From 470bd61dc422735722b470c3eac4a8e4a737714d Mon Sep 17 00:00:00 2001 
From: Gus Luxton
Date: Tue, 29 Sep 2020 09:43:52 -0300
Subject: [PATCH] Remove unused teleport-demo chart (#4387)
---
 .gitmodules | 3 -
 examples/chart/teleport-demo/.gitignore | 3 -
 examples/chart/teleport-demo/.helmignore | 5 -
 examples/chart/teleport-demo/Chart.yaml | 14 -
 examples/chart/teleport-demo/README.md | 122 ------
 .../chart/teleport-demo/docker/build-all.sh | 15 -
 .../docker/cloudflare-agent/Dockerfile | 24 --
 .../docker/cloudflare-agent/build.sh | 15 -
 .../rootfs/scripts/cloudflare-agent.sh | 211 ----------
 .../docker/namespace-cleaner/Dockerfile | 19 -
 .../docker/namespace-cleaner/build.sh | 15 -
 .../rootfs/scripts/namespace-cleaner.sh | 27 --
 .../docker/teleport-ent/Dockerfile | 6 -
 .../docker/teleport-ent/build.sh | 15 -
 .../teleport-ent/rootfs/scripts/teleport.sh | 65 ----
 .../rootfs/usr/bin/teleport-add-oidc | 7 -
 .../rootfs/usr/bin/teleport-add-roles | 11 -
 .../usr/bin/teleport-replace-node-join-token | 14 -
 ...teleport-replace-trustedcluster-join-token | 12 -
 .../usr/bin/teleport-trustedcluster-join | 7 -
 .../docker/teleport-sidecar/Dockerfile | 21 -
 .../docker/teleport-sidecar/build.sh | 15 -
 .../rootfs/scripts/publish-tokens-hourly.sh | 8 -
 .../rootfs/usr/bin/teleport-publish-tokens | 61 ---
 examples/chart/teleport-demo/gke-init.sh | 5 -
 examples/chart/teleport-demo/secrets | 1 -
 .../chart/teleport-demo/templates/NOTES.txt | 72 ----
 .../teleport-demo/templates/auth-config.yaml | 285 --------------
 .../templates/auth-statefulset.yaml | 328 ----------------
 .../templates/cloudflare-agent-job.yaml | 265 -------------
 .../templates/generic/_helpers.tpl | 98 -----
 .../templates/generic/clusterrole.yaml | 133 -------
 .../templates/generic/clusterrolebinding.yaml | 63 ---
 .../templates/generic/namespace.yaml | 70 ----
 .../teleport-demo/templates/generic/pv.yaml | 45 ---
 .../teleport-demo/templates/generic/pvc.yaml | 57 ---
 .../templates/generic/secret.yaml | 119 ------
 .../templates/generic/service.yaml | 69 ----
 .../templates/generic/serviceaccount.yaml | 51 ---
 .../templates/generic/teleport-k8s.yaml | 124 ------
 .../teleport-demo/templates/node-config.yaml | 85 ----
 .../templates/node-statefulset.yaml | 227 -----------
 examples/chart/teleport-demo/values.yaml | 364 ------------------
 43 files changed, 3176 deletions(-)
 delete mode 100644 examples/chart/teleport-demo/.gitignore
 delete mode 100644 examples/chart/teleport-demo/.helmignore
 delete mode 100644 examples/chart/teleport-demo/Chart.yaml
 delete mode 100644 examples/chart/teleport-demo/README.md
 delete mode 100755 examples/chart/teleport-demo/docker/build-all.sh
 delete mode 100644 examples/chart/teleport-demo/docker/cloudflare-agent/Dockerfile
 delete mode 100755 examples/chart/teleport-demo/docker/cloudflare-agent/build.sh
 delete mode 100755 examples/chart/teleport-demo/docker/cloudflare-agent/rootfs/scripts/cloudflare-agent.sh
 delete mode 100644 examples/chart/teleport-demo/docker/namespace-cleaner/Dockerfile
 delete mode 100755 examples/chart/teleport-demo/docker/namespace-cleaner/build.sh
 delete mode 100755 examples/chart/teleport-demo/docker/namespace-cleaner/rootfs/scripts/namespace-cleaner.sh
 delete mode 100644 examples/chart/teleport-demo/docker/teleport-ent/Dockerfile
 delete mode 100755 examples/chart/teleport-demo/docker/teleport-ent/build.sh
 delete mode 100755 examples/chart/teleport-demo/docker/teleport-ent/rootfs/scripts/teleport.sh
 delete mode 100755 examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-add-oidc
 delete mode 100755 examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-add-roles
 delete mode 100755 examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-replace-node-join-token
 delete mode 100755 examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-replace-trustedcluster-join-token
 delete mode 100755 examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-trustedcluster-join
 delete mode 100644 examples/chart/teleport-demo/docker/teleport-sidecar/Dockerfile
 delete mode 100755 examples/chart/teleport-demo/docker/teleport-sidecar/build.sh
 delete mode 100755 examples/chart/teleport-demo/docker/teleport-sidecar/rootfs/scripts/publish-tokens-hourly.sh
 delete mode 100755 examples/chart/teleport-demo/docker/teleport-sidecar/rootfs/usr/bin/teleport-publish-tokens
 delete mode 100755 examples/chart/teleport-demo/gke-init.sh
 delete mode 160000 examples/chart/teleport-demo/secrets
 delete mode 100644 examples/chart/teleport-demo/templates/NOTES.txt
 delete mode 100644 examples/chart/teleport-demo/templates/auth-config.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/auth-statefulset.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/cloudflare-agent-job.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/generic/_helpers.tpl
 delete mode 100644 examples/chart/teleport-demo/templates/generic/clusterrole.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/generic/clusterrolebinding.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/generic/namespace.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/generic/pv.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/generic/pvc.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/generic/secret.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/generic/service.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/generic/serviceaccount.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/generic/teleport-k8s.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/node-config.yaml
 delete mode 100644 examples/chart/teleport-demo/templates/node-statefulset.yaml
 delete mode 100644 examples/chart/teleport-demo/values.yaml
diff --git a/.gitmodules b/.gitmodules
index 29277f434f2fb..20a220b3f5155 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,9 +1,6 @@
 [submodule "e"]
 path = e
 url = git@github.com:gravitational/teleport.e.git
-[submodule "examples/chart/teleport-demo/secrets"]
- path = examples/chart/teleport-demo/secrets
- url = git@github.com:gravitational/ops.git
 [submodule "webassets"]
 path = webassets
 url = https://github.com/gravitational/webassets.git
diff --git a/examples/chart/teleport-demo/.gitignore b/examples/chart/teleport-demo/.gitignore
deleted file mode 100644
index b9390ae36592e..0000000000000
--- a/examples/chart/teleport-demo/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-license/
-secrets*.yaml
-secrets*.yaml.dec
diff --git a/examples/chart/teleport-demo/.helmignore b/examples/chart/teleport-demo/.helmignore
deleted file mode 100644
index a8582a3a54cd4..0000000000000
--- a/examples/chart/teleport-demo/.helmignore
+++ /dev/null
@@ -1,5 +0,0 @@
-*~
-*.pem
-scripts
-pki
-secrets
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/Chart.yaml b/examples/chart/teleport-demo/Chart.yaml
deleted file mode 100644
index f1d9b5c9308ec..0000000000000
--- a/examples/chart/teleport-demo/Chart.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: teleport-demo
-version: 0.0.5
-description: Teleport Enterprise
-keywords:
- - Teleport Enterprise
-tillerVersion: ">=2.8.0"
-kubeVersion: ">=1.10.0-0"
-home: https://github.com/gravitational/teleport
-sources:
- - https://github.com/gravitational/teleport
-maintainers:
- - name: Gus Luxton
- email: gus@gravitational.com
- url: https://github.com/webvictim
diff --git a/examples/chart/teleport-demo/README.md b/examples/chart/teleport-demo/README.md
deleted file mode 100644
index 50ddd377384f3..0000000000000
--- a/examples/chart/teleport-demo/README.md
+++ /dev/null
@@ -1,122 +0,0 @@ -# Teleport on Kubernetes - -[Gravitational Teleport](https://github.com/gravitational/teleport) is a modern SSH/Kubernetes API proxy server for -remotely accessing clusters of Linux containers and servers via SSH, HTTPS, or Kubernetes API. - -This configuration is quite a Gravitational-specific deployment but should show a good amount of reusability for other -savvy admins. - -## Introduction - -This chart deploys Teleport components to your cluster using various Kubernetes primitives. - -It supports a few key features: -- A configurable number of nodes per cluster (n) -- One 'main' cluster with nodes in its own Kubernetes namespace -- Any amount of different-named trusted clusters with nodes, each in their own Kubernetes namespace - - These clusters are automatically linked to 'main' as trusted clusters -- OIDC authentication via Auth0 -- DNS records pointing to a Kubernetes LoadBalancer for each cluster, set up on a configurable Cloudflare domain -- LetsEncrypt certificates automatically provisioned, configured and renewed for each cluster via certbot-dns-cloudflare -- Secrets encrypted using sops and a key from GKE - -See the comments in the default `values.yaml` and also the [Teleport documentation](https://gravitational.com/teleport/docs/quickstart) for more options. 
- -## Prerequisites - -- Kubernetes 1.10+ -- [sops](https://github.com/mozilla/sops) -- [helm-secrets](https://github.com/futuresimple/helm-secrets) -- [gcloud SDK](https://cloud.google.com/sdk/docs/downloads-interactive) - - ```curl https://sdk.cloud.google.com | bash``` for a simple install -- Secrets stored in secrets.yaml and encrypted with sops - - Teleport Enterprise license - - Email address and API key for a Cloudflare account that controls the domain you wish to use - - Client ID and client secret for a configured Auth0 application - -## Installing the chart - -First, check whether there's already a tag for the version of Teleport you want to use in GCR: - -```bash -$ gcloud auth login -$ gcloud container images list-tags gcr.io/kubeadm-167321/teleport-ent --filter="tags:4.2.2" # replace 4.2.2 with the Teleport version you want -DIGEST TAGS TIMESTAMP -e2ff7a110d2c 4.2.2 2020-02-13T16:59:29 -``` - -You can also list all avaliable tags with `gcloud container images list-tags gcr.io/kubeadm-167321/teleport-ent`. 
- -If there isn't already a tag for the version of Teleport you're looking to use, you can build and push the Docker images for the specified version to GCR: - -```bash -$ cd examples/chart/teleport-demo/docker -$ gcloud auth configure-docker -$ ./build-all.sh 4.2.2 # replace 4.2.2 with the Teleport version you want to build and push -``` - -Make sure that you have access to the key for sops encryption: - -```bash -$ gcloud auth application-default login -$ gcloud config set project kubeadm-167321 -$ gcloud kms keys list --location global --keyring teleport-sops -NAME PURPOSE LABELS PRIMARY_ID PRIMARY_STATE -projects/kubeadm-167321/locations/global/keyRings/teleport-sops/cryptoKeys/teleport-sops-key ENCRYPT_DECRYPT 1 ENABLED -``` - -kubectl needs to know about your cluster - for GKE you can use something like this: - -```bash -$ gcloud container clusters get-credentials --zone --project -$ ./gke-init.sh -``` - -Make sure that you have updated the submodule containing the secrets. When prompted to authenticate, use a -personal access token rather than a password: - -```bash -$ git pull --recurse-submodules -``` - -To install the chart with the release name `teleportdemo` and Teleport version 4.2.2, run: - -```bash -$ helm secrets install --name teleportdemo -f secrets/sops/teleport-demo/secrets.yaml ./ --set teleportVersion=4.2.2 -``` - -Once the chart is installed successfully, Helm will output a section titled NOTES containing the URL to access the main -cluster's web UI, along with some example `tsh` commands based on your installation. - -You can show these notes again in future with the `helm status ` command - e.g. `helm status teleportdemo` - -## Deleting the chart - -If you named the chart `teleportdemo`: - -```bash -$ helm delete --purge teleportdemo -``` - -Namespaces will automatically be deleted once the cluster is shut down. 
