Sync with upstream (#5)

giantswarm · Jul 13, 2023 · 9998bb9 · 9998bb9
1 parent 73bba91
commit 9998bb9
Show file tree

Hide file tree

Showing 33 changed files with 2,374 additions and 93 deletions.
diff --git a/.abs/main.yaml b/.abs/main.yaml
@@ -1,4 +1,4 @@
 replace-chart-version-with-git: true
 generate-metadata: true
-chart-dir: ./helm/teleport-kube-agent-app
+chart-dir: ./helm/teleport-kube-agent
 destination: ./build
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -11,7 +11,7 @@ workflows:
           name: "package and push teleport-kube-agent-app chart"
           app_catalog: "giantswarm-playground-catalog"
           app_catalog_test: "giantswarm-playground-test-catalog"
-          chart: "teleport-kube-agent-app"
+          chart: "teleport-kube-agent"
           # Trigger job on git tag.
           filters:
             tags:

diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+
+.DS_Store
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixes
 - Update Chart.yaml to [fix this](https://app.circleci.com/pipelines/github/giantswarm/teleport-kube-agent-app/1/workflows/e58da8df-838e-4118-9411-522ed1dec2ec/jobs/1)
 
+### Added
+- Sync with upstream chart
+
 ## [0.1.0] - 2023-06-28
 
 ### Added

diff --git a/helm/teleport-kube-agent-app/templates/_helpers.tpl b/helm/teleport-kube-agent-app/templates/_helpers.tpl
diff --git a/helm/teleport-kube-agent-app/values.schema.json b/helm/teleport-kube-agent-app/values.schema.json
diff --git a/helm/teleport-kube-agent-app/values.yaml b/helm/teleport-kube-agent-app/values.yaml
diff --git a/helm/teleport-kube-agent-app/Chart.yaml → helm/teleport-kube-agent/Chart.yaml b/helm/teleport-kube-agent-app/Chart.yaml → helm/teleport-kube-agent/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.0.1
+appVersion: 13.1.0
 
