This commit implements #1935, fixes #2038
Auth server now supports global
defaults for timeout behavior:
```
auth_service:
  client_idle_timeout: 15m
  disconnect_expired_cert: no
```
New role options were introduced:
```
kind: role
version: v3
metadata:
  name: intern
spec:
  options:
    # these two settings override the global ones:
    client_idle_timeout: 1m
    disconnect_expired_cert: yes
```
This is a helm chart for Teleport that conforms to [helm chart best practices](https://docs.helm.sh/chart_best_practices/) and various conventions seen in the official charts repository, so that it becomes easy-to-use and flexible enough to support many deployment scenarios.
Features:
- Locally testable on minikube
- Chart values for flexible configuration, instead of sourcing the raw teleport.yaml contained in the chart
- Automatically rolling-updates the pods on configuration change, according to the helm best practices
- Service and deployment ports more finely configurable
- Customizable service and ingress for exposing the proxy to the private network or the internet
- Use service annotations for integration with e.g. [external-dns](https://github.com/kubernetes-incubator/external-dns)
- Use ingress for integration with e.g. [aws-alb-ingress-controller](https://github.com/kubernetes-sigs/aws-alb-ingress-controller)
- Configurable pod annotations. Useful for IAM integration with kube2iam/kiam, for example.
- Customizable pod assignment for security and availability
This commit adds two extensions to template variables
in roles and adds support for regular expressions
and group captures in role mapping of trusted clusters.
1. Role node_labels can expand variables from traits:
```
allow:
  node_labels:
    '{{external.key}}': '{{external.val}}'
deny:
  node_labels:
    '{{external.key}}': '{{external.val}}'
```
If the traits variable is not found, the label key pair in the allow or
deny rule will be set to an empty key or value, so if the 'external.val'
trait is missing, the resulting role will not match the
allow or deny rule:
```
allow:
  node_labels:
    '': 'val'
deny:
  node_labels:
    '': 'val'
```
The same thing will happen for a missing value:
```
allow:
  node_labels:
    'key': ''
deny:
  node_labels:
    'key': ''
```
2. Trusted cluster role mapping can now
support advanced expressions:
a. Glob values will match any string, including
the empty one:
```
role_map:
  - remote: 'cluster-*'
    local: [clusteradmin]
```
b. Regular expression syntax is supported:
Syntax: https://github.com/google/re2/wiki/Syntax
Brackets can be used as a capture group and referred
to with an expand variable:
```
role_map:
  - remote: '^clusteradmin-(.*)$'
    local: [unprivileged-$1]
```
Will map incoming role 'clusteradmin-account-1' to 'guest-account-1'.
3. The same regular expression syntax is supported for SAML and OIDC
mappings:
a. Glob matches of values instead of static matches:
```
claims_to_roles:
  - {claim: "roles", value: "gravitational/*", roles: ["clusteradmin"]}
```
b. Regexp matches with subgroup expands:
```
attributes_to_roles:
  - {name: "roles", value: "^gravitational/(.*)$", roles: ["cluster-$1"]}
```
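The glob and capture-group role mapping described in item 2 above, as an added Go example that is not Teleport's own code: the `RoleMapping` type, `MapRole`, and the rule that only patterns starting with `^` are compiled as regexps while everything else is treated as a glob are assumptions made here for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RoleMapping mirrors one role_map entry from the YAML above. The type and
// function names in this file are assumptions for this example, not Teleport's.
type RoleMapping struct {
	Remote string   // glob such as 'cluster-*' or RE2 regexp such as '^clusteradmin-(.*)$'
	Local  []string // local roles, may reference capture groups as $1, $2, ...
}

// toRegexp turns a remote pattern into an anchored RE2 expression. A pattern that
// already starts with '^' is used verbatim (assumption); anything else is a glob
// where '*' matches any string, including the empty one.
func toRegexp(pattern string) string {
	if strings.HasPrefix(pattern, "^") {
		return pattern
	}
	parts := strings.Split(pattern, "*")
	for i := range parts {
		parts[i] = regexp.QuoteMeta(parts[i]) // literal text must not be interpreted
	}
	return "^" + strings.Join(parts, ".*") + "$"
}

// MapRole returns the local roles granted for one incoming remote role by
// applying every mapping in order and expanding capture groups into the local
// role names. An invalid remote pattern is reported, not silently skipped.
func MapRole(mappings []RoleMapping, remoteRole string) ([]string, error) {
	var local []string
	for _, m := range mappings {
		re, err := regexp.Compile(toRegexp(m.Remote))
		if err != nil {
			return nil, fmt.Errorf("bad remote pattern %q: %w", m.Remote, err)
		}
		idx := re.FindStringSubmatchIndex(remoteRole)
		if idx == nil {
			continue // the whole role name must match; no partial matches
		}
		for _, tmpl := range m.Local {
			// Expand substitutes $1, $2, ... with the captured submatches.
			local = append(local, string(re.Expand(nil, []byte(tmpl), []byte(remoteRole), idx)))
		}
	}
	return local, nil
}
```

With the two mappings from the commit message, `MapRole` turns `clusteradmin-account-1` into `unprivileged-account-1`, grants `clusteradmin` to the bare `cluster-` (empty glob match), and returns nothing for `admin`.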
This commit serializes requests for certificates
arriving for the same user; concurrent requests
will wait for the first request to finish.
This is done to fix a kubectl usage problem: kubectl tends
to issue many requests in parallel on first use.
The following changes have been introduced
to tsh login behavior:
1. tsh login now accepts a cluster name
as an optional positional argument:
```
$ tsh login clustername
```
2. If tsh login is called without arguments
and the current credentials are valid,
tsh login now prints status; the previous behavior
always forced login:
```
$ tsh login
... print status if logged in...
```
3. If tsh login is called with the proxy
equal to the current one, tsh login selects the cluster;
otherwise it will re-login to another proxy:
```
$ tsh login one
... selected cluster one
$ tsh login two
... selected cluster two
$ tsh login --proxy=example.com three
... selected cluster three because
proxy is the same
$ tsh login --proxy=acme.example.com four
...will switch to proxy acme.example.com
and cluster four
```