Merge branch 'chart-fix-branch' into comparison-branch

helm/teleport-kube-agent/templates/_config.tpl

@@ -128,6 +128,16 @@ discovery_service:
   enabled: false
 {{- end }}
 
+jamf_service:
+  {{- if contains "jamf" (.Values.roles | toString) }}
+  enabled: true
+  api_endpoint: {{ required "jamfApiEndpoint is required in chart values when jamf role is enabled, see README" .Values.jamfApiEndpoint }}
+  client_id: {{ required "jamfClientId is required in chart values when jamf role is enabled, see README" .Values.jamfClientId }}
+  client_secret_file: "/etc/teleport-jamf-api-credentials/credential"
+  {{- else }}
+  enabled: false
+  {{- end }}
+
 auth_service:
   enabled: false
 ssh_service:

helm/teleport-kube-agent/templates/delete_hook.yaml

@@ -8,6 +8,10 @@ metadata:
     "helm.sh/hook": post-delete
     "helm.sh/hook-weight": "-4"
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+{{- if .Values.extraLabels.serviceAccount }}
+  labels:
+  {{- toYaml .Values.extraLabels.serviceAccount | nindent 4 }}
+{{- end }}
 ---
 {{- end }}
 {{- if .Values.rbac.create }}
@@ -20,6 +24,10 @@ metadata:
     "helm.sh/hook": post-delete
     "helm.sh/hook-weight": "-3"
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+{{- if .Values.extraLabels.role }}
+  labels:
+  {{- toYaml .Values.extraLabels.role | nindent 4 }}
+{{- end }}
 rules:
   - apiGroups: [""]
     resources: ["secrets",]
@@ -34,6 +42,10 @@ metadata:
     "helm.sh/hook": post-delete
     "helm.sh/hook-weight": "-2"
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+{{- if .Values.extraLabels.roleBinding }}
+  labels:
+  {{- toYaml .Values.extraLabels.roleBinding | nindent 4 }}
+{{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
@@ -53,6 +65,10 @@ metadata:
     "helm.sh/hook": post-delete
     "helm.sh/hook-weight": "-1"
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+{{- if .Values.extraLabels.job }}
+  labels:
+  {{- toYaml .Values.extraLabels.job | nindent 4 }}
+{{- end }}
 spec:
   template:
     metadata:

helm/teleport-kube-agent/templates/deployment.yaml

@@ -111,6 +111,11 @@ spec:
           name: "teleport-tls-ca"
           readOnly: true
           {{- end }}
+          {{- if contains "jamf" (.Values.roles | toString) }}
+        - mountPath: /etc/teleport-jamf-api-credentials
+          name: "jamf-api-credentials"
+          readOnly: true
+          {{- end }}
   {{- if .Values.extraVolumeMounts }}
     {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
   {{- end }}
@@ -136,6 +141,10 @@ spec:
         - name: TELEPORT_EXT_UPGRADER_VERSION
           value: {{ include "teleport-kube-agent.version" . }}
         {{- end }}
+        {{- if .Values.clusterDomain }}
+        - name: TELEPORT_KUBE_CLUSTER_DOMAIN
+          value: {{ .Values.clusterDomain | quote }}
+        {{- end }}
         {{- if (gt (len .Values.extraEnv) 0) }}
           {{- toYaml .Values.extraEnv | nindent 8 }}
         {{- end }}
@@ -192,6 +201,11 @@ spec:
           name: "teleport-tls-ca"
           readOnly: true
           {{- end }}
+          {{- if contains "jamf" (.Values.roles | toString) }}
+        - mountPath: /etc/teleport-jamf-api-credentials
+          name: "jamf-api-credentials"
+          readOnly: true
+          {{- end }}
 {{- if .Values.extraVolumeMounts }}
   {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
 {{- end }}
@@ -214,6 +228,11 @@ spec:
         secret:
           secretName: {{ .Values.tls.existingCASecretName }}
       {{- end }}
+      {{- if contains "jamf" (.Values.roles | toString) }}
+      - name: "jamf-api-credentials"
+        secret:
+          secretName: {{ .Values.jamfCredentialsSecret.name }}
+      {{- end }}
 {{- if .Values.extraVolumes }}
   {{- toYaml .Values.extraVolumes | nindent 6 }}
 {{- end }}

helm/teleport-kube-agent/templates/hook.yaml

@@ -79,7 +79,7 @@ spec:
 {{- end }}
       containers:
       - name: post-install-job
-        image: alpine/k8s:1.30.2
+        image: alpine/k8s:1.26.0
         command:
         - sh
         - "-c"

