teleport-cluster upgrade 16.1.0

argocd-helm-charts/teleport-cluster/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: teleport-cluster
   repository: https://charts.releases.teleport.dev
-  version: 16.0.4
-digest: sha256:d214eab61b51bf3ec0b7c4393f9592258a1412c1fdf23625bfa6c2eed5dd6e51
-generated: "2024-07-09T02:58:28.383194786+05:30"
+  version: 16.1.0
+digest: sha256:8c176fe43a38b6d187def377a65ea7869982ca1ae605bf477f4a44f47b69977f
+generated: "2024-07-22T17:44:00.418137498+05:30"

argocd-helm-charts/teleport-cluster/Chart.yaml

@@ -7,6 +7,6 @@ keywords:
   - Teleport
 dependencies:
   - name: teleport-cluster
-    version: 15.4.9
+    version: 16.1.0
     repository: https://charts.releases.teleport.dev
     #repository: "oci://ghcr.io/Obmondo"

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/.lint/auth-disable-passwordless.yaml

@@ -0,0 +1,5 @@
+clusterName: helm-lint
+authentication:
+  type: "github"
+  passwordless: false
+  secondFactor: "off"

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/Chart.yaml

@@ -1,13 +1,13 @@
 apiVersion: v2
-appVersion: 15.4.9
+appVersion: 16.1.0
 dependencies:
 - alias: operator
   name: teleport-operator
   repository: ""
-  version: 15.4.9
+  version: 16.1.0
 description: Teleport is an access platform for your infrastructure
 icon: https://goteleport.com/static/teleport-symbol-bimi.svg
 keywords:
 - Teleport
 name: teleport-cluster
-version: 15.4.9
+version: 16.1.0

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/charts/teleport-operator/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 15.4.9
+appVersion: 16.1.0
 description: Teleport Operator provides management of select Teleport resources.
 icon: https://goteleport.com/static/teleport-symbol-bimi.svg
 keywords:
 - Teleport
 name: teleport-operator
-version: 15.4.9
+version: 16.1.0

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_provisiontokens.yaml

@@ -70,8 +70,8 @@ spec:
                       type: array
                     aws_role:
                       description: AWSRole is used for the EC2 join method and is
-                        the the ARN of the AWS role that the auth server will assume
-                        in order to call the ec2 API.
+                        the ARN of the AWS role that the auth server will assume in
+                        order to call the ec2 API.
                       type: string
                   type: object
                 nullable: true

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_roles.yaml

@@ -1155,7 +1155,6 @@ spec:
                   device_trust_mode:
                     description: DeviceTrustMode is the device authorization mode
                       used for the resources associated with the role. See DeviceTrust.Mode.
-                      Reserved for future use, not yet used by Teleport.
                     type: string
                   disconnect_expired_cert:
                     description: DisconnectExpiredCert sets disconnect clients on
@@ -2487,7 +2486,6 @@ spec:
                   device_trust_mode:
                     description: DeviceTrustMode is the device authorization mode
                       used for the resources associated with the role. See DeviceTrust.Mode.
-                      Reserved for future use, not yet used by Teleport.
                     type: string
                   disconnect_expired_cert:
                     description: DisconnectExpiredCert sets disconnect clients on

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv6.yaml

@@ -1158,7 +1158,6 @@ spec:
                   device_trust_mode:
                     description: DeviceTrustMode is the device authorization mode
                       used for the resources associated with the role. See DeviceTrust.Mode.
-                      Reserved for future use, not yet used by Teleport.
                     type: string
                   disconnect_expired_cert:
                     description: DisconnectExpiredCert sets disconnect clients on

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_rolesv7.yaml

@@ -1158,7 +1158,6 @@ spec:
                   device_trust_mode:
                     description: DeviceTrustMode is the device authorization mode
                       used for the resources associated with the role. See DeviceTrust.Mode.
-                      Reserved for future use, not yet used by Teleport.
                     type: string
                   disconnect_expired_cert:
                     description: DisconnectExpiredCert sets disconnect clients on