If a deployment fails for some reason and you find you can't delete it with the command above, try skipping the post-delete hooks like this: - -```bash -$ helm delete --purge --no-hooks teleportdemo -``` - -## Recreating this without access to secrets - -If you're looking to use/modify this code and don't have access to the repo containing the sops-encrypted secrets, -here's the sections you'll need to ensure you have in your `secrets.yaml` or equivalent file: - -```yaml -secrets: - auth0: - client_id: - client_secret: - cloudflare: - api_key: - email: - license: | - -``` diff --git a/examples/chart/teleport-demo/docker/build-all.sh b/examples/chart/teleport-demo/docker/build-all.sh deleted file mode 100755 index 3ed3bc2a7c8fd..0000000000000 --- a/examples/chart/teleport-demo/docker/build-all.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bash -set -e -VERSION=3.2.0 -if [[ "$1" != "" ]]; then - VERSION=$1 - shift -fi -set -e -for f in *; do - if [[ -d $f ]]; then - pushd $f - ./build.sh ${VERSION} "$@" - popd - fi -done \ No newline at end of file diff --git a/examples/chart/teleport-demo/docker/cloudflare-agent/Dockerfile b/examples/chart/teleport-demo/docker/cloudflare-agent/Dockerfile deleted file mode 100644 index a8bd62c390d33..0000000000000 --- a/examples/chart/teleport-demo/docker/cloudflare-agent/Dockerfile +++ /dev/null 
@@ -1,24 +0,0 @@ -ARG TELEPORT_VERSION -FROM quay.io/gravitational/debian-grande:buster - -ARG KUBECTL_VERSION="v1.12.5" -ARG CURL_OPTS="-L --retry 100 --retry-delay 0 --connect-timeout 10 --max-time 300" - -# Update packages -ENV DEBIAN_FRONTEND noninteractive -RUN apt-get update && \ - apt-get -y install curl jq python3 python3-pip python3-setuptools && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* /var/cache/apt - -# install kubectl -RUN curl ${CURL_OPTS} https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl --output /usr/local/bin/kubectl && \ - chmod +x /usr/local/bin/kubectl - -# Install certbot to get/rotate certificates, add certbot-dns-cloudflare for registration -RUN pip3 install wheel && \ - pip3 install certbot certbot-dns-cloudflare - -COPY rootfs/ / - -ENTRYPOINT ["/usr/bin/dumb-init", "/scripts/cloudflare-agent.sh"] \ No newline at end of file diff --git a/examples/chart/teleport-demo/docker/cloudflare-agent/build.sh b/examples/chart/teleport-demo/docker/cloudflare-agent/build.sh deleted file mode 100755 index d7c3bb1c6c46e..0000000000000 --- a/examples/chart/teleport-demo/docker/cloudflare-agent/build.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bash -set -e -VERSION=3.2.0 -if [[ "$1" != "" ]]; then - VERSION=$1 - shift -fi -docker pull quay.io/gravitational/debian-grande:buster -docker build --pull \ - -t gcr.io/kubeadm-167321/cloudflare-agent:${VERSION} \ - -t gcr.io/kubeadm-167321/cloudflare-agent:latest \ - --cache-from quay.io/gravitational/debian-grande:buster,gcr.io/kubeadm-167321/cloudflare-agent:latest \ - . $* -docker push gcr.io/kubeadm-167321/cloudflare-agent:${VERSION} -docker push gcr.io/kubeadm-167321/cloudflare-agent:latest diff --git a/examples/chart/teleport-demo/docker/cloudflare-agent/rootfs/scripts/cloudflare-agent.sh b/examples/chart/teleport-demo/docker/cloudflare-agent/rootfs/scripts/cloudflare-agent.sh deleted file mode 100755 index 692fd6edd1349..0000000000000 
--- a/examples/chart/teleport-demo/docker/cloudflare-agent/rootfs/scripts/cloudflare-agent.sh +++ /dev/null 
@@ -1,211 +0,0 @@ -#!/usr/bin/env bash -set -e -# if you set DEBUG in the kubernetes environment variables, it must be a string "true" rather than a boolean true -if [[ "${DEBUG}" == true ]]; then - set -x -fi - -function cloudflareagent_log() { - echo "[cloudflare-agent] $*" -} - -function process_record() { - local RUN_MODE="$1" - local REGISTER_DOMAIN="$2" - local DNS_RECORD_CONTENT="$3" - - if [[ "${DEBUG}" == "true" ]]; then - cloudflareagent_log "register_record()" - cloudflareagent_log "RUN_MODE: ${RUN_MODE}" - cloudflareagent_log "REGISTER_DOMAIN: ${REGISTER_DOMAIN}" - cloudflareagent_log "DNS_RECORD_CONTENT: ${DNS_RECORD_CONTENT}" - cloudflareagent_log "---" - fi - - if [[ "${REGISTER_DOMAIN}" == "" ]]; then - cloudflareagent_log "Domain to register not provided, exiting with error" - exit 4 - fi - - if [[ "${RUN_MODE}" == "create" ]] && [[ "${DNS_RECORD_CONTENT}" == "" ]]; then - cloudflareagent_log "Running in create mode and record content not provided, exiting with error" - exit 5 - fi - - # look up zone ID for provided domain - ZONE_ID=$(curl -s -H "Content-Type: application/json" -H "X-Auth-Key: ${API_KEY}" -H "X-Auth-Email: ${EMAIL}" -X GET "https://api.cloudflare.com/client/v${API_VERSION}/zones?name=${CLOUDFLARE_DOMAIN}" | jq -r '.result[].id') - # exit if we can't get it - if [[ "${ZONE_ID}" == "null" || "${ZONE_ID}" == "" ]]; then - if [[ "${RUN_MODE}" == "create" ]]; then - cloudflareagent_log "[create] Couldn't get Cloudflare Zone ID for '${CLOUDFLARE_DOMAIN}' with the provided credentials - exiting with error" - exit 1 - elif [[ "${RUN_MODE}" == "delete" ]]; then - cloudflareagent_log "[delete] Couldn't get Cloudflare Zone ID for '${CLOUDFLARE_DOMAIN}' with the provided credentials - exiting" - return - fi - fi - - # look up record ID - RECORD_ID=$(curl -s -H "Content-Type: application/json" -H "X-Auth-Key: ${API_KEY}" -H "X-Auth-Email: ${EMAIL}" -X GET 
"https://api.cloudflare.com/client/v${API_VERSION}/zones/${ZONE_ID}/dns_records?name=${REGISTER_DOMAIN}" | jq -r '.result[].id') - # if it doesn't exist, create/delete a new record - if [[ "${RECORD_ID}" == "null" || "${RECORD_ID}" == "" ]]; then - if [[ "${RUN_MODE}" == "create" ]]; then - cloudflareagent_log "[create] Couldn't get Cloudflare DNS record ID for '${REGISTER_DOMAIN}' within zone '${ZONE_ID}' - creating new record" - # create record - CREATED_RECORD_ID=$(curl -s -H "Content-Type: application/json" -H "X-Auth-Key: ${API_KEY}" -H "X-Auth-Email: ${EMAIL}" --data ${DNS_RECORD_CONTENT} -X POST "https://api.cloudflare.com/client/v${API_VERSION}/zones/${ZONE_ID}/dns_records" | jq -r '.result.id') - # check response - if [[ "${CREATED_RECORD_ID}" == "null" || "${CREATED_RECORD_ID}" == "" ]]; then - cloudflareagent_log "Couldn't create Cloudflare DNS record for '${REGISTER_DOMAIN}' under '${ZONE_ID}' - exiting with error" - exit 2 - else - cloudflareagent_log "Created Cloudflare DNS record ID '${CREATED_RECORD_ID}' for '${REGISTER_DOMAIN}' under '${ZONE_ID}'" - fi - elif [[ "${RUN_MODE}" == "delete" ]]; then - cloudflareagent_log "[delete] Couldn't get Cloudflare DNS record ID for '${REGISTER_DOMAIN}' within zone '${ZONE_ID}' - exiting" - fi - # if it does exist, update/delete the existing record - else - if [[ "${RUN_MODE}" == "create" ]]; then - cloudflareagent_log "[create] Got Cloudflare DNS record ID '${RECORD_ID}' for '${REGISTER_DOMAIN}' - updating record" - # update record - UPDATED_RECORD_ID=$(curl -s -H "Content-Type: application/json" -H "X-Auth-Key: ${API_KEY}" -H "X-Auth-Email: ${EMAIL}" --data ${DNS_RECORD_CONTENT} -X PUT "https://api.cloudflare.com/client/v${API_VERSION}/zones/${ZONE_ID}/dns_records/${RECORD_ID}" | jq -r '.result.id') - # check response - if [[ "${UPDATED_RECORD_ID}" == "null" || "${UPDATED_RECORD_ID}" == "" ]]; then - cloudflareagent_log "Couldn't update Cloudflare DNS record for '${REGISTER_DOMAIN}' under '${ZONE_ID}' - 
exiting with error" - exit 3 - else - cloudflareagent_log "Updated Cloudflare DNS record ID '${UPDATED_RECORD_ID}' for '${REGISTER_DOMAIN}' under '${ZONE_ID}'" - fi - elif [[ "${RUN_MODE}" == "delete" ]]; then - cloudflareagent_log "[delete] Got Cloudflare DNS record ID '${RECORD_ID}' for '${REGISTER_DOMAIN}' - deleting record" - # update record - UPDATED_RECORD_ID=$(curl -s -H "Content-Type: application/json" -H "X-Auth-Key: ${API_KEY}" -H "X-Auth-Email: ${EMAIL}" -X DELETE "https://api.cloudflare.com/client/v${API_VERSION}/zones/${ZONE_ID}/dns_records/${RECORD_ID}" | jq -r '.result.id') - # check response - if [[ "${UPDATED_RECORD_ID}" == "null" || "${UPDATED_RECORD_ID}" == "" ]]; then - cloudflareagent_log "Couldn't delete Cloudflare DNS record for '${REGISTER_DOMAIN}' under '${ZONE_ID}' - exiting" - else - cloudflareagent_log "Deleted Cloudflare DNS record ID '${UPDATED_RECORD_ID}' for '${REGISTER_DOMAIN}' under '${ZONE_ID}'" - fi - fi - fi -} - -# default to creation mode if the MODE variable isn't set (to ensure container compatibility with older installations) -if [[ "${MODE}" == "" ]]; then - MODE="create" -fi - -API_KEY=$(cat /etc/cloudflare/api_key) -EMAIL=$(cat /etc/cloudflare/email) -DOMAIN_TO_REGISTER="${CLUSTER_NAME}.${CLOUDFLARE_DOMAIN}" - -if [[ "${MODE}" == "create" ]]; then - TLS_ENABLED=$(cat /etc/teleport-tls/enabled) - LETSENCRYPT_ENABLED=$(cat /etc/teleport-tls/letsencrypt-enabled) -fi - -if [[ "${DEBUG}" == true ]]; then - cloudflareagent_log "Mode: ${MODE}" - cloudflareagent_log "Cluster name: ${CLUSTER_NAME}" - cloudflareagent_log "Cluster type: ${CLUSTER_TYPE}" - cloudflareagent_log "Service name: ${SERVICE_NAME}" - cloudflareagent_log "Domain: ${CLOUDFLARE_DOMAIN}" - cloudflareagent_log "Register: ${DOMAIN_TO_REGISTER}" - cloudflareagent_log "Cloudflare TTL: ${CLOUDFLARE_TTL}" - cloudflareagent_log "---" - cloudflareagent_log "TLS enabled: ${TLS_ENABLED}" - cloudflareagent_log "Letsencrypt enabled: ${LETSENCRYPT_ENABLED}" - 
cloudflareagent_log "Letsencrypt email address: ${LETSENCRYPT_EMAIL}" - cloudflareagent_log "---" -fi - -# if this is the main cluster, we also create a wildcard record so that kubernetes proxy forwarding from Teleport 3.2 will work -# (we don't do this any more as of Teleport 4.1) -WILDCARD_DOMAIN_TO_REGISTER="" -#if [[ "${CLUSTER_TYPE}" == "primary" ]]; then -# WILDCARD_DOMAIN_TO_REGISTER="*.${DOMAIN_TO_REGISTER}" -#fi - -if [[ "${MODE}" == "create" ]]; then - SERVICE_TYPE=$(kubectl get service ${SERVICE_NAME} -o jsonpath='{.spec.type}') - if [[ "${SERVICE_TYPE}" != "LoadBalancer" ]]; then - cloudflareagent_log "Service '${SERVICE_NAME}' is not using 'LoadBalancer', it's using '${SERVICE_TYPE}'" - cloudflareagent_log "This process doesn't need to run so is exiting with success" - exit 0 - fi - - EXTERNAL_IP="" - while [ -z "${EXTERNAL_IP}" ]; do - cloudflareagent_log "Waiting for external IP address for '${SERVICE_NAME}'..." - EXTERNAL_IP=$(kubectl get service ${SERVICE_NAME} --template="{{ range .status.loadBalancer.ingress }}{{ .ip }}{{ end }}") - [ -z "${EXTERNAL_IP}" ] && sleep 10 - done - cloudflareagent_log "External IP for '${SERVICE_NAME}' is ready" - cloudflareagent_log "${EXTERNAL_IP}" - - # set TTL if provided - if not, omit it so cloudflare uses auto - if [[ "${CLOUDFLARE_TTL}" != "" ]]; then - RECORD_CONTENT="{\"type\":\"A\",\"name\":\"${DOMAIN_TO_REGISTER}\",\"content\":\"${EXTERNAL_IP}\",\"proxied\":false,\"ttl\":${CLOUDFLARE_TTL}}" - if [[ "${WILDCARD_DOMAIN_TO_REGISTER}" != "" ]]; then - WILDCARD_RECORD_CONTENT="{\"type\":\"A\",\"name\":\"${WILDCARD_DOMAIN_TO_REGISTER}\",\"content\":\"${EXTERNAL_IP}\",\"proxied\":false,\"ttl\":${CLOUDFLARE_TTL}}" - fi - else - RECORD_CONTENT="{\"type\":\"A\",\"name\":\"${DOMAIN_TO_REGISTER}\",\"content\":\"${EXTERNAL_IP}\",\"proxied\":false}" - if [[ "${WILDCARD_DOMAIN_TO_REGISTER}" != "" ]]; then - 
WILDCARD_RECORD_CONTENT="{\"type\":\"A\",\"name\":\"${WILDCARD_DOMAIN_TO_REGISTER}\",\"content\":\"${EXTERNAL_IP}\",\"proxied\":false}" - fi - fi - - # do registration - process_record create "${DOMAIN_TO_REGISTER}" "${RECORD_CONTENT}" - # we don't register wildcards any more (they're not needed as of Teleport 4,1) - #if [[ "${WILDCARD_DOMAIN_TO_REGISTER}" != "" ]]; then - # process_record create "${WILDCARD_DOMAIN_TO_REGISTER}" "${WILDCARD_RECORD_CONTENT}" - #fi - # wait 10 seconds for DNS propagation - sleep 10 - - # run certbot if TLS is enabled and letsencrypt is enabled - if [[ "${TLS_ENABLED}" == "true" ]] && [[ "${LETSENCRYPT_ENABLED}" == "true" ]]; then - cloudflareagent_log "TLS/Letsencrypt enabled, running certbot" - # create certbot.ini file - cat >/tmp/cloudflare-credentials-certbot.ini < 0 ]]; do - cloudflareagent_log "Attempts remaining: ${RETRIES}" - # don't exit on error for this command - certbot certonly -n --agree-tos --email ${LETSENCRYPT_EMAIL} --dns-cloudflare --dns-cloudflare-credentials /tmp/cloudflare-credentials-certbot.ini -d ${DOMAIN_TO_REGISTER} || true - if [ $? 