helm/teleport-kube-agent/templates/pdb.yaml

@@ -2,7 +2,7 @@
 {{- if .Capabilities.APIVersions.Has "policy/v1" }}
 apiVersion: policy/v1
 {{- else }}
-apiVersion: policy/v1
+apiVersion: policy/v1beta1
 {{- end }}
 kind: PodDisruptionBudget
 metadata:

helm/teleport-kube-agent/templates/role.yaml

@@ -11,4 +11,4 @@ rules:
 - apiGroups: [""]
   # objects is "secrets"
   resources: ["secrets"]
-  verbs: ["create", "get", "update","patch"]
+  verbs: ["create", "get", "update", "patch"]

helm/teleport-kube-agent/templates/secret.yaml

@@ -17,3 +17,23 @@ stringData:
   auth-token: |
     {{ coalesce .Values.joinParams.tokenName .Values.authToken }}
 {{- end}}
+
+{{- if and (contains "jamf" (.Values.roles | toString)) .Values.jamfCredentialsSecret.create }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.jamfCredentialsSecret.name }}
+  namespace: {{ .Release.Namespace }}
+  {{- if .Values.extraLabels.secret }}
+  labels:
+  {{- toYaml .Values.extraLabels.secret | nindent 4 }}
+  {{- end }}
+  {{- if .Values.annotations.secret }}
+  annotations:
+  {{- toYaml .Values.annotations.secret | nindent 4 }}
+  {{- end }}
+type: Opaque
+stringData:
+  credential: {{ required "jamfClientSecret is required in chart values when jamf role is enabled, see README" .Values.jamfClientSecret }}
+{{- end}}

helm/teleport-kube-agent/templates/statefulset.yaml

@@ -107,6 +107,11 @@ spec:
           name: "teleport-tls-ca"
           readOnly: true
           {{- end }}
+          {{- if contains "jamf" (.Values.roles | toString) }}
+        - mountPath: /etc/teleport-jamf-api-credentials
+          name: "jamf-api-credentials"
+          readOnly: true
+          {{- end }}
   {{- if .Values.extraVolumeMounts }}
     {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
   {{- end }}
@@ -140,7 +145,7 @@ spec:
             value: {{ $proxy.https }}
           - name: https_proxy
             value: {{ $proxy.https }}
-          {{- end }}        
+          {{- end }}
           # This variable is set for telemetry purposes.
           # Telemetry is opt-in and controlled at the auth level.
           - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT
@@ -222,6 +227,11 @@ spec:
           name: "teleport-tls-ca"
           readOnly: true
 {{- end }}
+{{- if contains "jamf" (.Values.roles | toString) }}
+        - mountPath: /etc/teleport-jamf-api-credentials
+          name: "jamf-api-credentials"
+          readOnly: true
+{{- end }}
 {{- if .Values.extraVolumeMounts }}
   {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
 {{- end }}
@@ -244,6 +254,11 @@ spec:
         secret:
           secretName: {{ .Values.tls.existingCASecretName }}
 {{- end }}
+{{- if contains "jamf" (.Values.roles | toString) }}
+      - name: "jamf-api-credentials"
+        secret:
+          secretName: {{ .Values.jamfCredentialsSecret.name }}
+{{- end }}
 {{- if .Values.extraVolumes }}
   {{- toYaml .Values.extraVolumes | nindent 6 }}
 {{- end }}

helm/teleport-kube-agent/values.yaml

@@ -1,7 +1,6 @@
 ################################################################
 # Values that must always be provided by the user.
 ################################################################
-
 global:
   podSecurityStandards:
     enforced: false
@@ -449,7 +448,7 @@ jamfCredentialsSecret:
   # Kubernetes `Secret` containing the Jamf Pro API Client Secret.
   # If false, you must create a Kubernetes Secret with the configured name in
   # the Helm release namespace.
-  create: true
+  create: false
   # jamfCredentialsSecret.name(string) -- is the name of the Kubernetes Secret
   # containing the Jamf Pro API Client Secret used by the chart.
   #
@@ -897,7 +896,6 @@ adminClusterRoleBinding:
 image:
   registry: &registry gsoci.azurecr.io
   repository: giantswarm/teleport-distroless
-
 # enterpriseImage(string) -- sets the container image used for Teleport Enterprise
 # agent pods created by the chart.
 #
@@ -1330,9 +1328,6 @@ podSecurityContext:
 # for more details.
 priorityClassName: ""
 
-# tolerations(list) -- sets the tolerations for any pods created by the chart.
-# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
-# for more details.
 tolerations:
   - effect: NoSchedule
     key: node-role.kubernetes.io/control-plane