Part of [RFD-096](https://github.com/gravitational/teleport/pull/18274): managing the major upgrades safely
This commit's main purpose is to block proxies running a new Teleport major version from connecting to auth pods running an old Teleport version.
This commit does 3 things:
- adding initContainers and preStop hooks to the `teleport-cluster` Helm chart (initContainers were designed in RFD 096, preStop was a nice addition coming from [the wait PR](https://github.com/gravitational/teleport/pull/19277))
- fixing a bug in the `wait` command (the DNS error was not properly unwrapped and not recognized as a DNS error)
- fixing missing override support on some auth Deployment values. As a rule of thumb for future review, we should not use `.Values` directly and prefer using `$auth` and `$proxy`
This PR adds a `post-delete` hook that cleans the state secret that each Pod creates when it receives the identity from the Teleport Auth Server.
Fixes #20035
Fixes #18854
This commit implements arbitrary configuration passing to Teleport, like what was done for the `teleport-cluster` in https://github.com/gravitational/teleport/pull/18857. This allows users to deploy services or set fields the chart does not support.
The huge snapshot diffs are caused by order changes in the config (the YAML export orders keys alphabetically). I validated that the old and new snapshots were strictly equivalent with the following python snippet:
```python
import yaml
import deepdiff
from pathlib import Path

# Each snapshot maps a test name to a list whose element at index 1 is the
# rendered manifest; the ConfigMap's data["teleport.yaml"] is itself YAML.
old = yaml.safe_load(Path("./config-snapshot.old").open())
new = yaml.safe_load(Path("./config-snapshot.new").open())

# Parse the embedded teleport.yaml of every snapshot entry so that key order
# in the exported YAML no longer matters for the comparison.
old_content = {k: yaml.safe_load(yaml.safe_load(v[1])["data"]["teleport.yaml"]) for (k, v) in old.items()}
new_content = {k: yaml.safe_load(yaml.safe_load(v[1])["data"]["teleport.yaml"]) for (k, v) in new.items()}

# An empty DeepDiff result means the two snapshots are semantically identical.
diff = deepdiff.DeepDiff(old_content, new_content)
print(diff)
```
This commit refactors the `teleport-cluster` Helm chart to deploy proxy and auth pods separately.
It allows users to pass raw teleport configuration to the deployed Teleport nodes.
Finally, it removes the `custom` chart mode as the mode was broken by the split. A new `scratch` mode has been introduced.
See [the corresponding RFD](https://github.com/gravitational/teleport/pull/18274) describing the design.
This PR includes a new Role resource version that is compatible with V5 spec.
The new resource introduces the `kubernetes_resources` definition that allows operators to limit the Kubernetes resources that each member can access. The `kubernetes_resources` entries must follow the following format: `{"kind":"<kind>", "namespace":"<namespace>","name":"<pod>"}`. Currently, it only supports objects of `kind` `pod`. Valid examples of `<namespace>/<name>`:
- `*/*`: matches all pods in all namespaces.
- `default/*`: matches all pods in the `default` namespace.
- `*/nginx-*`: matches every pod prefixed with `nginx-` in every namespace.
For older resource versions - V5, V4, V3 - `kubernetes_resources` is automatically populated with `{"kind":"pod","namespace":"*","name":"*"}` to keep compatibility. For the newest version, it's mandatory to define its value; otherwise, access to pods will be denied.
Part of #18434
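To make the deny-by-default behaviour of the new role version concrete, here is an added example (not Teleport's own code) of a small Go matcher implementing the semantics described above: legacy role versions (v3, v4, v5) get the `pod/*/*` entry backfilled, the newest version is denied unless entries are declared, and only entries of kind `pod` count. Glob matching per field uses Go's `path.Match`, which is an assumption of this example rather than Teleport's actual matcher, and the version string `"v6"` used for the newest version is likewise an assumption, since the description above does not name it.

```go
package main

import (
	"fmt"
	"path"
)

// KubeResource is one kubernetes_resources entry in the documented shape
// {"kind":"<kind>","namespace":"<namespace>","name":"<pod>"}.
type KubeResource struct {
	Kind      string
	Namespace string
	Name      string
}

// IsLegacyVersion reports whether a role version is one of the older
// versions (V3, V4, V5) that get the wildcard pod entry backfilled.
// Any other version string is treated as the newest version.
func IsLegacyVersion(version string) bool {
	switch version {
	case "v3", "v4", "v5":
		return true
	}
	return false
}

// EffectiveResources returns the kubernetes_resources list that is actually
// enforced. Legacy versions with nothing declared get
// {"kind":"pod","namespace":"*","name":"*"}; the newest version keeps an
// empty list, which denies every pod.
func EffectiveResources(version string, declared []KubeResource) []KubeResource {
	if len(declared) == 0 && IsLegacyVersion(version) {
		return []KubeResource{{Kind: "pod", Namespace: "*", Name: "*"}}
	}
	return declared
}

// PodAllowed reports whether pod <namespace>/<name> is matched by at least
// one entry of kind "pod". Namespace and name are glob-matched separately
// with path.Match (an assumption of this example); path.Match's "*" never
// crosses "/", which is fine because the two fields are matched on their own.
func PodAllowed(version string, declared []KubeResource, namespace, name string) (bool, error) {
	for _, r := range EffectiveResources(version, declared) {
		if r.Kind != "pod" {
			continue // only pods are supported by this version of the spec
		}
		nsOK, err := path.Match(r.Namespace, namespace)
		if err != nil {
			return false, fmt.Errorf("bad namespace pattern %q: %w", r.Namespace, err)
		}
		nameOK, err := path.Match(r.Name, name)
		if err != nil {
			return false, fmt.Errorf("bad name pattern %q: %w", r.Name, err)
		}
		if nsOK && nameOK {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample role fragments. "v6" is an assumed name for the
	// newest role version; the page does not name it.
	nginxOnly := []KubeResource{{Kind: "pod", Namespace: "*", Name: "nginx-*"}}
	cases := []struct {
		version, ns, name string
		res               []KubeResource
	}{
		{"v5", "kube-system", "coredns-7d4c", nil}, // legacy: backfilled */*
		{"v6", "kube-system", "coredns-7d4c", nil}, // newest: nothing declared, denied
		{"v6", "prod", "nginx-1", nginxOnly},
		{"v6", "prod", "apache-1", nginxOnly},
	}
	for _, tc := range cases {
		ok, err := PodAllowed(tc.version, tc.res, tc.ns, tc.name)
		fmt.Printf("role %s, pod %s/%s -> allowed=%v err=%v\n", tc.version, tc.ns, tc.name, ok, err)
	}
}
```

The check that matters operationally is the second case: a role migrated to the newest version without a `kubernetes_resources` block silently loses all pod access, so a role audit should flag roles on the new version whose effective list is empty.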
Add missing roles to the tctl users add command and replace
the old admin role with the preset access and editor roles.
Signed-off-by: Zac Bergquist <zac.bergquist@goteleport.com>
Co-authored-by: Rob Langford <rob.langford1@gmail.com>
- Determine Go version for cache key automatically instead of hardcoding.
- Do not build ghcr CI images (etcd and buildboxes) on PRs to avoid unintended breakages.
- Only build/push them on push events which mirrors our current Drone setup. We might add ability to trigger them manually via workflow_dispatch events later.
- Add release branches pattern for buildbox images trigger as well.
- Remove packages: read permission from test jobs since buildbox images are now public.
Signed-off-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Victor Sokolov <gzigzigzeo@gmail.com>
* Include Go version in the cache key to prevent cache reuse when upgrading Go.
* Push buildboxes to Github container registry to avoid public ECR rate limiting.
Signed-off-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Victor Sokolov <gzigzigzeo@gmail.com>
* Add auth_connector api resources
- Add the go types in `operator/apis`
- Add the OIDCConnector, SAMLConnector and GithubConnector resources to `protoc-gen-crd`
- Add `wrappers.StringValues` support to `protoc-gen-crd`
- Update crdgen test fixtures
* Regenerate CRD manifests
* Introduce the teleport reconciler abstraction
* operator: Add auth_connector resources support
- Reconcile OIDC, SAML and Github authconnectors
- Make the oidc, saml and github interfaces implement `ResourceWithOrigin`
* operator: Add standard tests for auth connectors
This commit introduces a set of default tests that can be reused for
each controller based on `TeleportResourceReconciler`.
* Bump CRD manifests to go 1.19
* operator: make Makefile OSX friendly
* Add newKubeResource tests and fix godocs
* Add Terraform provider links to Terraform module README
It's easy to confuse the Terraform modules with the Terraform provider. This PR adds a clarification to the README.
* Update README.md
* Add callouts to docs and Helm values for Kubernetes 1.23+ on EKS
Kubernetes 1.23 introduced a requirement for EKS clusters to use a CSI (container storage interface) driver addon to provision EBS volumes as persistent volumes. Kubernetes 1.23 is now the default for new EKS clusters and since our chart uses persistence in its default mode, it will fail to deploy on EKS without this additional driver being installed.
* Apply suggestions from code review
Co-authored-by: Paul Gottschling <paul.gottschling@goteleport.com>
* helm: Handle setting teleportVersionOverride to <11 when using v11 teleport-kube-agent chart
The instructions for adding a teleport-kube-agent in Teleport's web UI always use the latest version of the Helm
chart from the repo. This works fine when installing v11 agents, but causes errors if you set `teleportVersionOverride`
to anything <11 because config version `v3` is not supported. This will cause issues for Teleport Cloud customers trying
to add new agents following the web UI's instructions, as Cloud is not on v11 yet and won't be for a few weeks.
Actual LimitNOFILE varies greatly between systems as it depends on the
systemd version and the Go version used to build Teleport. The goal of this
commit is to run Teleport in the same setup, regardless of the distro or
Teleport version.
New systemd defaults are 1024:524288, and starting with Go 1.19, Go processes can
increase their soft limit up to the hard limit dynamically. Old systemd
versions don't support `soft:hard` notation and old Go versions don't
automatically increase up to the hard limit. For these reasons, the most
compatible setting is to set softlimit=hardlimit=524288.
* Update teleport-kube-agent readme
* Add values.yaml and schema changes for azure dbs
* Add azure discovery helm lint
* Add azure discovery helm tests
* Fix schema and update snapshot
* Update lint
* Update helm chart docs reference
* Update readme
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
* Move yaml lint note to include snippet
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
* Add azureDatabases to list of required resources for db role in docs
* Update readme to link to docs
* Provide complete example yaml for azure db discovery helm chart
* s|dbResources|databaseResources|g in helm chart reference
* Remove --set tabs for aws and azure databases from chart reference
* Update lint to use secret as example too
* Update azure db discovery helm chart snapshot
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Update docs/pages/reference/helm-reference/teleport-kube-agent.mdx
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
* Remove shell vars in readme since we don't provide a command
Co-authored-by: Isaiah Becker-Mayer <isaiah@goteleport.com>
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
Co-authored-by: Alex Fornuto <alex.fornuto@goteleport.com>
This contribution adds the following feature
- support for `joinParams` value to join using EC2 and IAM tokens
The PR contains the following fixes
- Fix previous secretName documentation that was incorrect
- Reword authToken and joinParams documentation to make explicit how the values interact together
- Add unit test with `joinParams.method = token`
- Add unit tests checking secret creation
- Mark joinParams.method mandatory in JSONSchema
- Always use join_params to pass tokens
* Document requirements for IAM joining
Co-authored-by: Guilherme Sponda <sponda@archlinux.com.br>
Co-authored-by: Guilherme Sponda <guilherme.sponda@audibene.de>
When assigning AWS IAM permissions to Teleport, the `eksctl create iamserviceaccount` command manages the ServiceAccount lifecycle.
This PR allows any user to configure an existing Kubernetes ServiceAccount used by the agent.
Part of #11866