-ne 0 ]; then - cloudflareagent_log "Attempt failed" - ((RETRIES--)) - else - cloudflareagent_log "Attempt successful" - CERTBOT_DONE=true - fi - done - else - cloudflareagent_log "TLS/Letsencrypt not enabled, exiting" - exit 0 - fi - - # keep container running in a loop, attempt to renew certificates once a day and then update kubernetes secrets with changed certificates/key - while true; do - date - certbot renew - kubectl --namespace ${NAMESPACE} create secret generic tls-web --from-file=/etc/letsencrypt/live/${DOMAIN_TO_REGISTER}/fullchain.pem --from-file=/etc/letsencrypt/live/${DOMAIN_TO_REGISTER}/privkey.pem --dry-run -o yaml | kubectl apply -f - - # wait a day - sleep 86400 - done -elif [[ "${MODE}" == "delete" ]]; then - # do deletion - process_record delete "${DOMAIN_TO_REGISTER}" - # we don't need/add wildcard records as of Teleport 4.1, so they don't need to be deleted - #if [[ "${WILDCARD_DOMAIN_TO_REGISTER}" != "" ]]; then - # process_record delete "${WILDCARD_DOMAIN_TO_REGISTER}" - #fi -fi \ No newline at end of file diff --git a/examples/chart/teleport-demo/docker/namespace-cleaner/Dockerfile b/examples/chart/teleport-demo/docker/namespace-cleaner/Dockerfile deleted file mode 100644 index 788107acbdbd4..0000000000000 --- a/examples/chart/teleport-demo/docker/namespace-cleaner/Dockerfile +++ /dev/null 
@@ -1,19 +0,0 @@ -FROM quay.io/gravitational/debian-grande:buster - -ARG KUBECTL_VERSION="v1.12.5" -ARG CURL_OPTS="-L --retry 100 --retry-delay 0 --connect-timeout 10 --max-time 300" - -# Update packages -ENV DEBIAN_FRONTEND noninteractive -RUN apt-get update && \ - apt-get -y install curl && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* /var/cache/apt - -# install kubectl -RUN curl ${CURL_OPTS} https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl --output /usr/local/bin/kubectl && \ - chmod +x /usr/local/bin/kubectl - -COPY rootfs/ / - -ENTRYPOINT ["/usr/bin/dumb-init", "/scripts/namespace-cleaner.sh"] \ No newline at end of file diff --git a/examples/chart/teleport-demo/docker/namespace-cleaner/build.sh b/examples/chart/teleport-demo/docker/namespace-cleaner/build.sh deleted file mode 100755 index be2a266a18c2f..0000000000000 --- a/examples/chart/teleport-demo/docker/namespace-cleaner/build.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bash -set -e -VERSION=3.2.0 -if [[ "$1" != "" ]]; then - VERSION=$1 - shift -fi -docker pull quay.io/gravitational/debian-grande:buster -docker build --pull \ - -t gcr.io/kubeadm-167321/namespace-cleaner:${VERSION} \ - -t gcr.io/kubeadm-167321/namespace-cleaner:latest \ - --cache-from quay.io/gravitational/debian-grande:buster,gcr.io/kubeadm-167321/namespace-cleaner:latest \ - . $* -docker push gcr.io/kubeadm-167321/namespace-cleaner:${VERSION} -docker push gcr.io/kubeadm-167321/namespace-cleaner:latest diff --git a/examples/chart/teleport-demo/docker/namespace-cleaner/rootfs/scripts/namespace-cleaner.sh b/examples/chart/teleport-demo/docker/namespace-cleaner/rootfs/scripts/namespace-cleaner.sh deleted file mode 100755 index a263596bbb9fe..0000000000000 --- a/examples/chart/teleport-demo/docker/namespace-cleaner/rootfs/scripts/namespace-cleaner.sh +++ /dev/null 
@@ -1,27 +0,0 @@ -#!/usr/bin/env bash -# This script takes a space-separated list of namespaces which should be deleted by kubectl after the helm chart is gone -set -e - -function namespacecleaner_log() { - echo "[namespace-cleaner] $*" -} - -# handle the case where no arguments are provided -if [[ $# -eq 0 ]]; then - namespacecleaner_log "No namespaces passed as command-line arguments, exiting" - exit 0 -# parse arguments on command line -else - namespacecleaner_log "Arguments: '$@'" - while [[ $# -gt 0 ]]; do - arg="$1" - namespacecleaner_log "Processing '${arg}'" - # handle colon separated namespace:secret - NAMESPACE=${arg} - kubectl delete namespace ${NAMESPACE} --wait || true - shift - done -fi - -namespacecleaner_log "Done - exiting" -exit 0 \ No newline at end of file diff --git a/examples/chart/teleport-demo/docker/teleport-ent/Dockerfile b/examples/chart/teleport-demo/docker/teleport-ent/Dockerfile deleted file mode 100644 index 482b5ece5e8c9..0000000000000 --- a/examples/chart/teleport-demo/docker/teleport-ent/Dockerfile +++ /dev/null @@ -1,6 +0,0 @@ -ARG TELEPORT_VERSION -FROM quay.io/gravitational/teleport-ent:${TELEPORT_VERSION} - -COPY rootfs/ / - -ENTRYPOINT ["/usr/bin/dumb-init", "/scripts/teleport.sh"] \ No newline at end of file diff --git a/examples/chart/teleport-demo/docker/teleport-ent/build.sh b/examples/chart/teleport-demo/docker/teleport-ent/build.sh deleted file mode 100755 index 7e02ff1735766..0000000000000 --- a/examples/chart/teleport-demo/docker/teleport-ent/build.sh +++ /dev/null @@ -1,15 +0,0 @@ -#!/usr/bin/env bash -set -e -VERSION=3.2.0 -if [[ "$1" != "" ]]; then - VERSION=$1 - shift -fi -docker build --pull \ - -t gcr.io/kubeadm-167321/teleport-ent:${VERSION} \ - -t gcr.io/kubeadm-167321/teleport-ent:latest \ - --cache-from gcr.io/kubeadm-167321/teleport-ent:latest \ - --build-arg TELEPORT_VERSION=${VERSION} \ - . $* -docker push gcr.io/kubeadm-167321/teleport-ent:${VERSION} -docker push gcr.io/kubeadm-167321/teleport-ent:latest 
diff --git a/examples/chart/teleport-demo/docker/teleport-ent/rootfs/scripts/teleport.sh b/examples/chart/teleport-demo/docker/teleport-ent/rootfs/scripts/teleport.sh deleted file mode 100755 index e8ee5cbe9257a..0000000000000 --- a/examples/chart/teleport-demo/docker/teleport-ent/rootfs/scripts/teleport.sh +++ /dev/null @@ -1,65 +0,0 @@ -#!/usr/bin/env bash - -echo "CLUSTER_TYPE: ${CLUSTER_TYPE}" -echo "ROLE: ${ROLE}" -echo "ARGS: $@" -echo "---" - -# copy read only config version to /tmp for editing -cp /etc/teleport/teleport.yaml /tmp/teleport.yaml - -# replace node join token in /tmp/teleport.yaml with version from k8s secret -if [[ "${ROLE}" == "node" ]]; then - /usr/bin/teleport-replace-node-join-token -fi - -# start teleport daemon -# run in background to keep executing this script -# expose diagnostic endpoints on port 54321 for kubernetes liveness/ready checks -teleport start --diag-addr=0.0.0.0:54321 -c /tmp/teleport.yaml "$@" & - -# add roles to auth servers -if [[ "${ROLE}" == "auth" ]]; then - ROLES_DONE=false - while [[ "${ROLES_DONE}" != "true" ]]; do - /usr/bin/teleport-add-roles - if [ $? -eq 0 ]; then - ROLES_DONE=true - else - sleep 2 - fi - done -fi - -# add OIDC connector to auth servers -if [[ "${ROLE}" == "auth" ]]; then - OIDC_DONE=false - while [[ "${OIDC_DONE}" != "true" ]]; do - /usr/bin/teleport-add-oidc - if [ $? -eq 0 ]; then - OIDC_DONE=true - else - sleep 2 - fi - done -fi - -# add trusted cluster YAML -if [[ "${ROLE}" == "auth" ]] && [[ "${CLUSTER_TYPE}" == "secondary" ]]; then - TRUSTEDCLUSTER_DONE=false - while [[ "${TRUSTEDCLUSTER_DONE}" != "true" ]]; do - /usr/bin/teleport-replace-trustedcluster-join-token - if [ $? -eq 0 ]; then - /usr/bin/teleport-trustedcluster-join - if [ $? -eq 0 ]; then - TRUSTEDCLUSTER_DONE=true - else - sleep 5 - fi - else - sleep 5 - fi - done -fi - -tail -F /dev/null # keep the container running when teleport isn't the root process \ No newline at end of file 
diff --git a/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-add-oidc b/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-add-oidc deleted file mode 100755 index 3f685b19905ee..0000000000000 --- a/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-add-oidc +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/env bash -set -e -TCTL=/usr/local/bin/tctl -# only run when we have an OIDC YAML descriptor -if [ -f /etc/teleport/oidc.yaml ]; then - ${TCTL} create -f /etc/teleport/oidc.yaml -fi \ No newline at end of file diff --git a/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-add-roles b/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-add-roles deleted file mode 100755 index e4d75a1c37461..0000000000000 --- a/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-add-roles +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env bash -set -e -TCTL=/usr/local/bin/tctl -# only run when we have an admin role descriptor -if [ -f /etc/teleport/admin-role.yaml ]; then - ${TCTL} create -f /etc/teleport/admin-role.yaml -fi -# only run when we have a clusteradmin role descriptor -if [ -f /etc/teleport/clusteradmin-role.yaml ]; then - ${TCTL} create -f /etc/teleport/clusteradmin-role.yaml -fi \ No newline at end of file diff --git a/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-replace-node-join-token b/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-replace-node-join-token deleted file mode 100755 index 8fc8a2fe0eedf..0000000000000 --- a/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-replace-node-join-token +++ /dev/null 
@@ -1,14 +0,0 @@
-#!/usr/bin/env bash
-set -e
-if [ ! -f /var/lib/tokens/node/join-token ]; then
- echo "Join token is not present, exiting with error"
- exit 1
-fi
-if [ ! -f /var/lib/tokens/ca-pin/hash ]; then
- echo "CA pin hash is not present, exiting with error"
- exit 1
-fi
-NODE_JOIN_TOKEN=$(cat /var/lib/tokens/node/join-token)
-CA_PIN_HASH=$(cat /var/lib/tokens/ca-pin/hash)
-sed -i "s/NODE_JOIN_TOKEN_PLACEHOLDER/${NODE_JOIN_TOKEN}/g" /tmp/teleport.yaml
-sed -i "s/CA_PIN_HASH_PLACEHOLDER/${CA_PIN_HASH}/g" /tmp/teleport.yaml
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-replace-trustedcluster-join-token b/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-replace-trustedcluster-join-token
deleted file mode 100755
index 0e93c848af6b7..0000000000000
--- a/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-replace-trustedcluster-join-token
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/env bash
-set -e
-if [ ! -f /var/lib/teleport/primary-trustedcluster-join-token ]; then
- echo "Primary trusted cluster join token is not present, exiting with error"
- exit 1
-fi
-# only run when we have a trusted cluster YAML descriptor
-if [ -f /etc/teleport/trusted_cluster.yaml ]; then
- TRUSTEDCLUSTER_JOIN_TOKEN=$(cat /var/lib/teleport/primary-trustedcluster-join-token)
- cp /etc/teleport/trusted_cluster.yaml /tmp/trusted_cluster.yaml
- sed -i "s/TRUSTEDCLUSTER_JOIN_TOKEN_PLACEHOLDER/${TRUSTEDCLUSTER_JOIN_TOKEN}/g" /tmp/trusted_cluster.yaml
-fi
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-trustedcluster-join b/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-trustedcluster-join
deleted file mode 100755
index 9120b7f467437..0000000000000
--- a/examples/chart/teleport-demo/docker/teleport-ent/rootfs/usr/bin/teleport-trustedcluster-join
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-set -e
-TCTL=/usr/local/bin/tctl
-# only run when we have a modified trusted cluster YAML descriptor
-if [ -f /tmp/trusted_cluster.yaml ]; then
- ${TCTL} create -f /tmp/trusted_cluster.yaml
-fi
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/docker/teleport-sidecar/Dockerfile b/examples/chart/teleport-demo/docker/teleport-sidecar/Dockerfile
deleted file mode 100644
index 6e19c9166e7ee..0000000000000
--- a/examples/chart/teleport-demo/docker/teleport-sidecar/Dockerfile
+++ /dev/null
@@ -1,21 +0,0 @@
-ARG TELEPORT_VERSION
-FROM quay.io/gravitational/teleport-ent:${TELEPORT_VERSION}
-
-ARG KUBECTL_VERSION="v1.12.5"
-ARG CURL_OPTS="-L --retry 100 --retry-delay 0 --connect-timeout 10 --max-time 300"
-
-# Update packages
-ENV DEBIAN_FRONTEND noninteractive
-RUN apt-get update && \
- apt-get -y install curl uuid openssl && \
- apt-get clean && \
- rm -rf /var/lib/apt/lists/* /var/cache/apt
-
-# install kubectl
-RUN curl ${CURL_OPTS} https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl --output /usr/local/bin/kubectl && \
- chmod +x /usr/local/bin/kubectl
-
-COPY rootfs/ /
-
-ENTRYPOINT ["/usr/bin/dumb-init"]
-CMD ["/scripts/publish-tokens-hourly.sh"]
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/docker/teleport-sidecar/build.sh b/examples/chart/teleport-demo/docker/teleport-sidecar/build.sh
deleted file mode 100755
index 55267e75a95d9..0000000000000
--- a/examples/chart/teleport-demo/docker/teleport-sidecar/build.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-set -e
-VERSION=3.2.0
-if [[ "$1" != "" ]]; then
- VERSION=$1
- shift
-fi
-docker build --pull \
- -t gcr.io/kubeadm-167321/teleport-sidecar:${VERSION} \
- -t gcr.io/kubeadm-167321/teleport-sidecar:latest \
- --cache-from gcr.io/kubeadm-167321/teleport-sidecar:latest \
- --build-arg TELEPORT_VERSION=${VERSION} \
- . $*
-docker push gcr.io/kubeadm-167321/teleport-sidecar:${VERSION}
-docker push gcr.io/kubeadm-167321/teleport-sidecar:latest
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/docker/teleport-sidecar/rootfs/scripts/publish-tokens-hourly.sh b/examples/chart/teleport-demo/docker/teleport-sidecar/rootfs/scripts/publish-tokens-hourly.sh
deleted file mode 100755
index 3efb2a914b678..0000000000000
--- a/examples/chart/teleport-demo/docker/teleport-sidecar/rootfs/scripts/publish-tokens-hourly.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -e
-# run at startup, then every hour after that
-while true; do
- date
- /usr/bin/teleport-publish-tokens
- sleep 3600
-done
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/docker/teleport-sidecar/rootfs/usr/bin/teleport-publish-tokens b/examples/chart/teleport-demo/docker/teleport-sidecar/rootfs/usr/bin/teleport-publish-tokens
deleted file mode 100755
index c04a535ba9bdb..0000000000000
--- a/examples/chart/teleport-demo/docker/teleport-sidecar/rootfs/usr/bin/teleport-publish-tokens
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/usr/bin/env bash
-# This script calls tctl to query the Teleport auth server API and get join tokens for nodes and trusted clusters
-# It then uses kubectl to export the join tokens as Kubernetes secrets so other nodes/clusters in k8s can use them
-# We only generate a trusted cluster join token on the primary (main) cluster, all others must read the secret from there
-set -e
-
-TCTL=/usr/local/bin/tctl
-
-if [ -z ${NAMESPACE} ]; then
- echo "[teleport-publish-tokens] NAMESPACE not set"
- exit 1
-elif [ -z ${CLUSTER_NAME} ]; then
- echo "[teleport-publish-tokens] CLUSTER_NAME not set"
- exit 1
-fi
-
-# If this is the primary cluster, generate a trusted cluster join token to authenticate other trusted clusters joining
-if [[ "${CLUSTER_TYPE}" == "primary" ]]; then
- TRUSTEDCLUSTER_TOKEN=$(uuid)
- mkdir -p /tmp/trustedcluster
- echo "${TRUSTEDCLUSTER_TOKEN}" > /tmp/trustedcluster/join-token
- ${TCTL} nodes add --roles=trusted_cluster --ttl=4h --token=${TRUSTEDCLUSTER_TOKEN}
- kubectl --namespace ${NAMESPACE} create secret generic ${CLUSTER_NAME}-trustedcluster-join-token --from-file=/tmp/trustedcluster/join-token --dry-run -o yaml | kubectl apply -f -
- rm -rf /tmp/trustedcluster
-fi
-
-# Node token authenticates nodes joining the cluster
-NODE_TOKEN=$(uuid)
-mkdir -p /tmp/node
-echo "${NODE_TOKEN}" > /tmp/node/join-token
-${TCTL} nodes add --roles=node --ttl=4h --token=${NODE_TOKEN}
-kubectl --namespace ${NAMESPACE} create secret generic ${CLUSTER_NAME}-node-join-token --from-file=/tmp/node/join-token --dry-run -o yaml | kubectl apply -f -
-rm -rf /tmp/node
-
-# Export CA certificate as a secret so nodes and clusters can use it if needed
-mkdir -p /tmp/ca
-CERT=$(${TCTL} auth export --type=tls)
-echo ${CERT} > /tmp/ca/ca.pem
-kubectl --namespace ${NAMESPACE} create secret generic ${CLUSTER_NAME}-ca --from-file=/tmp/ca/ca.pem --dry-run -o yaml | kubectl apply -f -
-
-# Export CA pin hash as a secret for secure node joins
-CA_PIN_HASH=$(tctl status | grep "CA pin" | awk '{print $3}')
-echo ${CA_PIN_HASH} > /tmp/ca/hash
-kubectl --namespace ${NAMESPACE} create secret generic ${CLUSTER_NAME}-ca-pin --from-file=/tmp/ca/hash --dry-run -o yaml | kubectl apply -f -
-rm -rf /tmp/ca
-
-# If this is a secondary cluster, we need to get the trusted cluster token from the primary that will allow us to register
-if [[ "${CLUSTER_TYPE}" == "secondary" ]]; then
- GOT_PRIMARY_TRUSTEDCLUSTER_JOIN_TOKEN=false
- while [[ "${GOT_PRIMARY_TRUSTEDCLUSTER_JOIN_TOKEN}" != "true" ]]; do
- PRIMARY_TRUSTEDCLUSTER_JOIN_TOKEN=$(kubectl --namespace=${MAIN_CLUSTER_NAME} get secret ${MAIN_CLUSTER_NAME}-trustedcluster-join-token -o jsonpath="{.data['join-token']}" | base64 -d)
- if [ $? -eq 0 ]; then
- if [[ "${PRIMARY_TRUSTEDCLUSTER_JOIN_TOKEN}" != "" ]]; then
- GOT_PRIMARY_TRUSTEDCLUSTER_JOIN_TOKEN=true
- echo "${PRIMARY_TRUSTEDCLUSTER_JOIN_TOKEN}" > /var/lib/teleport/primary-trustedcluster-join-token
- fi
- else
- sleep 5
- fi
- done
-fi
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/gke-init.sh b/examples/chart/teleport-demo/gke-init.sh
deleted file mode 100755
index 591e2a8ba1386..0000000000000
--- a/examples/chart/teleport-demo/gke-init.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/env bash
-# this is needed to give tiller admin permissions on GKE
-kubectl --namespace kube-system create serviceaccount tiller
-kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller
-helm init --service-account tiller --upgrade --force-upgrade --wait
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/secrets b/examples/chart/teleport-demo/secrets
deleted file mode 160000
index 0c98010051f41..0000000000000
--- a/examples/chart/teleport-demo/secrets
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 0c98010051f41721fa97821e76e557d000ae6085
diff --git a/examples/chart/teleport-demo/templates/NOTES.txt b/examples/chart/teleport-demo/templates/NOTES.txt
deleted file mode 100644
index 03c7835ac8027..0000000000000
--- a/examples/chart/teleport-demo/templates/NOTES.txt
+++ /dev/null
@@ -1,72 +0,0 @@ -{{- $mainClusterRoot := include "teleport.fullname" . -}} -{{- $mainClusterName := .Values.mainClusterName -}} -{{- $mainClusterDomain := .Values.cloudflare.domain -}} -{{- $mainClusterNodeRoot := printf ("%s-%s") $mainClusterRoot $mainClusterName -}} -{{- $mainClusterDNS := printf ("%s.%s") $mainClusterNodeRoot $mainClusterDomain -}} -{{- $mainClusterPort := .Values.service.ports.proxyweb.port -}} -{{- if contains "LoadBalancer" .Values.service.type -}} -{{- $mainClusterProxyAddress := printf ("%s:%v") $mainClusterDNS $mainClusterPort -}} -You can access the main cluster's web UI at https://{{ $mainClusterProxyAddress }} -{{- if not (eq (index .Values.extraClusterNames 0) "") }} - -The following extra clusters/nodes have been added as trusted: - -{{- $root := . -}} -{{- range .Values.extraClusterNames -}} -{{- $trustedClusterRoot := include "teleport.fullname" $root -}} -{{- $trustedClusterName := . -}} -{{- $trustedClusterDomain := $root.Values.cloudflare.domain -}} -{{- $trustedClusterNodeRoot := printf ("%s-%s") $trustedClusterRoot $trustedClusterName -}} -{{- $trustedClusterDNS := printf ("%s.%s") $trustedClusterNodeRoot $trustedClusterDomain -}} -{{- $trustedClusterPort := $root.Values.service.ports.proxyweb.port -}} -{{- $trustedClusterProxyAddress := printf ("%s:%v") $trustedClusterDNS $trustedClusterPort }} -- {{ $trustedClusterDNS }} (Web UI: https://{{ $trustedClusterProxyAddress }}) -{{- end -}} -{{- end }} - -You can log into the main cluster with tsh using the following command: -$ tsh --proxy={{ $mainClusterProxyAddress }} login - -List the available nodes like this: -$ tsh ls - -List clusters: -$ tsh clusters - -SSH into a main cluster node with something like this: -$ tsh ssh root@{{ $mainClusterNodeRoot }}-node-0 -{{- if not (eq (index .Values.extraClusterNames 0) "") }} - -You can also SSH to nodes in trusted clusters in a similar manner: -{{- $root := . 
