diff --git a/docs/pages/enterprise/sso.mdx b/docs/pages/enterprise/sso.mdx
index 3e46b83e8eff0..72776219600ad 100644
--- a/docs/pages/enterprise/sso.mdx
+++ b/docs/pages/enterprise/sso.mdx
@@ -227,8 +227,10 @@ SAML and OIDC types:
Troubleshooting SSO configuration can be challenging. Usually a Teleport administrator
must be able to:
+
- Ensure that HTTP/TLS certificates are configured properly for both Teleport
proxy and the SSO provider.
+
- Be able to see what SAML/OIDC claims and values are getting exported and passed
by the SSO provider to Teleport.
- Be able to see how Teleport maps the received claims to role mappings as defined
@@ -237,5 +239,57 @@ must be able to:
If something is not working, we recommend to:
- Double-check the host names, tokens and TCP ports in a connector definition.
-- Look into Teleport's audit log for claim mapping problems. It is usually stored on the
- auth server in the `/var/lib/teleport/log` directory.ad
+
+
+### Using the Web UI
+
+If you get "access denied" or other login errors, the number one place to check is the Audit
+Log. You can access it in the **Activity** tab of the Teleport Web UI.
+
+![Audit Log Entry for SSO Login error](../../img/sso/teleportauditlogssofailed.png)
+
+Example of a user being denied because the role `clusteradmin` wasn't set up:
+
+```json
+{
+ "code": "T1001W",
+ "error": "role clusteradmin is not found",
+ "event": "user.login",
+ "method": "oidc",
+ "success": false,
+ "time": "2019-06-15T19:38:07Z",
+ "uid": "cd9e45d0-b68c-43c3-87cf-73c4e0ec37e9"
+}
+```
+
+### Teleport does not show the expected Nodes
+
+When Teleport's Auth Service receives a request to list Teleport Nodes,
+it only returns the Nodes that a user is authorized to access.
+
+A user's Teleport roles must grant the user explicit access to Nodes with a particular label
+ before the user can view those Nodes. The Auth Service compares the user's
+`traits.logins` with the `allow` and `deny` rules defined in each of the user's roles.
+If the user's logins match a role's `allow` and `deny` rules, and a Node's labels match
+the keys and values listed within a role's `node_labels` field, then the Auth Service will
+list the Node in response to the user's request.
+
+When configuring SSO, ensure that the identity provider is populating each user's
+traits correctly. For a user to see a Node in Teleport, the result of populating a
+ template variable in a role's `allow.logins` must match at least one of a user's
+ `traits.logins`.
+
+
+In this example a user will have usernames `ubuntu`, `debian` and usernames from the SSO trait `logins` for Nodes that have a `env: dev` label. If the SSO trait username is `bob` then the usernames would include `ubuntu`, `debian`, and `bob`.
+
+```yaml
+kind: role
+metadata:
+ name: example-role
+spec:
+ allow:
+ logins: ['{{external.logins}}', ubuntu, debian]
+ node_labels:
+ 'env': 'dev'
+version: v5
+```
diff --git a/docs/pages/includes/sso/loginerrortroubleshooting.mdx b/docs/pages/includes/sso/loginerrortroubleshooting.mdx
index d294b001d4360..c7744f79347a2 100644
--- a/docs/pages/includes/sso/loginerrortroubleshooting.mdx
+++ b/docs/pages/includes/sso/loginerrortroubleshooting.mdx
@@ -1,10 +1,23 @@
-
-
+Troubleshooting SSO configuration can be challenging. Usually a Teleport administrator
+must be able to:
+
+
+- Ensure that HTTP/TLS certificates are configured properly for both Teleport
+ proxy and the SSO provider.
+
+- Be able to see what SAML/OIDC claims and values are getting exported and passed
+ by the SSO provider to Teleport.
+- Be able to see how Teleport maps the received claims to role mappings as defined
+ in the connector.
+
+If something is not working, we recommend to:
+
+- Double-check the host names, tokens and TCP ports in a connector definition.
### Using the Web UI
If you get "access denied" or other login errors, the number one place to check is the Audit
-Log on the Teleport Auth Server. You can access it in the **Activity** tab of the Teleport Web UI.
+Log. You can access it in the **Activity** tab of the Teleport Web UI.
![Audit Log Entry for SSO Login error](../../../img/sso/teleportauditlogssofailed.png)
@@ -22,62 +35,34 @@ Example of a user being denied because the role `clusteradmin` wasn't set up:
}
```
-### On the Auth Service host
-You can monitor Audit Log file entries and process logs on the Teleport Auth Server.
-The Audit Log is located in `/var/lib/teleport/log` by
-default and it will contain a detailed reason why a user's login was denied.
+### Teleport does not show the expected Nodes
-
- If you are using a Teleport storage configuration that does not store log entries locally, this will not appear. You can look at the `teleport`
-process logs to see `ERROR` and `INFO` entries.
-
+When Teleport's Auth Service receives a request to list Teleport Nodes,
+it only returns the Nodes that a user is authorized to access.
-Example of a user being denied because the role `clusteradmin` wasn't set up:
+A user's Teleport roles must grant the user explicit access to Nodes with a particular label
+ before the user can view those Nodes. The Auth Service compares the user's
+`traits.logins` with the `allow` and `deny` rules defined in each of the user's roles.
+If the user's logins match a role's `allow` and `deny` rules, and a Node's labels match
+the keys and values listed within a role's `node_labels` field, then the Auth Service will
+list the Node in response to the user's request.
+When configuring SSO, ensure that the identity provider is populating each user's
+traits correctly. For a user to see a Node in Teleport, the result of populating a
+ template variable in a role's `allow.logins` must match at least one of a user's
+ `traits.logins`.
-```json
-{
- "code": "T1001W",
- "error": "role clusteradmin is not found",
- "event": "user.login",
- "method": "oidc",
- "success": false,
- "time": "2019-06-15T19:38:07Z",
- "uid": "cd9e45d0-b68c-43c3-87cf-73c4e0ec37e9"
-}
-```
-Some errors (like filesystem permissions or a misconfigured network) can be
-diagnosed using Teleport's `stderr` log, which is usually available via:
-
-```code
-$ sudo journalctl -fu teleport
-```
+In this example a user will have usernames `ubuntu`, `debian` and usernames from the SSO trait `logins` for Nodes that have a `env: dev` label. If the SSO trait username is `bob` then the usernames would include `ubuntu`, `debian`, and `bob`.
-If you wish to increase the verbosity of Teleport's logs, you can pass the
-[`--debug`](../../setup/reference/cli.mdx#teleport-start) flag to the `teleport start` command.
-
-
-If you get "access denied" or other login errors, the number one place to check is the Audit
-Log on the Teleport Auth Server. You can access it in the **Activity** tab of the Teleport Web UI.
-
-![Audit Log Entry for SSO Login error](../../../img/sso/teleportauditlogssofailed.png)
-
-Example of a user being denied because the role `clusteradmin` wasn't set up:
-
-```json
-{
- "code": "T1001W",
- "error": "role clusteradmin is not found",
- "event": "user.login",
- "method": "oidc",
- "success": false,
- "time": "2019-06-15T19:38:07Z",
- "uid": "cd9e45d0-b68c-43c3-87cf-73c4e0ec37e9"
-}
+```yaml
+kind: role
+metadata:
+ name: example-role
+spec:
+ allow:
+ logins: ['{{external.logins}}', ubuntu, debian]
+ node_labels:
+ 'env': 'dev'
+version: v5
```
-
-
diff --git a/docs/pages/kubernetes-access/helm/reference/teleport-kube-agent.mdx b/docs/pages/kubernetes-access/helm/reference/teleport-kube-agent.mdx
index 4e90f4514a5d5..c32e563410221 100644
--- a/docs/pages/kubernetes-access/helm/reference/teleport-kube-agent.mdx
+++ b/docs/pages/kubernetes-access/helm/reference/teleport-kube-agent.mdx
@@ -768,6 +768,27 @@ Ensures that this number of replicas is available during voluntary disruptions,
+## `priorityClassName`
+
+| Type | Default value |
+| - | - |
+| `string` | `nil` |
+
+`priorityClassName` allows to specify a priority class for the `teleport-kube-agent` deployment/statefulset.
+
+
+
+ ```yaml
+ priorityClassName: "teleport-kube-agent"
+ ```
+
+
+ ```code
+ $ --set priorityClassName=teleport-kube-agent
+ ```
+
+
+
## `serviceAccountName`
@@ -1000,6 +1021,267 @@ Kubernetes affinity to set for pod assignments.
+## `extraLabels.clusterRole`
+
+| Type | Default value |
+| - | - |
+| `object` | `{}` |
+
+[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+
+Kubernetes labels which should be applied to the `ClusterRole` created by the chart.
+
+
+
+ ```yaml
+ extraLabels:
+ clusterRole:
+ app.kubernetes.io/name: teleport-kube-agent
+ ```
+
+
+ ```code
+ $ --set extraLabels.clusterRole."app\.kubernetes\.io\/name"=teleport-kube-agent
+ ```
+
+ You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend
+ using a `values.yaml` file instead to avoid confusion and errors.
+
+
+
+
+## `extraLabels.clusterRoleBinding`
+
+| Type | Default value |
+| - | - |
+| `object` | `{}` |
+
+[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+
+Kubernetes labels which should be applied to the `ClusterRoleBinding` created by the chart.
+
+
+
+ ```yaml
+ extraLabels:
+ clusterRoleBinding:
+ app.kubernetes.io/name: teleport-kube-agent
+ ```
+
+
+ ```code
+ $ --set extraLabels.clusterRoleBinding."app\.kubernetes\.io\/name"=teleport-kube-agent
+ ```
+
+ You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend
+ using a `values.yaml` file instead to avoid confusion and errors.
+
+
+
+
+## `extraLabels.config`
+
+| Type | Default value |
+| - | - |
+| `object` | `{}` |
+
+[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+
+Kubernetes labels which should be applied to the `ConfigMap` created by the chart.
+
+
+
+ ```yaml
+ extraLabels:
+ config:
+ app.kubernetes.io/name: teleport-kube-agent
+ ```
+
+
+ ```code
+ $ --set extraLabels.config."app\.kubernetes\.io\/name"=teleport-kube-agent
+ ```
+
+ You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend
+ using a `values.yaml` file instead to avoid confusion and errors.
+
+
+
+
+## `extraLabels.deployment`
+
+| Type | Default value |
+| - | - |
+| `object` | `{}` |
+
+[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+
+Kubernetes labels which should be applied to the `Deployment` or `StatefulSet` created by the chart.
+
+
+
+ ```yaml
+ extraLabels:
+ deployment:
+ app.kubernetes.io/name: teleport-kube-agent
+ ```
+
+
+ ```code
+ $ --set extraLabels.deployment."app\.kubernetes\.io\/name"=teleport-kube-agent
+ ```
+
+ You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend
+ using a `values.yaml` file instead to avoid confusion and errors.
+
+
+
+
+## `extraLabels.pod`
+
+| Type | Default value |
+| - | - |
+| `object` | `{}` |
+
+[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+
+Kubernetes labels which should be applied to every `Pod` in the `Deployment` or `StatefulSet` created by the chart.
+
+
+
+ ```yaml
+ extraLabels:
+ pod:
+ app.kubernetes.io/name: teleport-kube-agent
+ ```
+
+
+ ```code
+ $ --set extraLabels.pod."app\.kubernetes\.io\/name"=teleport-kube-agent
+ ```
+
+ You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend
+ using a `values.yaml` file instead to avoid confusion and errors.
+
+
+
+
+## `extraLabels.podDisruptionBudget`
+
+| Type | Default value |
+| - | - |
+| `object` | `{}` |
+
+[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+
+Kubernetes labels which should be applied to the `PodDisruptionBudget` created by the chart (if enabled).
+
+
+
+ ```yaml
+ extraLabels:
+ podDisruptionBudget:
+ app.kubernetes.io/name: teleport-kube-agent
+ ```
+
+
+ ```code
+ $ --set extraLabels.podDisruptionBudget."app\.kubernetes\.io\/name"=teleport-kube-agent
+ ```
+
+ You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend
+ using a `values.yaml` file instead to avoid confusion and errors.
+
+
+
+
+## `extraLabels.podSecurityPolicy`
+
+| Type | Default value |
+| - | - |
+| `object` | `{}` |
+
+[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+
+Kubernetes labels which should be applied to the `PodSecurityPolicy` created by the chart (if enabled).
+
+
+
+ ```yaml
+ extraLabels:
+ podSecurityPolicy:
+ app.kubernetes.io/name: teleport-kube-agent
+ ```
+
+
+ ```code
+ $ --set extraLabels.podSecurityPolicy."app\.kubernetes\.io\/name"=teleport-kube-agent
+ ```
+
+ You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend
+ using a `values.yaml` file instead to avoid confusion and errors.
+
+
+
+
+## `extraLabels.secret`
+
+| Type | Default value |
+| - | - |
+| `object` | `{}` |
+
+[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+
+Kubernetes labels which should be applied to the `Secret` created by the chart (if enabled).
+
+
+
+ ```yaml
+ extraLabels:
+ secret:
+ app.kubernetes.io/name: teleport-kube-agent
+ ```
+
+
+ ```code
+ $ --set extraLabels.secret."app\.kubernetes\.io\/name"=teleport-kube-agent
+ ```
+
+ You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend
+ using a `values.yaml` file instead to avoid confusion and errors.
+
+
+
+
+## `extraLabels.serviceAccount`
+
+| Type | Default value |
+| - | - |
+| `object` | `{}` |
+
+[Kubernetes reference](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+
+Kubernetes labels which should be applied to the `ServiceAccount` created by the chart.
+
+
+
+ ```yaml
+ extraLabels:
+ serviceAccount:
+ app.kubernetes.io/name: teleport-kube-agent
+ ```
+
+
+ ```code
+ $ --set extraLabels.serviceAccount."app\.kubernetes\.io\/name"=teleport-kube-agent
+ ```
+
+ You must escape values entered on the command line correctly for Helm's CLI to understand them. We recommend
+ using a `values.yaml` file instead to avoid confusion and errors.
+
+
+
+
## `annotations.config`
| Type | Default value | Can be used in `custom` mode? | `teleport.yaml` equivalent |
diff --git a/examples/chart/teleport-kube-agent/.lint/extra-labels.yaml b/examples/chart/teleport-kube-agent/.lint/extra-labels.yaml
new file mode 100644
index 0000000000000..29d6b946265c8
--- /dev/null
+++ b/examples/chart/teleport-kube-agent/.lint/extra-labels.yaml
@@ -0,0 +1,31 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster
+extraLabels:
+ clusterRole:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "clusterrole"
+ clusterRoleBinding:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "clusterrolebinding"
+ config:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "config"
+ deployment:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "deployment"
+ pod:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "pod"
+ podDisruptionBudget:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "poddisruptionbudget"
+ podSecurityPolicy:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "podsecuritypolicy"
+ secret:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "secret"
+ serviceAccount:
+ app.kubernetes.io/name: "teleport-kube-agent"
+ resource: "serviceaccount"
diff --git a/examples/chart/teleport-kube-agent/.lint/priority-class-name.yaml b/examples/chart/teleport-kube-agent/.lint/priority-class-name.yaml
new file mode 100644
index 0000000000000..1f0baeb9262f6
--- /dev/null
+++ b/examples/chart/teleport-kube-agent/.lint/priority-class-name.yaml
@@ -0,0 +1,4 @@
+authToken: auth-token
+proxyAddr: proxy.example.com:3080
+kubeClusterName: test-kube-cluster
+priorityClassName: teleport-kube-agent
diff --git a/examples/chart/teleport-kube-agent/templates/clusterrole.yaml b/examples/chart/teleport-kube-agent/templates/clusterrole.yaml
index af039269c7e72..7cb5f60d54a3f 100644
--- a/examples/chart/teleport-kube-agent/templates/clusterrole.yaml
+++ b/examples/chart/teleport-kube-agent/templates/clusterrole.yaml
@@ -2,6 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Values.clusterRoleName | default .Release.Name }}
+{{- if .Values.extraLabels.clusterRole }}
+ labels:
+ {{- toYaml .Values.extraLabels.clusterRole | nindent 4 }}
+{{- end }}
rules:
- apiGroups:
- ""
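Review bot: `.Values.extraLabels.clusterRole` is dereferenced unconditionally on the new `if` line, so if the chart's `values.yaml` (not in this chunk) does not declare `extraLabels` as a mapping with a `clusterRole` key, rendering fails with a nil-pointer template error rather than simply omitting the labels. The documented default of `{}` per key suggests the intent is to declare all nine sub-keys in `values.yaml`, mirroring how the existing `annotations.*` lookups are made safe; if that is not done, a nil-safe form such as `{{- with .Values.extraLabels }}{{- with .clusterRole }} … {{- end }}{{- end }}` avoids the error. The same pattern is used in the clusterrolebinding.yaml, config.yaml, deployment.yaml, pdb.yaml, psp.yaml, secret.yaml, serviceaccount.yaml and statefulset.yaml hunks.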
diff --git a/examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml b/examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml
index 57200e4aee90b..6298169bd6659 100644
--- a/examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml
+++ b/examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml
@@ -2,6 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Values.clusterRoleBindingName | default .Release.Name }}
+{{- if .Values.extraLabels.clusterRoleBinding }}
+ labels:
+ {{- toYaml .Values.extraLabels.clusterRoleBinding | nindent 4 }}
+{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
diff --git a/examples/chart/teleport-kube-agent/templates/config.yaml b/examples/chart/teleport-kube-agent/templates/config.yaml
index bc7453847097f..2a9f21cbc3ad2 100644
--- a/examples/chart/teleport-kube-agent/templates/config.yaml
+++ b/examples/chart/teleport-kube-agent/templates/config.yaml
@@ -9,6 +9,10 @@ kind: ConfigMap
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.config }}
+ labels:
+ {{- toYaml .Values.extraLabels.config | nindent 4 }}
+{{- end }}
{{- if .Values.annotations.config }}
annotations:
{{- toYaml .Values.annotations.config | nindent 4 }}
diff --git a/examples/chart/teleport-kube-agent/templates/deployment.yaml b/examples/chart/teleport-kube-agent/templates/deployment.yaml
index 9b503444d59b6..764e9a62ae16a 100644
--- a/examples/chart/teleport-kube-agent/templates/deployment.yaml
+++ b/examples/chart/teleport-kube-agent/templates/deployment.yaml
@@ -11,6 +11,9 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Release.Name }}
+ {{- if .Values.extraLabels.deployment }}
+ {{- toYaml .Values.extraLabels.deployment | nindent 4 }}
+ {{- end }}
{{- if .Values.annotations.deployment }}
annotations:
{{- toYaml .Values.annotations.deployment | nindent 4 }}
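Review bot: The Deployment's own `metadata.labels` block extended here does not appear to be pinned by a test, as far as the snapshots in this chunk show: the new `sets Deployment labels when specified` snapshot starts at `replicas:`, i.e. it captures `spec` only, so a regression in this hunk would not be caught, while the neighbouring `sets Deployment annotations when specified` snapshot captures the whole object and shows the path that would cover it. The test file itself is outside this chunk, so this is inferred from the snapshot. The same coverage question applies to the `extraLabels.deployment` hunk on the StatefulSet metadata in statefulset.yaml.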
@@ -30,6 +33,9 @@ spec:
{{- end }}
labels:
app: {{ .Release.Name }}
+{{- if .Values.extraLabels.pod }}
+ {{- toYaml .Values.extraLabels.pod | nindent 8 }}
+{{- end }}
spec:
{{- if or .Values.affinity (gt (int $replicaCount) 1) }}
affinity:
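Review bot: A user-supplied `app` key in `extraLabels.pod` is rendered on the line directly after `app: {{ .Release.Name }}` in the pod template labels, producing a duplicate mapping key; whichever value the YAML parser keeps, if it differs from the release name the Deployment's selector (which matches on `app`, as the snapshot shows) no longer matches the template and the API server rejects the object. Keeping the selector label authoritative is a one-line change: `{{- toYaml (omit .Values.extraLabels.pod "app") | nindent 8 }}`, or alternatively documenting that `app` is reserved. The same applies to the `extraLabels.pod` hunk in statefulset.yaml and, for the object-level labels, to the `extraLabels.deployment` hunks. The `.lint/extra-labels.yaml` fixture only uses non-colliding keys, so the tests do not exercise this case.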
@@ -177,6 +183,9 @@ spec:
{{- end }}
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 6 }}
+{{- end }}
+{{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
serviceAccountName: {{ .Values.serviceAccountName | default .Release.Name }}
{{- end }}
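Review bot: `priorityClassName: {{ .Values.priorityClassName }}` emits the value as a plain scalar, so a class name that YAML retypes (a purely numeric name, or one such as `on`) would be rendered as a non-string and rejected by the API server, which expects a string here. `priorityClassName: {{ .Values.priorityClassName | quote }}` is the usual safeguard and should leave the existing snapshot unchanged, since the snapshot is re-serialised from the parsed object. The same unquoted line appears in the statefulset.yaml `priorityClassName` hunk.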
diff --git a/examples/chart/teleport-kube-agent/templates/pdb.yaml b/examples/chart/teleport-kube-agent/templates/pdb.yaml
index 6e3f5c3f117a4..6b6e17ae09e10 100644
--- a/examples/chart/teleport-kube-agent/templates/pdb.yaml
+++ b/examples/chart/teleport-kube-agent/templates/pdb.yaml
@@ -10,6 +10,9 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Release.Name }}
+{{- if .Values.extraLabels.podDisruptionBudget }}
+ {{- toYaml .Values.extraLabels.podDisruptionBudget | nindent 4 }}
+{{- end }}
spec:
minAvailable: {{ .Values.highAvailability.podDisruptionBudget.minAvailable }}
selector:
diff --git a/examples/chart/teleport-kube-agent/templates/psp.yaml b/examples/chart/teleport-kube-agent/templates/psp.yaml
index 57cfb11a1b27d..20cab01bd1c6b 100644
--- a/examples/chart/teleport-kube-agent/templates/psp.yaml
+++ b/examples/chart/teleport-kube-agent/templates/psp.yaml
@@ -3,6 +3,10 @@ apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Release.Name }}
+{{- if .Values.extraLabels.podSecurityPolicy }}
+ labels:
+ {{- toYaml .Values.extraLabels.podSecurityPolicy | nindent 4 }}
+{{- end }}
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
diff --git a/examples/chart/teleport-kube-agent/templates/secret.yaml b/examples/chart/teleport-kube-agent/templates/secret.yaml
index aa8ad47bd0b32..ae26024097ff9 100644
--- a/examples/chart/teleport-kube-agent/templates/secret.yaml
+++ b/examples/chart/teleport-kube-agent/templates/secret.yaml
@@ -4,6 +4,10 @@ kind: Secret
metadata:
name: {{ .Values.secretName }}
namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.secret }}
+ labels:
+ {{- toYaml .Values.extraLabels.secret | nindent 4 }}
+{{- end }}
type: Opaque
stringData:
auth-token: |
diff --git a/examples/chart/teleport-kube-agent/templates/serviceaccount.yaml b/examples/chart/teleport-kube-agent/templates/serviceaccount.yaml
index 26d79e5eb9fe1..e3eb068278401 100644
--- a/examples/chart/teleport-kube-agent/templates/serviceaccount.yaml
+++ b/examples/chart/teleport-kube-agent/templates/serviceaccount.yaml
@@ -3,7 +3,11 @@ kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccountName | default .Release.Name }}
namespace: {{ .Release.Namespace }}
+{{- if .Values.extraLabels.serviceAccount }}
+ labels:
+ {{- toYaml .Values.extraLabels.serviceAccount | nindent 4 }}
+{{- end }}
{{- if .Values.annotations.serviceAccount }}
annotations:
{{- toYaml .Values.annotations.serviceAccount | nindent 4 }}
-{{- end -}}
\ No newline at end of file
+{{- end -}}
diff --git a/examples/chart/teleport-kube-agent/templates/statefulset.yaml b/examples/chart/teleport-kube-agent/templates/statefulset.yaml
index 5dab56f476094..30d7e9ee57fdb 100644
--- a/examples/chart/teleport-kube-agent/templates/statefulset.yaml
+++ b/examples/chart/teleport-kube-agent/templates/statefulset.yaml
@@ -11,6 +11,9 @@ metadata:
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Release.Name }}
+ {{- if .Values.extraLabels.deployment }}
+ {{- toYaml .Values.extraLabels.deployment | nindent 4 }}
+ {{- end }}
spec:
serviceName: {{ .Release.Name }}
replicas: {{ $replicaCount }}
@@ -27,6 +30,9 @@ spec:
{{- end }}
labels:
app: {{ .Release.Name }}
+{{- if .Values.extraLabels.pod }}
+ {{- toYaml .Values.extraLabels.pod | nindent 8 }}
+{{- end }}
spec:
securityContext:
fsGroup: 9807
@@ -92,6 +98,9 @@ spec:
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 8 }}
{{- end }}
+{{- end }}
+{{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
serviceAccountName: {{ .Values.serviceAccountName | default .Release.Name }}
{{- if .Values.nodeSelector }}
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/clusterrole_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/clusterrole_test.yaml.snap
index 73d2b30742ace..708bc3e53288a 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/clusterrole_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/clusterrole_test.yaml.snap
@@ -25,3 +25,33 @@ creates a ClusterRole:
- selfsubjectaccessreviews
verbs:
- create
+sets ClusterRole labels when specified:
+ 1: |
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRole
+ metadata:
+ labels:
+ app.kubernetes.io/name: teleport-kube-agent
+ resource: clusterrole
+ name: RELEASE-NAME
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - users
+ - groups
+ - serviceaccounts
+ verbs:
+ - impersonate
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectaccessreviews
+ verbs:
+ - create
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/clusterrolebinding_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/clusterrolebinding_test.yaml.snap
index 408ec5f4556e2..8780c90aab1a5 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/clusterrolebinding_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/clusterrolebinding_test.yaml.snap
@@ -12,3 +12,20 @@ creates a ClusterRoleBinding:
- kind: ServiceAccount
name: RELEASE-NAME
namespace: NAMESPACE
+sets ClusterRoleBinding labels when specified:
+ 1: |
+ apiVersion: rbac.authorization.k8s.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ labels:
+ app.kubernetes.io/name: teleport-kube-agent
+ resource: clusterrolebinding
+ name: RELEASE-NAME
+ roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: RELEASE-NAME
+ subjects:
+ - kind: ServiceAccount
+ name: RELEASE-NAME
+ namespace: NAMESPACE
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap
index 4c73bbfb71cf9..444871d38328b 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap
@@ -97,6 +97,41 @@ matches snapshot and tests for annotations.yaml:
kubernetes.io/config-different: 2
name: RELEASE-NAME
namespace: NAMESPACE
+matches snapshot and tests for extra-labels.yaml:
+ 1: |
+ apiVersion: v1
+ data:
+ teleport.yaml: |
+ teleport:
+ auth_token: "/etc/teleport-secrets/auth-token"
+ auth_servers: ["proxy.example.com:3080"]
+ log:
+ severity: INFO
+ output: stderr
+ format:
+ output: text
+ extra_fields: ["timestamp","level","component","caller"]
+
+ kubernetes_service:
+ enabled: true
+ kube_cluster_name: test-kube-cluster
+
+ app_service:
+ enabled: false
+
+ auth_service:
+ enabled: false
+ ssh_service:
+ enabled: false
+ proxy_service:
+ enabled: false
+ kind: ConfigMap
+ metadata:
+ labels:
+ app.kubernetes.io/name: teleport-kube-agent
+ resource: config
+ name: RELEASE-NAME
+ namespace: NAMESPACE
matches snapshot for affinity.yaml:
1: |
apiVersion: v1
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap
index 4e6703e461df9..8e927620934bb 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap
@@ -1,4 +1,151 @@
sets Deployment annotations when specified:
+ 1: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ annotations:
+ kubernetes.io/deployment: test-annotation
+ kubernetes.io/deployment-different: 3
+ labels:
+ app: RELEASE-NAME
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: RELEASE-NAME
+ template:
+ metadata:
+ annotations:
+ checksum/config: d4b68af041b4bf4aa8cb4ea527c775607b7062d3565b5b3220a0b5bbe16afa23
+ kubernetes.io/pod: test-annotation
+ kubernetes.io/pod-different: 4
+ labels:
+ app: RELEASE-NAME
+ spec:
+ containers:
+ - args:
+ - --diag-addr=0.0.0.0:3000
+ image: quay.io/gravitational/teleport:10.0.0-dev
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /healthz
+ port: diag
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ name: teleport
+ ports:
+ - containerPort: 3000
+ name: diag
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 12
+ httpGet:
+ path: /readyz
+ port: diag
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+ volumeMounts:
+ - mountPath: /etc/teleport
+ name: config
+ readOnly: true
+ - mountPath: /etc/teleport-secrets
+ name: auth-token
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: data
+ serviceAccountName: RELEASE-NAME
+ volumes:
+ - configMap:
+ name: RELEASE-NAME
+ name: config
+ - name: auth-token
+ secret:
+ secretName: teleport-kube-agent-join-token
+ - emptyDir: {}
+ name: data
+sets Deployment labels when specified:
+ 1: |
+ replicas: 1
+ selector:
+ matchLabels:
+ app: RELEASE-NAME
+ template:
+ metadata:
+ annotations:
+ checksum/config: 790ebcf515a3f43b0c1dba7b809211184a6ad4481ac78b21e1275777ec4207af
+ labels:
+ app: RELEASE-NAME
+ app.kubernetes.io/name: teleport-kube-agent
+ resource: pod
+ spec:
+ containers:
+ - args:
+ - --diag-addr=0.0.0.0:3000
+ image: quay.io/gravitational/teleport:10.0.0-dev
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /healthz
+ port: diag
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ name: teleport
+ ports:
+ - containerPort: 3000
+ name: diag
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 12
+ httpGet:
+ path: /readyz
+ port: diag
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+ volumeMounts:
+ - mountPath: /etc/teleport
+ name: config
+ readOnly: true
+ - mountPath: /etc/teleport-secrets
+ name: auth-token
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: data
+ serviceAccountName: RELEASE-NAME
+ volumes:
+ - configMap:
+ name: RELEASE-NAME
+ name: config
+ - name: auth-token
+ secret:
+ secretName: teleport-kube-agent-join-token
+ - emptyDir: {}
+ name: data
+sets Pod annotations when specified:
1: |
containers:
- args:
@@ -53,7 +200,7 @@ sets Deployment annotations when specified:
secretName: teleport-kube-agent-join-token
- emptyDir: {}
name: data
-sets Pod annotations when specified:
+sets Pod labels when specified:
1: |
containers:
- args:
@@ -1077,6 +1224,61 @@ should set nodeSelector if set in values:
secretName: teleport-kube-agent-join-token
- emptyDir: {}
name: data
+should set not set priorityClassName when not set in values:
+ 1: |
+ containers:
+ - args:
+ - --diag-addr=0.0.0.0:3000
+ image: quay.io/gravitational/teleport:10.0.0-dev
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /healthz
+ port: diag
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ name: teleport
+ ports:
+ - containerPort: 3000
+ name: diag
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 12
+ httpGet:
+ path: /readyz
+ port: diag
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+ volumeMounts:
+ - mountPath: /etc/teleport
+ name: config
+ readOnly: true
+ - mountPath: /etc/teleport-secrets
+ name: auth-token
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: data
+ serviceAccountName: RELEASE-NAME
+ volumes:
+ - configMap:
+ name: RELEASE-NAME
+ name: config
+ - name: auth-token
+ secret:
+ secretName: teleport-kube-agent-join-token
+ - emptyDir: {}
+ name: data
should set preferred affinity when more than one replica is used:
1: |
affinity:
@@ -1144,6 +1346,62 @@ should set preferred affinity when more than one replica is used:
secretName: teleport-kube-agent-join-token
- emptyDir: {}
name: data
+should set priorityClassName when set in values:
+ 1: |
+ containers:
+ - args:
+ - --diag-addr=0.0.0.0:3000
+ image: quay.io/gravitational/teleport:10.0.0-dev
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /healthz
+ port: diag
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ name: teleport
+ ports:
+ - containerPort: 3000
+ name: diag
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 12
+ httpGet:
+ path: /readyz
+ port: diag
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+ volumeMounts:
+ - mountPath: /etc/teleport
+ name: config
+ readOnly: true
+ - mountPath: /etc/teleport-secrets
+ name: auth-token
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: data
+ priorityClassName: teleport-kube-agent
+ serviceAccountName: RELEASE-NAME
+ volumes:
+ - configMap:
+ name: RELEASE-NAME
+ name: config
+ - name: auth-token
+ secret:
+ secretName: teleport-kube-agent-join-token
+ - emptyDir: {}
+ name: data
should set probeTimeoutSeconds when set in values:
1: |
containers:
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/pdb_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/pdb_test.yaml.snap
index a8d3bf87b8092..7103d986a1568 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/pdb_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/pdb_test.yaml.snap
@@ -1,3 +1,19 @@
+sets PodDisruptionBudget labels when specified:
+ 1: |
+ apiVersion: policy/v1beta1
+ kind: PodDisruptionBudget
+ metadata:
+ labels:
+ app: RELEASE-NAME
+ app.kubernetes.io/name: teleport-kube-agent
+ resource: poddisruptionbudget
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ minAvailable: 2
+ selector:
+ matchLabels:
+ app: RELEASE-NAME
should create a PDB when enabled in values (pdb.yaml):
1: |
apiVersion: policy/v1beta1
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/psp_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/psp_test.yaml.snap
index 5536920844cf3..fd2a0c67c6216 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/psp_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/psp_test.yaml.snap
@@ -32,3 +32,40 @@ creates a PodSecurityPolicy when enabled in values:
rule: MustRunAs
volumes:
- '*'
+sets PodSecurityPolicy labels when specified:
+ 1: |
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+ metadata:
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default,runtime/default
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
+ labels:
+ app.kubernetes.io/name: teleport-kube-agent
+ resource: podsecuritypolicy
+ name: RELEASE-NAME
+ spec:
+ allowPrivilegeEscalation: false
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ privileged: false
+ readOnlyRootFilesystem: true
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - '*'
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap
index a1176d268f494..538c72421fbd3 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap
@@ -20,3 +20,17 @@ generates a secret with a custom name when authToken and secretName are provided
auth-token: |
sample-auth-token-dont-use-this
type: Opaque
+sets Secret labels when specified:
+ 1: |
+ apiVersion: v1
+ kind: Secret
+ metadata:
+ labels:
+ app.kubernetes.io/name: teleport-kube-agent
+ resource: secret
+ name: teleport-kube-agent-join-token
+ namespace: NAMESPACE
+ stringData:
+ auth-token: |
+ auth-token
+ type: Opaque
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/serviceaccount_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/serviceaccount_test.yaml.snap
index fa132fe5d7c65..a451b140851ba 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/serviceaccount_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/serviceaccount_test.yaml.snap
@@ -8,3 +8,13 @@ sets ServiceAccount annotations when specified:
kubernetes.io/serviceaccount-different: 5
name: RELEASE-NAME
namespace: NAMESPACE
+sets ServiceAccount labels when specified:
+ 1: |
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+ labels:
+ app.kubernetes.io/name: teleport-kube-agent
+ resource: serviceaccount
+ name: RELEASE-NAME
+ namespace: NAMESPACE
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
index 63f657161272c..a8566f1c1d8be 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
@@ -53,6 +53,150 @@ sets Pod annotations when specified:
- name: auth-token
secret:
secretName: teleport-kube-agent-join-token
+sets Pod labels when specified:
+ 1: |
+ containers:
+ - args:
+ - --diag-addr=0.0.0.0:3000
+ image: quay.io/gravitational/teleport:10.0.0-dev
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /readyz
+ port: diag
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ name: teleport
+ ports:
+ - containerPort: 3000
+ name: diag
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 12
+ httpGet:
+ path: /readyz
+ port: diag
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+ volumeMounts:
+ - mountPath: /etc/teleport
+ name: config
+ readOnly: true
+ - mountPath: /etc/teleport-secrets
+ name: auth-token
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: RELEASE-NAME-teleport-data
+ securityContext:
+ fsGroup: 9807
+ serviceAccountName: RELEASE-NAME
+ volumes:
+ - configMap:
+ name: RELEASE-NAME
+ name: config
+ - name: auth-token
+ secret:
+ secretName: teleport-kube-agent-join-token
+sets StatefulSet labels when specified:
+ 1: |
+ apiVersion: apps/v1
+ kind: StatefulSet
+ metadata:
+ labels:
+ app: RELEASE-NAME
+ app.kubernetes.io/name: teleport-kube-agent
+ resource: deployment
+ name: RELEASE-NAME
+ namespace: NAMESPACE
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: RELEASE-NAME
+ serviceName: RELEASE-NAME
+ template:
+ metadata:
+ annotations:
+ checksum/config: 790ebcf515a3f43b0c1dba7b809211184a6ad4481ac78b21e1275777ec4207af
+ labels:
+ app: RELEASE-NAME
+ app.kubernetes.io/name: teleport-kube-agent
+ resource: pod
+ spec:
+ containers:
+ - args:
+ - --diag-addr=0.0.0.0:3000
+ image: quay.io/gravitational/teleport:10.0.0-dev
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /readyz
+ port: diag
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ name: teleport
+ ports:
+ - containerPort: 3000
+ name: diag
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 12
+ httpGet:
+ path: /readyz
+ port: diag
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 1
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - all
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 9807
+ volumeMounts:
+ - mountPath: /etc/teleport
+ name: config
+ readOnly: true
+ - mountPath: /etc/teleport-secrets
+ name: auth-token
+ readOnly: true
+ - mountPath: /var/lib/teleport
+ name: RELEASE-NAME-teleport-data
+ securityContext:
+ fsGroup: 9807
+ serviceAccountName: RELEASE-NAME
+ volumes:
+ - configMap:
+ name: RELEASE-NAME
+ name: config
+ - name: auth-token
+ secret:
+ secretName: teleport-kube-agent-join-token
+ volumeClaimTemplates:
+ - metadata:
+ name: RELEASE-NAME-teleport-data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 128Mi
+ storageClassName: aws-gp2
should add insecureSkipProxyTLSVerify to args when set in values:
1: |
containers:
diff --git a/examples/chart/teleport-kube-agent/tests/clusterrole_test.yaml b/examples/chart/teleport-kube-agent/tests/clusterrole_test.yaml
index 337947d13ad2b..c589a7a7ed5f4 100644
--- a/examples/chart/teleport-kube-agent/tests/clusterrole_test.yaml
+++ b/examples/chart/teleport-kube-agent/tests/clusterrole_test.yaml
@@ -9,3 +9,15 @@ tests:
- isKind:
of: ClusterRole
- matchSnapshot: {}
+
+ - it: sets ClusterRole labels when specified
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: clusterrole
+ - matchSnapshot: {}
diff --git a/examples/chart/teleport-kube-agent/tests/clusterrolebinding_test.yaml b/examples/chart/teleport-kube-agent/tests/clusterrolebinding_test.yaml
index b8f30d8cf4fc2..ce78e09f8b971 100644
--- a/examples/chart/teleport-kube-agent/tests/clusterrolebinding_test.yaml
+++ b/examples/chart/teleport-kube-agent/tests/clusterrolebinding_test.yaml
@@ -9,3 +9,15 @@ tests:
- isKind:
of: ClusterRoleBinding
- matchSnapshot: {}
+
+ - it: sets ClusterRoleBinding labels when specified
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: clusterrolebinding
+ - matchSnapshot: {}
diff --git a/examples/chart/teleport-kube-agent/tests/config_test.yaml b/examples/chart/teleport-kube-agent/tests/config_test.yaml
index b3115d6b31352..8424b2e69ec1b 100644
--- a/examples/chart/teleport-kube-agent/tests/config_test.yaml
+++ b/examples/chart/teleport-kube-agent/tests/config_test.yaml
@@ -32,6 +32,18 @@ tests:
of: ConfigMap
- matchSnapshot: {}
+ - it: matches snapshot and tests for extra-labels.yaml
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: config
+ - matchSnapshot: {}
+
- it: matches snapshot and tests for annotations.yaml
values:
- ../.lint/annotations.yaml
diff --git a/examples/chart/teleport-kube-agent/tests/deployment_test.yaml b/examples/chart/teleport-kube-agent/tests/deployment_test.yaml
index f652750b849ba..17ad9a7b4978d 100644
--- a/examples/chart/teleport-kube-agent/tests/deployment_test.yaml
+++ b/examples/chart/teleport-kube-agent/tests/deployment_test.yaml
@@ -12,6 +12,32 @@ tests:
- hasDocuments:
count: 1
+ - it: sets Deployment labels when specified
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: deployment
+ - matchSnapshot:
+ path: spec
+
+ - it: sets Pod labels when specified
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: spec.template.metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: spec.template.metadata.labels.resource
+ value: pod
+ - matchSnapshot:
+ path: spec.template.spec
+
- it: sets Deployment annotations when specified
values:
- ../.lint/annotations.yaml
@@ -22,8 +48,7 @@ tests:
- equal:
path: metadata.annotations.kubernetes\.io/deployment-different
value: 3
- - matchSnapshot:
- path: spec.template.spec
+ - matchSnapshot: {}
- it: sets Pod annotations when specified
values:
@@ -328,6 +353,25 @@ tests:
- matchSnapshot:
path: spec.template.spec
+ - it: should set priorityClassName when set in values
+ values:
+ - ../.lint/priority-class-name.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.priorityClassName
+ value: teleport-kube-agent
+ - matchSnapshot:
+ path: spec.template.spec
+
+ - it: should set not set priorityClassName when not set in values
+ values:
+ - ../.lint/backwards-compatibility.yaml
+ asserts:
+ - isNull:
+ path: spec.template.spec.priorityClassName
+ - matchSnapshot:
+ path: spec.template.spec
+
- it: should set serviceAccountName when set in values
values:
- ../.lint/service-account-name.yaml
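Review bot: The name on the second `- it:` line, `should set not set priorityClassName when not set in values`, is a typo; the intended name is `should not set priorityClassName when not set in values`. Because the test name is also the snapshot key, the matching `should set not set priorityClassName when not set in values:` entry in `deployment_test.yaml.snap` has to be renamed in the same change or the snapshot run fails. The `isNull` assertion on `spec.template.spec.priorityClassName` is the right check for the absence case and can stay as is.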
diff --git a/examples/chart/teleport-kube-agent/tests/pdb_test.yaml b/examples/chart/teleport-kube-agent/tests/pdb_test.yaml
index b673ce8400ce3..9486b9511f0e5 100644
--- a/examples/chart/teleport-kube-agent/tests/pdb_test.yaml
+++ b/examples/chart/teleport-kube-agent/tests/pdb_test.yaml
@@ -11,3 +11,16 @@ tests:
- isKind:
of: PodDisruptionBudget
- matchSnapshot: {}
+
+ - it: sets PodDisruptionBudget labels when specified
+ values:
+ - ../.lint/pdb.yaml
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: poddisruptionbudget
+ - matchSnapshot: {}
diff --git a/examples/chart/teleport-kube-agent/tests/psp_test.yaml b/examples/chart/teleport-kube-agent/tests/psp_test.yaml
index 0faad123c1dc1..3f8a5f87b88aa 100644
--- a/examples/chart/teleport-kube-agent/tests/psp_test.yaml
+++ b/examples/chart/teleport-kube-agent/tests/psp_test.yaml
@@ -19,3 +19,15 @@ tests:
isKind:
of: RoleBinding
- matchSnapshot: {}
+
+ - it: sets PodSecurityPolicy labels when specified
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: podsecuritypolicy
+ - matchSnapshot: {}
diff --git a/examples/chart/teleport-kube-agent/tests/secret_test.yaml b/examples/chart/teleport-kube-agent/tests/secret_test.yaml
index d2d7963b8e213..1acb7174da0d0 100644
--- a/examples/chart/teleport-kube-agent/tests/secret_test.yaml
+++ b/examples/chart/teleport-kube-agent/tests/secret_test.yaml
@@ -28,3 +28,15 @@ tests:
path: metadata.name
value: some-other-secret-name
- matchSnapshot: {}
+
+ - it: sets Secret labels when specified
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: secret
+ - matchSnapshot: {}
diff --git a/examples/chart/teleport-kube-agent/tests/serviceaccount_test.yaml b/examples/chart/teleport-kube-agent/tests/serviceaccount_test.yaml
index fe5d1ebede622..05347340b50fd 100644
--- a/examples/chart/teleport-kube-agent/tests/serviceaccount_test.yaml
+++ b/examples/chart/teleport-kube-agent/tests/serviceaccount_test.yaml
@@ -2,6 +2,18 @@ suite: ServiceAccount
templates:
- serviceaccount.yaml
tests:
+ - it: sets ServiceAccount labels when specified
+ values:
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: serviceaccount
+ - matchSnapshot: {}
+
- it: sets ServiceAccount annotations when specified
values:
- ../.lint/annotations.yaml
diff --git a/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml b/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml
index 95edd2586c15a..c863a45401ae9 100644
--- a/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml
+++ b/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml
@@ -12,6 +12,33 @@ tests:
- hasDocuments:
count: 1
+ - it: sets StatefulSet labels when specified
+ values:
+ - ../.lint/stateful.yaml
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: metadata.labels.resource
+ value: deployment
+ - matchSnapshot: {}
+
+ - it: sets Pod labels when specified
+ values:
+ - ../.lint/stateful.yaml
+ - ../.lint/extra-labels.yaml
+ asserts:
+ - equal:
+ path: spec.template.metadata.labels.app\.kubernetes\.io/name
+ value: teleport-kube-agent
+ - equal:
+ path: spec.template.metadata.labels.resource
+ value: pod
+ - matchSnapshot:
+ path: spec.template.spec
+
- it: sets Pod annotations when specified
values:
- ../.lint/annotations.yaml
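Review bot: The `sets StatefulSet labels when specified` case asserts that `metadata.labels.resource` equals `deployment` on a StatefulSet, which reads like a copy-paste mistake unless the reader knows the chart feeds `extraLabels.deployment` to both workload kinds. A one-line comment above that `equal` assertion would stop the next maintainer from "correcting" it: `# extraLabels.deployment is applied to the StatefulSet as well, so the .lint fixture's value is expected here`. That the key is shared is inferred from the `Labels for the Deployment/StatefulSet` comment in values.yaml elsewhere in this change; confirm it against statefulset.yaml before wording the comment.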
diff --git a/examples/chart/teleport-kube-agent/values.schema.json b/examples/chart/teleport-kube-agent/values.schema.json
index 4f3604bb23f96..8f9f4170a16cf 100644
--- a/examples/chart/teleport-kube-agent/values.schema.json
+++ b/examples/chart/teleport-kube-agent/values.schema.json
@@ -206,6 +206,11 @@
}
}
},
+ "priorityClassName": {
+ "$id": "#/properties/priorityClassName",
+ "type": "string",
+ "default": ""
+ },
"serviceAccountName": {
"$id": "#/properties/serviceAccountName",
"type": "string",
@@ -228,7 +233,13 @@
"level": {
"$id": "#/properties/log/properties/level",
"type": "string",
- "enum": ["DEBUG", "INFO", "WARN", "WARNING", "ERROR"],
+ "enum": [
+ "DEBUG",
+ "INFO",
+ "WARN",
+ "WARNING",
+ "ERROR"
+ ],
"default": "INFO"
},
"deployment": {
@@ -253,6 +264,57 @@
"type": "object",
"default": {}
},
+ "extraLabels": {
+ "$id": "#/properties/extraLabels",
+ "type": "object",
+ "properties": {
+ "clusterRole": {
+ "$id": "#/properties/extraLabels/properties/clusterRole",
+ "type": "object",
+ "default": {}
+ },
+ "clusterRoleBinding": {
+ "$id": "#/properties/extraLabels/properties/clusterRoleBinding",
+ "type": "object",
+ "default": {}
+ },
+ "config": {
+ "$id": "#/properties/extraLabels/properties/config",
+ "type": "object",
+ "default": {}
+ },
+ "deployment": {
+ "$id": "#/properties/extraLabels/properties/deployment",
+ "type": "object",
+ "default": {}
+ },
+ "pod": {
+ "$id": "#/properties/extraLabels/properties/pod",
+ "type": "object",
+ "default": {}
+ },
+ "podDisruptionBudget": {
+ "$id": "#/properties/extraLabels/properties/podDisruptionBudget",
+ "type": "object",
+ "default": {}
+ },
+ "podSecurityPolicy": {
+ "$id": "#/properties/extraLabels/properties/podSecurityPolicy",
+ "type": "object",
+ "default": {}
+ },
+ "secret": {
+ "$id": "#/properties/extraLabels/properties/secret",
+ "type": "object",
+ "default": {}
+ },
+ "serviceAccount": {
+ "$id": "#/properties/extraLabels/properties/serviceAccount",
+ "type": "object",
+ "default": {}
+ }
+ }
+ },
"annotations": {
"$id": "#/properties/annotations",
"type": "object",
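Review bot: Each of the nine `extraLabels` sub-objects is declared only as `"type": "object"`, so a non-string label value (for example a bare number) passes schema validation and is rejected only by the API server at install time, since Kubernetes label values must be strings. Adding `"additionalProperties": { "type": "string" }` to each sub-object would surface that at `helm lint`/`helm template` time instead. If the existing `annotations` schema deliberately uses the bare `object` form, keeping the two blocks consistent is reasonable, but labels carry the stricter API contract (length and character set as well), so the string type is the minimum worth pinning here.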
@@ -336,4 +398,4 @@
"default": 1
}
}
-}
+}
\ No newline at end of file
diff --git a/examples/chart/teleport-kube-agent/values.yaml b/examples/chart/teleport-kube-agent/values.yaml
index 91ab950525518..f7173bbf04338 100644
--- a/examples/chart/teleport-kube-agent/values.yaml
+++ b/examples/chart/teleport-kube-agent/values.yaml
@@ -167,6 +167,28 @@ affinity: {}
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
nodeSelector: {}
+# Kubernetes labels to apply
+# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
+extraLabels:
+ # Labels for the Cluster Role
+ clusterRole: {}
+ # Labels for the Cluster Role Binding
+ clusterRoleBinding: {}
+ # Labels for the ConfigMap
+ config: {}
+ # Labels for the Deployment/StatefulSet
+ deployment: {}
+ # Labels for each Pod in the Deployment/StatefulSet
+ pod: {}
+ # Labels for the Pod Disruption Budget (ignored when disabled)
+ podDisruptionBudget: {}
+ # Labels for the Pod Security Policy (ignored when disabled)
+ podSecurityPolicy: {}
+ # Labels for the Secret (ignored when disabled)
+ secret: {}
+ # Labels for the ServiceAccount object
+ serviceAccount: {}
+
# Kubernetes annotations to apply
# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations:
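Review bot: The `pod:` entry needs a caveat about selector labels: the snapshots in this change show the chart setting `app: RELEASE-NAME` on the Pod template and using that same key in the Deployment/StatefulSet `selector.matchLabels` and in the PodDisruptionBudget selector. If the template merges `extraLabels.pod` after its own labels (the merge order is not visible here; confirm in the template), a user who sets `app` under `pod` overrides the chart-managed label and the workload no longer matches its own Pods. Suggested wording at the `pod:` comment: `# Labels for each Pod in the Deployment/StatefulSet (do not set "app" here; the chart manages it and uses it in selectors)`.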
@@ -214,6 +236,9 @@ resources: {}
# cpu: "1"
# memory: "2Gi"
+# Priority class name to add to the deployment
+priorityClassName: ""
+
# Tolerations for pod assignment
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
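Review bot: The comment `# Priority class name to add to the deployment` should state that the named PriorityClass must already exist in the cluster; the chart does not create one, and a Pod referencing a PriorityClass that does not exist is rejected at admission, so the default `""` is the only value that works out of the box. Suggested: `# Name of an existing PriorityClass to set on the Pods; the chart does not create it. Leave empty to use the cluster default.` If statefulset.yaml renders this field as well, say "Deployment/StatefulSet" here as the `extraLabels.deployment` comment does; the snapshots in this change only show the field on the Deployment, so that is inferred.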
diff --git a/webassets b/webassets
index b21c30aeeb946..963ed0c6d3d8f 160000
--- a/webassets
+++ b/webassets
@@ -1 +1 @@
-Subproject commit b21c30aeeb9463164a7f1332c5f4987d48b5337e
+Subproject commit 963ed0c6d3d8f96c90c2461e935fb52fca47d22d