "" + +# jamfCredentialsSecret -- manages the Kubernetes Secret containing the Jamf API credentials (either Jamf client secret or password). +jamfCredentialsSecret: + # jamfCredentialsSecret.create(bool) -- controls whether the chart creates the + # Kubernetes `Secret` containing the Jamf Pro API Client Secret. + # If false, you must create a Kubernetes Secret with the configured name in + # the Helm release namespace. + create: true + # jamfCredentialsSecret.name(string) -- is the name of the Kubernetes Secret + # containing the Jamf Pro API Client Secret used by the chart. + # + # If `jamfCredentialsSecret.create` is `false`, the chart will not attempt to create the secret itself. + # Instead, it will read the value from an existing Kubernetes Secret. `jamfCredentialsSecret.name` + # configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext + # Jamf Pro API Client Secret stored in your Teleport chart values. 
+ # + # To create your own Kubernetes Secret containing Jamf Pro API Client Secret, run the command: + # + # ```code + # $ kubectl --namespace teleport create secret generic my-jamf-secret --from-literal=credential= + # ``` + # + # + # The key used for the Jamf Pro API Client Secret inside the secret must be `credential`, as in the command above. + # + # + # For example: + # + # ```yaml + # jamfCredentialsSecret: + # create: false + # name: my-jamf-secret + # ``` + name: teleport-jamf-api-credentials + ################################################################ # Values that you may need to change. ################################################################ @@ -598,6 +652,33 @@ updater: # binary. extraArgs: [] + # updater.extraVolumes(list) -- contains extra volumes to mount into the Updater pods. + # See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/) + # for more details. + # + # For example: + # ```yaml + # updater: + # extraVolumes: + # - name: myvolume + # secret: + # secretName: testSecret + # ``` + extraVolumes: [] + + # updater.extraVolumeMounts(list) -- contains extra volumes mounts for the updater. + # See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/) + # for more details. + # + # For example: + # ```yaml + # updater: + # extraVolumesMounts: + # - name: myvolume + # mountPath: /path/on/host + # ``` + extraVolumeMounts: [] + # existingDataVolume(string) -- is the name of an existing Kubernetes Persistent # Volume that should be mounted at `/var/lib/teleport`. # 
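Review bot: The `kubectl create secret` example in the `jamfCredentialsSecret.name` comment ends with `--from-literal=credential=` and no value, which looks like a placeholder lost in rendering; a visible marker such as `--from-literal=credential=<jamf-client-secret>` makes the command copy-safe and signals that the value is sensitive. The `jamfCredentialsSecret` description also says "(either Jamf client secret or password)" while every other line in the hunk documents only a client secret; if password authentication is not supported by this chart, the parenthesis should be dropped.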
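Review bot: The example in the new `updater.extraVolumeMounts` comment uses the key `extraVolumesMounts:`, which does not match the value it documents and will be silently ignored if copied; change the comment line to `#   extraVolumeMounts:`. The `updater` mapping these keys belong to starts outside the hunk.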
@@ -678,7 +759,7 @@ highAvailability: # (via [`authToken`](#authToken), [`joinParams`](#joinParams), or [`joinTokenSecret`](#joinTokenSecret)) # is still valid. Each replica has its own identity and needs to join the Teleport # cluster on its first startup. - replicaCount: 2 + replicaCount: 1 # highAvailability.requireAntiAffinity(bool) -- configures Kubernetes `requiredDuringSchedulingIgnoredDuringExecution` # to require that multiple Teleport pods must not be scheduled on the same physical host. @@ -703,7 +784,7 @@ highAvailability: podDisruptionBudget: # highAvailability.podDisruptionBudget.enabled(bool) -- makes the chart create # a Kubernetes PodDisruptionBudget for the agent pods. - enabled: true + enabled: false # highAvailability.podDisruptionBudget.minAvailable(int) -- is the minimum # available pod specified on the PodDisruptionBudget. @@ -800,9 +881,7 @@ adminClusterRoleBinding: # This setting only takes effect when [`enterprise`](#enterprise) is `false`. # When running an enterprise version, you must use # [`enterpriseImage`](#enterpriseImage) instead. -image: - registry: ®istry gsoci.azurecr.io - repository: giantswarm/teleport-distroless +image: public.ecr.aws/gravitational/teleport-distroless # enterpriseImage(string) -- sets the container image used for Teleport Enterprise # agent pods created by the chart. @@ -978,14 +1057,7 @@ log: # affinity(object) -- sets the affinities for any pods created by the chart. # See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) # for more details. -affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - preference: - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists - weight: 10 +affinity: {} # dnsConfig(object) -- contains custom Pod DNS Configuration for the agent pods. # This value is useful if you need to reduce the DNS load: set "ndots" to 0 and 
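Review bot: `replicaCount: 1` together with `podDisruptionBudget.enabled: false` in the next hunk removes the previous HA default for the agent, so a node drain takes the only agent pod down and with it the Kubernetes, app and database access it fronts. Existing installs that never set these values will be scaled down on upgrade, so the change should be announced as a behaviour change rather than left implicit in a version bump. The `highAvailability` mapping starts outside the hunk.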
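Review bot: The `image:` default changes from `gsoci.azurecr.io/giantswarm/teleport-distroless` to `public.ecr.aws/gravitational/teleport-distroless`, and with the `registry` helper and `global.image.registry` removed in this commit there is no longer a value to redirect pulls to a mirror. Clusters that only allow the org registry, or that rely on mirrored and scanned images, will either fail to pull or start pulling directly from the upstream public registry; if the upstream default is intended, document it, otherwise keep the org image here. The tag still comes from `teleport-kube-agent.version`, so only the repository part is affected.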
@@ -1178,29 +1250,37 @@ resources: {} # See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) # for more details. # +# The default value is compatible with [the restricted PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/). +# # To unset the security context, set it to `null` or `~`. initSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault # securityContext(object) -- sets the container security context for any pods created by the chart. # See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) # for more details. # +# The default value is compatible with [the restricted PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/). +# # To unset the security context, set it to `null` or `~`. securityContext: allowPrivilegeEscalation: false capabilities: drop: - - all + - ALL readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 9807 + seccompProfile: + type: RuntimeDefault # podSecurityContext(object) -- sets the pod security context for any pods created by the chart. # See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) 
@@ -1219,26 +1299,8 @@ priorityClassName: "" # tolerations(list) -- sets the tolerations for any pods created by the chart. # See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) # for more details. -tolerations: - - effect: NoSchedule - key: node-role.kubernetes.io/control-plane - - effect: NoSchedule - key: node.cluster.x-k8s.io/uninitialized - operator: "Exists" +tolerations: [] # probeTimeoutSeconds(int) -- sets the timeout for the readiness and liveness probes # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ probeTimeoutSeconds: 1 - -# set the HTTP_PROXY, HTTPS_PROXY and NO_PROXY variable -proxy: - noProxy: - http: - https: -cluster: - # is getting overwritten by the top level proxy if set - # These values are generated via cluster-apps-operator - proxy: - noProxy: - http: - https: diff --git a/vendir.lock.yml b/vendir.lock.yml index f8f15d5..d87c194 100644 --- a/vendir.lock.yml +++ b/vendir.lock.yml @@ -2,8 +2,8 @@ apiVersion: vendir.k14s.io/v1alpha1 directories: - contents: - helmChart: - appVersion: 15.1.9 - version: 15.1.9 + appVersion: 16.0.1 + version: 16.0.1 path: teleport-kube-agent path: helm kind: LockConfig diff --git a/vendir.yml b/vendir.yml index 9ec0548..5766f13 100644 --- a/vendir.yml +++ b/vendir.yml @@ -6,7 +6,7 @@ directories: - path: teleport-kube-agent helmChart: name: "teleport-kube-agent" - version: "15.1.9" + version: "16.0.1" repository: url: https://charts.releases.teleport.dev newRootPath: .