-}} -{{- range .Values.extraClusterNames -}} -{{- $trustedClusterRoot := include "teleport.fullname" $root -}} -{{- $trustedClusterName := . -}} -{{- $trustedClusterDomain := $root.Values.cloudflare.domain -}} -{{- $trustedClusterNodeRoot := printf ("%s-%s") $trustedClusterRoot $trustedClusterName -}} -{{- $trustedClusterDNS := printf ("%s.%s") $trustedClusterNodeRoot $trustedClusterDomain }} -$ tsh ssh --cluster={{ $trustedClusterDNS }} root@{{ $trustedClusterNodeRoot }}-node-0 -{{- end -}} -{{- end -}} -{{- else -}} -{{- $minikubeIP := .Values.minikubeIP -}} -{{- $mainClusterPort := .Values.nodePort.ports.proxyweb.nodePort -}} -{{- $mainClusterProxyAddress := printf ("%s:%v") $minikubeIP $mainClusterPort -}} -You can access the main cluster's web UI at https://{{ $mainClusterProxyAddress }} - -You should 'kubectl exec' into the auth pod and create a local user manually. - -You can log into the main cluster with tsh using the following command -$ tsh --proxy={{ $mainClusterProxyAddress }} login --insecure --auth=local - -List the available nodes like this: -$ tsh ls - -List clusters: -$ tsh clusters - -SSH into a main cluster node with something like this: -$ tsh ssh root@{{ $mainClusterNodeRoot }}-node-0 -{{- end }} - -For more information on Teleport, visit https://gravitational.com/teleport/docs/quickstart diff --git a/examples/chart/teleport-demo/templates/auth-config.yaml b/examples/chart/teleport-demo/templates/auth-config.yaml deleted file mode 100644 index 7308eaf2b7a8a..0000000000000 --- a/examples/chart/teleport-demo/templates/auth-config.yaml +++ /dev/null 
@@ -1,285 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-cluster-config - namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }} - labels: -{{ include "teleport.labels" . | indent 4 }} -data: - teleport.yaml: | - teleport: - log: - output: {{ .Values.config.teleport.log.output }} - severity: {{ .Values.config.teleport.log.severity }} - data_dir: {{ .Values.config.teleport.data_dir }} - storage: - type: {{ .Values.config.teleport.storage.type }} - - auth_service: - enabled: {{ .Values.config.auth_service.enabled }} - license_file: {{ .Values.license.mountPath }}/license.pem - authentication: - type: {{ .Values.config.auth_service.authentication.type }} - public_addr: {{ template "teleport.main.authssh_public_addr" . }} - cluster_name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}.{{ .Values.cloudflare.domain }} - - ssh_service: - enabled: yes - public_addr: 127.0.0.1:3022 - {{- if .Values.teleportLabels.auth.static }} - labels: - {{- range $key, $value := .Values.teleportLabels.auth.static }} - {{ $key }}: {{ $value }} - {{- end }} - {{- end }} - {{- if .Values.teleportLabels.auth.dynamic }} - commands: - {{ toYaml .Values.teleportLabels.auth.dynamic | indent 6 | trim }} - {{- end }} - - proxy_service: - enabled: {{ .Values.config.proxy_service.enabled }} - public_addr: {{ template "teleport.main.proxyweb_public_addr" . }} - ssh_public_addr: {{ template "teleport.main.proxyssh_public_addr" . }} - web_listen_addr: {{ tpl .Values.config.proxy_service.web_listen_addr . }} - listen_addr: {{ tpl .Values.config.proxy_service.listen_addr . }} - {{- if .Values.proxy.tls.enabled }} - https_key_file: /var/lib/certs/privkey.pem - https_cert_file: /var/lib/certs/fullchain.pem - {{- end }} - kubernetes: - enabled: {{ .Values.config.proxy_service.kubernetes.enabled }} - listen_addr: {{ tpl .Values.config.proxy_service.kubernetes.listen_addr . 
}} - public_addr: {{ template "teleport.main.proxykube_public_addr" . }} - oidc.yaml: | - kind: oidc - version: v2 - metadata: - name: {{ .Values.auth0.oidc_connector_name }} - spec: - display: {{ .Values.auth0.display }} - issuer_url: {{ .Values.auth0.issuer_url }} - client_id: {{ .Values.secrets.auth0.client_id }} - client_secret: {{ .Values.secrets.auth0.client_secret }} - redirect_url: https://{{ template "teleport.main.proxyweb_public_addr" . }}/v1/webapi/oidc/callback - - scope: {{ .Values.auth0.scope }} - - claims_to_roles: - {{ toYaml .Values.auth0.claims_to_roles | indent 6 | trim }} - - admin-role.yaml: | - kind: role - version: v3 - metadata: - name: admin - spec: - allow: - logins: [root] - kubernetes_groups: {{ .Values.kubernetes_groups.admin_role }} - node_labels: - '*': '*' - rules: - - resources: - - role - verbs: - - list - - read - - resources: - - auth_connector - verbs: - - list - - create - - resources: - - session - verbs: - - list - - read - - resources: - - trusted_cluster - verbs: - - list - - create - - read - - update - - delete - deny: {} - options: - forward_agent: true - max_session_ttl: 12h0m0s - port_forwarding: false - clusteradmin-role.yaml: | - kind: role - version: v3 - metadata: - name: clusteradmin - spec: - allow: - logins: [root] - kubernetes_groups: {{ .Values.kubernetes_groups.clusteradmin_role }} - node_labels: - '*': '*' - rules: - - resources: - - '*' - verbs: - - '*' - deny: {} - options: - forward_agent: true - max_session_ttl: 12h0m0s - port_forwarding: true - -{{- if not (eq (index .Values.extraClusterNames 0) "") -}} -{{- $root := . -}} -{{- range .Values.extraClusterNames }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "teleport.fullname" $root }}-{{ . }}-cluster-config - namespace: {{ template "teleport.fullname" $root }}-{{ . 
}} - labels: -{{ include "teleport.labels" $root | indent 4 }} -data: - teleport.yaml: | - teleport: - log: - output: {{ $root.Values.config.teleport.log.output }} - severity: {{ $root.Values.config.teleport.log.severity }} - data_dir: {{ $root.Values.config.teleport.data_dir }} - storage: - type: {{ $root.Values.config.teleport.storage.type }} - - auth_service: - enabled: {{ $root.Values.config.auth_service.enabled }} - license_file: /var/lib/license/license.pem - authentication: - type: {{ $root.Values.config.auth_service.authentication.type }} - public_addr: {{ template "teleport.fullname" $root }}-{{ . }}.{{ $root.Values.cloudflare.domain }}:{{ $root.Values.service.ports.authssh.port }} - cluster_name: {{ template "teleport.fullname" $root }}-{{ . }}.{{ $root.Values.cloudflare.domain }} - - ssh_service: - enabled: yes - public_addr: 127.0.0.1:3022 - {{- if $root.Values.teleportLabels.auth.static }} - labels: - {{- range $key, $value := $root.Values.teleportLabels.auth.static }} - {{ $key }}: {{ $value }} - {{- end }} - {{- end }} - {{- if $root.Values.teleportLabels.auth.dynamic }} - commands: - {{ toYaml $root.Values.teleportLabels.auth.dynamic | indent 6 | trim }} - {{- end }} - - proxy_service: - enabled: {{ $root.Values.config.proxy_service.enabled }} - public_addr: {{ template "teleport.fullname" $root }}-{{ . }}.{{ $root.Values.cloudflare.domain }}:{{ $root.Values.service.ports.proxyweb.port }} - web_listen_addr: {{ tpl $root.Values.config.proxy_service.web_listen_addr $root }} - listen_addr: {{ tpl $root.Values.config.proxy_service.listen_addr $root }} - {{- if $root.Values.proxy.tls.enabled }} - https_key_file: /var/lib/certs/privkey.pem - https_cert_file: /var/lib/certs/fullchain.pem - {{- end }} - kubernetes: - enabled: {{ $root.Values.config.proxy_service.kubernetes.enabled }} - listen_addr: {{ tpl $root.Values.config.proxy_service.kubernetes.listen_addr $root }} - public_addr: {{ template "teleport.fullname" $root }}-{{ . 
}}.{{ $root.Values.cloudflare.domain }}:{{ $root.Values.service.ports.proxykube.port }} - trusted_cluster.yaml: | - kind: trusted_cluster - version: v2 - metadata: - name: {{ template "teleport.fullname" $root }}-{{ $root.Values.mainClusterName }}.{{ $root.Values.cloudflare.domain }} - spec: - enabled: true - token: TRUSTEDCLUSTER_JOIN_TOKEN_PLACEHOLDER - tunnel_addr: {{ template "teleport.fullname" $root }}-{{ $root.Values.mainClusterName }}.{{ $root.Values.cloudflare.domain }}:{{ $root.Values.service.ports.proxytunnel.port }} - web_proxy_addr: {{ template "teleport.fullname" $root }}-{{ $root.Values.mainClusterName }}.{{ $root.Values.cloudflare.domain }}:{{ $root.Values.service.ports.proxyweb.port }} - {{- if $root.Values.license.enabled }} - role_map: - - remote: "admin" - local: ["admin"] - - remote: "clusteradmin" - local: ["clusteradmin"] - {{- end }} - oidc.yaml: | - kind: oidc - version: v2 - metadata: - name: {{ $root.Values.auth0.oidc_connector_name }} - spec: - display: {{ $root.Values.auth0.display }} - issuer_url: {{ $root.Values.auth0.issuer_url }} - client_id: {{ $root.Values.secrets.auth0.client_id }} - client_secret: {{ $root.Values.secrets.auth0.client_secret }} - redirect_url: https://{{ template "teleport.fullname" $root }}-{{ . 
