From 44d45c20de99d5201e9a763a9633e950aa44d3ce Mon Sep 17 00:00:00 2001
From: Alexey Dubkov
Date: Tue, 18 Oct 2022 18:46:27 -0700
Subject: [PATCH 1/3] add option to disable creation of ClusteRole and ClusterRoleBinding
---
 .../templates/clusterrole.yaml | 4 ++-
 .../templates/clusterrolebinding.yaml | 2 ++
 .../chart/teleport-cluster/values.schema.json | 14 ++++++++-
 examples/chart/teleport-cluster/values.yaml | 6 ++++
 .../templates/clusterrole.yaml | 2 ++
 .../templates/clusterrolebinding.yaml | 2 ++
 .../teleport-kube-agent/values.schema.json | 29 +++++++++++++++++++
 .../chart/teleport-kube-agent/values.yaml | 12 ++++++--
 8 files changed, 66 insertions(+), 5 deletions(-)
diff --git a/examples/chart/teleport-cluster/templates/clusterrole.yaml b/examples/chart/teleport-cluster/templates/clusterrole.yaml
index 6cd29ec4e771b..371d6b179aa9d 100644
--- a/examples/chart/teleport-cluster/templates/clusterrole.yaml
+++ b/examples/chart/teleport-cluster/templates/clusterrole.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -60,4 +61,5 @@ rules:
 - events
 verbs:
 - create
-{{ end }}
+{{- end -}}
+{{- end -}}
diff --git a/examples/chart/teleport-cluster/templates/clusterrolebinding.yaml b/examples/chart/teleport-cluster/templates/clusterrolebinding.yaml
index 8915a29b2c3eb..0a0c5e21ead8c 100644
--- a/examples/chart/teleport-cluster/templates/clusterrolebinding.yaml
+++ b/examples/chart/teleport-cluster/templates/clusterrolebinding.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -10,3 +11,4 @@ subjects:
 - kind: ServiceAccount
 name: {{ template "teleport.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/examples/chart/teleport-cluster/values.schema.json b/examples/chart/teleport-cluster/values.schema.json
index 18092523c9e7e..73ca51a7204d6 100644
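Review bot: The `rbac.create` value that the new `{{- if .Values.rbac.create -}}` guard at the top of this hunk introduces is documented only by a comment in values.yaml; the diffstat shows no change outside the chart directories, so if the repository keeps a Helm reference page or README for these charts it should gain an entry for `rbac.create` stating that, when false, the chart-managed ServiceAccount is bound to nothing and the operator must supply a ClusterRole with the rules from `templates/clusterrole.yaml` plus a ClusterRoleBinding to that ServiceAccount. Note also that the `{{ end }}` rewritten as `{{- end -}}` in the second hunk closes an inner conditional whose opening lies outside the hunk; the added left trim now removes the newline after `- create`, which is harmless if this is the last line of the file (it appears to be, but that is not visible here) and would otherwise join the following line onto it. Rendering the chart with `helm template` and checking the tail of the ClusterRole output would settle it.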
--- a/examples/chart/teleport-cluster/values.schema.json
+++ b/examples/chart/teleport-cluster/values.schema.json
@@ -698,7 +698,19 @@
 "create": {
 "$id": "#properties/service/create",
 "type": "boolean",
- "default": true
+ "default": true
+ }
+ }
+ },
+ "clusterRole": {
+ "$id": "#/properties/clusterRole",
+ "type": "object",
+ "required": [],
+ "properties": {
+ "create": {
+ "$id": "#properties/service/create",
+ "type": "boolean",
+ "default": true
 }
 }
 },
diff --git a/examples/chart/teleport-cluster/values.yaml b/examples/chart/teleport-cluster/values.yaml
index 297a54cb8d4b3..9afc9b87b6a87 100644
--- a/examples/chart/teleport-cluster/values.yaml
+++ b/examples/chart/teleport-cluster/values.yaml
@@ -352,6 +352,12 @@ serviceAccount:
 name: ""
 # To set annotations on the service account, use the annotations.serviceAccount value.
 
+# Kubernetes ClusterRole and ClusterRoleBinding to create.
+rbac:
+ # Specifies wheather a ClusterRole and ClusterRoleBindigs should be created.
+ # Set to false if your cluster level resources are managed separately.
+ create: true
+
 # Options for the Teleport service
 service:
 type: LoadBalancer
diff --git a/examples/chart/teleport-kube-agent/templates/clusterrole.yaml b/examples/chart/teleport-kube-agent/templates/clusterrole.yaml
index 7cb5f60d54a3f..c6f3c736ad0a4 100644
--- a/examples/chart/teleport-kube-agent/templates/clusterrole.yaml
+++ b/examples/chart/teleport-kube-agent/templates/clusterrole.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -27,3 +28,4 @@ rules:
 - selfsubjectaccessreviews
 verbs:
 - create
+{{- end -}}
diff --git a/examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml b/examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml
index abe4a2f2e5174..22b79c1341e24 100644
--- a/examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml
+++ b/examples/chart/teleport-kube-agent/templates/clusterrolebinding.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -14,3 +15,4 @@ subjects:
 - kind: ServiceAccount
 name: {{ template "teleport.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/examples/chart/teleport-kube-agent/values.schema.json b/examples/chart/teleport-kube-agent/values.schema.json
index eec58c19213db..fd3fcce6846d2 100644
--- a/examples/chart/teleport-kube-agent/values.schema.json
+++ b/examples/chart/teleport-kube-agent/values.schema.json
@@ -508,6 +508,35 @@
 }
 }
 },
+ "serviceAccount": {
+ "$id": "#/properties/serviceAccount",
+ "type": "object",
+ "required": [],
+ "properties": {
+ "name": {
+ "$id": "#properties/service/name",
+ "type": "string",
+ "default": ""
+ },
+ "create": {
+ "$id": "#properties/service/create",
+ "type": "boolean",
+ "default": true
+ }
+ }
+ },
+ "clusterRole": {
+ "$id": "#/properties/clusterRole",
+ "type": "object",
+ "required": [],
+ "properties": {
+ "create": {
+ "$id": "#properties/service/create",
+ "type": "boolean",
+ "default": true
+ }
+ }
+ },
 "extraArgs": {
 "$id": "#/properties/extraArgs",
 "type": "array",
diff --git a/examples/chart/teleport-kube-agent/values.yaml b/examples/chart/teleport-kube-agent/values.yaml
index df54c3262aaa8..36f7c3313bb68 100644
--- a/examples/chart/teleport-kube-agent/values.yaml
+++ b/examples/chart/teleport-kube-agent/values.yaml
@@ -160,8 +160,8 @@ highAvailability:
 ################################################################
 # Values that must be provided if using persistent storage for Teleport.
 #
-# Assigning a persistent volume to Teleport agent allows the agent to keep session recordings when the pod is restarted if `session_recording` is set to `node` or `proxy`.
-# The security association between the agent and the Teleport is no longer stored in PV, instead it is stored in a Kubernetes Secret so that the agent does not require PV
+# Assigning a persistent volume to Teleport agent allows the agent to keep session recordings when the pod is restarted if `session_recording` is set to `node` or `proxy`.
+# The security association between the agent and the Teleport is no longer stored in PV, instead it is stored in a Kubernetes Secret so that the agent does not require PV
 # to survive restarts and rotations while using short-lived joining tokens.
 #
 # Fields:
@@ -201,12 +201,18 @@ serviceAccountName: ""
 # (optional) Kubernetes service account to create/use.
 serviceAccount:
 # Specifies whether a ServiceAccount should be created
- create: true
+ create: true
 # The name of the ServiceAccount to use.
 # If not set and serviceAccount.create is true, the name is generated using the release name.
 # If create is false, the name will be used to reference an existing service account.
 name: ""
 
+# Kubernetes ClusterRole and ClusterRoleBinding to create.
+rbac:
+ # Specifies wheather a ClusterRole and ClusterRoleBindigs should be created.
+ # Set to false if your cluster level resources are managed separately.
+ create: true
+
 # Name of the Secret to store the teleport join token.
 secretName: teleport-kube-agent-join-token
 
From 08b6a8b9d997399b3be9a2c89c8dffba7c2c91a1 Mon Sep 17 00:00:00 2001
From: Alexey Dubkov
Date: Mon, 31 Oct 2022 15:24:51 -0700
Subject: [PATCH 2/3] schema & comments fixes
---
 examples/chart/teleport-cluster/values.schema.json | 4 ++--
 examples/chart/teleport-cluster/values.yaml | 4 ++--
 examples/chart/teleport-kube-agent/values.schema.json | 4 ++--
 examples/chart/teleport-kube-agent/values.yaml | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/examples/chart/teleport-cluster/values.schema.json b/examples/chart/teleport-cluster/values.schema.json
index 73ca51a7204d6..80a517bfcfd72 100644
--- a/examples/chart/teleport-cluster/values.schema.json
+++ b/examples/chart/teleport-cluster/values.schema.json
@@ -702,8 +702,8 @@
 }
 }
 },
- "clusterRole": {
- "$id": "#/properties/clusterRole",
+ "rbac": {
+ "$id": "#/properties/rbac",
 "type": "object",
 "required": [],
 "properties": {
diff --git a/examples/chart/teleport-cluster/values.yaml b/examples/chart/teleport-cluster/values.yaml
index 9afc9b87b6a87..9ef9ee43e7a52 100644
--- a/examples/chart/teleport-cluster/values.yaml
+++ b/examples/chart/teleport-cluster/values.yaml
@@ -352,9 +352,9 @@ serviceAccount:
 name: ""
 # To set annotations on the service account, use the annotations.serviceAccount value.
 
-# Kubernetes ClusterRole and ClusterRoleBinding to create.
+# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
 rbac:
- # Specifies wheather a ClusterRole and ClusterRoleBindigs should be created.
+ # Specifies whether a ClusterRole and ClusterRoleBinding should be created.
 # Set to false if your cluster level resources are managed separately.
 create: true
 
diff --git a/examples/chart/teleport-kube-agent/values.schema.json b/examples/chart/teleport-kube-agent/values.schema.json
index fd3fcce6846d2..e332219d4a473 100644
--- a/examples/chart/teleport-kube-agent/values.schema.json
+++ b/examples/chart/teleport-kube-agent/values.schema.json
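Review bot: The rewritten comment in the teleport-cluster values.yaml hunk still does not say what `rbac.create: false` obliges the operator to provide, and Helm raises no error when the ClusterRole and ClusterRoleBinding are simply not rendered; the Teleport pods would start and presumably fail later on whichever Kubernetes API calls those rules cover (the `events` create rule is the only one visible in this series). I would extend the block to `# Set to false if your cluster level resources are managed separately. In that case the service`, `# account (serviceAccount.name, in the release namespace) must be bound to a ClusterRole equivalent`, `# to templates/clusterrole.yaml, otherwise the API server will reject the pods' requests at runtime.` The `rbac:` block edited here is complete within the hunk.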
@@ -525,8 +525,8 @@
 }
 }
 },
- "clusterRole": {
- "$id": "#/properties/clusterRole",
+ "rbac": {
+ "$id": "#/properties/rbac",
 "type": "object",
 "required": [],
 "properties": {
diff --git a/examples/chart/teleport-kube-agent/values.yaml b/examples/chart/teleport-kube-agent/values.yaml
index 36f7c3313bb68..c1554517953df 100644
--- a/examples/chart/teleport-kube-agent/values.yaml
+++ b/examples/chart/teleport-kube-agent/values.yaml
@@ -207,9 +207,9 @@ serviceAccount:
 # If create is false, the name will be used to reference an existing service account.
 name: ""
 
-# Kubernetes ClusterRole and ClusterRoleBinding to create.
+# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
 rbac:
- # Specifies wheather a ClusterRole and ClusterRoleBindigs should be created.
+ # Specifies whether a ClusterRole and ClusterRoleBinding should be created.
 # Set to false if your cluster level resources are managed separately.
 create: true
 
From d9ba7ae37509a8669d9857bc84540b7e0715f034 Mon Sep 17 00:00:00 2001
From: Alexey Dubkov
Date: Mon, 7 Nov 2022 17:49:30 -0800
Subject: [PATCH 3/3] fixes values schema
---
 examples/chart/teleport-cluster/values.schema.json | 2 +-
 examples/chart/teleport-kube-agent/values.schema.json | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/examples/chart/teleport-cluster/values.schema.json b/examples/chart/teleport-cluster/values.schema.json
index 80a517bfcfd72..f612d3f6c1e88 100644
--- a/examples/chart/teleport-cluster/values.schema.json
+++ b/examples/chart/teleport-cluster/values.schema.json
@@ -708,7 +708,7 @@
 "required": [],
 "properties": {
 "create": {
- "$id": "#properties/service/create",
+ "$id": "#properties/rbac/create",
 "type": "boolean",
 "default": true
 }
diff --git a/examples/chart/teleport-kube-agent/values.schema.json b/examples/chart/teleport-kube-agent/values.schema.json
index e332219d4a473..8f6581d846485 100644
--- a/examples/chart/teleport-kube-agent/values.schema.json
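Review bot: In the teleport-kube-agent values.yaml hunk, the comment on `rbac.create` should state what a separately managed setup has to reproduce: the ClusterRole this switch skips grants at least `create` on `selfsubjectaccessreviews` (visible in the first patch of the series), and with `rbac.create: false` nothing in the chart binds the agent's service account to anything, so the agent will only work if the operator binds `serviceAccount.name` to an equivalent ClusterRole themselves. I would replace the second comment line with `# Set to false if your cluster level resources are managed separately. The service account` and `# (serviceAccount.name) must then be bound to a ClusterRole equivalent to templates/clusterrole.yaml.` The new `# Set to true (default) ...` heading and the `# Specifies whether ...` line beneath it now say the same thing; one of them could be dropped.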
+++ b/examples/chart/teleport-kube-agent/values.schema.json
@@ -514,12 +514,12 @@
 "required": [],
 "properties": {
 "name": {
- "$id": "#properties/service/name",
+ "$id": "#properties/serviceAccount/name",
 "type": "string",
 "default": ""
 },
 "create": {
- "$id": "#properties/service/create",
+ "$id": "#properties/serviceAccount/create",
 "type": "boolean",
 "default": true
 }
@@ -531,7 +531,7 @@
 "required": [],
 "properties": {
 "create": {
- "$id": "#properties/service/create",
+ "$id": "#properties/rbac/create",
 "type": "boolean",
 "default": true
 }
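Review bot: The corrected `$id` values (`#properties/serviceAccount/name`, `#properties/serviceAccount/create`, `#properties/rbac/create`) use a different fragment form from the parent objects added earlier in this series (`#/properties/serviceAccount`, `#/properties/rbac`): one has a leading `/` after `#`, the other does not. The file already mixed both forms before this change (`#properties/service/create` is pre-existing context), so this is a style point rather than a defect, but the entries introduced by this series could at least agree with their own parents, e.g. `"$id": "#/properties/rbac/properties/create"`. Helm's values validation presumably does not act on `$id` here, so no behavioural change is expected either way; the copy-pasted `#properties/service/...` ids that this patch fixes are what made the duplication easy to miss, which is one more reason to keep them uniform.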