generated from giantswarm/template-app
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 33 changed files with 2,374 additions and 93 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,4 @@ | ||
replace-chart-version-with-git: true | ||
generate-metadata: true | ||
chart-dir: ./helm/teleport-kube-agent-app | ||
chart-dir: ./helm/teleport-kube-agent | ||
destination: ./build |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
|
||
.DS_Store |
This file was deleted.
This file was deleted.
This file was deleted.
2 changes: 1 addition & 1 deletion
helm/teleport-kube-agent-app/Chart.yaml → helm/teleport-kube-agent/Chart.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
apiVersion: v2 | ||
appVersion: 0.0.1 | ||
appVersion: 13.1.0 | ||
|
||
name: teleport-kube-agent | ||
|
||
|
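Review bot: the bump to `appVersion: 13.1.0` only reaches `{{ .Chart.AppVersion }}` in NOTES.txt; the image tag (`teleport-kube-agent.image`) and the `version: v3`/`proxy_server` gating in config.tpl both go through `teleport-kube-agent.version`, which falls back to `.Chart.Version`, and the build config keeps `replace-chart-version-with-git: true`, so the rendered image tag will be this app's git version rather than the Teleport release. Please confirm that is intended, or make the helper fall back to `.Chart.AppVersion` so the deployed image actually matches the version this hunk declares.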
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
proxyAddr: "teleport.demo.gaws.gigantic.io:443" | ||
authToken: "test" | ||
kubeClusterName: "test" | ||
roles: "kube" |
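Review bot: this values file commits a literal `authToken: "test"` next to a real-looking `proxyAddr`; config.tpl reads the join token from `/etc/teleport-secrets/auth-token`, so the real token should come from a pre-existing Secret referenced at install time, never from a values file tracked in git. If these are CI-only test values, name the file so that is obvious and make sure the demo proxy address is not one a test run can actually join.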
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) }} | ||
SECURITY WARNING: Kubernetes 1.25 removes PodSecurityPolicy support and Helm | ||
doesn't support upgrading from 1.24 to 1.25 with PSPs enabled. Since version 12 | ||
the `teleport-cluster` chart doesn't deploy PSPs on Kubernetes 1.23 or older. | ||
Instead, we recommend you to configure Pod Security AdmissionControllers for | ||
the namespace "{{.Release.Namespace}}" by adding the label | ||
`pod-security.kubernetes.io/enforce: baseline` on the namespace resource. | ||
|
||
See https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/ | ||
|
||
To remove this warning, explicitly set "podSecurityPolicy.enabled=false". | ||
{{- end }} | ||
|
||
{{- if .Values.teleportVersionOverride }} | ||
|
||
DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version. | ||
This chart is designed to run Teleport version {{ .Chart.AppVersion }}. | ||
You will face compatibility issues trying to run a different Teleport version with it. | ||
|
||
If you want to run Teleport version {{.Values.teleportVersionOverride}}, | ||
you should use `helm --version {{.Values.teleportVersionOverride}}` instead. | ||
{{- end }} |
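Review bot: the PSP warning text refers to the `teleport-cluster` chart and its version 12, but this is the kube-agent chart; reword it so users are not sent to another chart's migration notes. The `semverCompare "<1.23.0-0"` condition only fires on clusters older than 1.23, yet the text says PSPs are not deployed on "1.23 or older", so one of the two is reversed. Also `helm --version {{.Values.teleportVersionOverride}}` is not a valid command; `--version` is a flag of `helm install`/`helm upgrade`.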
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,116 @@ | ||
{{- define "teleport-kube-agent.config" -}} | ||
{{- $logLevel := (coalesce .Values.logLevel .Values.log.level "INFO") -}} | ||
{{- if (ge (include "teleport-kube-agent.version" . | semver).Major 11) }} | ||
version: v3 | ||
{{- end }} | ||
teleport: | ||
join_params: | ||
method: "{{ .Values.joinParams.method }}" | ||
token_name: "/etc/teleport-secrets/auth-token" | ||
{{- if (ge (include "teleport-kube-agent.version" . | semver).Major 11) }} | ||
proxy_server: {{ required "proxyAddr is required in chart values" .Values.proxyAddr }} | ||
{{- else }} | ||
auth_servers: ["{{ required "proxyAddr is required in chart values" .Values.proxyAddr }}"] | ||
{{- end }} | ||
{{- if .Values.caPin }} | ||
ca_pin: {{- toYaml .Values.caPin | nindent 8 }} | ||
{{- end }} | ||
log: | ||
severity: {{ $logLevel }} | ||
output: {{ .Values.log.output }} | ||
format: | ||
output: {{ .Values.log.format }} | ||
extra_fields: {{ .Values.log.extraFields | toJson }} | ||
|
||
kubernetes_service: | ||
{{- if or (contains "kube" (.Values.roles | toString)) (empty .Values.roles) }} | ||
enabled: true | ||
kube_cluster_name: {{ required "kubeClusterName is required in chart values when kube role is enabled, see README" .Values.kubeClusterName }} | ||
{{- if .Values.labels }} | ||
labels: {{- toYaml .Values.labels | nindent 8 }} | ||
{{- end }} | ||
{{- else }} | ||
enabled: false | ||
{{- end }} | ||
|
||
app_service: | ||
{{- if contains "app" (.Values.roles | toString) }} | ||
enabled: true | ||
{{- if not (or (.Values.apps) (.Values.appResources)) }} | ||
{{- fail "at least one of 'apps' and 'appResources' is required in chart values when app role is enabled, see README" }} | ||
{{- end }} | ||
{{- if .Values.apps }} | ||
{{- range $app := .Values.apps }} | ||
{{- if not (hasKey $app "name") }} | ||
{{- fail "'name' is required for all 'apps' in chart values when app role is enabled, see README" }} | ||
{{- end }} | ||
{{- if not (hasKey $app "uri") }} | ||
{{- fail "'uri' is required for all 'apps' in chart values when app role is enabled, see README" }} | ||
{{- end }} | ||
{{- end }} | ||
apps: | ||
{{- toYaml .Values.apps | nindent 8 }} | ||
{{- end }} | ||
{{- if .Values.appResources }} | ||
resources: | ||
{{- toYaml .Values.appResources | nindent 8 }} | ||
{{- end }} | ||
{{- else }} | ||
enabled: false | ||
{{- end }} | ||
|
||
db_service: | ||
{{- if contains "db" (.Values.roles | toString) }} | ||
enabled: true | ||
{{- if not (or (.Values.awsDatabases) (.Values.azureDatabases) (.Values.databases) (.Values.databaseResources)) }} | ||
{{- fail "at least one of 'awsDatabases', 'azureDatabases', 'databases' or 'databaseResources' is required in chart values when db role is enabled, see README" }} | ||
{{- end }} | ||
{{- if .Values.awsDatabases }} | ||
aws: | ||
{{- range $awsDb := .Values.awsDatabases }} | ||
{{- if not (hasKey $awsDb "types") }} | ||
{{- fail "'types' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }} | ||
{{- end }} | ||
{{- if not (hasKey $awsDb "regions") }} | ||
{{- fail "'regions' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }} | ||
{{- end }} | ||
{{- if not (hasKey $awsDb "tags") }} | ||
{{- fail "'tags' is required for all 'awsDatabases' in chart values when key is set and db role is enabled, see README" }} | ||
{{- end }} | ||
{{- end }} | ||
{{- toYaml .Values.awsDatabases | nindent 6 }} | ||
{{- end }} | ||
{{- if .Values.azureDatabases }} | ||
azure: | ||
{{- toYaml .Values.azureDatabases | nindent 6 }} | ||
{{- end}} | ||
{{- if .Values.databases }} | ||
databases: | ||
{{- range $db := .Values.databases }} | ||
{{- if not (hasKey $db "name") }} | ||
{{- fail "'name' is required for all 'databases' in chart values when db role is enabled, see README" }} | ||
{{- end }} | ||
{{- if not (hasKey $db "uri") }} | ||
{{- fail "'uri' is required for all 'databases' is required in chart values when db role is enabled, see README" }} | ||
{{- end }} | ||
{{- if not (hasKey $db "protocol") }} | ||
{{- fail "'protocol' is required for all 'databases' in chart values when db role is enabled, see README" }} | ||
{{- end }} | ||
{{- end }} | ||
{{- toYaml .Values.databases | nindent 6 }} | ||
{{- end }} | ||
{{- if .Values.databaseResources }} | ||
resources: | ||
{{- toYaml .Values.databaseResources | nindent 6 }} | ||
{{- end }} | ||
{{- else }} | ||
enabled: false | ||
{{- end }} | ||
|
||
auth_service: | ||
enabled: false | ||
ssh_service: | ||
enabled: false | ||
proxy_service: | ||
enabled: false | ||
{{- end -}} |
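Review bot: `ca_pin` is optional while the join uses a static token from `/etc/teleport-secrets/auth-token`; consider documenting `caPin` (or requiring it when `joinParams.method` is `token`) so the agent pins the cluster CA during join instead of trusting only the proxy's TLS chain. Two smaller items: the failure message for the databases `uri` check reads "'uri' is required for all 'databases' is required in chart values" (duplicated "is required"), and `kubernetes_service` is enabled whenever `roles` is empty, which is a sensible default but worth stating in the README because it switches on the impersonation path granted by the ClusterRole.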
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
{{- define "teleport.kube.agent.isUpgrade" -}} | ||
{{- /* Checks if action is an upgrade from an old release that didn't support Secret storage */}} | ||
{{- if .Release.IsUpgrade }} | ||
{{- $deployment := (lookup "apps/v1" "Deployment" .Release.Namespace .Release.Name ) -}} | ||
{{- if ($deployment) }} | ||
true | ||
{{- else if .Values.unitTestUpgrade }} | ||
true | ||
{{- end }} | ||
{{- end }} | ||
{{- end -}} | ||
{{/* | ||
Create the name of the service account to use | ||
if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name | ||
*/}} | ||
{{- define "teleport-kube-agent.serviceAccountName" -}} | ||
{{- coalesce .Values.serviceAccount.name .Values.serviceAccountName .Release.Name -}} | ||
{{- end -}} | ||
{{/* | ||
Create the name of the service account to use for the post-delete hook | ||
if serviceAccount is not defined or serviceAccount.name is empty, use .Release.Name-delete-hook | ||
*/}} | ||
{{- define "teleport-kube-agent.deleteHookServiceAccountName" -}} | ||
{{- coalesce .Values.serviceAccount.name .Values.serviceAccountName (printf "%s-delete-hook" .Release.Name) -}} | ||
{{- end -}} | ||
{{- define "teleport-kube-agent.version" -}} | ||
{{- if .Values.teleportVersionOverride -}} | ||
{{- .Values.teleportVersionOverride -}} | ||
{{- else -}} | ||
{{- .Chart.Version -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- define "teleport-kube-agent.baseImage" -}} | ||
{{- if .Values.enterprise -}} | ||
{{- .Values.enterpriseImage -}} | ||
{{- else -}} | ||
{{- .Values.image -}} | ||
{{- end -}} | ||
{{- end -}} | ||
{{- define "teleport-kube-agent.image" -}} | ||
{{ include "teleport-kube-agent.baseImage" . }}:{{ include "teleport-kube-agent.version" . }} | ||
{{- end -}} |
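Review bot: the comment on `teleport-kube-agent.serviceAccountName` says it handles a missing `serviceAccount`, but `.Values.serviceAccount.name` raises a nil-pointer error in Helm when `serviceAccount` is absent from the merged values; either guard the lookup (for example `dig "serviceAccount" "name" "" .Values`) or make sure values.yaml, which is not in this view, always defines `serviceAccount`. The same applies to `teleport-kube-agent.deleteHookServiceAccountName`. Separately, `teleport-kube-agent.isUpgrade` relies on `lookup`, which returns nothing under `helm template` and `--dry-run`, so the upgrade branch is only visible in rendered output through `unitTestUpgrade`; a comment saying so would save reviewers a surprise.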
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
{{- if .Values.rbac.create -}} | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRole | ||
metadata: | ||
name: {{ .Values.clusterRoleName | default .Release.Name }} | ||
{{- if .Values.extraLabels.clusterRole }} | ||
labels: | ||
{{- toYaml .Values.extraLabels.clusterRole | nindent 4 }} | ||
{{- end }} | ||
rules: | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- users | ||
- groups | ||
- serviceaccounts | ||
verbs: | ||
- impersonate | ||
- apiGroups: | ||
- "" | ||
resources: | ||
- pods | ||
verbs: | ||
- get | ||
- apiGroups: | ||
- "authorization.k8s.io" | ||
resources: | ||
- selfsubjectaccessreviews | ||
verbs: | ||
- create | ||
{{- end -}} |
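Review bot: this ClusterRole grants cluster-wide `impersonate` on users, groups and serviceaccounts, which lets whoever holds the agent's ServiceAccount token act as any identity the API server knows; that is what Teleport's Kubernetes access needs, but it makes that token a cluster-admin-equivalent credential. Keeping it behind `rbac.create` as done here is right; please also state in the README that access to the agent's namespace (pod exec, reading its mounted token) is equivalent to cluster-admin, so operators scope namespace RBAC and audit accordingly.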
18 changes: 18 additions & 0 deletions
helm/teleport-kube-agent/templates/clusterrolebinding.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
{{- if .Values.rbac.create -}} | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: {{ .Values.clusterRoleBindingName | default .Release.Name }} | ||
{{- if .Values.extraLabels.clusterRoleBinding }} | ||
labels: | ||
{{- toYaml .Values.extraLabels.clusterRoleBinding | nindent 4 }} | ||
{{- end }} | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: {{ .Values.clusterRoleName | default .Release.Name }} | ||
subjects: | ||
- kind: ServiceAccount | ||
name: {{ template "teleport-kube-agent.serviceAccountName" . }} | ||
namespace: {{ .Release.Namespace }} | ||
{{- end -}} |
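Review bot: the ClusterRoleBinding name defaults to `.Release.Name`, and cluster-scoped names are global, so a second install of this chart under the same release name in another namespace will conflict with the first release's binding (and with the ClusterRole from the previous file); either default to a namespace-qualified name or document `clusterRoleBindingName`/`clusterRoleName` as required for multiple installs per cluster.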
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: {{ .Release.Name }} | ||
namespace: {{ .Release.Namespace }} | ||
{{- if .Values.extraLabels.config }} | ||
labels: | ||
{{- toYaml .Values.extraLabels.config | nindent 4 }} | ||
{{- end }} | ||
{{- if .Values.annotations.config }} | ||
annotations: | ||
{{- toYaml .Values.annotations.config | nindent 4 }} | ||
{{- end }} | ||
data: | ||
teleport.yaml: | | ||
{{- mustMergeOverwrite (include "teleport-kube-agent.config" . | fromYaml) .Values.teleportConfig | toYaml | nindent 4 -}} |
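Review bot: `mustMergeOverwrite` lets `.Values.teleportConfig` override any key of the rendered config, including the `auth_service`/`ssh_service`/`proxy_service` `enabled: false` entries that config.tpl sets deliberately and the `join_params` token path; that flexibility is fine, but it should be stated in the README, and a `fail` when one of those three services is re-enabled through `teleportConfig` would keep a stray values file from turning the agent into something it was not deployed to be.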