}}.{{ $root.Values.cloudflare.domain }}:{{ $root.Values.service.ports.proxyweb.port }}/v1/webapi/oidc/callback - - scope: {{ $root.Values.auth0.scope }} - - claims_to_roles: - {{ toYaml $root.Values.auth0.claims_to_roles | indent 6 | trim }} - - admin-role.yaml: | - kind: role - version: v3 - metadata: - name: admin - spec: - allow: - logins: [root] - kubernetes_groups: {{ $root.Values.kubernetes_groups.admin_role }} - node_labels: - '*': '*' - rules: - - resources: - - role - verbs: - - list - - read - - resources: - - auth_connector - verbs: - - list - - create - - resources: - - session - verbs: - - list - - read - - resources: - - trusted_cluster - verbs: - - list - - create - - read - - update - - delete - deny: {} - options: - forward_agent: true - max_session_ttl: 12h0m0s - port_forwarding: false - clusteradmin-role.yaml: | - kind: role - version: v3 - metadata: - name: clusteradmin - spec: - allow: - logins: [root] - kubernetes_groups: {{ $root.Values.kubernetes_groups.clusteradmin_role }} - node_labels: - '*': '*' - rules: - - resources: - - '*' - verbs: - - '*' - deny: {} - options: - forward_agent: true - max_session_ttl: 12h0m0s - port_forwarding: true -{{- end -}} -{{- end }} \ No newline at end of file diff --git a/examples/chart/teleport-demo/templates/auth-statefulset.yaml b/examples/chart/teleport-demo/templates/auth-statefulset.yaml deleted file mode 100644 index 593b06633ed71..0000000000000 --- a/examples/chart/teleport-demo/templates/auth-statefulset.yaml +++ /dev/null 
@@ -1,328 +0,0 @@ -apiVersion: apps/v1beta1 -kind: StatefulSet -metadata: - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-auth - namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }} - labels: -{{ include "teleport.labels" . | indent 4 }} -{{- if .Values.labels }} -{{ toYaml .Values.labels | indent 4 }} -{{- end }} -spec: - replicas: 1 - template: - metadata: - labels: - app: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - role: auth - annotations: - checksum/config: {{ toYaml .Values.config | sha256sum }} -{{- if .Values.annotations }} -{{ toYaml .Values.annotations | indent 8 }} -{{- end }} - spec: - containers: - - name: auth - namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }} - image: "{{ .Values.auth.image.repository }}:{{ tpl .Values.auth.image.tag . }}" - imagePullPolicy: {{ .Values.auth.image.pullPolicy }} - args: -{{- if .Values.extraArgs }} -{{ toYaml .Values.extraArgs | indent 8 }} -{{- end }} -{{- if not .Values.proxy.tls.enabled }} - - --insecure-no-tls -{{- end }} - livenessProbe: - httpGet: - port: 54321 - path: /healthz - initialDelaySeconds: 5 - periodSeconds: 5 - env: - - name: ROLE - value: auth - - name: CLUSTER_TYPE - value: primary -{{- range $key, $value := .Values.extraVars }} - - name: {{ $key }} - value: {{ $value }} -{{- end }} - # See https://gravitational.com/teleport/docs/admin-guide/#ports - ports: -{{- range $key, $port := .Values.ports.auth }} - - name: {{ $key }} -{{ toYaml $port | indent 10 }} -{{- end }} - resources: -{{ toYaml .Values.resources | indent 10 }} - volumeMounts: -{{- if .Values.proxy.tls.enabled }} - - mountPath: /var/lib/certs - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-tls-web - readOnly: true -{{- end }} - - mountPath: /etc/teleport - name: {{ template "teleport.fullname" . 
}}-{{ .Values.mainClusterName }}-config - readOnly: true -{{- if .Values.license.enabled }} - - mountPath: {{ .Values.license.mountPath }} - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-license - readOnly: true -{{- end }} - - mountPath: /var/lib/teleport - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-storage -{{- if .Values.extraVolumeMounts }} -{{ toYaml .Values.extraVolumeMounts | indent 8 }} -{{- end }} -# sidecar - - name: sidecar - image: "{{ .Values.sidecar.image.repository }}:{{ tpl .Values.sidecar.image.tag . }}" - imagePullPolicy: {{ .Values.sidecar.image.pullPolicy }} -{{- if .Values.sidecar.command }} - command: {{ .Values.sidecar.command }} -{{- end }} -{{- if .Values.sidecar.args }} - args: -{{ toYaml .Values.sidecar.args | indent 8 }} -{{- end }} - env: - - name: ROLE - value: sidecar - - name: CLUSTER_TYPE - value: primary - - name: CLUSTER_NAME - value: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }} - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: -{{ toYaml .Values.resources | indent 10 }} - volumeMounts: -{{- if .Values.proxy.tls.enabled }} - - mountPath: /var/lib/certs - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-tls-web - readOnly: true -{{- end }} - - mountPath: /etc/teleport - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-config - readOnly: true -{{- if .Values.license.enabled }} - - mountPath: {{ .Values.license.mountPath }} - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-license - readOnly: true -{{- end }} - - mountPath: /var/lib/teleport - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-storage -{{- if .Values.extraVolumeMounts }} -{{ toYaml .Values.extraVolumeMounts | indent 8 }} -{{- end }} -# end sidecar - volumes: -{{- if .Values.proxy.tls.enabled }} - - name: {{ template "teleport.fullname" . 
}}-{{ .Values.mainClusterName }}-tls-web - secret: - secretName: tls-web -{{- end }} -{{- if .Values.license.enabled }} - - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-license - secret: - secretName: {{ .Values.license.secretName }} -{{- end }} - - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-config - configMap: - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-cluster-config - - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-storage - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (printf "%s-%s-%s" (include "teleport.fullname" .) .Values.mainClusterName "storage") }} - {{- else }} - emptyDir: {} - {{- end }} -{{- if .Values.extraVolumes }} -{{ toYaml .Values.extraVolumes | indent 6 }} -{{- end }} -{{- if .Values.auth.image.pullSecrets }} - imagePullSecrets: -{{ toYaml .Values.auth.image.pullSecrets | indent 6 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 6 }} -{{- end }} - serviceAccountName: {{ template "teleport.serviceAccountName" . }}-{{ .Values.mainClusterName }} - -{{- if not (eq (index .Values.extraClusterNames 0) "") -}} -{{- $root := . -}} -{{- range .Values.extraClusterNames }} ---- -apiVersion: apps/v1beta1 -kind: StatefulSet -metadata: - name: {{ template "teleport.fullname" $root }}-{{ . }}-auth - namespace: {{ template "teleport.fullname" $root }}-{{ . }} - labels: -{{ include "teleport.labels" $root | indent 4 }} -{{- if $root.Values.labels }} -{{ toYaml $root.Values.labels | indent 4 }} -{{- end }} -spec: - replicas: 1 - template: - metadata: - labels: - app: {{ template "teleport.fullname" $root }}-{{ . 
}} - release: {{ $root.Release.Name }} - heritage: {{ $root.Release.Service }} - role: auth - annotations: - checksum/config: {{ toYaml $root.Values.config | sha256sum }} -{{- if $root.Values.annotations }} -{{ toYaml $root.Values.annotations | indent 8 }} -{{- end }} - spec: - containers: - - name: auth - image: "{{ $root.Values.auth.image.repository }}:{{ tpl $root.Values.auth.image.tag $root }}" - imagePullPolicy: {{ $root.Values.auth.image.pullPolicy }} - args: -{{- if $root.Values.extraArgs }} -{{ toYaml $root.Values.extraArgs | indent 8 }} -{{- end }} -{{- if not $root.Values.proxy.tls.enabled }} - - --insecure-no-tls -{{- end }} - livenessProbe: - httpGet: - port: 54321 - path: /healthz - initialDelaySeconds: 5 - periodSeconds: 5 - env: - - name: ROLE - value: auth - - name: CLUSTER_TYPE - value: secondary -{{- range $key, $value := $root.Values.extraVars }} - - name: {{ $key }} - value: {{ $value }} -{{- end }} - # See https://gravitational.com/teleport/docs/admin-guide/#ports - ports: -{{- range $key, $port := $root.Values.ports.auth }} - - name: {{ $key }} -{{ toYaml $port | indent 10 }} -{{- end }} - resources: -{{ toYaml $root.Values.resources | indent 10 }} - volumeMounts: -{{- if $root.Values.proxy.tls.enabled }} - - mountPath: /var/lib/certs - name: {{ template "teleport.fullname" $root }}-tls-web - readOnly: true -{{- end }} - - mountPath: /etc/teleport - name: {{ template "teleport.fullname" $root }}-{{ . }}-config - readOnly: true -{{- if $root.Values.license.enabled }} - - mountPath: {{ $root.Values.license.mountPath }} - name: {{ template "teleport.fullname" $root }}-license - readOnly: true -{{- end }} - - mountPath: /var/lib/teleport - name: {{ template "teleport.fullname" $root }}-{{ . 
}}-storage -{{- if $root.Values.extraVolumeMounts }} -{{ toYaml $root.Values.extraVolumeMounts | indent 8 }} -{{- end }} -# sidecar - - name: sidecar - image: "{{ $root.Values.sidecar.image.repository }}:{{ tpl $root.Values.sidecar.image.tag $root }}" - imagePullPolicy: {{ $root.Values.sidecar.image.pullPolicy }} -{{- if $root.Values.sidecar.command }} - command: {{ $root.Values.sidecar.command }} -{{- end }} -{{- if $root.Values.sidecar.args }} - args: -{{ toYaml $root.Values.sidecar.args | indent 8 }} -{{- end }} - env: - - name: ROLE - value: sidecar - - name: CLUSTER_TYPE - value: secondary - - name: MAIN_CLUSTER_NAME - value: {{ template "teleport.fullname" $root }}-{{ $root.Values.mainClusterName }} - - name: CLUSTER_NAME - value: {{ template "teleport.fullname" $root }}-{{ . }} - - name: NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: -{{ toYaml $root.Values.resources | indent 10 }} - volumeMounts: -{{- if $root.Values.proxy.tls.enabled }} - - mountPath: /var/lib/certs - name: {{ template "teleport.fullname" $root }}-tls-web - readOnly: true -{{- end }} - - mountPath: /etc/teleport - name: {{ template "teleport.fullname" $root }}-{{ . }}-config - readOnly: true -{{- if $root.Values.license.enabled }} - - mountPath: {{ $root.Values.license.mountPath }} - name: {{ template "teleport.fullname" $root }}-license - readOnly: true -{{- end }} - - mountPath: /var/lib/teleport - name: {{ template "teleport.fullname" $root }}-{{ . 
}}-storage -{{- if $root.Values.extraVolumeMounts }} -{{ toYaml $root.Values.extraVolumeMounts | indent 8 }} -{{- end }} -# end sidecar - volumes: -{{- if $root.Values.proxy.tls.enabled }} - - name: {{ template "teleport.fullname" $root }}-tls-web - secret: - secretName: tls-web -{{- end }} -{{- if $root.Values.license.enabled }} - - name: {{ template "teleport.fullname" $root }}-license - secret: - secretName: {{ $root.Values.license.secretName }} -{{- end }} - - name: {{ template "teleport.fullname" $root }}-{{ . }}-config - configMap: - name: {{ template "teleport.fullname" $root }}-{{ . }}-cluster-config - - name: {{ template "teleport.fullname" $root }}-{{ . }}-storage - {{- if $root.Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ $root.Values.persistence.existingClaim | default (printf "%s-%s-%s" (include "teleport.fullname" $root) . "storage") }} - {{- else }} - emptyDir: {} - {{- end }} -{{- if $root.Values.extraVolumes }} -{{ toYaml $root.Values.extraVolumes | indent 6 }} -{{- end }} -{{- if $root.Values.auth.image.pullSecrets }} - imagePullSecrets: -{{ toYaml $root.Values.auth.image.pullSecrets | indent 6 }} -{{- end }} -{{- if $root.Values.affinity }} - affinity: -{{ toYaml $root.Values.affinity | indent 8 }} -{{- end }} -{{- if $root.Values.tolerations }} - tolerations: -{{ toYaml $root.Values.tolerations | indent 6 }} -{{- end }} - serviceAccountName: {{ template "teleport.serviceAccountName" $root }}-{{ . }} -{{- end -}} -{{- end }} \ No newline at end of file diff --git a/examples/chart/teleport-demo/templates/cloudflare-agent-job.yaml b/examples/chart/teleport-demo/templates/cloudflare-agent-job.yaml deleted file mode 100644 index 39344dacc1eb6..0000000000000 --- a/examples/chart/teleport-demo/templates/cloudflare-agent-job.yaml +++ /dev/null 
@@ -1,265 +0,0 @@
-kind: Job
-apiVersion: batch/v1
-metadata:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-cloudflare-agent
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
-{{- if .Values.labels }}
-{{ toYaml .Values.labels | indent 4 }}
-{{- end }}
-spec:
- template:
- metadata:
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
- app: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-cloudflare-agent
- spec:
- containers:
- - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-cloudflare-agent
- image: {{ .Values.cloudflareagent.image.repository }}:{{ tpl .Values.cloudflareagent.image.tag . }}
- imagePullPolicy: {{ .Values.cloudflareagent.image.pullPolicy }}
- env:
- - name: API_VERSION
- value: "{{ .Values.cloudflare.apiVersion }}"
- - name: CLUSTER_NAME
- value: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- - name: CLUSTER_TYPE
- value: primary
- - name: CLOUDFLARE_DOMAIN
- value: "{{ .Values.cloudflare.domain }}"
- - name: LETSENCRYPT_EMAIL
- value: "{{ .Values.letsencrypt.email }}"
- - name: MODE
- value: create
- - name: SERVICE_NAME
- value: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- {{- if .Values.cloudflare.ttl }}
- - name: CLOUDFLARE_TTL
- value: "{{ .Values.cloudflare.ttl }}"
- {{- end }}
- volumeMounts:
- - mountPath: /etc/cloudflare
- name: cloudflare-credentials
- readOnly: true
- - mountPath: /etc/teleport-tls
- name: teleport-tls
- readOnly: true
- volumes:
- - name: cloudflare-credentials
- secret:
- secretName: cloudflare-credentials
- - name: teleport-tls
- secret:
- secretName: {{ template "teleport.fullname" .
}}-{{ .Values.mainClusterName }}-tls-config
- restartPolicy: Never
-{{- if .Values.cloudflareagent.image.pullSecrets }}
- imagePullSecrets:
-{{ toYaml .Values.cloudflareagent.image.pullSecrets | indent 6 }}
-{{- end }}
-{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
-{{- end }}
-{{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 6 }}
-{{- end }}
- serviceAccountName: {{ template "teleport.serviceAccountName" . }}-{{ .Values.mainClusterName }}
- backoffLimit: 0
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-cloudflare-cleaner
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-delete"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-spec:
- template:
- metadata:
- namespace: {{ .Release.Namespace }}
- labels:
- app: cloudflare-cleaner
- spec:
- containers:
- - name: cloudflare-cleaner
- image: {{ .Values.cloudflareagent.image.repository }}:{{ tpl .Values.cloudflareagent.image.tag . }}
- imagePullPolicy: {{ .Values.cloudflareagent.image.pullPolicy }}
- env:
- - name: API_VERSION
- value: "{{ .Values.cloudflare.apiVersion }}"
- - name: CLUSTER_NAME
- value: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- - name: CLUSTER_TYPE
- value: primary
- - name: CLOUDFLARE_DOMAIN
- value: "{{ .Values.cloudflare.domain }}"
- - name: MODE
- value: delete
- volumeMounts:
- - mountPath: /etc/cloudflare
- name: cloudflare-credentials
- readOnly: true
- volumes:
- - name: cloudflare-credentials
- secret:
- secretName: {{ template "teleport.fullname" .
}}-cloudflare-credentials
- restartPolicy: Never
-{{- if .Values.cloudflareagent.image.pullSecrets }}
- imagePullSecrets:
-{{ toYaml .Values.cloudflareagent.image.pullSecrets | indent 6 }}
-{{- end }}
-{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
-{{- end }}
-{{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 6 }}
-{{- end }}
- serviceAccountName: {{ template "teleport.serviceAccountName" . }}-cleaner
- backoffLimit: 0
-
-{{- if not (eq (index .Values.extraClusterNames 0) "") -}}
-{{- $root := . -}}
-{{- range .Values.extraClusterNames }}
----
-kind: Job
-apiVersion: batch/v1
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{ . }}-cloudflare-agent
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
-{{- if $root.Values.labels }}
-{{ toYaml $root.Values.labels | indent 4 }}
-{{- end }}
-spec:
- template:
- metadata:
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
- app: {{ template "teleport.fullname" $root }}-{{ . }}-cloudflare-agent
- spec:
- containers:
- - name: {{ template "teleport.fullname" $root }}-{{ . }}-cloudflare-agent
- image: {{ $root.Values.cloudflareagent.image.repository }}:{{ tpl $root.Values.cloudflareagent.image.tag $root }}
- imagePullPolicy: {{ $root.Values.cloudflareagent.image.pullPolicy }}
- env:
- - name: API_VERSION
- value: "{{ $root.Values.cloudflare.apiVersion }}"
- - name: CLUSTER_NAME
- value: {{ template "teleport.fullname" $root }}-{{ . }}
- - name: CLUSTER_TYPE
- value: secondary
- - name: CLOUDFLARE_DOMAIN
- value: "{{ $root.Values.cloudflare.domain }}"
- - name: LETSENCRYPT_EMAIL
- value: "{{ $root.Values.letsencrypt.email }}"
- - name: MODE
- value: create
- - name: SERVICE_NAME
- value: {{ template "teleport.fullname" $root }}-{{ .
