Commit graph

24 commits

Author SHA1 Message Date
Gus Luxton 7b54e7f892
Don't end the script on a certbot error (#3170) 2019-11-22 15:19:47 -04:00
Gus Luxton 0a5f3f6bfc
Cloudflare agent fixes for demo environments in Kubernetes (#3157)
* Added wait time for Cloudflare and retry logic for LetsEncrypt, also removed wildcard registration
* Move log statement
2019-11-14 13:50:04 -04:00
Gus Luxton 2ca75d06e6
Add setuptools to Docker (#3151) 2019-11-13 14:04:54 -04:00
Gus Luxton 7c9e704ada
Change latest tag to buster in Teleport demo containers (#3150) 2019-11-13 13:57:24 -04:00
Gus Luxton f99dc4e4d9
Update pip to pip3 in cloudflare-agent container (#3149) 2019-11-13 13:50:06 -04:00
Brendan Germain 1b10e3aad5 Helm Chart updates kubernetes >= 1.16 support (#3065)
* PV template to use Values.persistence.accessMode

* use apps/v1

* expose replica count for modification
2019-10-09 16:47:50 -07:00
Gus Luxton 882e5ed27f
Automatically restart Teleport process in demo environments (#2824)
* Expose diagnostic endpoint and add liveness/ready checks to pods to enable automatic restart if Teleport shuts down
* Force add OIDC connector to suppress error message when container restarts, also add missing echo to errors
* Force adding of trusted cluster on restart
2019-07-03 14:40:04 -03:00
Alexander Klizhentas 511d777de2 Update default image in values.yaml for helm chart 2019-05-23 13:40:03 -07:00
Alexander Klizhentas 92e5bf5081
Fixes in DynamoDB event polling (#2661)
* Add reset for buffers to close watchers
and reset the buffer state.
* Add reconnect logic to DynamoDB
* Add tests for cache watchers, make sure
the errors of the cache internal watcher propagate to
external watchers.
2019-04-17 18:52:09 -07:00
Gus Luxton 9dc033f54b
Various extra fixes for Teleport Demo environments (#2647)
* Create wildcard DNS record for the main cluster as well as single A record so we can use Kubernetes forwarding to remote clusters via proxy properly
* Automatically delete created Cloudflare DNS records via pre-delete hook when the chart is deleted to keep the zone tidy
* Don't explicitly print Cloudflare API credentials in debug mode (they're logged along with the curl commands anyway)
* Add a function to handle Cloudflare API calls rather than copy/pasting code
2019-04-11 17:38:54 +01:00
Gus Luxton d328296b04
Reproducible Teleport demo environments in Kubernetes (#2585)
* Initial commit with split Helm chart for proxy/auth and node elements
* Many, many changes to add all required features
* Remove cert-manager and nginx-ingress
* Update TTL
* Add build-essential and python-dev to cloudflare-agent Docker build and set exit on error
* Add --force-upgrade flag to Tiller for potentially different Helm versions
* Enable Letsencrypt by default
* Overhaul naming to allow better multi-tenancy on k8s clusters
* Add NOTES.txt to provide cluster usage instructions
* Make the use of trusted clusters entirely optional
* Actually make the use of trusted clusters entirely optional this time
* Update .gitignore
* Update whitespace formatting in NOTES.txt
* Enable Letsencrypt by default
* Move secrets to git submodule
* Fix README typo and add secrets to .gitignore
* Update documentation
* Add some extra details to NOTES.txt
* Address PR comments plus update all references to Teleport 3.1.4 -> 3.1.7
* Make Cloudflare TTL optional (use Cloudflare's auto value when it's not provided)
* - Explicitly add admin role to clusters with use of kubernetes_groups
- Fix use of claims_to_roles so it can be specified in values.yaml
- Improve Minikube/NodePort support
- Replace use of containerPort with service port for LoadBalancer objects
* Update secrets in submodule to use Kubernetes-enabled license
* Add admin role script to containers
* Ignore all secrets files
* Update k8s RBAC to fix proxy functionality, also create 'clusteradmin' and 'admin' roles in Teleport to split permissions
* Update default version to 3.1.8
* Add k8s cluster roles and bindings to allow use of CSR APIs and limited permission scope
* Restrict admin role from seeing/updating auth_connectors
* Fix whitespace and naming bug
* Change from using k8s CSR API to impersonation API
* Update from kubectl 1.12.4 -> 1.12.5 for security fix
* Updated build scripts to use Docker cache properly, also using version tags for all containers now to keep things tidier
* Use docker build --pull rather than manual pull, also remove unused TELEPORT_VERSION arguments
2019-04-09 14:09:25 +01:00
Daniel Aquino e260c440a8 helm-chart: allow custom tls-web secret names 2019-04-03 10:16:05 -07:00
Daniel Aquino 9322b7b63f helm-chart: disable service account automount 2019-04-03 10:15:55 -07:00
Brendan Germain 1e44be361b expose deployment update strategy 2019-04-01 17:48:22 -07:00
Brendan Germain ea17f9c2be add externalTrafficPolicy to helm service 2019-03-21 13:19:40 -07:00
Sasha Klizhentas aefe8860c1 Kubernetes proxy to use impersonation API
This commit switches the Teleport proxy to use the impersonation
API instead of the CSR API.

