diff --git a/docs/cspell.json b/docs/cspell.json index 58f9dfc5163b2..23b9fadd1a44f 100644 --- a/docs/cspell.json +++ b/docs/cspell.json @@ -514,6 +514,8 @@ "ioreg", "isnt", "isrgrootx", + "jamfapiendpoint", + "jamfclientid", "javapipeline", "jetbrains", "jiraapitoken", diff --git a/docs/pages/reference/helm-reference/includes/zz_generated.teleport-kube-agent.mdx b/docs/pages/reference/helm-reference/includes/zz_generated.teleport-kube-agent.mdx index ecd7a2ccaeb0f..58893d2bb87bc 100644 --- a/docs/pages/reference/helm-reference/includes/zz_generated.teleport-kube-agent.mdx +++ b/docs/pages/reference/helm-reference/includes/zz_generated.teleport-kube-agent.mdx @@ -14,6 +14,7 @@ when running the `teleport-kube-agent` chart. | Teleport Application service | `app` | [`apps`](#apps) or [`appResources`](#appresources) | | Teleport Database service | `db` | [`databases`](#databases) or [`databaseResources`](#databaseresources) | | Teleport Discovery service | `discovery` | [`kubeClusterName`](#kubeclustername) | +| Teleport Jamf service | `jamf` | [`jamfApiEndpoint`](#jamfapiendpoint), [`jamfClientId`](#jamfclientid) | For example: ```yaml 
@@ -454,6 +455,85 @@ kubernetesDiscovery: env: testing ``` +## `jamfApiEndpoint` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`jamfApiEndpoint` sets the Jamf Pro API endpoint used for Jamf service. +Example: "https://yourtenant.jamfcloud.com/api". + +This setting is required if the chart `roles` contains `jamf`. + +## `jamfClientId` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`jamfClientId` sets the Jamf Pro API Client ID used for Jamf service. + +This setting is required if the chart `roles` contains `jamf`. + +## `jamfClientSecret` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`jamfClientSecret` sets the Jamf Pro API client secret used for Jamf service. + +This setting is required if the chart `roles` contains `jamf` and `jamfCredentialsSecret.create` is set to `true`. +If you provide your own Kubernetes Secret, this setting can remain unset. + +## `jamfCredentialsSecret` + +`jamfCredentialsSecret` manages the Kubernetes Secret containing the Jamf API credentials (either Jamf client secret or password). + +### `jamfCredentialsSecret.create` + +| Type | Default | +|------|---------| +| `bool` | `true` | + +`jamfCredentialsSecret.create` controls whether the chart creates the +Kubernetes `Secret` containing the Jamf Pro API Client Secret. +If false, you must create a Kubernetes Secret with the configured name in +the Helm release namespace. + +### `jamfCredentialsSecret.name` + +| Type | Default | +|------|---------| +| `string` | `"teleport-jamf-api-credentials"` | + +`jamfCredentialsSecret.name` is the name of the Kubernetes Secret +containing the Jamf Pro API Client Secret used by the chart. + +If `jamfCredentialsSecret.create` is `false`, the chart will not attempt to create the secret itself. +Instead, it will read the value from an existing Kubernetes Secret. `jamfCredentialsSecret.name` +configures the name of this secret. 
This allows you to configure this secret externally and avoid having a plaintext +Jamf Pro API Client Secret stored in your Teleport chart values. + +To create your own Kubernetes Secret containing Jamf Pro API Client Secret, run the command: + +```code +$ kubectl --namespace teleport create secret generic my-jamf-secret --from-literal=credential= +``` + + + The key used for the Jamf Pro API Client Secret inside the secret must be `credential`, as in the command above. + + +For example: + +```yaml +jamfCredentialsSecret: + create: false + name: my-jamf-secret +``` + ## `teleportVersionOverride` | Type | Default | diff --git a/docs/pages/reference/helm-reference/teleport-kube-agent.mdx b/docs/pages/reference/helm-reference/teleport-kube-agent.mdx index a6458eaa8bf70..6bef048503233 100644 --- a/docs/pages/reference/helm-reference/teleport-kube-agent.mdx +++ b/docs/pages/reference/helm-reference/teleport-kube-agent.mdx @@ -20,12 +20,13 @@ This reference details available values for the `teleport-kube-agent` chart. The `teleport-kube-agent` chart can run any or all of three Teleport services: -| Teleport service | Name for `roles` and `tctl tokens add` | Purpose | -|--------------------------------------------------------------|----------------------------------------|----------------------------------------------------------------------------------------| -| [`kubernetes_service`](../../kubernetes-access/introduction.mdx) | `kube` | Uses Teleport to handle authentication
with and proxy access to a Kubernetes cluster | -| [`application_service`](../../application-access/guides.mdx) | `app` | Uses Teleport to handle authentication
with and proxy access to web-based applications | -| [`database_service`](../../database-access/guides.mdx) | `db` | Uses Teleport to handle authentication
with and proxy access to databases | -| [`discovery_service`](../../auto-discovery/introduction.mdx) | `discovery` | Uses Teleport to discover new resources
and dynamically add them to the cluster | +| Teleport service | Name for `roles` and `tctl tokens add` | Purpose | +|---------------------------------------------------------------------------|----------------------------------------|----------------------------------------------------------------------------------------------| +| [`kubernetes_service`](../../kubernetes-access/introduction.mdx) | `kube` | Uses Teleport to handle authentication
with and proxy access to a Kubernetes cluster | +| [`application_service`](../../application-access/guides.mdx) | `app` | Uses Teleport to handle authentication
with and proxy access to web-based applications | +| [`database_service`](../../database-access/guides.mdx) | `db` | Uses Teleport to handle authentication
with and proxy access to databases | +| [`discovery_service`](../../auto-discovery/introduction.mdx) | `discovery` | Uses Teleport to discover new resources
and dynamically add them to the cluster | +| [`jamf_service`](../../access-controls/device-trust/jamf-integration.mdx) | `jamf` | Uses Teleport to integrate with Jamf Pro
and sync devices with Device Trust inventory | ### Legacy releases 
@@ -49,24 +50,25 @@ list](#kubernetes-resources). The `teleport-kube-agent` chart deploys the following Kubernetes resources: -| Kind | Default Name | Description | When Deployed | -|-----------------------|------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------| -| `StatefulSet` | The release name | Running a user-configured Teleport pod. | Always. | -| `Secret` | `joinTokenSecret.name` (default: `teleport-kube-agent-join-token`) | Used for managing the state of the Teleport pod. | `joinTokenSecret.secret` is `true`. | -| `Deployment` | The release name | Runs a user-configured Teleport pod. | `storage.enabled` is `false` and the chart is being upgraded. Fresh installs will deploy a `StatefulSet` instead. | -| `Role` | The `roleName` option, if given, or the release name. | Used to manage the state of the Teleport pod via Kubernetes secrets. | Always. | -| `ClusterRole` | `clusterRoleName`, if given, or the release name. | Allows impersonating users, groups, and service accounts, getting pods, and creating [`SelfSubjectAccessReview`s](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/self-subject-access-review-v1/) so the Teleport pod can manage access to resources in its Kubernetes cluster. | Always. | -| `ClusterRoleBinding` | `clusterRoleBindingName`, if provided, or the release name | Enables the Teleport pod to manage access to resources in the Kubernetes cluster. | Always. 
| -| `RoleBinding` | `roleBindingName`, if given, or the release name | Enables the Teleport pod to manage access to resources in the Kubernetes cluster. | Always. | -| `ServiceAccount` | `serviceAccount.name`, if given, or the release name | Enables the Teleport pod to manage access to resources in the Kubernetes cluster. | `serviceAccount.create` is `true` | -| `PodDisruptionBudget` | The release name | Ensure high availability for the Teleport pod. | `highAvailability.podDisruptionBudget.enabled` is `true`. | -| `ServiceAccount` | The release name, suffixed by `-hook` | Used to delete legacy `Deployment`s in order to deploy a `StatefulSet` instead. Removed once the upgrade is complete. | If the `teleport-kube-agent` release contains a legacy `Deployment` resource. | -| `Role` | The release name, suffixed by `-hook` | Used to delete legacy `Deployment`s in order to deploy a `StatefulSet` instead. Removed once the upgrade is complete. | If the `teleport-kube-agent` release contains a legacy `Deployment` resource. | -| `RoleBinding` | The release name, suffixed by `-hook` | Used to delete legacy `Deployment`s in order to deploy a `StatefulSet` instead. Removed once the upgrade is complete. | If the `teleport-kube-agent` release contains a legacy `Deployment` resource. | -| `Job` | The release name, suffixed by `-hook` | Used to delete legacy `Deployment`s in order to deploy a `StatefulSet` instead. Removed once the upgrade is complete. | If the `teleport-kube-agent` release contains a legacy `Deployment` resource. | -| `ConfigMap` | The release name | Contains the configuration for the Teleport pod. | Always. | -| `PodSecurityPolicy` | The release name | Enforces security requirements for pods deployed by `teleport-kube-agent`. | `podSecurityPolicy.enabled` is `true` and the Kubernetes cluster version is < 1.23. | -| `Role` | The release name, suffixed by `-psp` | Enforces security requirements for pods deployed by `teleport-kube-agent`. 
| `podSecurityPolicy.enabled` is `true` and the Kubernetes cluster version is < 1.23. | -| `RoleBinding` | The release name, suffixed by `-psp` | Enforces security requirements for pods deployed by `teleport-kube-agent`. | `podSecurityPolicy.enabled` is `true` and the Kubernetes cluster version is < 1.23. | +| Kind | Default Name | Description | When Deployed | +|-----------------------|--------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------| +| `StatefulSet` | The release name | Running a user-configured Teleport pod. | Always. | +| `Secret` | `joinTokenSecret.name` (default: `teleport-kube-agent-join-token`) | Used for managing the state of the Teleport pod. | `joinTokenSecret.secret` is `true`. | +| `Secret` | `jamfCredentialsSecret.name` (default: `teleport-jamf-api-credentials`) | Used for integrating Jamf Prod with Teleport (`jamf_service`). | `jamfCredentialsSecret.create` is `true` | +| `Deployment` | The release name | Runs a user-configured Teleport pod. | `storage.enabled` is `false` and the chart is being upgraded. Fresh installs will deploy a `StatefulSet` instead. | +| `Role` | The `roleName` option, if given, or the release name. | Used to manage the state of the Teleport pod via Kubernetes secrets. | Always. | +| `ClusterRole` | `clusterRoleName`, if given, or the release name. 
| Allows impersonating users, groups, and service accounts, getting pods, and creating [`SelfSubjectAccessReview`s](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/self-subject-access-review-v1/) so the Teleport pod can manage access to resources in its Kubernetes cluster. | Always. | +| `ClusterRoleBinding` | `clusterRoleBindingName`, if provided, or the release name | Enables the Teleport pod to manage access to resources in the Kubernetes cluster. | Always. | +| `RoleBinding` | `roleBindingName`, if given, or the release name | Enables the Teleport pod to manage access to resources in the Kubernetes cluster. | Always. | +| `ServiceAccount` | `serviceAccount.name`, if given, or the release name | Enables the Teleport pod to manage access to resources in the Kubernetes cluster. | `serviceAccount.create` is `true` | +| `PodDisruptionBudget` | The release name | Ensure high availability for the Teleport pod. | `highAvailability.podDisruptionBudget.enabled` is `true`. | +| `ServiceAccount` | The release name, suffixed by `-hook` | Used to delete legacy `Deployment`s in order to deploy a `StatefulSet` instead. Removed once the upgrade is complete. | If the `teleport-kube-agent` release contains a legacy `Deployment` resource. | +| `Role` | The release name, suffixed by `-hook` | Used to delete legacy `Deployment`s in order to deploy a `StatefulSet` instead. Removed once the upgrade is complete. | If the `teleport-kube-agent` release contains a legacy `Deployment` resource. | +| `RoleBinding` | The release name, suffixed by `-hook` | Used to delete legacy `Deployment`s in order to deploy a `StatefulSet` instead. Removed once the upgrade is complete. | If the `teleport-kube-agent` release contains a legacy `Deployment` resource. | +| `Job` | The release name, suffixed by `-hook` | Used to delete legacy `Deployment`s in order to deploy a `StatefulSet` instead. Removed once the upgrade is complete. 
| If the `teleport-kube-agent` release contains a legacy `Deployment` resource. | +| `ConfigMap` | The release name | Contains the configuration for the Teleport pod. | Always. | +| `PodSecurityPolicy` | The release name | Enforces security requirements for pods deployed by `teleport-kube-agent`. | `podSecurityPolicy.enabled` is `true` and the Kubernetes cluster version is < 1.23. | +| `Role` | The release name, suffixed by `-psp` | Enforces security requirements for pods deployed by `teleport-kube-agent`. | `podSecurityPolicy.enabled` is `true` and the Kubernetes cluster version is < 1.23. | +| `RoleBinding` | The release name, suffixed by `-psp` | Enforces security requirements for pods deployed by `teleport-kube-agent`. | `podSecurityPolicy.enabled` is `true` and the Kubernetes cluster version is < 1.23. | (!docs/pages/reference/helm-reference/includes/zz_generated.teleport-kube-agent.mdx!) diff --git a/examples/chart/teleport-kube-agent/.lint/all-v6.yaml b/examples/chart/teleport-kube-agent/.lint/all-v6.yaml index 7b8f28bce3cc0..09ce83df0f026 100644 --- a/examples/chart/teleport-kube-agent/.lint/all-v6.yaml +++ b/examples/chart/teleport-kube-agent/.lint/all-v6.yaml @@ -1,6 +1,6 @@ authToken: auth-token proxyAddr: proxy.example.com:3080 -roles: kube,app,db +roles: kube,app,db,jamf kubeClusterName: test-kube-cluster-name labels: cluster: testing @@ -15,6 +15,9 @@ databases: protocol: "postgres" labels: database: staging +jamfApiEndpoint: "testjamf.jamfcloud.com/api" +jamfClientId: teleport-jamf-client-id +jamfClientSecret: secret-jamf-client-secret annotations: config: kubernetes.io/config: "test-annotation" diff --git a/examples/chart/teleport-kube-agent/.lint/jamf-service-existing-secret.yaml b/examples/chart/teleport-kube-agent/.lint/jamf-service-existing-secret.yaml new file mode 100644 index 0000000000000..bcc353c4b82f3 --- /dev/null +++ b/examples/chart/teleport-kube-agent/.lint/jamf-service-existing-secret.yaml 
@@ -0,0 +1,8 @@ +authToken: auth-token +proxyAddr: proxy.example.com:3080 +roles: jamf +jamfApiEndpoint: "https://testjamf.jamfcloud.com/api" +jamfClientId: teleport-jamf-client-id +jamfCredentialsSecret: + create: false + name: existing-teleport-jamf-secret diff --git a/examples/chart/teleport-kube-agent/.lint/jamf-service.yaml b/examples/chart/teleport-kube-agent/.lint/jamf-service.yaml new file mode 100644 index 0000000000000..bdb4f83351795 --- /dev/null +++ b/examples/chart/teleport-kube-agent/.lint/jamf-service.yaml @@ -0,0 +1,6 @@ +authToken: auth-token +proxyAddr: proxy.example.com:3080 +roles: jamf +jamfApiEndpoint: "https://testjamf.jamfcloud.com/api" +jamfClientId: teleport-jamf-client-id +jamfClientSecret: secret-jamf-client-secret diff --git a/examples/chart/teleport-kube-agent/README.md b/examples/chart/teleport-kube-agent/README.md index a536d8efa0d60..16b0be2004012 100644 --- a/examples/chart/teleport-kube-agent/README.md +++ b/examples/chart/teleport-kube-agent/README.md @@ -6,6 +6,7 @@ with an existing Teleport cluster: - Teleport Application access - Teleport Database access - Teleport Kubernetes App Discovery +- Teleport Jamf service To use it, you will need: - an existing Teleport cluster (at least proxy and auth services) 
@@ -133,14 +134,14 @@ Set the values in the above command as appropriate for your setup. These are the supported values for the `apps` map: -| Key | Description | Example | Default | Required | -| --- | --- | --- | --- | --- | -| `name` | Name of the app to be accessed | `apps[0].name=grafana` | | Yes | -| `uri` | URI of the app to be accessed | `apps[0].uri=http://localhost:3000` | | Yes | -| `public_addr` | Public address used to access the app | `apps[0].public_addr=grafana.teleport.example.com` | | No | -| `labels.[name]` | Key-value pairs to set against the app for grouping/RBAC | `apps[0].labels.env=local,apps[0].labels.region=us-west-1` | | No | -| `insecure_skip_verify` | Whether to skip validation of TLS certificates presented by backend apps | `apps[0].insecure_skip_verify=true` | `false` | No | -| `rewrite.redirect` | A list of URLs to rewrite to the public address of the app service | `apps[0].rewrite.redirect[0]=https://192.168.1.1` | | No +| Key | Description | Example | Default | Required | +| ---------------------- | ------------------------------------------------------------------------ | ---------------------------------------------------------- | ------- | -------- | +| `name` | Name of the app to be accessed | `apps[0].name=grafana` | | Yes | +| `uri` | URI of the app to be accessed | `apps[0].uri=http://localhost:3000` | | Yes | +| `public_addr` | Public address used to access the app | `apps[0].public_addr=grafana.teleport.example.com` | | No | +| `labels.[name]` | Key-value pairs to set against the app for grouping/RBAC | `apps[0].labels.env=local,apps[0].labels.region=us-west-1` | | No | +| `insecure_skip_verify` | Whether to skip validation of TLS certificates presented by backend apps | `apps[0].insecure_skip_verify=true` | `false` | No | +| `rewrite.redirect` | A list of URLs to rewrite to the public address of the app service | `apps[0].rewrite.redirect[0]=https://192.168.1.1` | | No | You can add multiple apps using `apps[1].name`, 
`apps[1].uri`, `apps[2].name`, `apps[2].uri` etc. 
@@ -219,14 +220,14 @@ Set the values in the above command as appropriate for your setup. These are the supported values for the `databases` map: -| Key | Description | Example | Default | Required | -| --- | --- | --- | --- | --- | -| `name` | Name of the database to be accessed | `databases[0].name=aurora` | | Yes | -| `uri` | URI of the database to be accessed | `databases[0].uri=postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432` | | Yes | -| `protocol` | Database protocol | `databases[0].protocol=postgres` | | Yes | -| `description` | Free-form description of the database proxy instance | `databases[0].description='AWS Aurora instance of PostgreSQL 13.0'` | | No | -| `aws.region` | AWS-specific region configuration (only used for RDS/Aurora) | `databases[0].aws.region=us-east-1` | | No | -| `labels.[name]` | Key-value pairs to set against the database for grouping/RBAC | `databases[0].labels.db=postgres-dev,apps[0].labels.region=us-east-1` | | No | +| Key | Description | Example | Default | Required | +| --------------- | ------------------------------------------------------------- | ---------------------------------------------------------------------------------- | ------- | -------- | +| `name` | Name of the database to be accessed | `databases[0].name=aurora` | | Yes | +| `uri` | URI of the database to be accessed | `databases[0].uri=postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432` | | Yes | +| `protocol` | Database protocol | `databases[0].protocol=postgres` | | Yes | +| `description` | Free-form description of the database proxy instance | `databases[0].description='AWS Aurora instance of PostgreSQL 13.0'` | | No | +| `aws.region` | AWS-specific region configuration (only used for RDS/Aurora) | `databases[0].aws.region=us-east-1` | | No | +| `labels.[name]` | Key-value pairs to set against the database for grouping/RBAC | `databases[0].labels.db=postgres-dev,apps[0].labels.region=us-east-1` | | No | You can add multiple 
databases using `databases[1].name`, `databases[1].uri`, `databases[1].protocol`, `databases[2].name`, `databases[2].uri`, `databases[2].protocol` etc. 
@@ -255,6 +256,62 @@ to use for discovery you can use `kubernetesDiscovery` property of the chart. When discovery is running, `kubeClusterName` should be set in values, since it is used as a name for discovery field and as a target label for the app service, so it can expose discovered apps. +## Jamf service + +To use [Teleport Jamf service](https://goteleport.com/docs/access-controls/device-trust/jamf-integration/), +you will also need: +- provide your Jamf Pro API endpoint +- provide your Jamf Pro API credentials + +To install the agent with Jamf API credentials, run: + +```sh +$ helm install teleport-kube-agent . \ + --create-namespace \ + --namespace teleport \ + --set roles=jamf \ + --set proxyAddr=${PROXY_ENDPOINT?} \ + --set authToken=${JOIN_TOKEN?} \ + --set jamfApiEndpoint=${JAMF_API_ENDPOINT?} \ + --set jamfClientId=${JAMF_CLIENT_ID?} \ + --set jamfClientSecret=${JAMF_CLIENT_SECRET?} +``` + +Set the values in the above command as appropriate for your setup. + +The Helm chart will install Secrets by default. To avoid specifying the Jamf API credentials in plain text, it's possible to create a secret containing the password beforehand. To do so, run: + +```sh +export JAMF_CLIENT_SECRET=` | base64 -w0` +export JAMF_SECRET_NAME=teleport-jamf-api-credentials +export TELEPORT_NAMESPACE=teleport + +cat < secrets.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: ${JAMF_SECRET_NAME} + namespace: ${TELEPORT_NAMESPACE?} +type: Opaque +data: + jamfSecret: ${JAMF_CLIENT_SECRET?} +EOF + +$ kubectl apply -f secret.yaml + +$ helm install teleport-kube-agent . 
\ + --create-namespace \ + --namespace ${TELEPORT_NAMESPACE?} \ + --set roles=jamf \ + --set proxyAddr=${PROXY_ENDPOINT?} \ + --set authToken=${JOIN_TOKEN?} \ + --set jamfApiEndpoint=${JAMF_API_ENDPOINT?} \ + --set jamfClientId=${JAMF_CLIENT_ID?} \ + --set jamfCredentialsSecret.name=${JAMF_SECRET_NAME?} \ + --set jamfCredentialsSecret.create=false +``` + ## Troubleshooting If the service for a given role doesn't show up, look into the agent logs with: diff --git a/examples/chart/teleport-kube-agent/templates/_config.tpl b/examples/chart/teleport-kube-agent/templates/_config.tpl index 565e80923a40b..adb708ddfa4b5 100644 --- a/examples/chart/teleport-kube-agent/templates/_config.tpl +++ b/examples/chart/teleport-kube-agent/templates/_config.tpl @@ -128,6 +128,16 @@ discovery_service: enabled: false {{- end }} +jamf_service: + {{- if contains "jamf" (.Values.roles | toString) }} + enabled: true + api_endpoint: {{ required "jamfApiEndpoint is required in chart values when jamf role is enabled, see README" .Values.jamfApiEndpoint }} + client_id: {{ required "jamfClientId is required in chart values when jamf role is enabled, see README" .Values.jamfClientId }} + client_secret_file: "/etc/teleport-jamf-api-credentials/credential" + {{- else }} + enabled: false + {{- end }} + auth_service: enabled: false ssh_service: diff --git a/examples/chart/teleport-kube-agent/templates/deployment.yaml b/examples/chart/teleport-kube-agent/templates/deployment.yaml index 3b57789c0f33f..43f317233474d 100644 --- a/examples/chart/teleport-kube-agent/templates/deployment.yaml +++ b/examples/chart/teleport-kube-agent/templates/deployment.yaml @@ -111,6 +111,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} + {{- if contains "jamf" (.Values.roles | toString) }} + - mountPath: /etc/teleport-jamf-api-credentials + name: "jamf-api-credentials" + readOnly: true + {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} 
@@ -192,6 +197,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} + {{- if contains "jamf" (.Values.roles | toString) }} + - mountPath: /etc/teleport-jamf-api-credentials + name: "jamf-api-credentials" + readOnly: true + {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} @@ -214,6 +224,11 @@ spec: secret: secretName: {{ .Values.tls.existingCASecretName }} {{- end }} + {{- if contains "jamf" (.Values.roles | toString) }} + - name: "jamf-api-credentials" + secret: + secretName: {{ .Values.jamfCredentialsSecret.name }} + {{- end }} {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 6 }} {{- end }} diff --git a/examples/chart/teleport-kube-agent/templates/secret.yaml b/examples/chart/teleport-kube-agent/templates/secret.yaml index 0b23ec16ff164..348996831f1db 100644 --- a/examples/chart/teleport-kube-agent/templates/secret.yaml +++ b/examples/chart/teleport-kube-agent/templates/secret.yaml @@ -17,3 +17,23 @@ stringData: auth-token: | {{ coalesce .Values.joinParams.tokenName .Values.authToken }} {{- end}} + +{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.jamfCredentialsSecret.name }} + namespace: {{ .Release.Namespace }} + {{- if .Values.extraLabels.secret }} + labels: + {{- toYaml .Values.extraLabels.secret | nindent 4 }} + {{- end }} + {{- if .Values.annotations.secret }} + annotations: + {{- toYaml .Values.annotations.secret | nindent 4 }} + {{- end }} +type: Opaque +stringData: + credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }} +{{- end}} diff --git a/examples/chart/teleport-kube-agent/templates/statefulset.yaml b/examples/chart/teleport-kube-agent/templates/statefulset.yaml index 1d7ab8ce58ea9..1df3dcd4c2cad 100644 
--- a/examples/chart/teleport-kube-agent/templates/statefulset.yaml +++ b/examples/chart/teleport-kube-agent/templates/statefulset.yaml @@ -107,6 +107,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} + {{- if contains "jamf" (.Values.roles | toString) }} + - mountPath: /etc/teleport-jamf-api-credentials + name: "jamf-api-credentials" + readOnly: true + {{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} @@ -207,6 +212,11 @@ spec: name: "teleport-tls-ca" readOnly: true {{- end }} +{{- if contains "jamf" (.Values.roles | toString) }} + - mountPath: /etc/teleport-jamf-api-credentials + name: "jamf-api-credentials" + readOnly: true +{{- end }} {{- if .Values.extraVolumeMounts }} {{- toYaml .Values.extraVolumeMounts | nindent 8 }} {{- end }} @@ -229,6 +239,11 @@ spec: secret: secretName: {{ .Values.tls.existingCASecretName }} {{- end }} +{{- if contains "jamf" (.Values.roles | toString) }} + - name: "jamf-api-credentials" + secret: + secretName: {{ .Values.jamfCredentialsSecret.name }} +{{- end }} {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 6 }} {{- end }} diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap index a245dd08d44d1..ad817a9498ce3 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/config_test.yaml.snap @@ -11,6 +11,8 @@ does not generate a config for clusterrole.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -51,6 +53,8 @@ does not generate a config for pdb.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name 
@@ -91,6 +95,8 @@ matches snapshot and tests for annotations.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -134,6 +140,8 @@ matches snapshot and tests for extra-labels.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -177,6 +185,8 @@ matches snapshot for affinity.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -229,6 +239,11 @@ matches snapshot for all-v6.yaml: enabled: true discovery_service: enabled: false + jamf_service: + api_endpoint: testjamf.jamfcloud.com/api + client_id: teleport-jamf-client-id + client_secret_file: /etc/teleport-jamf-api-credentials/credential + enabled: true kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -293,6 +308,8 @@ matches snapshot for app-discovery-full.yaml: - '*' types: - app + jamf_service: + enabled: false kubernetes_service: enabled: false proxy_service: @@ -344,6 +361,8 @@ matches snapshot for app-discovery-minimal.yaml: - '*' types: - app + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -397,6 +416,8 @@ matches snapshot for aws-databases.yaml: enabled: true discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: false proxy_service: @@ -458,6 +479,8 @@ matches snapshot for azure-databases.yaml: enabled: true discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: false proxy_service: @@ -497,6 +520,8 @@ matches snapshot for backwards-compatibility.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name 
@@ -537,6 +562,8 @@ matches snapshot for ca-pin.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -585,6 +612,8 @@ matches snapshot for db.yaml: enabled: true discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: false proxy_service: @@ -627,6 +656,8 @@ matches snapshot for dynamic-app.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: false proxy_service: @@ -669,6 +700,8 @@ matches snapshot for dynamic-db.yaml: '*': '*' discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: false proxy_service: @@ -708,6 +741,8 @@ matches snapshot for imagepullsecrets.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -748,6 +783,8 @@ matches snapshot for initcontainers.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster 
@@ -775,6 +812,94 @@ matches snapshot for initcontainers.yaml: metadata: name: RELEASE-NAME namespace: NAMESPACE +matches snapshot for jamf-service-existing-secret.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + discovery_service: + enabled: false + jamf_service: + api_endpoint: https://testjamf.jamfcloud.com/api + client_id: teleport-jamf-client-id + client_secret_file: /etc/teleport-jamf-api-credentials/credential + enabled: true + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE +matches snapshot for jamf-service.yaml: + 1: | + apiVersion: v1 + data: + teleport.yaml: |- + app_service: + enabled: false + auth_service: + enabled: false + db_service: + enabled: false + discovery_service: + enabled: false + jamf_service: + api_endpoint: https://testjamf.jamfcloud.com/api + client_id: teleport-jamf-client-id + client_secret_file: /etc/teleport-jamf-api-credentials/credential + enabled: true + kubernetes_service: + enabled: false + proxy_service: + enabled: false + ssh_service: + enabled: false + teleport: + join_params: + method: token + token_name: /etc/teleport-secrets/auth-token + log: + format: + extra_fields: + - timestamp + - level + - component + - caller + output: text + output: stderr + severity: INFO + proxy_server: proxy.example.com:3080 + version: v3 + kind: ConfigMap + metadata: + name: RELEASE-NAME + namespace: NAMESPACE matches snapshot for join-params-iam.yaml: 1: | apiVersion: v1 
@@ -788,6 +913,8 @@ matches snapshot for join-params-iam.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -828,6 +955,8 @@ matches snapshot for join-params-token.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -868,6 +997,8 @@ matches snapshot for log-basic.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -908,6 +1039,8 @@ matches snapshot for log-extra.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -948,6 +1081,8 @@ matches snapshot for log-legacy.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -988,6 +1123,8 @@ matches snapshot for node-selector.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -1028,6 +1165,8 @@ matches snapshot for pdb.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -1068,6 +1207,8 @@ matches snapshot for resources.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -1108,6 +1249,8 @@ matches snapshot for stateful.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name 
@@ -1148,6 +1291,8 @@ matches snapshot for tolerations.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster @@ -1188,6 +1333,8 @@ matches snapshot for v10.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -1228,6 +1375,8 @@ matches snapshot for v11.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster-name @@ -1268,6 +1417,8 @@ matches snapshot for volumes.yaml: enabled: false discovery_service: enabled: false + jamf_service: + enabled: false kubernetes_service: enabled: true kube_cluster_name: test-kube-cluster diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap index 78440a7964bc6..ba9db36cd8114 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap @@ -18,7 +18,7 @@ sets Deployment annotations when specified if action is Upgrade: template: metadata: annotations: - checksum/config: e2a099e6eeb24c94a395c55fa6cc7ba6cbf4502ab9ed6e9c47233adc40b7927e + checksum/config: 310911b3e71e9339802aeca1d182e1acf5153470f507ce4af423a73e6e06eaba kubernetes.io/pod: test-annotation kubernetes.io/pod-different: 4 labels: @@ -93,7 +93,7 @@ sets Deployment labels when specified if action is Upgrade: template: metadata: annotations: - checksum/config: 759fbcfcd1e9750bb5682ac3777c0e6146b5228d7ae9bba03136f7989eafd12d + checksum/config: 9e9cb2e4d76c492bccf0b1e2be4a5acffc8fe747484eb62e615c5ed8dc8c3fc6 labels: app: RELEASE-NAME app.kubernetes.io/name: teleport-kube-agent 
@@ -828,6 +828,142 @@ should mount extraVolumes and extraVolumeMounts if action is Upgrade: - name: my-mount secret: secretName: mySecret +should mount jamfCredentialsSecret if it already exists and when role is jamf and action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: jamf-api-credentials + secret: + secretName: existing-teleport-jamf-secret +should mount jamfCredentialsSecret.name when role is jamf and action is Upgrade: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + 
failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: jamf-api-credentials + secret: + secretName: teleport-jamf-api-credentials should mount tls.existingCASecretName and set environment when set in values if action is Upgrade: 1: | containers: diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap index 551299dd8d1ac..04c4a9c679c3b 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/secret_test.yaml.snap 
@@ -19,6 +19,16 @@ generates a secret when authToken is provided: auth-token: | sample-auth-token-dont-use-this type: Opaque +generates a secret when jamfCredentialsSecret.create is true: + 1: | + apiVersion: v1 + kind: Secret + metadata: + name: teleport-jamf-api-credentials + namespace: NAMESPACE + stringData: + credential: secret-jamf-client-secret + type: Opaque generates a secret when joinParams.tokenName is provided: 1: | apiVersion: v1 diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap index a9fef98e8376e..7c9b428f891c8 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap @@ -158,7 +158,7 @@ sets StatefulSet labels when specified: template: metadata: annotations: - checksum/config: 759fbcfcd1e9750bb5682ac3777c0e6146b5228d7ae9bba03136f7989eafd12d + checksum/config: 9e9cb2e4d76c492bccf0b1e2be4a5acffc8fe747484eb62e615c5ed8dc8c3fc6 labels: app: RELEASE-NAME app.kubernetes.io/name: teleport-kube-agent @@ -422,7 +422,7 @@ should add volumeClaimTemplate for data volume when using StatefulSet and is Fre template: metadata: annotations: - checksum/config: 98a7bc8bca7ccc7b9b16552b81cfec61134d375b7a6fb3dc897f3f07bd1164e2 + checksum/config: 5784fa709686cf9d0818ad218ab23bb886fa3877e4a84eb1bdeb25acbe8e6b3c labels: app: RELEASE-NAME spec: 
@@ -1097,6 +1097,162 @@ should mount extraVolumes and extraVolumeMounts: - name: my-mount secret: secretName: mySecret +should mount jamfCredentialsSecret if it already exists and when role is jamf: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT + value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: jamf-api-credentials + secret: + secretName: existing-teleport-jamf-secret +should mount jamfCredentialsSecret.name when role is jamf: + 1: | + containers: + - args: + - --diag-addr=0.0.0.0:3000 + env: + - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT 
+ value: "true" + - name: TELEPORT_REPLICA_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KUBE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: RELEASE_NAME + value: RELEASE-NAME + image: public.ecr.aws/gravitational/teleport-distroless:17.0.0-dev + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 6 + httpGet: + path: /healthz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + name: teleport + ports: + - containerPort: 3000 + name: diag + protocol: TCP + readinessProbe: + failureThreshold: 12 + httpGet: + path: /readyz + port: diag + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 9807 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /etc/teleport + name: config + readOnly: true + - mountPath: /etc/teleport-secrets + name: auth-token + readOnly: true + - mountPath: /var/lib/teleport + name: data + - mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + securityContext: + fsGroup: 9807 + serviceAccountName: RELEASE-NAME + volumes: + - configMap: + name: RELEASE-NAME + name: config + - name: auth-token + secret: + secretName: teleport-kube-agent-join-token + - emptyDir: {} + name: data + - name: jamf-api-credentials + secret: + secretName: teleport-jamf-api-credentials should mount tls.existingCASecretName and set environment when set in values: 1: | containers: diff --git a/examples/chart/teleport-kube-agent/tests/config_test.yaml b/examples/chart/teleport-kube-agent/tests/config_test.yaml index f7a8eb1e0c32a..fcf4606a82e9e 100644 --- a/examples/chart/teleport-kube-agent/tests/config_test.yaml +++ b/examples/chart/teleport-kube-agent/tests/config_test.yaml 
@@ -150,6 +150,26 @@ tests: of: ConfigMap - matchSnapshot: {} + - it: matches snapshot for jamf-service.yaml + values: + - ../.lint/jamf-service.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + + - it: matches snapshot for jamf-service-existing-secret.yaml + values: + - ../.lint/jamf-service-existing-secret.yaml + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ConfigMap + - matchSnapshot: {} + - it: matches snapshot for join-params-iam.yaml values: - ../.lint/join-params-iam.yaml diff --git a/examples/chart/teleport-kube-agent/tests/deployment_test.yaml b/examples/chart/teleport-kube-agent/tests/deployment_test.yaml index 3d8211d0e5c69..060dda94e2e56 100644 --- a/examples/chart/teleport-kube-agent/tests/deployment_test.yaml +++ b/examples/chart/teleport-kube-agent/tests/deployment_test.yaml 
@@ -500,6 +500,54 @@ tests: - matchSnapshot: path: spec.template.spec + - it: should mount jamfCredentialsSecret.name when role is jamf and action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/jamf-service.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: jamf-api-credentials + secret: + secretName: teleport-jamf-api-credentials + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + - matchSnapshot: + path: spec.template.spec + + - it: should mount jamfCredentialsSecret if it already exists and when role is jamf and action is Upgrade + template: deployment.yaml + set: + # unit test does not support lookup functions, so to test the behavior we use this undoc value + # https://github.com/helm/helm/issues/8137 + unitTestUpgrade: true + values: + - ../.lint/jamf-service-existing-secret.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: jamf-api-credentials + secret: + secretName: existing-teleport-jamf-secret + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + - matchSnapshot: + path: spec.template.spec + - it: should mount tls.existingCASecretName and set environment when set in values if action is Upgrade template: deployment.yaml set: diff --git a/examples/chart/teleport-kube-agent/tests/secret_test.yaml b/examples/chart/teleport-kube-agent/tests/secret_test.yaml index 086e2e42bcccb..ebd61d174e7e7 100644 --- a/examples/chart/teleport-kube-agent/tests/secret_test.yaml +++ b/examples/chart/teleport-kube-agent/tests/secret_test.yaml 
@@ -66,6 +66,18 @@ tests: value: some-other-secret-name - matchSnapshot: {} + - it: generates a secret when jamfCredentialsSecret.create is true + values: + - ../.lint/jamf-service.yaml + asserts: + - containsDocument: + kind: Secret + apiVersion: v1 + name: teleport-jamf-api-credentials + - matchSnapshot: {} + # documentIndex: 0=Secret(joinToken) 1=Secret(jamfSecret) + documentIndex: 1 + - it: does not create a secret when joinTokenSecret.create is false set: authToken: sample-auth-token-dont-use-this @@ -76,6 +88,13 @@ tests: - hasDocuments: count: 0 + - it: does not create a secret when jamfCredentialsSecret.create is false + values: + - ../.lint/jamf-service-existing-secret.yaml + asserts: + - hasDocuments: + count: 1 # only joinToken secret is created + - it: sets Secret labels when specified values: - ../.lint/extra-labels.yaml diff --git a/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml b/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml index b0e4cb6997583..4423ce87f36b7 100644 --- a/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml +++ b/examples/chart/teleport-kube-agent/tests/statefulset_test.yaml 
@@ -506,6 +506,46 @@ tests: - matchSnapshot: path: spec.template.spec + - it: should mount jamfCredentialsSecret.name when role is jamf + template: statefulset.yaml + values: + - ../.lint/jamf-service.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: jamf-api-credentials + secret: + secretName: teleport-jamf-api-credentials + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + - matchSnapshot: + path: spec.template.spec + + - it: should mount jamfCredentialsSecret if it already exists and when role is jamf + template: statefulset.yaml + values: + - ../.lint/jamf-service-existing-secret.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: jamf-api-credentials + secret: + secretName: existing-teleport-jamf-secret + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-jamf-api-credentials + name: jamf-api-credentials + readOnly: true + - matchSnapshot: + path: spec.template.spec + - it: should mount tls.existingCASecretName and set environment when set in values template: statefulset.yaml values: @@ -562,7 +602,6 @@ tests: - matchSnapshot: path: spec.template.spec - - it: should set serviceAccountName when set in values template: statefulset.yaml values: diff --git a/examples/chart/teleport-kube-agent/values.schema.json b/examples/chart/teleport-kube-agent/values.schema.json index 53f02f0c210a8..33e9fdcd7b208 100644 --- a/examples/chart/teleport-kube-agent/values.schema.json +++ b/examples/chart/teleport-kube-agent/values.schema.json 
@@ -739,6 +739,39 @@ }, "additionalProperties": false } + }, + "jamfCredentialsSecret": { + "$id": "#/properties/jamfCredentialsSecret", + "type": "object", + "required": ["create", "name"], + "properties": { + "create": { + "$id": "#/properties/jamfCredentialsSecret/create", + "type": "boolean", + "default": true + }, + "name": { + "$id": "#/properties/jamfCredentialsSecret/name", + "type": "string", + "default": "teleport-jamf-api-credentials" + }, + "additionalProperties": false + } + }, + "jamfApiEndpoint": { + "$id": "#/properties/jamfApiEndpoint", + "type": "string", + "default": "" + }, + "jamfClientId": { + "$id": "#/properties/jamfClientId", + "type": "string", + "default": "" + }, + "jamfClientSecret": { + "$id": "#/properties/jamfSecret", + "type": "string", + "default": "" } } } diff --git a/examples/chart/teleport-kube-agent/values.yaml b/examples/chart/teleport-kube-agent/values.yaml index c9292b421bad2..d0ea5a4a03702 100644 --- a/examples/chart/teleport-kube-agent/values.yaml +++ b/examples/chart/teleport-kube-agent/values.yaml @@ -11,6 +11,7 @@ # | Teleport Application service | `app` | [`apps`](#apps) or [`appResources`](#appresources) | # | Teleport Database service | `db` | [`databases`](#databases) or [`databaseResources`](#databaseresources) | # | Teleport Discovery service | `discovery` | [`kubeClusterName`](#kubeclustername) | +# | Teleport Jamf service | `jamf` | [`jamfApiEndpoint`](#jamfapiendpoint), [`jamfClientId`](#jamfclientid) | # # For example: # ```yaml 
@@ -408,6 +409,61 @@ kubernetesDiscovery: labels: "*": "*" +################################################################ +# Values that must be provided if Jamf service is enabled. +################################################################ + +# jamfApiEndpoint(string) -- sets the Jamf Pro API endpoint used for Jamf service. +# Example: "https://yourtenant.jamfcloud.com/api". +# +# This setting is required if the chart `roles` contains `jamf`. +jamfApiEndpoint: "" + +# jamfClientId(string) -- sets the Jamf Pro API Client ID used for Jamf service. +# +# This setting is required if the chart `roles` contains `jamf`. +jamfClientId: "" + +# jamfClientSecret(string) -- sets the Jamf Pro API client secret used for Jamf service. +# +# This setting is required if the chart `roles` contains `jamf` and `jamfCredentialsSecret.create` is set to `true`. +# If you provide your own Kubernetes Secret, this setting can remain unset. +jamfClientSecret: "" + +# jamfCredentialsSecret -- manages the Kubernetes Secret containing the Jamf API credentials (either Jamf client secret or password). +jamfCredentialsSecret: + # jamfCredentialsSecret.create(bool) -- controls whether the chart creates the + # Kubernetes `Secret` containing the Jamf Pro API Client Secret. + # If false, you must create a Kubernetes Secret with the configured name in + # the Helm release namespace. + create: true + # jamfCredentialsSecret.name(string) -- is the name of the Kubernetes Secret + # containing the Jamf Pro API Client Secret used by the chart. + # + # If `jamfCredentialsSecret.create` is `false`, the chart will not attempt to create the secret itself. + # Instead, it will read the value from an existing Kubernetes Secret. `jamfCredentialsSecret.name` + # configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext + # Jamf Pro API Client Secret stored in your Teleport chart values. 
+ # + # To create your own Kubernetes Secret containing Jamf Pro API Client Secret, run the command: + # + # ```code + # $ kubectl --namespace teleport create secret generic my-jamf-secret --from-literal=credential= + # ``` + # + # + # The key used for the Jamf Pro API Client Secret inside the secret must be `credential`, as in the command above. + # + # + # For example: + # + # ```yaml + # jamfCredentialsSecret: + # create: false + # name: my-jamf-secret + # ``` + name: teleport-jamf-api-credentials + ################################################################ # Values that you may need to change. ################################################################
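Review bot: in the values.schema.json hunk, `"additionalProperties": false` for `jamfCredentialsSecret` is nested inside `"properties"` rather than at the object level, so instead of rejecting unknown keys it declares a property literally named `additionalProperties` whose schema is `false`; move it up one level next to `"required": ["create", "name"]` so that typos such as `jamfCredentialsSecret.nam` fail validation. In the same hunk the `$id` for `jamfClientSecret` is `#/properties/jamfSecret`, which does not match the property key; it should read `#/properties/jamfClientSecret` like the other two new entries.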
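Review bot: in the values.yaml hunk, the `jamfCredentialsSecret` comment says the Secret holds "either Jamf client secret or password", but every other line in this change (`jamfClientId`, `jamfClientSecret`, the `create` and `name` comments, and the rendered `client_secret_file`) documents only the API client secret; either drop the password wording or document how a password would be supplied. The example `kubectl ... create secret generic my-jamf-secret --from-literal=credential=` also shows nothing after `credential=`, so a reader cannot tell what goes there; show a placeholder, and since `--from-literal` puts the client secret into shell history and process listings, prefer `--from-file=credential=<path>` or reading it from stdin in the documented command.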
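Review bot: in the secret_test.yaml hunk, the test "does not create a secret when jamfCredentialsSecret.create is false" only asserts `hasDocuments: count: 1`, which passes as long as exactly one Secret is rendered, whatever its name; add a `containsDocument` for the join-token Secret and a negative check that no Secret named `teleport-jamf-api-credentials` (or `existing-teleport-jamf-secret`) appears, otherwise a regression that renders the Jamf Secret and drops the join-token Secret would still pass. The companion test relies on `documentIndex: 1` with a comment explaining the ordering; a `containsDocument` keyed on the Secret name would be more robust than depending on template render order.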
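Review bot: the config_test.yaml.snap hunks add `jamf_service: enabled: false` to every rendered `teleport.yaml`, and the deployment_test.yaml.snap and statefulset_test.yaml.snap hunks show the `checksum/config` annotation changing accordingly; because that checksum is on the pod template, every existing `teleport-kube-agent` release will roll its pods on the next `helm upgrade` even if the operator never touches the Jamf values. That is expected for a ConfigMap change but is worth a line in the chart's release notes, and if avoiding the restart matters the `jamf_service` block could be emitted only when `jamf` is in `roles`, as the snapshots for `jamf-service.yaml` already show the full block.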
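Review bot: in the deployment_test.yaml.snap and statefulset_test.yaml.snap hunks, the new `jamf-api-credentials` Secret volume is mounted `readOnly: true` but sets no `defaultMode`, so the `credential` file is created with the Secret volume default (0644) and is readable by any process in the pod; this matches the existing `auth-token` volume so it is not a blocker, but if the chart tightens permissions for one it should do so for both (with `runAsUser`/`fsGroup` 9807, a group-readable mode such as 0440 is the one that still works). Separately, the second statefulset_test.yaml hunk (`@@ -562,7 +602,6 @@`) only removes an unrelated blank line; keep the diff to the Jamf change or note the whitespace cleanup in the description.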