}}
- - name: NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- {{- if $root.Values.cloudflare.ttl }}
- - name: CLOUDFLARE_TTL
- value: "{{ $root.Values.cloudflare.ttl }}"
- {{- end }}
- volumeMounts:
- - mountPath: /etc/cloudflare
- name: cloudflare-credentials
- readOnly: true
- - mountPath: /etc/teleport-tls
- name: teleport-tls
- readOnly: true
- volumes:
- - name: cloudflare-credentials
- secret:
- secretName: cloudflare-credentials
- - name: teleport-tls
- secret:
- secretName: {{ template "teleport.fullname" $root }}-{{ . }}-tls-config
- restartPolicy: Never
-{{- if $root.Values.cloudflareagent.image.pullSecrets }}
- imagePullSecrets:
-{{ toYaml $root.Values.cloudflareagent.image.pullSecrets | indent 6 }}
-{{- end }}
-{{- if $root.Values.affinity }}
- affinity:
-{{ toYaml $root.Values.affinity | indent 8 }}
-{{- end }}
-{{- if $root.Values.tolerations }}
- tolerations:
-{{ toYaml $root.Values.tolerations | indent 6 }}
-{{- end }}
- serviceAccountName: {{ template "teleport.serviceAccountName" $root }}-{{ . }}
- backoffLimit: 0
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{ . }}-cloudflare-cleaner
- namespace: {{ $root.Release.Namespace }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-delete"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-spec:
- template:
- metadata:
- namespace: {{ $root.Release.Namespace }}
- labels:
- app: cloudflare-cleaner
- spec:
- containers:
- - name: cloudflare-cleaner
- image: {{ $root.Values.cloudflareagent.image.repository }}:{{ tpl $root.Values.cloudflareagent.image.tag $root }}
- imagePullPolicy: {{ $root.Values.cloudflareagent.image.pullPolicy }}
- env:
- - name: API_VERSION
- value: "{{ $root.Values.cloudflare.apiVersion }}"
- - name: CLUSTER_NAME
- value: {{ template "teleport.fullname" $root }}-{{ .
}}
- - name: CLUSTER_TYPE
- value: secondary
- - name: CLOUDFLARE_DOMAIN
- value: "{{ $root.Values.cloudflare.domain }}"
- - name: MODE
- value: delete
- volumeMounts:
- - mountPath: /etc/cloudflare
- name: cloudflare-credentials
- readOnly: true
- volumes:
- - name: cloudflare-credentials
- secret:
- secretName: {{ template "teleport.fullname" $root }}-cloudflare-credentials
- restartPolicy: Never
-{{- if $root.Values.cloudflareagent.image.pullSecrets }}
- imagePullSecrets:
-{{ toYaml $root.Values.cloudflareagent.image.pullSecrets | indent 6 }}
-{{- end }}
-{{- if $root.Values.affinity }}
- affinity:
-{{ toYaml $root.Values.affinity | indent 8 }}
-{{- end }}
-{{- if $root.Values.tolerations }}
- tolerations:
-{{ toYaml $root.Values.tolerations | indent 6 }}
-{{- end }}
- serviceAccountName: {{ template "teleport.serviceAccountName" $root }}-cleaner
- backoffLimit: 0
-{{- end -}}
-{{- end }}
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/templates/generic/_helpers.tpl b/examples/chart/teleport-demo/templates/generic/_helpers.tpl
deleted file mode 100644
index f5d61fab270cf..0000000000000
--- a/examples/chart/teleport-demo/templates/generic/_helpers.tpl
+++ /dev/null
@@ -1,98 +0,0 @@
-{{/* vim: set filetype=mustache: */}}
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "teleport.name" -}}
-{{- default .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "teleport.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Release.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "teleport.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "teleport.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create -}}
- {{ default (include "teleport.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
- {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
-
-{{/* Manage the labels for each entity */}}
-{{- define "teleport.labels" -}}
-app: {{ template "teleport.fullname" . }}
-fullname: {{ template "teleport.fullname" . }}
-chart: {{ template "teleport.chart" .
}}
-release: {{ .Release.Name }}
-heritage: {{ .Release.Service }}
-{{- end -}}
-
-{{/* Public authssh address should be set according to ServiceType */}}
-{{- define "teleport.main.authssh_public_addr" -}}
-{{ $.clusterName }}
-{{- if contains "LoadBalancer" $.Values.service.type -}}
-{{ template "teleport.fullname" $ }}-{{ $.Values.mainClusterName }}.{{ $.Values.cloudflare.domain }}:{{ $.Values.service.ports.authssh.port }}
-{{- else -}}
-{{ $.Values.minikubeIP }}:{{ $.Values.nodePort.ports.authssh.nodePort }}
-{{- end -}}
-{{- end -}}
-
-{{/* Public proxyweb address should be set according to ServiceType */}}
-{{- define "teleport.main.proxyweb_public_addr" -}}
-{{- if contains "LoadBalancer" .Values.service.type -}}
-{{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}.{{ .Values.cloudflare.domain }}:{{ .Values.service.ports.proxyweb.port }}
-{{- else -}}
-{{ .Values.minikubeIP }}:{{ .Values.nodePort.ports.proxyweb.nodePort }}
-{{- end -}}
-{{- end -}}
-
-{{/* Public proxykube address should be set according to ServiceType */}}
-{{- define "teleport.main.proxykube_public_addr" -}}
-{{- if contains "LoadBalancer" .Values.service.type -}}
-{{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}.{{ .Values.cloudflare.domain }}:{{ .Values.service.ports.proxykube.port }}
-{{- else -}}
-{{ .Values.minikubeIP }}:{{ .Values.nodePort.ports.proxykube.nodePort }}
-{{- end -}}
-{{- end -}}
-
-{{/* Public proxyssh address should be set according to ServiceType */}}
-{{- define "teleport.main.proxyssh_public_addr" -}}
-{{- if contains "LoadBalancer" .Values.service.type -}}
-{{ template "teleport.fullname" .
}}-{{ .Values.mainClusterName }}.{{ .Values.cloudflare.domain }}:{{ .Values.service.ports.proxyssh.port }}
-{{- else -}}
-{{ .Values.minikubeIP }}:{{ .Values.nodePort.ports.proxyssh.nodePort }}
-{{- end -}}
-{{- end -}}
-
-{{/* Public proxytunnel address should be set according to ServiceType */}}
-{{- define "teleport.main.proxytunnel_public_addr" -}}
-{{- if contains "LoadBalancer" .Values.service.type -}}
-{{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}.{{ .Values.cloudflare.domain }}:{{ .Values.service.ports.proxytunnel.port }}
-{{- else -}}
-{{ .Values.minikubeIP }}:{{ .Values.nodePort.ports.proxytunnel.nodePort }}
-{{- end -}}
-{{- end -}}
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/templates/generic/clusterrole.yaml b/examples/chart/teleport-demo/templates/generic/clusterrole.yaml
deleted file mode 100644
index 4f830acca687b..0000000000000
--- a/examples/chart/teleport-demo/templates/generic/clusterrole.yaml
+++ /dev/null
@@ -1,133 +0,0 @@
-{{- if .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ template "teleport.fullname" . }}-cleaner
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-rules:
-- apiGroups:
- - ""
- resources:
- - namespaces
- resourceNames:
- - {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- {{- if not (eq (index .Values.extraClusterNames 0) "") -}}
- {{- $root := . -}}
- {{- range .Values.extraClusterNames }}
- - {{ template "teleport.fullname" $root }}-{{ . }}
- {{- end -}}
- {{- end }}
- verbs:
- - delete
- - get
-- apiGroups:
- - ""
- resources:
- - secrets
- resourceNames:
- - {{ template "teleport.fullname" . }}-cloudflare-credentials
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
-- apiGroups:
- - ""
- resources:
- - secrets
- resourceNames:
- - tls-web
- - {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-trustedcluster-join-token
- - {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-node-join-token
- - {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-ca
- - {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-ca-pin
- verbs:
- - delete
- - get
- - list
- - patch
- - watch
-- apiGroups:
- - ""
- resources:
- - services
- resourceNames:
- - {{ template "teleport.fullname" .
}}-{{ .Values.mainClusterName }}
- verbs:
- - get
- - list
- - watch
-
-{{- if not (eq (index .Values.extraClusterNames 0) "") -}}
-{{- $root := . -}}
-{{- range .Values.extraClusterNames }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-rules:
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
-- apiGroups:
- - ""
- resources:
- - secrets
- resourceNames:
- - tls-web
- - {{ template "teleport.fullname" $root }}-{{ $root.Values.mainClusterName }}-trustedcluster-join-token
- - {{ template "teleport.fullname" $root }}-{{ . }}-node-join-token
- - {{ template "teleport.fullname" $root }}-{{ . }}-ca
- - {{ template "teleport.fullname" $root }}-{{ . }}-ca-pin
- verbs:
- - delete
- - get
- - list
- - patch
- - watch
-- apiGroups:
- - ""
- resources:
- - services
- resourceNames:
- - {{ template "teleport.fullname" $root }}-{{ . }}
- verbs:
- - get
- - list
- - watch
-{{- end }}
-{{- end -}}
-{{- end -}}
diff --git a/examples/chart/teleport-demo/templates/generic/clusterrolebinding.yaml b/examples/chart/teleport-demo/templates/generic/clusterrolebinding.yaml
deleted file mode 100644
index 1da111912262b..0000000000000
--- a/examples/chart/teleport-demo/templates/generic/clusterrolebinding.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-{{- if .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "teleport.fullname" . }}-cleaner
- labels:
-{{ include "teleport.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "teleport.fullname" . }}-cleaner
-subjects:
-- kind: ServiceAccount
- name: {{ template "teleport.serviceAccountName" . }}-cleaner
- namespace: {{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
-subjects:
-- kind: ServiceAccount
- name: {{ template "teleport.serviceAccountName" . }}-{{ .Values.mainClusterName }}
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
-{{- if not (eq (index .Values.extraClusterNames 0) "") -}}
-{{- $root := . -}}
-{{- range .Values.extraClusterNames }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "teleport.fullname" $root }}-{{ . }}
-subjects:
-- kind: ServiceAccount
- name: {{ template "teleport.serviceAccountName" $root }}-{{ .
}}
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
-{{- end -}}
-{{- end -}}
-{{- end }}
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/templates/generic/namespace.yaml b/examples/chart/teleport-demo/templates/generic/namespace.yaml
deleted file mode 100644
index 5a11a7f1f1c8d..0000000000000
--- a/examples/chart/teleport-demo/templates/generic/namespace.yaml
+++ /dev/null
@@ -1,70 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" .| indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-10"
-
-{{- if not (eq (index .Values.extraClusterNames 0) "") -}}
-{{- $root := . -}}
-{{- range .Values.extraClusterNames }}
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-10"
-{{- end -}}
-{{- end }}
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: namespace-cleaner
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "post-delete"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-spec:
- template:
- metadata:
- namespace: {{ .Release.Namespace }}
- labels:
- app: namespace-cleaner
- spec:
- containers:
- - name: namespace-cleaner
- image: {{ .Values.namespacecleaner.image.repository }}:{{ tpl .Values.namespacecleaner.image.tag . }}
- imagePullPolicy: {{ .Values.namespacecleaner.image.pullPolicy }}
- args:
- - {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- {{- if not (eq (index .Values.extraClusterNames 0) "") -}}
- {{- $root := . -}}
- {{- range .Values.extraClusterNames }}
- - {{ template "teleport.fullname" $root }}-{{ . }}
- {{- end -}}
- {{- end }}
- restartPolicy: Never
-{{- if .Values.namespacecleaner.image.pullSecrets }}
- imagePullSecrets:
-{{ toYaml .Values.namespacecleaner.image.pullSecrets | indent 6 }}
-{{- end }}
-{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
-{{- end }}
-{{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 6 }}
-{{- end }}
- serviceAccountName: {{ template "teleport.serviceAccountName" .
}}-cleaner
- backoffLimit: 0
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/templates/generic/pv.yaml b/examples/chart/teleport-demo/templates/generic/pv.yaml
deleted file mode 100644
index be61d11ea53d0..0000000000000
--- a/examples/chart/teleport-demo/templates/generic/pv.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-{{- if .Values.persistence.pdName -}}
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: {{ .Values.persistence.pdName }}-{{ .Values.mainClusterName }}
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
-spec:
- capacity:
- storage: {{ .Values.persistence.storageSize }}
- accessModes:
- - ReadWriteOnce
- claimRef:
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-storage
- gcePersistentDisk:
- pdName: {{ .Values.persistence.pdName }}
- fsType: {{ .Values.persistence.fsType }}
-
-{{- if not (eq (index .Values.extraClusterNames 0) "") -}}
-{{- $root := . -}}
-{{- range .Values.extraClusterNames }}
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{ $root.Values.persistence.pdName }}-{{ . }}
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
-spec:
- capacity:
- storage: {{ $root.Values.persistence.storageSize }}
- accessModes:
- - ReadWriteOnce
- claimRef:
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- name: {{ template "teleport.fullname" $root }}-{{ . }}-storage
- gcePersistentDisk:
- pdName: {{ $root.Values.persistence.pdName }}-{{ . }}
- fsType: {{ $root.Values.persistence.fsType }}
-{{- end -}}
-{{- end -}}
-{{- end }}
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/templates/generic/pvc.yaml b/examples/chart/teleport-demo/templates/generic/pvc.yaml
deleted file mode 100644
index 3a42264635c3e..0000000000000
--- a/examples/chart/teleport-demo/templates/generic/pvc.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-storage
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
-{{- if .Values.persistence.annotations }}
- annotations:
-{{ toYaml .Values.persistence.annotations | indent 4 }}
-{{- end }}
-spec:
- accessModes:
- - {{ .Values.persistence.accessMode | quote }}
- resources:
- requests:
- storage: {{ .Values.persistence.storageSize | quote }}
-{{- if .Values.persistence.storageClass }}
-{{- if (eq "-" .Values.persistence.storageClass) }}
- storageClassName: ""
-{{- else }}
- storageClassName: "{{ .Values.persistence.storageClass }}"
-{{- end }}
-{{- end }}
-
-{{- if not (eq (index .Values.extraClusterNames 0) "") -}}
-{{- $root := . -}}
-{{- range .Values.extraClusterNames }}
----
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{ . }}-storage
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
-{{- if $root.Values.persistence.annotations }}
- annotations:
-{{ toYaml $root.Values.persistence.annotations | indent 4 }}
-{{- end }}
-spec:
- accessModes:
- - {{ $root.Values.persistence.accessMode | quote }}
- resources:
- requests:
- storage: {{ $root.Values.persistence.storageSize | quote }}
-{{- if $root.Values.persistence.storageClass }}
-{{- if (eq "-" $root.Values.persistence.storageClass) }}
- storageClassName: ""
-{{- else }}
- storageClassName: "{{ $root.Values.persistence.storageClass }}"
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end }}
diff --git a/examples/chart/teleport-demo/templates/generic/secret.yaml b/examples/chart/teleport-demo/templates/generic/secret.yaml
deleted file mode 100644
index 4e0abd423d901..0000000000000
--- a/examples/chart/teleport-demo/templates/generic/secret.yaml
+++ /dev/null
@@ -1,119 +0,0 @@
-# put cloudflare credentials in release namespace for use in a post-delete hook
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "teleport.fullname" . }}-cloudflare-credentials
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
-{{- if .Values.labels }}
-{{ toYaml .Values.labels | indent 4 }}
-{{- end }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-1"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-type: Opaque
-data:
- api_key: {{ .Values.secrets.cloudflare.api_key | b64enc | quote }}
- email: {{ .Values.secrets.cloudflare.email | b64enc | quote }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-tls-config
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
-{{- if .Values.labels }}
-{{ toYaml .Values.labels | indent 4 }}
-{{- end }}
-type: Opaque
-data:
- # we want a non-quoted boolean value encoded as base64
- enabled: {{ .Values.proxy.tls.enabled | quote | replace "\"" "" | b64enc }}
- letsencrypt-enabled: {{ .Values.letsencrypt.enabled | quote | replace "\"" "" | b64enc }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: cloudflare-credentials
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
-{{- if .Values.labels }}
-{{ toYaml .Values.labels | indent 4 }}
-{{- end }}
-type: Opaque
-data:
- api_key: {{ .Values.secrets.cloudflare.api_key | b64enc | quote }}
- email: {{ .Values.secrets.cloudflare.email | b64enc | quote }}
----
-{{- if .Values.license.enabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: teleport-license
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" .
