Update Helm release teleport-kube-agent to v15.4.3

helm/teleport-kube-agent/Chart.yaml

@@ -1,17 +1,9 @@
 apiVersion: v2
-name: teleport-kube-agent
-appVersion: 15.1.9
-version: [[ .Version ]]
+appVersion: 15.4.3
 description: Teleport provides a secure SSH, Kubernetes, database and application
   remote access solution that doesn't get in the way.
-icon: https://s.giantswarm.io/app-icons/teleport/1/light.png
-type: application
-sources:
-- https://github.com/gravitational/teleport
+icon: https://goteleport.com/static/teleport-symbol-bimi.svg
 keywords:
 - Teleport
-annotations:
-  application.giantswarm.io/team: bigmac
-maintainers:
-  - name: giantswarm/team-bigmac
-    email: team-bigmac@giantswarm.io
+name: teleport-kube-agent
+version: 15.4.3

helm/teleport-kube-agent/templates/_helpers.tpl

@@ -33,15 +33,15 @@ if serviceAccount is not defined or serviceAccount.name is empty, use .Release.N
 {{- if .Values.teleportVersionOverride -}}
   {{- .Values.teleportVersionOverride -}}
 {{- else -}}
-  {{- .Chart.AppVersion -}}
+  {{- .Chart.Version -}}
 {{- end -}}
 {{- end -}}
 
 {{- define "teleport-kube-agent.baseImage" -}}
 {{- if .Values.enterprise -}}
   {{- .Values.enterpriseImage -}}
 {{- else -}}
-  {{- .Values.image.repository -}}
+  {{- .Values.image -}}
 {{- end -}}
 {{- end -}}
 

helm/teleport-kube-agent/templates/hook.yaml

@@ -79,7 +79,7 @@ spec:
 {{- end }}
       containers:
       - name: post-install-job
-        image: alpine/k8s:1.30.0
+        image: alpine/k8s:1.26.0
         command:
         - sh
         - "-c"

helm/teleport-kube-agent/templates/pdb.yaml

@@ -2,7 +2,7 @@
 {{- if .Capabilities.APIVersions.Has "policy/v1" }}
 apiVersion: policy/v1
 {{- else }}
-apiVersion: policy/v1
+apiVersion: policy/v1beta1
 {{- end }}
 kind: PodDisruptionBudget
 metadata:

helm/teleport-kube-agent/templates/psp.yaml

@@ -2,7 +2,7 @@
   We must remove them before 1.25 to ensure the Helm state doesn't corrupt. As this is a breaking change, this
   only applies to v12+ charts. v11 and below will only show a warning from the NOTES.txt.
   Users must use PSAs instead (beta in 1.23, GA in 1.25). The "teleport-cluster" chart runs in "baseline" mode */}}
-{{- if and (not .Values.global.podSecurityStandards.enforced) .Values.podSecurityPolicy.enabled (semverCompare "<1.25.0" .Capabilities.KubeVersion.Version) -}}
+{{- if and .Values.podSecurityPolicy.enabled (semverCompare "<1.23.0-0" .Capabilities.KubeVersion.Version) -}}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:

helm/teleport-kube-agent/templates/role.yaml

@@ -11,4 +11,4 @@ rules:
 - apiGroups: [""]
   # objects is "secrets"
   resources: ["secrets"]
-  verbs: ["create", "get", "update","patch"]
+  verbs: ["create", "get", "update", "patch"]

helm/teleport-kube-agent/templates/statefulset.yaml

@@ -126,21 +126,6 @@ spec:
         imagePullPolicy: {{ toYaml .Values.imagePullPolicy }}
         {{- end }}
         env:
-          {{- $proxy := deepCopy .Values.cluster.proxy |  mustMerge .Values.proxy }}
-          {{- if and $proxy.noProxy $proxy.http $proxy.https }}
-          - name: NO_PROXY
-            value: {{ $proxy.noProxy }}
-          - name: no_proxy
-            value: {{ $proxy.noProxy }}
-          - name: HTTP_PROXY
-            value: {{ $proxy.http }}
-          - name: http_proxy
-            value: {{ $proxy.http }}
-          - name: HTTPS_PROXY
-            value: {{ $proxy.https }}
-          - name: https_proxy
-            value: {{ $proxy.https }}
-          {{- end }}        
           # This variable is set for telemetry purposes.
           # Telemetry is opt-in and controlled at the auth level.
           - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT

helm/teleport-kube-agent/values.schema.json

@@ -2,7 +2,6 @@
     "$schema": "http://json-schema.org/draft-07/schema",
     "type": "object",
     "required": [
-        "global",
         "proxyAddr",
         "roles",
         "joinParams",
@@ -38,34 +37,9 @@
         "initContainers",
         "resources",
         "tolerations",
-        "probeTimeoutSeconds",
-        "proxy",
-        "cluster"
+        "probeTimeoutSeconds"
     ],
     "properties": {
-        "global": {
-            "$id": "#/properties/global",
-            "type": "object",
-            "required": [
-                "podSecurityStandards"
-            ],
-            "properties": {
-                "podSecurityStandards": {
-                    "$id": "#/properties/global/properties/podSecurityStandards",
-                    "type": "object",
-                    "required": [
-                        "enforced"
-                    ],
-                    "properties": {
-                        "enforced": {
-                            "$id": "#/properties/global/properties/podSecurityStandards/properties/enforced",
-                            "type": "boolean",
-                            "default": false
-                        }
-                    }
-                }
-            }
-        },
         "authToken": {
             "$id": "#/properties/authToken",
             "type": "string",
@@ -368,14 +342,8 @@
         },
         "image": {
             "$id": "#/properties/image",
-            "type": "object",
-            "properties": {
-                "repository": {
-                    "$id": "#/properties/image/repository",
-                    "type": "string",
-                    "default": "public.ecr.aws/gravitational/teleport-distroless"
-                }
-            }
+            "type": "string",
+            "default": "public.ecr.aws/gravitational/teleport-distroless"
         },
         "enterpriseImage": {
             "$id": "#/properties/enterpriseImage",
@@ -390,7 +358,7 @@
         "replicaCount": {
             "$id": "#/properties/replicaCount",
             "type": "integer",
-            "default": 2
+            "default": 1
         },
         "clusterRoleName": {
             "$id": "#/properties/clusterRoleName",
@@ -432,7 +400,7 @@
                         "enabled": {
                             "$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/enabled",
                             "type": "boolean",
-                            "default": true
+                            "default": false
                         },
                         "minAvailable": {
                             "$id": "#/properties/highAvailability/properties/podDisruptionBudget/properties/minAvailable",
@@ -771,41 +739,6 @@
                 },
                 "additionalProperties": false
             }
-        },
-        "proxy": {
-            "$id": "#/properties/proxy",
-            "type": "object",
-            "properties": {
-                "http": {
-                    "type": ["null", "string"]
-                },
-                "https": {
-                    "type": ["null", "string"]
-                },
-                "noProxy": {
-                    "type": ["null", "string"]
-                }
-            }       
-        },
-        "cluster": {
-            "$id": "#/properties/cluster",
-            "type": "object",
-            "properties": {
-                "proxy": {
-                    "type": "object",
-                    "properties": {
-                        "http": {
-                            "type": ["null", "string"]
-                        },
-                        "https": {
-                            "type": ["null", "string"]
-                        },
-                        "noProxy": {
-                            "type": ["null", "string"]
-                        }
-                    }
-                }
-            }           
         }
     }
 }

helm/teleport-kube-agent/values.yaml

@@ -2,10 +2,6 @@
 # Values that must always be provided by the user.
 ################################################################
 
-global:
-  podSecurityStandards:
-    enforced: false
-
 # roles(string) -- is a comma-separated list of services which will be enabled
 # when running the `teleport-kube-agent` chart.
 #
@@ -176,7 +172,7 @@ appResources: []
 # awsDatabases(list) -- configures AWS database auto-discovery.
 #
 # <Admonition type="note" title="IAM roles">
-#   For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../../database-access/guides/rds.mdx#step-36-create-iam-policies-for-teleport).
+#   For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../../database-access/enroll-aws-databases/rds.mdx#step-36-create-iam-policies-for-teleport).
 #   After configuring a role, you can use an `eks.amazonaws.com/role-arn` annotation with the `annotations.serviceAccount` value to associate it with the service account and grant permissions:
 #
 #   ```yaml
@@ -216,7 +212,7 @@ awsDatabases: []
 
 # azureDatabases(list) -- configures Azure database auto-discovery.
 # <Admonition type="note" title="Azure IAM">
-#   For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../../database-access/guides/azure-postgres-mysql.mdx#step-46-configure-iam-permissions-for-teleport).
+#   For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../../database-access/enroll-azure-databases/azure-postgres-mysql.mdx#step-35-configure-iam-permissions-for-teleport).
 #
 #   After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods.
 #   The easiest way is to use an Azure client secret.
@@ -388,6 +384,10 @@ databaseResources: []
 # documentation](../../../auto-discovery/kubernetes-applications/architecture.mdx)
 # for more details.
 #
+# <Admonition type="note">
+# The Discovery mechanism ignores Kubernetes services running in the `kube-system` and
+# `kube-public` namespaces.
+# </Admonition>
 # The default value will try to discover all apps running in Kubernetes.
 # The discovery can be restricted through this value. For example:
 #
@@ -596,6 +596,33 @@ updater:
   # binary.
   extraArgs: []
 
