From ce9b679989394829477edfd2bd59d51d0c8f8f32 Mon Sep 17 00:00:00 2001
From: Marco Dinis
Date: Fri, 15 Apr 2022 16:35:44 +0100
Subject: [PATCH] add operator to teleport-cluster charts
---
 .../templates/clusterrole.yaml | 76 +++++++++++++++++++
 .../templates/deployment.yaml | 31 ++++++++
 .../chart/teleport-cluster/values.schema.json | 12 +++
 examples/chart/teleport-cluster/values.yaml | 5 ++
 4 files changed, 124 insertions(+)
diff --git a/examples/chart/teleport-cluster/templates/clusterrole.yaml b/examples/chart/teleport-cluster/templates/clusterrole.yaml
index 172402313f4e7..62269720d95ca 100644
--- a/examples/chart/teleport-cluster/templates/clusterrole.yaml
+++ b/examples/chart/teleport-cluster/templates/clusterrole.yaml
@@ -23,3 +23,79 @@ rules:
 - selfsubjectaccessreviews
 verbs:
 - create
+
+{{ if .Values.operator }}
+- apiGroups:
+ - "resources.teleport.dev"
+ resources:
+ - roles
+ - users
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
+- apiGroups:
+ - "auth.teleport.dev"
+ resources:
+ - identities
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - get
+ - update
+
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+
+- apiGroups:
+ - "apiextensions.k8s.io"
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+
+- apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - leases
+ verbs:
+ - create
+ - get
+ - update
+{{ end }}
diff --git a/examples/chart/teleport-cluster/templates/deployment.yaml b/examples/chart/teleport-cluster/templates/deployment.yaml
index 3f4141adac664..5f5d62dcc6e92 100644
--- a/examples/chart/teleport-cluster/templates/deployment.yaml
+++ b/examples/chart/teleport-cluster/templates/deployment.yaml
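Review bot: The rules added under `{{ if .Values.operator }}` grant cluster-wide `get`/`list`/`watch` on `secrets` and `update` on `configmaps`, and since the operator runs as a sidecar inside the Teleport pod (see the deployment.yaml hunk), the whole pod's ServiceAccount identity — presumably bound through the chart's existing ClusterRoleBinding, which is outside this diff — holds that access, not just the operator process. `secrets`, `configmaps`, `events` and `leases` are namespaced resources, so consider granting them through a namespaced Role/RoleBinding and keeping only the `*.teleport.dev` groups and `customresourcedefinitions` in the ClusterRole. If cluster-wide access is genuinely required, say so in the template, e.g. `# Operator sidecar RBAC: these rules are cluster-wide, including read/watch on all Secrets`. The `rules:` list this hunk extends begins before the hunk; also, `{{ if` / `{{ end }}` without the `-` trim markers render extra blank lines where the rest of the template uses `{{- if`.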
@@ -202,6 +202,37 @@ spec:
 {{- if .Values.extraVolumeMounts }}
 {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
 {{- end }}
+{{ if .Values.operator }}
+ - name: "operator"
+ image: "{{ .Values.operatorImage }}"
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ args:
+ - start-sidecar
+ - --config
+ - /etc/teleport/operator.yaml
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8081
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8081
+ initialDelaySeconds: 5
+ periodSeconds: 10
+{{- if .Values.resources }}
+ resources:
+ {{- toYaml .Values.resources | nindent 10 }}
+{{- end }}
+ volumeMounts:
+ - mountPath: /etc/teleport
+ name: "config"
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: "data"
+{{ end }}
 volumes:
 {{- if .Values.enterprise }}
 - name: license
diff --git a/examples/chart/teleport-cluster/values.schema.json b/examples/chart/teleport-cluster/values.schema.json
index cedfdf45f83da..0efbba53cd094 100644
--- a/examples/chart/teleport-cluster/values.schema.json
+++ b/examples/chart/teleport-cluster/values.schema.json
@@ -5,6 +5,7 @@
 "clusterName",
 "authenticationType",
 "enterprise",
+ "operator",
 "podSecurityPolicy",
 "labels",
 "chartMode",
@@ -12,6 +13,7 @@
 "tls",
 "image",
 "enterpriseImage",
+ "operatorImage",
 "log",
 "affinity",
 "annotations",
@@ -104,6 +106,11 @@
 "type": "boolean",
 "default": false
 },
+ "operator": {
+ "$id": "#/properties/operator",
+ "type": "boolean",
+ "default": false
+ },
 "podSecurityPolicy": {
 "$id": "#/properties/podSecurityPolicy",
 "type": "object",
@@ -362,6 +369,11 @@
 "type": "string",
 "default": "quay.io/gravitational/teleport-ent"
 },
+ "operatorImage": {
+ "$id": "#/properties/operatorImage",
+ "type": "string",
+ "default": "quay.io/gravitational/teleport-operator"
+ },
 "logLevel": {
 "$id": "#/properties/logLevel",
 "type": "string",
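Review bot: `image: "{{ .Values.operatorImage }}"` is rendered with no tag, and the default added in values.yaml is tag-less as well, so unless users are expected to put a tag in the value the sidecar pulls `latest` and is not pinned to the Teleport version it runs beside; if the main container (outside this hunk) appends a version tag, the sidecar should use the same expression. The `resources:` block reuses `.Values.resources`, so the operator sidecar receives the same requests/limits as Teleport itself and the pod's total requests double whenever `operator` is enabled; a dedicated value (for example `operatorResources`, added to values.yaml and the schema) would avoid that. The sidecar also carries no `securityContext`; if the main container sets one, mirror it here. Finally, `--config /etc/teleport/operator.yaml` is read from the `config` volume, but nothing in this patch adds that file to the ConfigMap — confirm the configmap template already renders it.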
diff --git a/examples/chart/teleport-cluster/values.yaml b/examples/chart/teleport-cluster/values.yaml
index 6e07f2b880659..2cff2fd32013e 100644
--- a/examples/chart/teleport-cluster/values.yaml
+++ b/examples/chart/teleport-cluster/values.yaml
@@ -54,6 +54,9 @@ acmeURI: ""
 # kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem
 enterprise: false
+# Set operator to true to enable the Teleport Operator
+operator: false
+
 # If true, create & use Pod Security Policy resources
 # https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 podSecurityPolicy:
@@ -191,6 +194,8 @@ tls:
 image: quay.io/gravitational/teleport
 # Enterprise version of the image
 enterpriseImage: quay.io/gravitational/teleport-ent
+# Teleport Kubernetes Operator image
+operatorImage: quay.io/gravitational/teleport-operator
 # Teleport logging configuration
 log:
 # Log level for the Teleport process.
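Review bot: The comment above `operator: false` only says the flag enables the operator, but the other hunks show it also adds a sidecar container to the Teleport pod and extends the chart's ClusterRole with cluster-wide rules on secrets, configmaps, CRDs and leases; users deciding whether to flip it should see that here, e.g. `# Set operator to true to run the Teleport Kubernetes Operator as a sidecar in the Teleport pod.` followed by `# Enabling it also widens the chart's ClusterRole (cluster-wide secrets, configmaps, CRDs, leases).` Likewise the `operatorImage` comment in the second hunk should state whether the value is a bare repository or must include a tag, since the default carries none.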