| indent 4 }}
-{{- if .Values.labels }}
-{{ toYaml .Values.labels | indent 4 }}
-{{- end }}
-type: Opaque
-data:
- license.pem: {{ .Values.secrets.license | b64enc }}
-{{- end -}}
-
-{{- if not (eq (index .Values.extraClusterNames 0) "") -}}
-{{- $root := . -}}
-{{- range .Values.extraClusterNames }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{ . }}-tls-config
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
-{{- if $root.Values.labels }}
-{{ toYaml $root.Values.labels | indent 4 }}
-{{- end }}
-type: Opaque
-data:
- # we want a non-quoted boolean value encoded as base64
- enabled: {{ $root.Values.proxy.tls.enabled | quote | replace "\"" "" | b64enc }}
- letsencrypt-enabled: {{ $root.Values.letsencrypt.enabled | quote | replace "\"" "" | b64enc }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: cloudflare-credentials
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
-{{- if $root.Values.labels }}
-{{ toYaml $root.Values.labels | indent 4 }}
-{{- end }}
-type: Opaque
-data:
- api_key: {{ $root.Values.secrets.cloudflare.api_key | b64enc | quote }}
- email: {{ $root.Values.secrets.cloudflare.email | b64enc | quote }}
----
-{{- if $root.Values.license.enabled -}}
-apiVersion: v1
-kind: Secret
-metadata:
- name: teleport-license
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
-{{- if $root.Values.labels }}
-{{ toYaml $root.Values.labels | indent 4 }}
-{{- end }}
-type: Opaque
-data:
- license.pem: {{ $root.Values.secrets.license | b64enc }}
-{{- end -}}
-{{- end -}}
-{{- end }}
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/templates/generic/service.yaml b/examples/chart/teleport-demo/templates/generic/service.yaml
deleted file mode 100644
index 456a132d4ad34..0000000000000
--- a/examples/chart/teleport-demo/templates/generic/service.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
-{{- if .Values.service.labels }}
-{{ toYaml .Values.service.annotations | indent 4 }}
-{{- end }}
-{{- if .Values.service.annotations }}
- annotations:
-{{ toYaml .Values.service.annotations | indent 4 }}
-{{- end }}
-spec:
- type: {{ .Values.service.type }}
- {{- if contains "LoadBalancer" .Values.service.type }}
- externalTrafficPolicy: Local
- ports:
- {{- range $key, $value := .Values.service.ports }}
- - name: {{ $key }}
-{{ toYaml $value | indent 6 }}
- {{- end -}}
- {{- else }}
- ports:
- {{- range $key, $value := .Values.nodePort.ports }}
- - name: {{ $key }}
-{{ toYaml $value | indent 6 }}
- {{- end }}
- {{- end }}
- selector:
- app: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- release: {{ .Release.Name }}
- role: auth
-
-{{- if not (eq (index .Values.extraClusterNames 0) "") -}}
-{{- $root := . -}}
-{{- range .Values.extraClusterNames }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{ . }}
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
-{{- if $root.Values.service.labels }}
-{{ toYaml $root.Values.service.annotations | indent 4 }}
-{{- end }}
-{{- if $root.Values.service.annotations }}
- annotations:
-{{ toYaml $root.Values.service.annotations | indent 4 }}
-{{- end }}
-spec:
- type: {{ $root.Values.service.type }}
- {{- if contains "LoadBalancer" $root.Values.service.type }}
- externalTrafficPolicy: Local
- {{- end }}
- ports:
- {{- range $key, $value := $root.Values.service.ports }}
- - name: {{ $key }}
-{{ toYaml $value | indent 6 }}
- {{- end }}
- selector:
- app: {{ template "teleport.fullname" $root }}-{{ .
}}
- release: {{ $root.Release.Name }}
- role: auth
-{{- end -}}
-{{- end }}
diff --git a/examples/chart/teleport-demo/templates/generic/serviceaccount.yaml b/examples/chart/teleport-demo/templates/generic/serviceaccount.yaml
deleted file mode 100644
index ccf3d4fcf5d8e..0000000000000
--- a/examples/chart/teleport-demo/templates/generic/serviceaccount.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "teleport.serviceAccountName" . }}-cleaner
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "teleport.serviceAccountName" . }}-{{ .Values.mainClusterName }}
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-{{- if .Values.serviceAccount.imagePullSecrets }}
-imagePullSecrets:
-{{ toYaml .Values.serviceAccount.imagePullSecrets | indent 2 }}
-{{- end }}
-
-{{- if not (eq (index .Values.extraClusterNames 0) "") -}}
-{{- $root := . -}}
-{{- range .Values.extraClusterNames }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "teleport.serviceAccountName" $root }}-{{ . }}
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-{{- if $root.Values.serviceAccount.imagePullSecrets }}
-imagePullSecrets:
-{{ toYaml $root.Values.serviceAccount.imagePullSecrets | indent 2 }}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end }}
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/templates/generic/teleport-k8s.yaml b/examples/chart/teleport-demo/templates/generic/teleport-k8s.yaml
deleted file mode 100644
index fb4c3b3360d6d..0000000000000
--- a/examples/chart/teleport-demo/templates/generic/teleport-k8s.yaml
+++ /dev/null
@@ -1,124 +0,0 @@
-{{- if .Values.rbac.create -}}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ template "teleport.fullname" . }}-impersonator
- labels:
-{{ include "teleport.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-rules:
-- apiGroups:
- - ""
- resources:
- - users
- - serviceaccounts
- - groups
- verbs:
- - impersonate
-- apiGroups:
- - "authorization.k8s.io"
- resources:
- - selfsubjectaccessreviews
- verbs:
- - create
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ template "teleport.fullname" . }}-teleport-admin-role
- labels:
-{{ include "teleport.labels" . | indent 4 }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-rules:
-- apiGroups:
- - ""
- resources:
- - pods
- - jobs
- - services
- - statefulsets
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-impersonator
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "teleport.fullname" . }}-impersonator
-subjects:
-- kind: ServiceAccount
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-teleport-admin-role
- namespace: {{ template "teleport.fullname" .
}}-{{ .Values.mainClusterName }}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "teleport.fullname" . }}-teleport-admin-role
-subjects:
-- kind: Group
- name: teleport-users
-
-{{- if not (eq (index .Values.extraClusterNames 0) "") -}}
-{{- $root := . -}}
-{{- range .Values.extraClusterNames }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{.}}-impersonator
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "teleport.fullname" $root }}-impersonator
-subjects:
-- kind: ServiceAccount
- name: {{ template "teleport.fullname" $root }}-{{.}}
- namespace: {{ template "teleport.fullname" $root }}-{{.}}
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{.}}-teleport-admin-role
- namespace: {{ template "teleport.fullname" $root }}-{{.}}
- annotations:
- "helm.sh/hook": "pre-install"
- "helm.sh/hook-weight": "-3"
- "helm.sh/hook-delete-policy": "before-hook-creation"
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "teleport.fullname" $root }}-teleport-admin-role
-subjects:
-- kind: Group
- name: teleport-users
-{{- end -}}
-{{- end -}}
-{{- end }}
diff --git a/examples/chart/teleport-demo/templates/node-config.yaml b/examples/chart/teleport-demo/templates/node-config.yaml
deleted file mode 100644
index df32bbd50acfe..0000000000000
--- a/examples/chart/teleport-demo/templates/node-config.yaml
+++ /dev/null
@@ -1,85 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-node-config
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
-data:
- teleport.yaml: |
- teleport:
- log:
- output: {{ .Values.config.teleport.log.output }}
- severity: {{ .Values.config.teleport.log.severity }}
- data_dir: {{ .Values.config.teleport.data_dir }}
- storage:
- type: {{ .Values.config.teleport.storage.type }}
- auth_servers:
- - {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}:3025
- auth_token: NODE_JOIN_TOKEN_PLACEHOLDER
- ca_pin: CA_PIN_HASH_PLACEHOLDER
-
- auth_service:
- enabled: no
-
- ssh_service:
- enabled: yes
- {{- if .Values.teleportLabels.node.static }}
- labels:
- {{- range $key, $value := .Values.teleportLabels.node.static }}
- {{ $key }}: {{ $value }}
- {{- end }}
- {{- end }}
- {{- if .Values.teleportLabels.node.dynamic }}
- commands:
- {{ toYaml .Values.teleportLabels.node.dynamic | indent 6 | trim }}
- {{- end }}
-
- proxy_service:
- enabled: no
-
-{{- if not (eq (index .Values.extraClusterNames 0) "") -}}
-{{- $root := . -}}
-{{- range .Values.extraClusterNames }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{ . }}-node-config
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
-data:
- teleport.yaml: |
- teleport:
- log:
- output: {{ $root.Values.config.teleport.log.output }}
- severity: {{ $root.Values.config.teleport.log.severity }}
- data_dir: {{ $root.Values.config.teleport.data_dir }}
- storage:
- type: {{ $root.Values.config.teleport.storage.type }}
- auth_servers:
- - {{ template "teleport.fullname" $root }}-{{ .
}}:3025
- auth_token: NODE_JOIN_TOKEN_PLACEHOLDER
- ca_pin: CA_PIN_HASH_PLACEHOLDER
-
- auth_service:
- enabled: no
-
- ssh_service:
- enabled: yes
- {{- if $root.Values.teleportLabels.node.static }}
- labels:
- {{- range $key, $value := $root.Values.teleportLabels.node.static }}
- {{ $key }}: {{ $value }}
- {{- end }}
- {{- end }}
- {{- if $root.Values.teleportLabels.node.dynamic }}
- commands:
- {{ toYaml $root.Values.teleportLabels.node.dynamic | indent 6 | trim }}
- {{- end }}
-
- proxy_service:
- enabled: no
-{{- end -}}
-{{- end }}
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/templates/node-statefulset.yaml b/examples/chart/teleport-demo/templates/node-statefulset.yaml
deleted file mode 100644
index be9627bbde6e9..0000000000000
--- a/examples/chart/teleport-demo/templates/node-statefulset.yaml
+++ /dev/null
@@ -1,227 +0,0 @@
-apiVersion: apps/v1beta1
-kind: StatefulSet
-metadata:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-node
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
-{{ include "teleport.labels" . | indent 4 }}
-{{- if .Values.labels }}
-{{ toYaml .Values.labels | indent 4 }}
-{{- end }}
-spec:
- replicas: {{ .Values.nodesPerCluster }}
- podManagementPolicy: Parallel
- template:
- metadata:
- namespace: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- labels:
- app: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- role: node
- annotations:
- checksum/config: {{ toYaml .Values.config | sha256sum }}
-{{- if .Values.annotations }}
-{{ toYaml .Values.annotations | indent 8 }}
-{{- end }}
- spec:
- containers:
- - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-node
- image: "{{ .Values.node.image.repository }}:{{ tpl .Values.node.image.tag . }}"
- imagePullPolicy: {{ .Values.node.image.pullPolicy }}
- args:
-{{- if .Values.extraArgs }}
-{{ toYaml .Values.extraArgs | indent 8 }}
-{{- end }}
- livenessProbe:
- httpGet:
- port: 54321
- path: /healthz
- initialDelaySeconds: 5
- periodSeconds: 5
- readinessProbe:
- httpGet:
- port: 54321
- path: /readyz
- initialDelaySeconds: 5
- periodSeconds: 5
- env:
- - name: ROLE
- value: node
- - name: CLUSTER_TYPE
- value: primary
-{{- range $key, $value := .Values.extraVars }}
- - name: {{ $key }}
- value: {{ $value }}
-{{- end }}
- # See https://gravitational.com/teleport/docs/admin-guide/#ports
- ports:
-{{- range $key, $port := .Values.ports.node }}
- - name: {{ $key }}
-{{ toYaml $port | indent 10 }}
-{{- end }}
- resources:
-{{ toYaml .Values.resources | indent 10 }}
- volumeMounts:
- - mountPath: /etc/teleport
- name: {{ template "teleport.fullname" .
}}-{{ .Values.mainClusterName }}-node-config
- readOnly: true
- - mountPath: /var/lib/teleport
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-storage
- - mountPath: /var/lib/tokens/node
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-node-join-token
- - mountPath: /var/lib/tokens/ca-pin
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-ca-pin
-{{- if .Values.extraVolumeMounts }}
-{{ toYaml .Values.extraVolumeMounts | indent 8 }}
-{{- end }}
- volumes:
- - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-node-config
- configMap:
- name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-node-config
- - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-storage
- {{- if .Values.persistence.enabled }}
- persistentVolumeClaim:
- claimName: {{ .Values.persistence.existingClaim | default (printf "%s-%s-%s" (include "teleport.fullname" .) .Values.mainClusterName "storage") }}
- {{- else }}
- emptyDir: {}
- {{- end }}
- - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-node-join-token
- secret:
- secretName: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-node-join-token
- - name: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-ca-pin
- secret:
- secretName: {{ template "teleport.fullname" . }}-{{ .Values.mainClusterName }}-ca-pin
-{{- if .Values.extraVolumes }}
-{{ toYaml .Values.extraVolumes | indent 6 }}
-{{- end }}
-{{- if .Values.node.image.pullSecrets }}
- imagePullSecrets:
-{{ toYaml .Values.node.image.pullSecrets | indent 6 }}
-{{- end }}
-{{- if .Values.affinity }}
- affinity:
-{{ toYaml .Values.affinity | indent 8 }}
-{{- end }}
-{{- if .Values.tolerations }}
- tolerations:
-{{ toYaml .Values.tolerations | indent 6 }}
-{{- end }}
- serviceAccountName: {{ template "teleport.serviceAccountName" .
