Update the helm chart for kube-agent.
The image swap logic was already there.
Update the UI to include `enterprise: <isEnterprise>` when installing
the kube-agent.
Clarify the usage of the `attributes_to_roles` parameter and reorder some
mapping keys for clarity in the example SAML connector resource.
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* Reuse auth token when upgrading a Helm chart without token
When upgrading a Helm chart and not providing the auth token because it
was previously set, Helm deleted the secret and the StatefulSet pods became
stuck because the secret does not exist.
This PR reads the secret value from the previous upgrade/install and
reuses it during the upgrade.
Fixes #20761
* remove secret lookup
* helm: allow to set `initSecurityContext` in `teleport-kube-agent`
* Apply suggestions from code review
Co-authored-by: Gus Luxton <gus@goteleport.com>
* fixup! helm: allow to set `initSecurityContext` in `teleport-kube-agent`
---------
Co-authored-by: Gus Luxton <gus@goteleport.com>
* helm: disable PSPs on 1.23 and document PSA usage
In 1.25 Kubernetes removes PSP support, this has 2 consequences:
- Helm will break after upgrading if PSPs are deployed
- We cannot set security policies anymore
This commit documents those two behaviours and makes the chart disable
PSPs on 1.23 and higher to ensure a smooth upgrade path.
* helm: Remove stale 'migrate from legacy charts' guide
Fixes #20960
etcd had a previously unknown TTL limitation (TTL is stored as
nanoseconds in a signed int64, max TTL is ~= 29 years). Creating
very long-lived resources with expiry higher than the max TTL is not
supported and the process crashes on startup as it cannot apply the
token.
* helm: Expose ports on containers
Some Kubernetes tooling expects to see the ports that a container exposes registered on the individual containers themselves as well as the underlying Service. This change makes it a little easier for users to deploy the teleport-cluster chart behind their own load balancers or using a ClusterIP, by being explicit about exactly which ports are expected to be routed to each container.
* Expose tls port 3080
* Expose port 3080 before others
* Rename https -> tls
* Add 3021 for proxy peering when enterprise is true
Fixes an issue where the operator sidecar tries to mount the public TLS certificates but the volume is not declared.
```
$ helm install -n teleport teleport-repro /home/shaka/work/teleport/examples/chart/teleport-cluster --set teleportVersionOverride=12.0.0-alpha.1 --set clusterName=teleport.example.com --set tls.existingSecretName=my-tls-secret --set tls.existingCASecretName=my-root-ca --set operator.enabled=true
# [...]
Error: INSTALLATION FAILED: Deployment.apps "teleport-repro-auth" is invalid: spec.template.spec.containers[1].volumeMounts[0].name: Not found: "teleport-tls"
```
The operator does not need those certs to work.
This change adds support for FIDO2/WebAuthn/hardware tokens by default.
OTP 2FA still remains functional. This is a major change and should be
part of a major release, even if this should be seamless for most users.
Warning: `webauthn.rp_id` should not change in the cluster life, else
2fa tokens will have to be re-registered.
Users accessing the cluster under a different name than `clusterName`
will have to set rp_id
(`auth.teleportConfig.auth_service.authentication.webauthn.rp_id`) to be
able to register second factors. As we strongly encourage users to have
a resolvable `clusterName` and `publicAddr` support got added recently,
this seems an acceptable edge case.
Part of [RFD-096](https://github.com/gravitational/teleport/pull/18274): managing the major upgrades safely
This commit's main purpose is to block proxies running a new Teleport major version from connecting to auth pods running an old Teleport version.
This commit does 3 things:
- adding initContainers and preStop hooks to the `teleport-cluster` Helm chart (initContainers were designed in RFD 096, preStop was a nice addition coming from [the wait PR](https://github.com/gravitational/teleport/pull/19277))
- fixing a bug in the `wait` command (the DNS error was not properly unwrapped and not recognized as a DNS error)
- fixing missing override support on some auth Deployment values. As a rule of thumb for future review, we should not use .Values directly and prefer using $auth and $proxy
This PR adds a `post-delete` hook that cleans the state secret that each Pod creates when it receives the identity from the Teleport Auth Server.
Fixes #20035, Fixes #18854
This commit implements arbitrary configuration passing to Teleport, like what was done for the `teleport-cluster` in https://github.com/gravitational/teleport/pull/18857. This allows users to deploy services or set fields the chart does not support.
The huge snapshot diffs are caused by order changes in the config (the YAML export orders keys alphabetically). I validated that the old and new snapshots were strictly equivalent with the following python snippet:
```python
import yaml
from pathlib import Path
import deepdiff

# Each snapshot file maps a test name to a list whose second element is the
# rendered manifest as a YAML string; the ConfigMap's data carries teleport.yaml.
old = yaml.safe_load(Path("./config-snapshot.old").open())
new = yaml.safe_load(Path("./config-snapshot.new").open())

def extract(snapshot):
    # Parse the rendered ConfigMap, then the embedded teleport.yaml, so that
    # key order and formatting differences no longer matter.
    return {k: yaml.safe_load(yaml.safe_load(v[1])["data"]["teleport.yaml"]) for (k, v) in snapshot.items()}

old_content = extract(old)
new_content = extract(new)
# An empty DeepDiff means the two sets of rendered configs are structurally equivalent.
diff = deepdiff.DeepDiff(old_content, new_content)
print(diff)
```
This commit refactors the `teleport-cluster` Helm chart to deploy proxy and auth pods separately.
It allows users to pass raw Teleport configuration to the deployed Teleport nodes.
Finally, it removes the `custom` chart mode, as the mode was broken by the split. A new `scratch` mode has been introduced.
See [the corresponding RFD](https://github.com/gravitational/teleport/pull/18274) describing the design.
This PR includes a new Role resource version that is compatible with V5 spec.
The new resource introduces the `kubernetes_resources` definition that allows operators to limit the Kubernetes resources that each member can access. The `kubernetes_resources` entries must follow the following format: `{"kind":"<kind>", "namespace":"<namespace>","name":"<pod>"}`. Currently, it only supports objects of `kind` `pod`. Valid examples of `<namespace>/<name>`:
- `*/*`: matches all pods in all namespaces.
- `default/*`: matches all pods in the `default` namespace.
- `*/nginx-*`: matches every pod prefixed with `nginx-` in every namespace.
For older resource versions (V5, V4, V3), `kubernetes_resources` is automatically populated with `{"kind":"pod","namespace":"*","name":"*"}` to keep compatibility. For the newest version, it's mandatory to define its value, otherwise access to pods will be denied.
Part of #18434
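As an added illustration (not Teleport's own code), the following Go program implements the matching semantics the entries above describe: each `<namespace>/<name>` pattern is anchored and `*` matches any run of characters, kinds other than `pod` never match, and the compatibility rule gives older role versions the catch-all entry while a new-version role with nothing declared denies every pod. The shorthand parser `ParseShorthand`, the `globMatch` expansion and the version strings (`v3` to `v5` for the old versions, `v6` standing in for the new one) are assumptions of this example, not the project's API.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// KubeResource is one kubernetes_resources entry from the role spec above.
type KubeResource struct {
	Kind      string
	Namespace string
	Name      string
}

// defaultPodAccess is the entry the commit says is injected into roles of the
// older versions so that they keep unrestricted pod access.
var defaultPodAccess = KubeResource{Kind: "pod", Namespace: "*", Name: "*"}

// ParseShorthand turns the `<namespace>/<name>` notation used in the examples
// above into a pod entry. The function and its name are this example's own.
func ParseShorthand(s string) (KubeResource, error) {
	ns, name, ok := strings.Cut(s, "/")
	if !ok || ns == "" || name == "" {
		return KubeResource{}, fmt.Errorf("expected <namespace>/<name>, got %q", s)
	}
	return KubeResource{Kind: "pod", Namespace: ns, Name: name}, nil
}

// globMatch anchors the pattern and lets "*" stand for any run of characters;
// everything else is literal. Assumption: this is how Teleport expands "*".
func globMatch(pattern, value string) bool {
	parts := strings.Split(pattern, "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p)
	}
	return regexp.MustCompile("^" + strings.Join(parts, ".*") + "$").MatchString(value)
}

// EffectiveResources applies the compatibility rule from the text: roles of the
// older versions with no entries get the catch-all pod entry; the newest version
// keeps whatever was declared, so an empty list denies every pod. The version
// strings are assumptions of this example.
func EffectiveResources(version string, declared []KubeResource) []KubeResource {
	switch version {
	case "v3", "v4", "v5":
		if len(declared) == 0 {
			return []KubeResource{defaultPodAccess}
		}
	}
	return declared
}

// PodAllowed reports whether any entry grants access to namespace/name.
// Only kind "pod" is supported today, so other kinds never match.
func PodAllowed(allow []KubeResource, kind, namespace, name string) bool {
	if kind != "pod" {
		return false
	}
	for _, r := range allow {
		if r.Kind == "pod" && globMatch(r.Namespace, namespace) && globMatch(r.Name, name) {
			return true
		}
	}
	return false
}

func main() {
	var allow []KubeResource
	for _, s := range []string{"default/*", "*/nginx-*"} {
		r, err := ParseShorthand(s)
		if err != nil {
			panic(err)
		}
		allow = append(allow, r)
	}
	for _, pod := range [][2]string{{"default", "redis-0"}, {"kube-system", "nginx-ingress-abc"}, {"kube-system", "coredns-xyz"}} {
		fmt.Printf("%s/%s allowed=%v\n", pod[0], pod[1], PodAllowed(allow, "pod", pod[0], pod[1]))
	}
	// "v6" is only a placeholder for the new role version in this example.
	fmt.Println("v5 role, nothing declared:", PodAllowed(EffectiveResources("v5", nil), "pod", "any", "thing"))
	fmt.Println("v6 role, nothing declared:", PodAllowed(EffectiveResources("v6", nil), "pod", "any", "thing"))
}
```

Note that the pattern is anchored, so `nginx-*` is a true prefix match and does not match `notnginx-1`; a matcher that merely searched for the substring would over-grant.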
Add missing roles to the tctl users add command and replace
the old admin role with the preset access and editor roles.
Signed-off-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: Rob Langford <rob.langford1@gmail.com>
- Determine Go version for cache key automatically instead of hardcoding.
- Do not build ghcr CI images (etcd and buildboxes) on PRs to avoid unintended breakages.
- Only build/push them on push events which mirrors our current Drone setup. We might add ability to trigger them manually via workflow_dispatch events later.
- Add release branches pattern for buildbox images trigger as well.
- Remove packages: read permission from test jobs since buildbox images are now public.
Signed-off-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Victor Sokolov <gzigzigzeo@gmail.com>
* Include Go version in the cache key to prevent cache reuse when upgrading Go.
* Push buildboxes to Github container registry to avoid public ECR rate limiting.
Signed-off-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Victor Sokolov <gzigzigzeo@gmail.com>
* Add auth_connector api resources
- Add the go types in `operator/apis`
- Add the OIDCConnector, SAMLConnector and GithubConnector resources to `protoc-gen-crd`
- Add `wrappers.StringValues` support to `protoc-gen-crd`
- Update crdgen test fixtures
* Regenerate CRD manifests
* Introduce the teleport reconciler abstraction
* operator: Add auth_connector resources support
- Reconcile OIDC, SAML and Github authconnectors
- Make the oidc, saml and github interfaces implement `ResourceWithOrigin`
* operator: Add standard tests for auth connectors
This Commit introduces a set of default tests that can be reused for
each controller based on `TeleportResourceReconciler`.
* Bump CRD manifests to go 1.19
* operator: make Makefile OSX friendly
* Add newKubeResource tests and fix godocs
* Add Terraform provider links to Terraform module README
It's easy to confuse the Terraform modules with the Terraform provider. This PR adds a clarification to the README.
* Update README.md
* Add callouts to docs and Helm values for Kubernetes 1.23+ on EKS
Kubernetes 1.23 introduced a requirement for EKS clusters to use a CSI (container storage interface) driver addon to provision EBS volumes as persistent volumes. Kubernetes 1.23 is now the default for new EKS clusters and since our chart uses persistence in its default mode, it will fail to deploy on EKS without this additional driver being installed.
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* helm: Handle setting teleportVersionOverride to <11 when using v11 teleport-kube-agent chart
The instructions for adding a teleport-kube-agent in Teleport's web UI always use the latest version of the Helm
chart from the repo. This works fine when installing v11 agents, but causes errors if you set `teleportVersionOverride`
to anything <11 because config version `v3` is not supported. This will cause issues for Teleport Cloud customers trying
to add new agents following the web UI's instructions, as Cloud is not on v11 yet and won't be for a few weeks.
Actual LimitNOFILE varies greatly between systems as it depends on the
systemd version and the Go version used to build Teleport. The goal of this
commit is to run Teleport in the same setup, regardless of the distro or
Teleport version.
New systemd defaults are 1024:524288, and starting with Go 1.19, Go processes can
increase their soft limit up to the hard limit dynamically. Old systemd
versions don't support the `soft:hard` notation and old Go versions don't
automatically increase up to the hard limit. For these reasons, the most
compatible setting is to set softlimit=hardlimit=524288.
* Update teleport-kube-agent readme
* Add values.yaml and schema changes for azure dbs
* Add azure discovery helm lint
* Add azure discovery helm tests
* Fix schema and update snapshot
* Update lint
* Update helm chart docs reference
* Update readme
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
* Move yaml lint note to include snippet
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
* Add azureDatabases to list of required resources for db role in docs
* Update readme to link to docs
* Provide complete example yaml for azure db discovery helm chart
* s|dbResources|databaseResources|g in helm chart reference
* Remove --set tabs for aws and azure databases from chart reference
* Update lint to use secret as example too
* Update azure db discovery helm chart snapshot
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Remove shell vars in readme since we dont provide a command
Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
This contribution adds the following feature
- support for `joinParams` value to join using EC2 and IAM tokens
The PR contains the following fixes
- Fix previous secretName documentation that was incorrect
- Reword authToken and joinParams documentation to make explicit how the values interact together
- Add unit test with `joinParams.method = token`
- Add unit tests checking secret creation
- Mark joinParams.method mandatory in JSONSchema
- Always use join_params to pass tokens
* Document requirements for IAM joining
Co-authored-by: Guilherme Sponda <sponda@archlinux.com.br>
Co-authored-by: Guilherme Sponda <guilherme.sponda@audibene.de>
When assigning AWS IAM permissions to Teleport, `eksctl create iamserviceaccount` command manages the ServiceAccount lifecycle.
This PR allows any user to configure an existing Kubernetes ServiceAccount used by the agent.
Part of #11866
Fixes #13129
This PR sets minReadySeconds to 15 by default. During a rollout we still have proxies that don't have tunnels to all agents, but at least agents don't end up with 0 active tunnels.
Replace role/authPref RequireSessionMFA (bool) with RequireMFAType
(string).
- Add new RequireMFAType constant values with custom boolean marshalling.
- Add RequireMFAType to role and auth preference and deprecate
RequireSessionMFA.
- Add session-mfa override login when hardware_key_touch is enforced.
- Add protobuf enum for RequireMFAType.
- Add support for proto enums in protoc-gen-crd and update Kubernetes
Operator manifests.
Provides a solution for #9298
This removes an unnecessary limitation of the Helm chart: `.Values.tls.existingCASecretName` can now be used without `.Values.tls.existingSecretName`. This allows users to trust their own CAs without building custom images.
Context:
- go's x509 library supports loading system certs based on the SSL_CERTS_FILE environment variable
- we are already using this in the chart to trust private CAs (teleport proxy needs to trust its own certs to start)
- users might want to trust custom CAs to
- speak with a S3 backend (minio)
- validate upstream app certs (unlike DB access you can't trust certs per-application)
- trust another cluster
- call an OIDC provider
- teleport-kube-agent chart already has the feature
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>