 name: teleport-kube-agent
 

diff --git a/helm/teleport-kube-agent/ci/ci-values.yaml b/helm/teleport-kube-agent/ci/ci-values.yaml
@@ -0,0 +1,4 @@
+proxyAddr: "teleport.demo.gaws.gigantic.io:443"
+authToken: "test"
+kubeClusterName: "test"
+roles: "kube"
diff --git a/helm/teleport-kube-agent/templates/NOTES.txt b/helm/teleport-kube-agent/templates/NOTES.txt
@@ -0,0 +1,22 @@
+{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) }}
+SECURITY WARNING: Kubernetes 1.25 removes PodSecurityPolicy support and Helm
+doesn't support upgrading from 1.24 to 1.25 with PSPs enabled. Since version 12
+the `teleport-cluster` chart doesn't deploy PSPs on Kubernetes 1.23 or older.
+Instead, we recommend you to configure Pod Security AdmissionControllers for
+the namespace "{{.Release.Namespace}}" by adding the label
+`pod-security.kubernetes.io/enforce: baseline` on the namespace resource.
+
+See https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
+
+To remove this warning, explicitly set "podSecurityPolicy.enabled=false".
+{{- end }}
+
+{{- if .Values.teleportVersionOverride }}
+
+DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
+This chart is designed to run Teleport version {{ .Chart.AppVersion }}.
+You will face compatibility issues trying to run a different Teleport version with it.
+
+If you want to run Teleport version {{.Values.teleportVersionOverride}},
+you should use `helm --version {{.Values.teleportVersionOverride}}` instead.
+{{- end }}
diff --git a/helm/teleport-kube-agent/templates/_config.tpl b/helm/teleport-kube-agent/templates/_config.tpl
@@ -0,0 +1,116 @@
+{{- define "teleport-kube-agent.config" -}}
+{{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}}
+{{- if (ge (include "teleport-kube-agent.version" . | semver).Major 11) }}
+version: v3
+{{- end }}
+teleport:
+  join_params:
+    method: "{{ .Values.joinParams.method }}"
+    token_name: "/etc/teleport-secrets/auth-token"
+  {{- if (ge (include "teleport-kube-agent.version" . | semver).Major 11) }}
+  proxy_server: {{ required "proxyAddr is required in chart values" .Values.proxyAddr }}
+  {{- else }}
+  auth_servers: ["{{ required "proxyAddr is required in chart values" .Values.proxyAddr }}"]
+  {{- end }}
+  {{- if .Values.caPin }}
+  ca_pin: {{- toYaml .Values.caPin | nindent 8 }}
+  {{- end }}
+  log:
+    severity: {{ $logLevel }}
+    output: {{ .Values.log.output }}
+    format:
+      output: {{ .Values.log.format }}
+      extra_fields: {{ .Values.log.extraFields | toJson }}
+
+kubernetes_service:
+  {{- if or (contains "kube" (.Values.roles | toString)) (empty .Values.roles) }}
+  enabled: true
+  kube_cluster_name: {{ required "kubeClusterName is required in chart values when kube role is enabled, see README" .Values.kubeClusterName }}
+    {{- if .Values.labels }}
+  labels: {{- toYaml .Values.labels | nindent 8 }}
+    {{- end }}
+  {{- else }}
+  enabled: false
+  {{- end }}
+
+app_service:
+  {{- if contains "app" (.Values.roles | toString) }}
+  enabled: true
+  {{- if not (or (.Values.apps) (.Values.appResources)) }}
+    {{- fail "at least one of 'apps' and 'appResources' is required in chart values when app role is enabled, see README" }}
+  {{- end }}
+  {{- if .Values.apps }}
+    {{- range $app := .Values.apps }}
+      {{- if not (hasKey $app "name") }}
+        {{- fail "'name' is required for all 'apps' in chart values when app role is enabled, see README" }}
+      {{- end }}
+      {{- if not (hasKey $app "uri") }}
+        {{- fail "'uri' is required for all 'apps' in chart values when app role is enabled, see README" }}
+      {{- end }}
+    {{- end }}
+  apps:
+    {{- toYaml .Values.apps | nindent 8 }}
+  {{- end }}
+  {{- if .Values.appResources }}
+  resources:
+    {{- toYaml .Values.appResources | nindent 8 }}
+  {{- end }}
+  {{- else }}
+  enabled: false
+  {{- end }}
+
+db_service:
+  {{- if contains "db" (.Values.roles | toString) }}
+  enabled: true
+  {{- if not (or (.Values.awsDatabases) (.Values.azureDatabases) (.Values.databases) (.Values.databaseResources)) }}
+    {{- fail "at least one of 'awsDatabases', 'azureDatabases', 'databases' or 'databaseResources' is required in chart values when db role is enabled, see README" }}
+  {{- end }}
+  {{- if .Values.awsDatabases }}
+  aws:
+    {{- range $awsDb := .Values.awsDatabases }}
+      {{- if not (hasKey $awsDb "types") }}
+        {{- fail "'types' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }}
+      {{- end }}
+      {{- if not (hasKey $awsDb "regions") }}
+        {{- fail "'regions' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }}
+      {{- end }}
+      {{- if not (hasKey $awsDb "tags") }}
+        {{- fail "'tags' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }}