This allows Teleport to work on EKS clusters, GKE and all
other CNCF-compatible clusters.

This commit updates the helm chart RBAC as well.

It introduces an extra configuration flag to the proxy_service
configuration parameter:

```yaml
proxy_service:
   # kubeconfig_file is used for scenarios
   # when Teleport Proxy is deployed outside
   # of the kubernetes cluster
   kubeconfig_file: /path/to/kube/config
```

It deprecates the similar flag in auth_service:

```yaml
auth_service:
   # DEPRECATED. THIS FLAG IS IGNORED
   kubeconfig_file: /path/to/kube/config
```
2019-03-18 15:46:49 -07:00
Brendan Germain 34f7a1f3d8 update helm chart pvc name to match deployment/pv (#2466) 2019-01-05 13:24:12 -08:00
Brendan Germain 53d2e4ddd4 add persistence to helm chart (#2465) 2019-01-04 11:29:09 -08:00
Alexander Babai f52de7678e Helm - Make license optional (#2451)
Make license optional, bump chart version.
2018-12-29 12:14:14 -08:00
Brendan Germain 59810b2f0b add proxytunnel as a default service to helm chart 2018-08-16 08:47:26 -07:00
Sasha Klizhentas 1f3b4e2c96 Kubernetes configuration, fetch proxy settings.
This commit moves the proxy kubernetes configuration
to a separate nested block to provide more fine-grained
settings:

```yaml
auth:
  kubernetes_ca_cert_path: /tmp/custom-ca
proxy:
  enabled: yes
  kubernetes:
    enabled: yes
    public_addr: [custom.example.com:port]
    api_addr: kuberentes.example.com:443
    listen_addr: localhost:3026
```

1. The Kubernetes config section is explicitly enabled
and disabled. It is disabled by default.

2. The public address in the kubernetes section
is propagated to the tsh profile.

The other part of the commit updates the Ping
endpoint to send proxy configuration back to
the client, including the kubernetes public address
and ssh listen address.

Clients update their profile according to the configuration
received from the proxy.
2018-08-06 11:57:36 -07:00
Sasha Klizhentas f3488a6c76 Fix helm template typos 2018-07-18 17:23:56 -07:00
Yusuke KUOKA eac92edd20 Idiomatic helm chart for Teleport
This is a helm chart for Teleport that conforms to [helm chart best practices](https://docs.helm.sh/chart_best_practices/) and various conventions seen in the official charts repository, so that it becomes easy-to-use and flexible enough to support many deployment scenarios.

Features:

- Locally testable on minikube
- Chart values for flexible configuration, instead of sourcing the raw teleport.yaml contained in the chart
- Automatically rolling-update the pods on configuration change according to the helm best practices
- Service and deployment ports more finely configurable
- Customizable service and ingress for exposing the proxy to the private network or the internet
  - Use service annotations for integration with e.g. [external-dns](https://github.com/kubernetes-incubator/external-dns)
  - Use ingress for integration with e.g. [aws-alb-ingress-controller](https://github.com/kubernetes-sigs/aws-alb-ingress-controller)
- Configurable pod annotations. Useful for IAM integration with kube2iam/kiam for example.
- Customizable pod assignment for security and availability
2018-07-06 09:35:10 -07:00
Sasha Klizhentas cece4be212 Initial implementation of Kubernetes support
This issue updates #1986.

This is an initial, experimental implementation that will
be updated with tests and edge cases prior to the production 2.7.0 release.

The Teleport proxy adds support for the Kubernetes API protocol.
The auth server uses the Kubernetes API to receive certificates
issued by the Kubernetes CA.

The proxy intercepts and forwards API requests to the Kubernetes
API server and captures live session traffic, making
recordings available in the audit log.

Tsh login now updates the kubeconfig configuration to use
Teleport as a proxy server.
2018-06-03 12:55:13 -07:00