+  # updater.extraVolumes(list) -- contains extra volumes to mount into the Updater pods.
+  # See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/)
+  # for more details.
+  #
+  # For example:
+  # ```yaml
+  # updater:
+  #   extraVolumes:
+  #   - name: myvolume
+  #     secret:
+  #       secretName: testSecret
+  # ```
+  extraVolumes: []
+
+  # updater.extraVolumeMounts(list) -- contains extra volumes mounts for the updater.
+  # See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/)
+  # for more details.
+  #
+  # For example:
+  # ```yaml
+  # updater:
+  #   extraVolumesMounts:
+  #   - name: myvolume
+  #     mountPath: /path/on/host
+  # ```
+  extraVolumeMounts: []
+
 # existingDataVolume(string) -- is the name of an existing Kubernetes Persistent
 # Volume that should be mounted at `/var/lib/teleport`.
 #
@@ -676,7 +703,7 @@ highAvailability:
   # (via [`authToken`](#authToken), [`joinParams`](#joinParams), or [`joinTokenSecret`](#joinTokenSecret))
   # is still valid. Each replica has its own identity and needs to join the Teleport
   # cluster on its first startup.
-  replicaCount: 2
+  replicaCount: 1
 
   # highAvailability.requireAntiAffinity(bool) -- configures Kubernetes `requiredDuringSchedulingIgnoredDuringExecution`
   # to require that multiple Teleport pods must not be scheduled on the same physical host.
@@ -701,7 +728,7 @@ highAvailability:
   podDisruptionBudget:
     # highAvailability.podDisruptionBudget.enabled(bool) -- makes the chart create
     # a Kubernetes PodDisruptionBudget for the agent pods.
-    enabled: true
+    enabled: false
 
     # highAvailability.podDisruptionBudget.minAvailable(int) -- is the minimum
     # available pod specified on the PodDisruptionBudget.
@@ -798,8 +825,7 @@ adminClusterRoleBinding:
 # This setting only takes effect when [`enterprise`](#enterprise) is `false`.
 # When running an enterprise version, you must use
 # [`enterpriseImage`](#enterpriseImage) instead.
-image:
-  repository: gsoci.azurecr.io/giantswarm/teleport-distroless
+image: public.ecr.aws/gravitational/teleport-distroless
 
 # enterpriseImage(string) -- sets the container image used for Teleport Enterprise
 # agent pods created by the chart.
@@ -975,14 +1001,7 @@ log:
 # affinity(object) -- sets the affinities for any pods created by the chart.
 # See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
 # for more details.
-affinity:
-  nodeAffinity:
-    preferredDuringSchedulingIgnoredDuringExecution:
-    - preference:
-        matchExpressions:
-        - key: node-role.kubernetes.io/control-plane
-          operator: Exists
-      weight: 10
+affinity: {}
 
 # dnsConfig(object) -- contains custom Pod DNS Configuration for the agent pods.
 # This value is useful if you need to reduce the DNS load: set "ndots" to 0 and
@@ -1216,26 +1235,8 @@ priorityClassName: ""
 # tolerations(list) -- sets the tolerations for any pods created by the chart.
 # See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
 # for more details.
-tolerations:
-  - effect: NoSchedule
-    key: node-role.kubernetes.io/control-plane
-  - effect: NoSchedule
-    key: node.cluster.x-k8s.io/uninitialized
-    operator: "Exists"
+tolerations: []
 
 # probeTimeoutSeconds(int) -- sets the timeout for the readiness and liveness probes
 # https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
 probeTimeoutSeconds: 1
-
-# set the HTTP_PROXY, HTTPS_PROXY and NO_PROXY variable
-proxy:
-  noProxy:
-  http:
-  https:
-cluster:
-  # is getting overwritten by the top level proxy if set
-  # These values are generated via cluster-apps-operator
-  proxy:
-    noProxy:
-    http:
-    https:

vendir.lock.yml

@@ -2,8 +2,8 @@ apiVersion: vendir.k14s.io/v1alpha1
 directories:
 - contents:
   - helmChart:
-      appVersion: 15.1.9
-      version: 15.1.9
+      appVersion: 15.4.3
+      version: 15.4.3
     path: teleport-kube-agent
   path: helm
 kind: LockConfig