diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/deployment_test.yaml.snap
index 3f121aab087f7..98991aec2640e 100644
--- a/examples/chart/teleport-cluster/tests/__snapshot__/deployment_test.yaml.snap
+++ b/examples/chart/teleport-cluster/tests/__snapshot__/deployment_test.yaml.snap
@@ -1,2184 +1,1585 @@ sets Deployment annotations when specified: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: - kubernetes.io/deployment: test-annotation - kubernetes.io/deployment-different: 3 - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 35cc6ed95ae9bbbbebce4e4fafa1c9684fc7a6b2ddcb35a44ed3f3a9c64b8879 - kubernetes.io/pod: test-annotation - kubernetes.io/pod-different: 4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + 
name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME sets Pod annotations when specified: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: - kubernetes.io/deployment: test-annotation - kubernetes.io/deployment-different: 3 - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 35cc6ed95ae9bbbbebce4e4fafa1c9684fc7a6b2ddcb35a44ed3f3a9c64b8879 - kubernetes.io/pod: test-annotation - kubernetes.io/pod-different: 4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: 
+ failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should add PersistentVolumeClaim as volume when in standalone mode: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 02e900883a5cbf51b02418a1bc6d117a08cb373da148b14b1f926d3ba0e5735d - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport 
+ ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should add emptyDir for data in AWS mode: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 3c7b6f5c5283e73e5b68b818813503228e3323a9092805a27ac359ba3d2dc29f - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + affinity: 
+ podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should add emptyDir for data in GCP mode: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 7860161d0c13077d38858a303a793a0b5cfe0d38cc2c085414e34dba529cc6e6 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - 
protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport-secrets - name: gcp-credentials - readOnly: true - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport-secrets + name: gcp-credentials + readOnly: true + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should add emptyDir for data in custom mode: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should add insecureSkipProxyTLSVerify to args when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - 
checksum/config: 02e900883a5cbf51b02418a1bc6d117a08cb373da148b14b1f926d3ba0e5735d - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - - --insecure - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + - --insecure + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should add named PersistentVolumeClaim as volume when in standalone mode and standalone.existingClaimName is set: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: 
RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 5e1c3e28a7dc5815203ada448e36f79607f8e7308f8732e7d049f1e44b312120 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: teleport-storage + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: teleport-storage should do enterprise things when when enterprise is 
set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: df667419732ddf7ade5070ba488bc12cebeb29072dfd4eb2cf9a5214fdd165d6 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport-ent:8.3.4 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /var/lib/license - name: license - readOnly: true - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: license - secret: - secretName: license - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport-ent:8.3.4 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /var/lib/license + name: license + readOnly: true + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: 
RELEASE-NAME + volumes: + - name: license + secret: + secretName: license + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should expose diag port: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 02e900883a5cbf51b02418a1bc6d117a08cb373da148b14b1f926d3ba0e5735d - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: 
config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should have multiple replicas when replicaCount is set: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + 
weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should mount ConfigMap for config in AWS mode: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 3c7b6f5c5283e73e5b68b818813503228e3323a9092805a27ac359ba3d2dc29f - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - 
mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should mount ConfigMap for config in GCP mode: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 7860161d0c13077d38858a303a793a0b5cfe0d38cc2c085414e34dba529cc6e6 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: 
quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport-secrets - name: gcp-credentials - readOnly: true - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport-secrets + name: gcp-credentials + readOnly: true + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should mount ConfigMap for config in custom mode: 1: | - apiVersion: apps/v1 - 
kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should mount ConfigMap for config in standalone mode: 1: | - apiVersion: apps/v1 - kind: 
Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 02e900883a5cbf51b02418a1bc6d117a08cb373da148b14b1f926d3ba0e5735d - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should mount GCP 
credentials for initContainer in GCP mode: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: d500f89b1581e027a502c2fac36c06b0ae973de64a8d12611702701ea615be0a - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport-secrets - name: gcp-credentials - readOnly: true - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - initContainers: - - args: - - echo test - image: alpine - name: teleport-init - volumeMounts: - - mountPath: /etc/teleport-secrets - name: gcp-credentials - readOnly: true - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + 
topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport-secrets + name: gcp-credentials + readOnly: true + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + initContainers: + - args: + - echo test + image: alpine + name: teleport-init + volumeMounts: + - mountPath: /etc/teleport-secrets + name: gcp-credentials + readOnly: true + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should mount GCP credentials in GCP mode: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 7860161d0c13077d38858a303a793a0b5cfe0d38cc2c085414e34dba529cc6e6 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: 
- failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport-secrets - name: gcp-credentials - readOnly: true - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport-secrets + name: gcp-credentials + readOnly: true + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should mount TLS certs for initContainer when cert-manager is enabled: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: 
RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: cf089ed888d98d4ca45d59a2ee015579370c1e00cb53a89793969b30c5234451 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport-secrets - name: gcp-credentials - readOnly: true - - mountPath: /etc/teleport-tls - name: teleport-tls - readOnly: true - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - initContainers: - - args: - - echo test - image: alpine - name: teleport-init - volumeMounts: - - mountPath: /etc/teleport-secrets - name: gcp-credentials - readOnly: true - - mountPath: /etc/teleport-tls - name: teleport-tls - readOnly: true - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - name: teleport-tls - secret: - secretName: teleport-tls - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + 
matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport-secrets + name: gcp-credentials + readOnly: true + - mountPath: /etc/teleport-tls + name: teleport-tls + readOnly: true + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + initContainers: + - args: + - echo test + image: alpine + name: teleport-init + volumeMounts: + - mountPath: /etc/teleport-secrets + name: gcp-credentials + readOnly: true + - mountPath: /etc/teleport-tls + name: teleport-tls + readOnly: true + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - name: teleport-tls + secret: + secretName: teleport-tls + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should mount TLS certs when cert-manager is enabled: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 86d88c5cb948c27a7ed679c5c68698ef8d124361bcba7fd62735d99176cc21c2 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - 
labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport-secrets - name: gcp-credentials - readOnly: true - - mountPath: /etc/teleport-tls - name: teleport-tls - readOnly: true - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - name: teleport-tls - secret: - secretName: teleport-tls - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport-secrets + name: gcp-credentials + readOnly: true + - mountPath: /etc/teleport-tls + name: teleport-tls + 
readOnly: true + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - name: teleport-tls + secret: + secretName: teleport-tls + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should mount extraVolumes and extraVolumeMounts: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 5ffc3d652d8c34499967db353b39c34b66ec1e0178abcbea2ea471b4613ee605 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - - mountPath: /path/to/mount - name: my-mount - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME - - name: my-mount - secret: - secretName: mySecret + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + 
ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /path/to/mount + name: my-mount + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME + - name: my-mount + secret: + secretName: mySecret should not do enterprise things when when enterprise is not set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 5ffc3d652d8c34499967db353b39c34b66ec1e0178abcbea2ea471b4613ee605 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:8.3.4 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: 
quay.io/gravitational/teleport:8.3.4 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should not have more than one replica in standalone mode: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 02e900883a5cbf51b02418a1bc6d117a08cb373da148b14b1f926d3ba0e5735d - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: 
RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should provision initContainer correctly when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 5ffc3d652d8c34499967db353b39c34b66ec1e0178abcbea2ea471b4613ee605 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - env: - - name: SSL_CERT_FILE - value: /etc/tls/some-cert-file.pem - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - 
initContainers: - - args: - - echo test - image: alpine - name: teleport-init - resources: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: SSL_CERT_FILE + value: /etc/tls/some-cert-file.pem + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + initContainers: + - args: + - echo test + image: alpine + name: teleport-init + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should set affinity when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: 
- app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 - labels: - app: RELEASE-NAME - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: gravitational.io/dedicated - operator: In - values: - - teleport - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gravitational.io/dedicated + operator: In + values: + - teleport + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - 
name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should set environment when extraEnv set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 02e900883a5cbf51b02418a1bc6d117a08cb373da148b14b1f926d3ba0e5735d - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - env: - - name: SSL_CERT_FILE - value: /etc/tls/some-cert-file.pem - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: SSL_CERT_FILE + value: /etc/tls/some-cert-file.pem + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + 
volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should set imagePullPolicy when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 02e900883a5cbf51b02418a1bc6d117a08cb373da148b14b1f926d3ba0e5735d - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: Always - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: Always + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: 
diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should set postStart command if set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 02e900883a5cbf51b02418a1bc6d117a08cb373da148b14b1f926d3ba0e5735d - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - lifecycle: - postStart: - exec: - command: - - /bin/echo - - test - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + lifecycle: + postStart: + exec: + command: + - /bin/echo + - test + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + 
initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should set priorityClassName when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 5ffc3d652d8c34499967db353b39c34b66ec1e0178abcbea2ea471b4613ee605 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - priorityClassName: system-cluster-critical - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + 
imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + priorityClassName: system-cluster-critical + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should set required affinity when highAvailability.requireAntiAffinity is set: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 3c7b6f5c5283e73e5b68b818813503228e3323a9092805a27ac359ba3d2dc29f - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: 
data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data should set resources when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 5ffc3d652d8c34499967db353b39c34b66ec1e0178abcbea2ea471b4613ee605 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - 
httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - name: data - persistentVolumeClaim: - claimName: RELEASE-NAME + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - name: data + persistentVolumeClaim: + claimName: RELEASE-NAME should set tolerations when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2f8462f0dc120a8666b7f1c0acb0dbf391095cea02ad5ddd2d225a9e3f552ad4 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: 
In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - tolerations: - - effect: NoExecute - key: dedicated - operator: Equal - value: teleport - - effect: NoSchedule - key: dedicated - operator: Equal - value: teleport - volumes: - - name: gcp-credentials - secret: - secretName: teleport-gcp-credentials - - configMap: - name: RELEASE-NAME - name: config - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + tolerations: + - effect: NoExecute + key: dedicated + operator: Equal + value: teleport + - 
effect: NoSchedule + key: dedicated + operator: Equal + value: teleport + volumes: + - name: gcp-credentials + secret: + secretName: teleport-gcp-credentials + - configMap: + name: RELEASE-NAME + name: config + - emptyDir: {} + name: data diff --git a/examples/chart/teleport-cluster/tests/deployment_test.yaml b/examples/chart/teleport-cluster/tests/deployment_test.yaml index 967c0120a170d..930925c9cc5d2 100644 --- a/examples/chart/teleport-cluster/tests/deployment_test.yaml +++ b/examples/chart/teleport-cluster/tests/deployment_test.yaml @@ -13,7 +13,8 @@ tests: - equal: path: metadata.annotations.kubernetes\.io/deployment-different value: 3 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: sets Pod annotations when specified values: @@ -25,7 +26,8 @@ tests: - equal: path: spec.template.metadata.annotations.kubernetes\.io/pod-different value: 4 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should not have more than one replica in standalone mode set: @@ -35,7 +37,8 @@ tests: - equal: path: spec.replicas value: 1 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should have multiple replicas when replicaCount is set set: @@ -47,7 +50,8 @@ tests: - equal: path: spec.replicas value: 3 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set affinity when set in values set: @@ -67,7 +71,8 @@ tests: asserts: - isNotNull: path: spec.template.spec.affinity - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set required affinity when highAvailability.requireAntiAffinity is set values: @@ -79,7 +84,8 @@ tests: path: spec.template.spec.affinity.podAntiAffinity - isNotNull: path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set tolerations when set in values values: 
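Review bot: Narrowing `matchSnapshot` to `path: spec.template.spec` in this hunk, and in every later hunk of `tests/deployment_test.yaml`, means the pod-template `checksum/config` annotation, `spec.selector` and the template labels are no longer pinned by any snapshot, and none of the `equal`/`isNotNull` assertions visible in these hunks reads them. If that annotation is what rolls the pods when the rendered config changes (presumably its purpose), a template regression that drops it would now pass while pods keep running on stale configuration. I would add one explicit check to a test in this file, `- isNotNull:` with `path: spec.template.metadata.annotations.checksum/config`, and put a comment such as `# snapshot covers the pod spec only; Deployment and template metadata are asserted explicitly` above the first `matchSnapshot`. The `tests:` list and most test bodies start outside these hunks, so an assertion elsewhere may already cover this.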
@@ -87,7 +93,8 @@ tests: asserts: - isNotNull: path: spec.template.spec.tolerations - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set resources when set in values values: @@ -105,7 +112,8 @@ tests: - equal: path: spec.template.spec.containers[0].resources.requests.memory value: 2Gi - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec # we can't use the dynamic chart version or appVersion as a variable in the tests, # so we override it manually and check that gets set instead @@ -131,7 +139,8 @@ tests: name: license secret: secretName: license - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should not do enterprise things when when enterprise is not set in values set: @@ -153,7 +162,8 @@ tests: name: license secret: secretName: license - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount GCP credentials in GCP mode values: @@ -171,7 +181,8 @@ tests: name: gcp-credentials secret: secretName: teleport-gcp-credentials - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount GCP credentials for initContainer in GCP mode values: @@ -184,7 +195,8 @@ tests: mountPath: /etc/teleport-secrets name: "gcp-credentials" readOnly: true - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount TLS certs when cert-manager is enabled values: @@ -202,7 +214,8 @@ tests: name: teleport-tls secret: secretName: teleport-tls - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount TLS certs for initContainer when cert-manager is enabled values: @@ -215,7 +228,8 @@ tests: mountPath: /etc/teleport-tls name: "teleport-tls" readOnly: true - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount ConfigMap for config in AWS mode values: 
@@ -233,7 +247,8 @@ tests: name: config configMap: name: RELEASE-NAME - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount ConfigMap for config in GCP mode values: @@ -251,7 +266,8 @@ tests: name: config configMap: name: RELEASE-NAME - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount ConfigMap for config in standalone mode set: @@ -270,7 +286,8 @@ tests: name: config configMap: name: RELEASE-NAME - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount ConfigMap for config in custom mode set: @@ -289,7 +306,8 @@ tests: name: config configMap: name: RELEASE-NAME - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount extraVolumes and extraVolumeMounts values: @@ -306,7 +324,8 @@ tests: name: my-mount secret: secretName: mySecret - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount extraVolumes and extraVolumeMounts values: @@ -323,7 +342,8 @@ tests: name: my-mount secret: secretName: mySecret - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount extraVolumes and extraVolumeMounts values: @@ -340,7 +360,8 @@ tests: name: my-mount secret: secretName: mySecret - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set imagePullPolicy when set in values set: @@ -350,7 +371,8 @@ tests: - equal: path: spec.template.spec.containers[0].imagePullPolicy value: Always - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set environment when extraEnv set in values set: @@ -364,7 +386,8 @@ tests: content: name: SSL_CERT_FILE value: "/etc/tls/some-cert-file.pem" - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should provision initContainer correctly when set in values values: 
@@ -396,7 +419,8 @@ tests: - equal: path: spec.template.spec.initContainers[0].resources.requests.memory value: 2Gi - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should add insecureSkipProxyTLSVerify to args when set in values set: @@ -406,7 +430,8 @@ tests: - contains: path: spec.template.spec.containers[0].args content: "--insecure" - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should expose diag port set: @@ -418,7 +443,8 @@ tests: name: diag containerPort: 3000 protocol: TCP - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set postStart command if set in values set: @@ -429,7 +455,8 @@ tests: - equal: path: spec.template.spec.containers[0].lifecycle.postStart.exec.command value: ["/bin/echo", "test"] - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should add PersistentVolumeClaim as volume when in standalone mode set: @@ -442,7 +469,8 @@ tests: name: data persistentVolumeClaim: claimName: RELEASE-NAME - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should add named PersistentVolumeClaim as volume when in standalone mode and standalone.existingClaimName is set values: @@ -454,7 +482,8 @@ tests: name: data persistentVolumeClaim: claimName: teleport-storage - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should add emptyDir for data in AWS mode values: @@ -465,7 +494,8 @@ tests: content: name: data emptyDir: {} - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should add emptyDir for data in GCP mode values: @@ -476,7 +506,8 @@ tests: content: name: data emptyDir: {} - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should add emptyDir for data in custom mode set: @@ -488,7 +519,8 @@ tests: content: name: data emptyDir: {} - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set priorityClassName when set in values values: 
@@ -497,4 +529,5 @@ tests: - equal: path: spec.template.spec.priorityClassName value: system-cluster-critical - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap index 0b92834087a9b..980b420d739b2 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap 
@@ -1,1793 +1,1346 @@ sets Deployment annotations when specified: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: - kubernetes.io/deployment: test-annotation - kubernetes.io/deployment-different: 3 - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: adbe9a136a1f161df9b830b7e04a05d91d808e4a5d37350266a9730b791dabc6 - kubernetes.io/pod: test-annotation - kubernetes.io/pod-different: 4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + 
httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data sets Pod annotations when specified: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - annotations: - kubernetes.io/deployment: test-annotation - kubernetes.io/deployment-different: 3 - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: adbe9a136a1f161df9b830b7e04a05d91d808e4a5d37350266a9730b791dabc6 - kubernetes.io/pod: test-annotation - kubernetes.io/pod-different: 4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: 
/var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should add emptyDir for data when existingDataVolume is not set: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: 
diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should add insecureSkipProxyTLSVerify to args when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - 
metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - - --insecure - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + - --insecure + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + 
name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should correctly configure existingDataVolume when set: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: teleport-kube-agent-data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + 
failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: teleport-kube-agent-data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should expose diag port: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: 
teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should have multiple replicas when replicaCount is set (using .replicaCount, deprecated): 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - 
initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + 
secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should have multiple replicas when replicaCount is set (using highAvailability.replicaCount): 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + 
topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should have one replica when replicaCount is not set: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false 
- capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should mount extraVolumes and extraVolumeMounts: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: 
quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - - mountPath: /path/to/mount - name: my-mount - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data - - name: my-mount - secret: - secretName: mySecret + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /path/to/mount + name: my-mount + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME 
+ name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: my-mount + secret: + secretName: mySecret should provision initContainer correctly when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - initContainers: - - args: - - echo test - image: alpine - name: teleport-init - resources: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: 
data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + initContainers: + - args: + - echo test + image: alpine + name: teleport-init + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should set SecurityContext: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 
1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + 
- mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should set affinity when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: gravitational.io/dedicated - operator: In - values: - - teleport - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - teleport - topologyKey: kubernetes.io/hostname - weight: 1 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: 
auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gravitational.io/dedicated + operator: In + values: + - teleport + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - teleport + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should set default serviceAccountName when not set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - 
--diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + 
name: data should set environment when extraEnv set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: a0e194d315c4d1a73f7c1b7a276bfcbb74aef2b03f7529e393844bdda44abb72 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - env: - - name: HTTPS_PROXY - value: http://username:password@my.proxy.host:3128 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + 
path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should set image and tag correctly: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: e853ab9f90fe642bd0a1efb48b881e6da55d1ff9903c11e7713f30a4bdde2935 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:8.3.4 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: 
teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:8.3.4 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should set imagePullPolicy when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: Always - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - 
capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: Always + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should set nodeSelector if set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: 
quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - nodeSelector: - gravitational.io/k8s-role: node - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + nodeSelector: + gravitational.io/k8s-role: node + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: 
+ secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should set preferred affinity when more than one replica is used: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname 
+ weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should set required affinity when highAvailability.requireAntiAffinity is set: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 2 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - 
name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should set resources when set in values: 1: | - apiVersion: 
apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + 
securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should set serviceAccountName when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: teleport-kube-agent-sa - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + 
containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: teleport-kube-agent-sa + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data should set tolerations when set in values: 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /healthz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - 
readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: data - serviceAccountName: RELEASE-NAME - tolerations: - - effect: NoExecute - key: dedicated - operator: Equal - value: teleport - - effect: NoSchedule - key: dedicated - operator: Equal - value: teleport - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - emptyDir: {} - name: data + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + serviceAccountName: RELEASE-NAME + tolerations: + - effect: NoExecute + key: dedicated + operator: Equal + value: teleport + - effect: NoSchedule + key: dedicated + operator: Equal + value: teleport + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data 
diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
index d05221d49a0c7..c824d810abfa9 100644
--- a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap
@@ -1,2206 +1,1454 @@ sets Pod annotations when specified: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 25941abd1272c0a5fd702c37a3bce1a919d8f2ecec3aa72f19ee3acb7c1eaa50 - kubernetes.io/pod: test-annotation - kubernetes.io/pod-different: 4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + 
periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should add insecureSkipProxyTLSVerify to args when set in values: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - - --insecure - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: 
/etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + - --insecure + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should add volumeClaimTemplate for data volume when using StatefulSet: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 
9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + 
name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should add volumeMount for data volume when using StatefulSet: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - 
resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should expose diag port: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - 
securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should have multiple replicas when replicaCount is set (using .replicaCount, deprecated): 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: 
RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: 
kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should have multiple replicas when replicaCount is set (using highAvailability.replicaCount): 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - 
path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: 
/etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should have one replica when replicaCount is not set: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: 
aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should mount extraVolumes and extraVolumeMounts: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - 
allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - - mountPath: /path/to/mount - name: my-mount - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - - name: my-mount - secret: - secretName: mySecret - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + - mountPath: /path/to/mount + name: my-mount + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - name: my-mount + secret: + secretName: mySecret should not 
add emptyDir for data when using StatefulSet: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: 
TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should provision initContainer correctly when set in values: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - 
readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - initContainers: - - args: - - echo test - image: alpine - name: teleport-init - resources: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + initContainers: + - args: + - echo test + image: alpine + name: 
teleport-init + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set SecurityContext: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: 
RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set affinity when set in values: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: gravitational.io/dedicated - operator: In - values: - - 
teleport - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - teleport - topologyKey: kubernetes.io/hostname - weight: 1 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gravitational.io/dedicated + operator: In + values: + - teleport + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - teleport + topologyKey: kubernetes.io/hostname + weight: 1 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + 
imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set default serviceAccountName when not set in values: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - 
runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set environment when extraEnv set in values: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - 
checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - env: - - name: HTTPS_PROXY - value: http://username:password@my.proxy.host:3128 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: HTTPS_PROXY + value: http://username:password@my.proxy.host:3128 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + 
allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set image and tag correctly: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: e853ab9f90fe642bd0a1efb48b881e6da55d1ff9903c11e7713f30a4bdde2935 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:8.3.4 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: 
teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:8.3.4 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set imagePullPolicy when set in values: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: Always - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - 
name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: Always + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set nodeSelector if set in values: 1: 
| - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - nodeSelector: - gravitational.io/k8s-role: node - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: 
TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + nodeSelector: + gravitational.io/k8s-role: node + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set preferred affinity when more than one replica is used: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 3 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - weight: 50 - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - 
drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + weight: 50 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set 
required affinity when highAvailability.requireAntiAffinity is set: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 2 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - RELEASE-NAME - topologyKey: kubernetes.io/hostname - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: 
+ matchExpressions: + - key: app + operator: In + values: + - RELEASE-NAME + topologyKey: kubernetes.io/hostname + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set resources when set in values: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - 
port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - resources: - limits: - cpu: 2 - memory: 4Gi - requests: - cpu: 1 - memory: 2Gi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 1 + memory: 2Gi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: 
teleport-kube-agent-join-token should set serviceAccountName when set in values: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: teleport-kube-agent-sa - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - 
containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: teleport-kube-agent-sa + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set storage.requests when set in values: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: 
/var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 256Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set storage.storageClassName when set in values: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 9df339832853cbe02d36960c7beff63e9f848aa56c8745a853dbd912d0f05be4 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: 
quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 128Mi - storageClassName: helm-lint-storage-class + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: 
RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token should set tolerations when set in values: 1: | - apiVersion: apps/v1 - kind: StatefulSet - metadata: - labels: - app: RELEASE-NAME - name: RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app: RELEASE-NAME - serviceName: RELEASE-NAME - template: - metadata: - annotations: - checksum/config: 2c9e2e0426ef51303e16333b07163365428483c3916b061d1ce7a5355d58f778 - labels: - app: RELEASE-NAME - spec: - containers: - - args: - - --diag-addr=0.0.0.0:3000 - image: quay.io/gravitational/teleport:10.0.0-dev - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 6 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - name: teleport - ports: - - containerPort: 3000 - name: diag - protocol: TCP - readinessProbe: - failureThreshold: 12 - httpGet: - path: /readyz - port: diag - initialDelaySeconds: 5 - periodSeconds: 5 - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - all - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 9807 - volumeMounts: - - mountPath: /etc/teleport - name: config - readOnly: true - - mountPath: /etc/teleport-secrets - name: auth-token - readOnly: true - - mountPath: /var/lib/teleport - name: RELEASE-NAME-teleport-data - securityContext: - fsGroup: 9807 - serviceAccountName: RELEASE-NAME - tolerations: - - effect: NoExecute - key: dedicated - operator: Equal - value: teleport - - effect: NoSchedule - key: dedicated - operator: Equal - value: teleport - volumes: - - configMap: - name: RELEASE-NAME - name: config - - name: auth-token - secret: - secretName: teleport-kube-agent-join-token - volumeClaimTemplates: - - metadata: - name: RELEASE-NAME-teleport-data - spec: - accessModes: - - ReadWriteOnce - 
resources: - requests: - storage: 128Mi - storageClassName: aws-gp2 + containers: + - args: + - --diag-addr=0.0.0.0:3000 + image: quay.io/gravitational/teleport:10.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - all + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: RELEASE-NAME-teleport-data + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + tolerations: + - effect: NoExecute + key: dedicated + operator: Equal + value: teleport + - effect: NoSchedule + key: dedicated + operator: Equal + value: teleport + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token diff --git a/examples/chart/teleport-kube-agent/tests/deployment_test.yaml b/examples/chart/teleport-kube-agent/tests/deployment_test.yaml index 49e8c4df02699..0e3011e5950cb 100644 --- a/examples/chart/teleport-kube-agent/tests/deployment_test.yaml +++ b/examples/chart/teleport-kube-agent/tests/deployment_test.yaml @@ -22,7 +22,8 @@ tests: - equal: path: metadata.annotations.kubernetes\.io/deployment-different value: 3 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: sets Pod annotations when specified values: 
@@ -34,7 +35,8 @@ tests: - equal: path: spec.template.metadata.annotations.kubernetes\.io/pod-different value: 4 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should have one replica when replicaCount is not set values: @@ -43,7 +45,8 @@ tests: - equal: path: spec.replicas value: 1 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should have multiple replicas when replicaCount is set (using .replicaCount, deprecated) values: @@ -54,7 +57,8 @@ tests: - equal: path: spec.replicas value: 3 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should have multiple replicas when replicaCount is set (using highAvailability.replicaCount) values: @@ -66,7 +70,8 @@ tests: - equal: path: spec.replicas value: 3 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set affinity when set in values values: @@ -74,7 +79,8 @@ tests: asserts: - isNotNull: path: spec.template.spec.affinity - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set required affinity when highAvailability.requireAntiAffinity is set values: @@ -92,7 +98,8 @@ tests: path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution - isNull: path: spec.template.spec.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set preferred affinity when more than one replica is used values: @@ -109,7 +116,8 @@ tests: path: spec.template.spec.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution - isNull: path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set tolerations when set in values values: 
@@ -117,7 +125,8 @@ tests: asserts: - isNotNull: path: spec.template.spec.tolerations - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set resources when set in values values: @@ -135,7 +144,8 @@ tests: - equal: path: spec.template.spec.containers[0].resources.requests.memory value: 2Gi - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set SecurityContext values: @@ -158,7 +168,8 @@ tests: - equal: path: spec.template.spec.containers[0].securityContext.runAsUser value: 9807 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set image and tag correctly values: @@ -169,7 +180,8 @@ tests: - equal: path: spec.template.spec.containers[0].image value: quay.io/gravitational/teleport:8.3.4 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount extraVolumes and extraVolumeMounts values: @@ -186,7 +198,8 @@ tests: name: my-mount secret: secretName: mySecret - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set imagePullPolicy when set in values values: @@ -197,7 +210,8 @@ tests: - equal: path: spec.template.spec.containers[0].imagePullPolicy value: Always - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set environment when extraEnv set in values set: @@ -213,7 +227,8 @@ tests: content: name: HTTPS_PROXY value: "http://username:password@my.proxy.host:3128" - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should provision initContainer correctly when set in values values: @@ -240,7 +255,8 @@ tests: - equal: path: spec.template.spec.initContainers[0].resources.requests.memory value: 2Gi - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should add insecureSkipProxyTLSVerify to args when set in values values: 
@@ -251,7 +267,8 @@ tests: - contains: path: spec.template.spec.containers[0].args content: "--insecure" - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should expose diag port values: @@ -263,7 +280,8 @@ tests: name: diag containerPort: 3000 protocol: TCP - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set nodeSelector if set in values values: @@ -273,7 +291,8 @@ tests: path: spec.template.spec.nodeSelector value: gravitational.io/k8s-role: node - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should add emptyDir for data when existingDataVolume is not set values: @@ -289,7 +308,8 @@ tests: content: mountPath: /var/lib/teleport name: data - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should correctly configure existingDataVolume when set values: @@ -305,7 +325,8 @@ tests: content: mountPath: /var/lib/teleport name: teleport-kube-agent-data - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set serviceAccountName when set in values values: @@ -314,7 +335,8 @@ tests: - equal: path: spec.template.spec.serviceAccountName value: teleport-kube-agent-sa - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set default serviceAccountName when not set in values values: @@ -323,4 +345,5 @@ tests: - equal: path: spec.template.spec.serviceAccountName value: RELEASE-NAME - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec diff --git a/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml b/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml index 574d08300e05f..6da67d49eebb7 100644 --- a/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml +++ b/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml 
@@ -23,7 +23,8 @@ tests: - equal: path: spec.template.metadata.annotations.kubernetes\.io/pod-different value: 4 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should have one replica when replicaCount is not set values: @@ -32,7 +33,8 @@ tests: - equal: path: spec.replicas value: 1 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should have multiple replicas when replicaCount is set (using .replicaCount, deprecated) values: @@ -43,7 +45,8 @@ tests: - equal: path: spec.replicas value: 3 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should have multiple replicas when replicaCount is set (using highAvailability.replicaCount) values: @@ -55,7 +58,8 @@ tests: - equal: path: spec.replicas value: 3 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set affinity when set in values values: @@ -64,7 +68,8 @@ tests: asserts: - isNotNull: path: spec.template.spec.affinity - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set required affinity when highAvailability.requireAntiAffinity is set values: @@ -82,7 +87,8 @@ tests: path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution - isNull: path: spec.template.spec.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set preferred affinity when more than one replica is used values: @@ -99,7 +105,8 @@ tests: path: spec.template.spec.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution - isNull: path: spec.template.spec.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set tolerations when set in values values: 
@@ -108,7 +115,8 @@ tests: asserts: - isNotNull: path: spec.template.spec.tolerations - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set resources when set in values values: @@ -127,7 +135,8 @@ tests: - equal: path: spec.template.spec.containers[0].resources.requests.memory value: 2Gi - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set SecurityContext values: @@ -150,7 +159,8 @@ tests: - equal: path: spec.template.spec.containers[0].securityContext.runAsUser value: 9807 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set image and tag correctly values: @@ -161,7 +171,8 @@ tests: - equal: path: spec.template.spec.containers[0].image value: quay.io/gravitational/teleport:8.3.4 - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should mount extraVolumes and extraVolumeMounts values: @@ -179,7 +190,8 @@ tests: name: my-mount secret: secretName: mySecret - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set imagePullPolicy when set in values values: @@ -190,7 +202,8 @@ tests: - equal: path: spec.template.spec.containers[0].imagePullPolicy value: Always - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set environment when extraEnv set in values values: @@ -205,7 +218,8 @@ tests: content: name: HTTPS_PROXY value: "http://username:password@my.proxy.host:3128" - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should provision initContainer correctly when set in values values: @@ -233,7 +247,8 @@ tests: - equal: path: spec.template.spec.initContainers[0].resources.requests.memory value: 2Gi - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should add insecureSkipProxyTLSVerify to args when set in values values: 
@@ -244,7 +259,8 @@ tests: - contains: path: spec.template.spec.containers[0].args content: "--insecure" - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should expose diag port values: @@ -256,7 +272,8 @@ tests: name: diag containerPort: 3000 protocol: TCP - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set nodeSelector if set in values values: @@ -267,7 +284,8 @@ tests: path: spec.template.spec.nodeSelector value: gravitational.io/k8s-role: node - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should not add emptyDir for data when using StatefulSet values: @@ -278,7 +296,8 @@ tests: content: name: data emptyDir: {} - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should add volumeMount for data volume when using StatefulSet values: @@ -289,7 +308,8 @@ tests: content: name: data mountPath: RELEASE-NAME-teleport-data - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should add volumeClaimTemplate for data volume when using StatefulSet values: @@ -297,7 +317,8 @@ tests: asserts: - isNotNull: path: spec.volumeClaimTemplates[0].spec - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set storage.storageClassName when set in values values: @@ -309,7 +330,8 @@ tests: - equal: path: spec.volumeClaimTemplates[0].spec.storageClassName value: helm-lint-storage-class - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set storage.requests when set in values values: @@ -321,7 +343,8 @@ tests: - equal: path: spec.volumeClaimTemplates[0].spec.resources.requests.storage value: 256Mi - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set serviceAccountName when set in values values: 
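Review bot: In the `@@ -297,7 +317,8 @@` hunk of statefulset_test.yaml (the test "should add volumeClaimTemplate for data volume when using StatefulSet"), the narrowed snapshot no longer contains `spec.volumeClaimTemplates` at all, so the only check left for the claim template is the `isNotNull` assert. The snapshot lines this commit removes pinned `accessModes`, the storage request and `storageClassName`; the two storage tests in the following hunks keep their `equal` asserts, but nothing visible still fixes the access mode. A second snapshot assert scoped to that field would restore the coverage without bringing back the full-object snapshot: `- matchSnapshot:` followed by `path: spec.volumeClaimTemplates`. The test's `it:` and `values:` lines sit just before the hunk, so the values it renders with are not visible here.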
@@ -331,7 +354,8 @@ tests: - equal: path: spec.template.spec.serviceAccountName value: teleport-kube-agent-sa - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec - it: should set default serviceAccountName when not set in values values: @@ -341,4 +365,5 @@ tests: - equal: path: spec.template.spec.serviceAccountName value: RELEASE-NAME - - matchSnapshot: {} + - matchSnapshot: + path: spec.template.spec