+      {{- end }}
+    {{- end }}
+    {{- toYaml .Values.awsDatabases | nindent 6 }}
+  {{- end }}
+  {{- if .Values.azureDatabases }}
+  azure:
+    {{- toYaml .Values.azureDatabases | nindent 6 }}
+  {{- end}}
+  {{- if .Values.databases }}
+  databases:
+    {{- range $db := .Values.databases }}
+      {{- if not (hasKey $db "name") }}
+        {{- fail "'name' is required for all 'databases' in chart values when db role is enabled, see README" }}
+      {{- end }}
+      {{- if not (hasKey $db "uri") }}
+        {{- fail "'uri' is required for all 'databases' is required in chart values when db role is enabled, see README" }}
+      {{- end }}
+      {{- if not (hasKey $db "protocol") }}
+        {{- fail "'protocol' is required for all 'databases' in chart values when db role is enabled, see README" }}
+      {{- end }}
+    {{- end }}
+    {{- toYaml .Values.databases | nindent 6 }}
+  {{- end }}
+  {{- if .Values.databaseResources }}
+  resources:
+    {{- toYaml .Values.databaseResources | nindent 6 }}
+  {{- end }}
+{{- else }}
+  enabled: false
+{{- end }}
+
+auth_service:
+  enabled: false
+ssh_service:
+  enabled: false
+proxy_service:
+  enabled: false
+{{- end -}}
diff --git a/helm/teleport-kube-agent/templates/_helpers.tpl b/helm/teleport-kube-agent/templates/_helpers.tpl
@@ -0,0 +1,46 @@
+{{- define "teleport.kube.agent.isUpgrade" -}}
+{{- /* Checks if action is an upgrade from an old release that didn't support Secret storage */}}
+{{- if .Release.IsUpgrade }}
+  {{- $deployment := (lookup "apps/v1" "Deployment"  .Release.Namespace .Release.Name ) -}}
+  {{- if ($deployment) }}
+true
+  {{- else if .Values.unitTestUpgrade }}
+true
+  {{- end }}
+{{- end }}
+{{- end -}}
+{{/*
+Create the name of the service account to use
+if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name
+*/}}
+{{- define "teleport-kube-agent.serviceAccountName" -}}
+{{- coalesce .Values.serviceAccount.name .Values.serviceAccountName .Release.Name -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use for the post-delete hook
+if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name-delete-hook
+*/}}
+{{- define "teleport-kube-agent.deleteHookServiceAccountName" -}}
+{{- coalesce .Values.serviceAccount.name .Values.serviceAccountName (printf "%s-delete-hook" .Release.Name) -}}
+{{- end -}}
+
+{{- define "teleport-kube-agent.version" -}}
+{{- if .Values.teleportVersionOverride -}}
+  {{- .Values.teleportVersionOverride -}}
+{{- else -}}
+  {{- .Chart.Version -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "teleport-kube-agent.baseImage" -}}
+{{- if .Values.enterprise -}}
+  {{- .Values.enterpriseImage -}}
+{{- else -}}
+  {{- .Values.image -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "teleport-kube-agent.image" -}}
+{{ include "teleport-kube-agent.baseImage" . }}:{{ include "teleport-kube-agent.version" . }}
+{{- end -}}
diff --git a/helm/teleport-kube-agent/templates/clusterrole.yaml b/helm/teleport-kube-agent/templates/clusterrole.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.clusterRoleName | default .Release.Name }}
+{{- if .Values.extraLabels.clusterRole }}
+  labels:
+  {{- toYaml .Values.extraLabels.clusterRole | nindent 4 }}
+{{- end }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - users
+  - groups
+  - serviceaccounts
+  verbs:
+  - impersonate
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+- apiGroups:
+  - "authorization.k8s.io"
+  resources:
+  - selfsubjectaccessreviews
+  verbs:
+  - create
+{{- end -}}
diff --git a/helm/teleport-kube-agent/templates/clusterrolebinding.yaml b/helm/teleport-kube-agent/templates/clusterrolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.clusterRoleBindingName | default .Release.Name }}
+{{- if .Values.extraLabels.clusterRoleBinding }}
+  labels:
+  {{- toYaml .Values.extraLabels.clusterRoleBinding | nindent 4 }}
+{{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.clusterRoleName | default .Release.Name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "teleport-kube-agent.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/helm/teleport-kube-agent/templates/config.yaml b/helm/teleport-kube-agent/templates/config.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}
+  namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.config }}
+  labels:
+  {{- toYaml .Values.extraLabels.config | nindent 4 }}
+{{- end }}
+  {{- if .Values.annotations.config }}
+  annotations:
+    {{- toYaml .Values.annotations.config | nindent 4 }}
+  {{- end }}
+data:
+  teleport.yaml: |
+    {{- mustMergeOverwrite (include "teleport-kube-agent.config" . | fromYaml) .Values.teleportConfig | toYaml | nindent 4 -}}