}}-{{ .Values.mainClusterName }}
-
-{{- if not (eq (index .Values.extraClusterNames 0) "") -}}
-{{- $root := . -}}
-{{- range .Values.extraClusterNames }}
----
-apiVersion: apps/v1beta1
-kind: StatefulSet
-metadata:
- name: {{ template "teleport.fullname" $root }}-{{ . }}-node
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
-{{ include "teleport.labels" $root | indent 4 }}
-{{- if $root.Values.labels }}
-{{ toYaml $root.Values.labels | indent 4 }}
-{{- end }}
-spec:
- replicas: {{ $root.Values.nodesPerCluster }}
- podManagementPolicy: Parallel
- template:
- metadata:
- namespace: {{ template "teleport.fullname" $root }}-{{ . }}
- labels:
- app: {{ template "teleport.fullname" $root }}-{{ . }}
- release: {{ $root.Release.Name }}
- heritage: {{ $root.Release.Service }}
- role: node
- annotations:
- checksum/config: {{ toYaml $root.Values.config | sha256sum }}
-{{- if $root.Values.annotations }}
-{{ toYaml $root.Values.annotations | indent 8 }}
-{{- end }}
- spec:
- containers:
- - name: {{ template "teleport.fullname" $root }}--{{ .
}}-node
- image: "{{ $root.Values.node.image.repository }}:{{ tpl $root.Values.node.image.tag $root }}"
- imagePullPolicy: {{ $root.Values.node.image.pullPolicy }}
- args:
-{{- if $root.Values.extraArgs }}
-{{ toYaml $root.Values.extraArgs | indent 8 }}
-{{- end }}
- livenessProbe:
- httpGet:
- port: 54321
- path: /healthz
- initialDelaySeconds: 5
- periodSeconds: 5
- readinessProbe:
- httpGet:
- port: 54321
- path: /readyz
- initialDelaySeconds: 5
- periodSeconds: 5
- env:
- - name: ROLE
- value: node
- - name: CLUSTER_TYPE
- value: secondary
-{{- range $key, $value := $root.Values.extraVars }}
- - name: {{ $key }}
- value: {{ $value }}
-{{- end }}
- # See https://gravitational.com/teleport/docs/admin-guide/#ports
- ports:
-{{- range $key, $port := $root.Values.ports.node }}
- - name: {{ $key }}
-{{ toYaml $port | indent 10 }}
-{{- end }}
- resources:
-{{ toYaml $root.Values.resources | indent 10 }}
- volumeMounts:
- - mountPath: /etc/teleport
- name: {{ template "teleport.fullname" $root }}-{{ . }}-node-config
- readOnly: true
- - mountPath: /var/lib/teleport
- name: {{ template "teleport.fullname" $root }}-{{ . }}-storage
- - mountPath: /var/lib/tokens/node
- name: {{ template "teleport.fullname" $root }}-{{ . }}-node-join-token
- - mountPath: /var/lib/tokens/ca-pin
- name: {{ template "teleport.fullname" $root }}-{{ . }}-ca-pin
-{{- if $root.Values.extraVolumeMounts }}
-{{ toYaml $root.Values.extraVolumeMounts | indent 8 }}
-{{- end }}
- volumes:
- - name: {{ template "teleport.fullname" $root }}-{{ . }}-node-config
- configMap:
- name: {{ template "teleport.fullname" $root }}-{{ . }}-node-config
- - name: {{ template "teleport.fullname" $root }}-{{ . }}-storage
- {{- if $root.Values.persistence.enabled }}
- persistentVolumeClaim:
- claimName: {{ $root.Values.persistence.existingClaim | default (printf "%s-%s-%s" (include "teleport.fullname" $root) . "storage") }}
- {{- else }}
- emptyDir: {}
- {{- end }}
- - name: {{ template "teleport.fullname" $root }}-{{ .
}}-node-join-token
- secret:
- secretName: {{ template "teleport.fullname" $root }}-{{ . }}-node-join-token
- - name: {{ template "teleport.fullname" $root }}-{{ . }}-ca-pin
- secret:
- secretName: {{ template "teleport.fullname" $root }}-{{ . }}-ca-pin
-{{- if $root.Values.extraVolumes }}
-{{ toYaml $root.Values.extraVolumes | indent 6 }}
-{{- end }}
-{{- if $root.Values.node.image.pullSecrets }}
- imagePullSecrets:
-{{ toYaml $root.Values.node.image.pullSecrets | indent 6 }}
-{{- end }}
-{{- if $root.Values.affinity }}
- affinity:
-{{ toYaml $root.Values.affinity | indent 8 }}
-{{- end }}
-{{- if $root.Values.tolerations }}
- tolerations:
-{{ toYaml $root.Values.tolerations | indent 6 }}
-{{- end }}
- serviceAccountName: {{ template "teleport.serviceAccountName" $root }}-{{ . }}
-{{- end -}}
-{{- end }}
\ No newline at end of file
diff --git a/examples/chart/teleport-demo/values.yaml b/examples/chart/teleport-demo/values.yaml
deleted file mode 100644
index cffc406cae6d1..0000000000000
--- a/examples/chart/teleport-demo/values.yaml
+++ /dev/null
@@ -1,364 +0,0 @@ -## override these on the helm command line with things like --set teleportVersion=4.2.0 -# teleport version to deploy (must be a valid tag on https://quay.io/repository/gravitational/teleport-ent?tab=tags) -teleportVersion: 4.2.7 -# name of the 'main' cluster which will be set up and configured - this will also the cluster's namespace -# DNS will be set up for . -mainClusterName: main -# names of the 'extra' trusted clusters which will be linked -# adding more values to this list will create more trusted clusters -# each of these will be deployed to its own equivalent namespace -extraClusterNames: -- east -# number of nodes to start in each cluster -nodesPerCluster: 2 - -### Auth0 -auth0: - display: Auth0 - oidc_connector_name: gravitational-auth0 - issuer_url: https://gravitational.auth0.com/ - # scope must be an array - scope: ["roles"] - # oidc roles to map to associated teleport roles - claims_to_roles: - - claim: roles - value: gravitational/admins - roles: ["clusteradmin"] - - claim: roles - value: gravitational/devc - roles: ["clusteradmin"] - -# kubernetes group mappings -kubernetes_groups: - admin_role: '["teleport-users"]' - clusteradmin_role: '["system:masters"]' - -# teleport labels -# static is a dictionary of key:value pairs -# dynamic is a list containing name, command and period -teleportLabels: - auth: - static: - role: auth - environment: demo - dynamic: - - name: uptime - command: ['uptime', '-p'] - period: '1m' - - name: kernel - command: ['uname', '-r'] - period: '1h' - node: - static: - role: node - environment: demo - dynamic: - - name: uptime - command: ['uptime', '-p'] - period: '1m' - - name: kernel - command: ['uname', '-r'] - period: '1h' - -### Cloudflare -cloudflare: - # domain you want to update DNS records for - domain: gravitational.co - # API version (4 is standard/default) - apiVersion: 4 - # optional TTL in seconds to set on DNS records registered with Cloudflare - # Cloudflare's default/automatic setting is 
300 (5 minutes) which is fine for most situations - # For testing it might be useful to set this lower to avoid slow propagation - #ttl: 300 - -### LetsEncrypt -letsencrypt: - # Should we get TLS certificates for each cluster? Be aware that leaving this on and deploying many clusters - # repeatedly may cause you to hit LetsEncrypt's rate limits. To avoid this, You can take a backup of the tls-web - # secret for each cluster namespace after Letsencrypt has provisioned the certificates, then manually re-add these - # secrets after deploying the Helm chart - enabled: false - # Email address to register with LetsEncrypt - email: email@address.com - -# Teleport Proxy configuration -proxy: - tls: - # true: TLS terminated on proxy server - # false: TLS terminated before proxy (i.e. handle TLS yourself and run Teleport in insecure mode) - enabled: true - -license: - ## Set to false to run Teleport in Community edition mode - # OIDC isn't supported in the community edition so changing this won't work (for now) - enabled: true - secretName: teleport-license - mountPath: /var/lib/license - -# See the admin guide for full details -# https://gravitational.com/teleport/docs/admin-guide/#configuration-file -# this file is templated (in templates/auth-config.yaml and templates/node-config.yaml) so just adding new values here -# WILL NOT WORK - you must also change the template to interpret them -config: - teleport: - log: - output: stderr - severity: DEBUG - data_dir: /var/lib/teleport - storage: - type: dir - - auth_service: - enabled: yes - authentication: - type: oidc - - ssh_service: - enabled: no - - proxy_service: - enabled: yes - web_listen_addr: "0.0.0.0:{{ .Values.ports.auth.proxyweb.containerPort }}" - listen_addr: "0.0.0.0:{{ .Values.ports.auth.proxyssh.containerPort }}" - kubernetes: - enabled: yes - listen_addr: "0.0.0.0:{{ .Values.ports.auth.proxykube.containerPort }}" - # public_addr is used to set values - # setup in kubeconfig after tsh login - # public_addr: 
[kubeproxy.example.com:443] - - -############################################################## -##### You probably don't want to change stuff below here ##### -############################################################## - -# Teleport container image -auth: - image: - repository: gcr.io/kubeadm-167321/teleport-ent - tag: "{{ .Values.teleportVersion }}" - pullPolicy: Always - # Optionally specify an array of imagePullSecrets. - # Secrets must be manually created in the namespace. - # ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod - pullSecrets: - # - name: myRegistryKeySecretName - -# Teleport container sidecar -# Handles trusted cluster/node token generation -sidecar: - image: - repository: gcr.io/kubeadm-167321/teleport-sidecar - tag: "{{ .Values.teleportVersion }}" - pullPolicy: Always - pullSecrets: - # - name: myRegistryKeySecretName - -# Teleport node container image -node: - image: - repository: gcr.io/kubeadm-167321/teleport-ent - tag: "{{ .Values.teleportVersion }}" - pullPolicy: Always - pullSecrets: - # - name: myRegistryKeySecretName - -# Cloudflare agent container image -# Used to generate A records for LoadBalancer IP addresses within a Cloudflare-managed domain -cloudflareagent: - image: - repository: gcr.io/kubeadm-167321/cloudflare-agent - tag: "{{ .Values.teleportVersion }}" - pullPolicy: Always - pullSecrets: - # - name: myRegistryKeySecretName - -# Namespace cleaner image (runs when a release is deleted to remove the namespaces it created) -namespacecleaner: - image: - repository: gcr.io/kubeadm-167321/namespace-cleaner - tag: "{{ .Values.teleportVersion }}" - pullPolicy: Always - pullSecrets: - # - name: myRegistryKeySecretName - -labels: {} - -# Pod annotations -annotations: {} -## See https://github.com/uswitch/kiam#overview -## To enable AWS API access from teleport, use kube2iam or kiam, annotate the namespace, and then set something like: -# iam.amazonaws.com/role: 
teleport-dynamodb-and-s3-access - -## Affinity for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity -# affinity: {} -# -## For the sake of security, make specific node group(s) dedicated to Teleport -# nodeAffinity: -# requiredDuringSchedulingIgnoredDuringExecution: -# nodeSelectorTerms: -# - matchExpressions: -# - key: gravitational.io/dedicated -# operator: In -# values: -# - teleport -# -## For high availability, distribute teleport pods to nodes as evenly as possible -# podAntiAffinity: -# preferredDuringSchedulingIgnoredDuringExecution: -# - podAffinityTerm: -# labelSelector: -# matchExpressions: -# - key: app -# operator: In -# values: -# - teleport -# topologyKey: kubernetes.io/hostname - -# Tolerations for pod assignment -# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -tolerations: [] -# - key: "dedicated" -# operator: "Equal" -# value: "teleport" -# effect: "NoExecute" -# - key: "dedicated" -# operator: "Equal" -# value: "teleport" -# effect: "NoSchedule" - -service: - # use NodePort for local testing/minikube - # use LoadBalancer with GKE/Gravity or similar for external access in the cloud - #type: NodePort - type: LoadBalancer - ports: - proxyweb: - port: 3080 - targetPort: 3080 - protocol: TCP - authssh: - port: 3025 - targetPort: 3025 - protocol: TCP - proxykube: - port: 3026 - targetPort: 3026 - protocol: TCP - proxyssh: - port: 3023 - targetPort: 3023 - protocol: TCP - proxytunnel: - port: 3024 - targetPort: 3024 - protocol: TCP - annotations: {} - ## See https://github.com/kubernetes-incubator/external-dns/blob/master/docs/tutorials/aws-sd.md#verify-that-externaldns-works-service-example - # Set something like the below in order to instruct external-dns to create a Route53 record set for your ELB on AWS: - # external-dns.alpha.kubernetes.io/hostname: teleport.my-org.com - -# minikubeIP needs to be set via command-line when running in minikube 
-#minikubeIP: 192.168.39.46 - -# list of local ports to use when running in NodePort mode -# you'll need to override these to run more than one chart installation using NodePort -# these only apply to the 'main' cluster - any trusted clusters will have randomly assigned NodePorts -nodePort: - ports: - proxyweb: - port: 3080 - nodePort: 30080 - authssh: - port: 3025 - nodePort: 30025 - proxykube: - port: 3026 - nodePort: 30026 - proxyssh: - port: 3023 - nodePort: 30023 - proxytunnel: - port: 3024 - nodePort: 30024 - -ports: - auth: - proxyweb: - containerPort: 3080 - authssh: - containerPort: 3025 - proxykube: - containerPort: 3026 - proxyssh: - containerPort: 3023 - proxytunnel: - containerPort: 3024 - node: - nodessh: - containerPort: 3022 - -## Additional container arguments -extraArgs: [] - -# A map of additional environment variables -extraVars: {} - # Provide the path to your own CA cert if you would like to use to - # validate the certificate chain presented by the proxy - # SSL_CERT_FILE: "/var/lib/ca-certs/ca.pem" - -# Add additional volumes and mounts, for example to read other log files on the host -extraVolumes: [] - # - name: ca-certs - # configMap: - # name: ca-certs -extraVolumeMounts: [] - # - name: ca-certs - # mountPath: /var/lib/ca-certs - # readOnly: true - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with smaller - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 200Mi - # requests: - # cpu: 100m - # memory: 100Mi - -rbac: - # Specifies whether RBAC resources should be created - create: true - -serviceAccount: - # Specifies whether a ServiceAccount should be created - create: true - # The name of the ServiceAccount to use. 
- # If name is not set (or is blank) and 'create' is true, a name is generated using the fullname template - name: - # optional imagePullSecrets to add to the ServiceAccount (as an alternative to specifying for each individual image) - # this secret must be present within each Teleport cluster's Kubernetes namespace otherwise it won't work! - #imagePullSecrets: - #- name: gcr-pull - -persistence: - enabled: false - accessMode: ReadWriteOnce - ## If defined, storageClass: - ## If set to "-", storageClass: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClass spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # existingClaim: - # annotations: - # "helm.sh/resource-policy": keep - # storageClass: "-" - storageSize: 8Gi - # If PersistentDisk already exists you can create a PV for it by including the 2 following keypairs. - # pdName: teleport-data-disk - # fsType: ext4