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_samlconnectors.yaml

@@ -80,7 +80,7 @@ spec:
                 type: string
               cert:
                 description: Cert is the identity provider certificate PEM. IDP signs
-                  <Response> responses using this certificate.
+                  `<Response>` responses using this certificate.
                 type: string
               client_redirect_settings:
                 description: ClientRedirectSettings defines which client redirect

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/templates/auth/_config.common.tpl

@@ -27,6 +27,9 @@ auth_service:
   authentication:
     type: "{{ required "authentication.type is required in chart values" (coalesce .Values.authenticationType $authentication.type) }}"
     local_auth: {{ $authentication.localAuth }}
+{{- if $authentication.passwordless }}
+    passwordless: {{ $authentication.passwordless }}
+{{- end }}
 {{- if $authentication.connectorName }}
     connector_name: "{{ $authentication.connectorName }}"
 {{- end }}

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/templates/proxy/ingress.yaml

@@ -3,21 +3,22 @@
   {{- if (not (eq .Values.proxyListenerMode "multiplex")) -}}
     {{- fail "Use of an ingress requires TLS multiplexing to be enabled, so you must also set proxyListenerMode=multiplex - see https://goteleport.com/docs/architecture/tls-routing/" -}}
   {{- end -}}
-  {{- $publicAddr := coalesce .Values.publicAddr (list .Values.clusterName) -}}
-  {{- /* Trim ports from all public addresses if present */ -}}
-  {{- range $publicAddr -}}
-    {{- $address := . -}}
-    {{- if (contains ":" $address) -}}
-      {{- $split := split ":" $address -}}
-      {{- $address = $split._0 -}}
-      {{- $publicAddr = append (mustWithout $publicAddr .) $address -}}
+  {{- if not .Values.ingress.useExisting }}
+    {{- $publicAddr := coalesce .Values.publicAddr (list .Values.clusterName) -}}
+    {{- /* Trim ports from all public addresses if present */ -}}
+    {{- range $publicAddr -}}
+      {{- $address := . -}}
+      {{- if (contains ":" $address) -}}
+        {{- $split := split ":" $address -}}
+        {{- $address = $split._0 -}}
+        {{- $publicAddr = append (mustWithout $publicAddr .) $address -}}
+      {{- end -}}
+      {{- $wildcard := printf "*.%s" $address -}}
+      {{- /* Add wildcard versions of all public addresses to ingress, unless 1) suppressed or 2) wildcard version already exists */ -}}
+      {{- if and (not $.Values.ingress.suppressAutomaticWildcards) (not (hasPrefix "*." $address)) (not (has $wildcard $publicAddr)) -}}
+        {{- $publicAddr = append $publicAddr (printf "*.%s" $address) -}}
+      {{- end -}}
     {{- end -}}
-    {{- $wildcard := printf "*.%s" $address -}}
-    {{- /* Add wildcard versions of all public addresses to ingress, unless 1) suppressed or 2) wildcard version already exists */ -}}
-    {{- if and (not $.Values.ingress.suppressAutomaticWildcards) (not (hasPrefix "*." $address)) (not (has $wildcard $publicAddr)) -}}
-      {{- $publicAddr = append $publicAddr (printf "*.%s" $address) -}}
-    {{- end -}}
-  {{- end -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -58,4 +59,5 @@ spec:
             port:
               number: 443
     {{- end }}
+  {{- end }}
 {{- end }}

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap

@@ -8,9 +8,9 @@ adds operator permissions to ClusterRole:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 15.4.9
-        helm.sh/chart: teleport-cluster-15.4.9
-        teleport.dev/majorVersion: "15"
+        app.kubernetes.io/version: 16.1.0
+        helm.sh/chart: teleport-cluster-16.1.0
+        teleport.dev/majorVersion: "16"
       name: RELEASE-NAME
     rules:
     - apiGroups:

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap

@@ -1848,9 +1848,9 @@ sets clusterDomain on Configmap:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 15.4.9
-        helm.sh/chart: teleport-cluster-15.4.9
-        teleport.dev/majorVersion: "15"
+        app.kubernetes.io/version: 16.1.0
+        helm.sh/chart: teleport-cluster-16.1.0
+        teleport.dev/majorVersion: "16"
       name: RELEASE-NAME-auth
       namespace: NAMESPACE
 uses athena as primary backend when configured:

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap

@@ -8,7 +8,7 @@
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -141,7 +141,7 @@ should set nodeSelector when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -238,7 +238,7 @@ should set resources when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -324,7 +324,7 @@ should set securityContext when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap

@@ -567,8 +567,8 @@ sets clusterDomain on Configmap:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 15.4.9
-        helm.sh/chart: teleport-cluster-15.4.9
-        teleport.dev/majorVersion: "15"
+        app.kubernetes.io/version: 16.1.0
+        helm.sh/chart: teleport-cluster-16.1.0
+        teleport.dev/majorVersion: "16"
       name: RELEASE-NAME-proxy
       namespace: NAMESPACE

argocd-helm-charts/teleport-cluster/charts/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap

@@ -11,9 +11,9 @@ sets clusterDomain on Deployment Pods:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 15.4.9
-        helm.sh/chart: teleport-cluster-15.4.9
-        teleport.dev/majorVersion: "15"
+        app.kubernetes.io/version: 16.1.0
+        helm.sh/chart: teleport-cluster-16.1.0
+        teleport.dev/majorVersion: "16"
       name: RELEASE-NAME-proxy
       namespace: NAMESPACE
     spec:
@@ -26,25 +26,25 @@ sets clusterDomain on Deployment Pods:
       template:
         metadata:
           annotations:
-            checksum/config: 07a444fafcfdc473fd73e732291177b65af2c746df9de6334062432079bbdcb6
+            checksum/config: 77797663ab04d615b921cf993092cf34694ce91db18e0e88196049e73b051d5e
             kubernetes.io/pod: test-annotation
             kubernetes.io/pod-different: 4
           labels:
             app.kubernetes.io/component: proxy
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-cluster
-            app.kubernetes.io/version: 15.4.9
-            helm.sh/chart: teleport-cluster-15.4.9
-            teleport.dev/majorVersion: "15"
+            app.kubernetes.io/version: 16.1.0
+            helm.sh/chart: teleport-cluster-16.1.0
+            teleport.dev/majorVersion: "16"
         spec:
           affinity:
             podAntiAffinity: null
           automountServiceAccountToken: false
           containers:
           - args:
             - --diag-addr=0.0.0.0:3000
-            image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+            image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
             imagePullPolicy: IfNotPresent
             lifecycle:
               preStop:
@@ -104,8 +104,8 @@ sets clusterDomain on Deployment Pods:
             - teleport
             - wait
             - no-resolve
-            - RELEASE-NAME-auth-v14.NAMESPACE.svc.test.com
-            image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+            - RELEASE-NAME-auth-v15.NAMESPACE.svc.test.com
+            image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
             name: wait-auth-update
           serviceAccountName: RELEASE-NAME-proxy
           terminationGracePeriodSeconds: 60
@@ -136,8 +136,8 @@ should provision initContainer correctly when set in values:
       - teleport
       - wait
       - no-resolve
-      - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       name: wait-auth-update
       resources:
         limits:
@@ -201,7 +201,7 @@ should set nodeSelector when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -261,8 +261,8 @@ should set nodeSelector when set in values:
       - teleport
       - wait
       - no-resolve
-      - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       name: wait-auth-update
     nodeSelector:
       environment: security
@@ -313,7 +313,7 @@ should set resources for wait-auth-update initContainer when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -380,8 +380,8 @@ should set resources for wait-auth-update initContainer when set in values:
       - teleport
       - wait
       - no-resolve
-      - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       name: wait-auth-update
       resources:
         limits:
@@ -421,7 +421,7 @@ should set resources when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -488,8 +488,8 @@ should set resources when set in values:
       - teleport
       - wait
       - no-resolve
-      - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       name: wait-auth-update
       resources:
         limits:
@@ -529,7 +529,7 @@ should set securityContext for initContainers when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -596,8 +596,8 @@ should set securityContext for initContainers when set in values:
       - teleport
       - wait
       - no-resolve
-      - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false
@@ -637,7 +637,7 @@ should set securityContext when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -704,8 +704,8 @@ should set securityContext when set in values:
       - teleport
       - wait
       - no-resolve
-      - RELEASE-NAME-auth-v14.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:15.4.9
+      - RELEASE-NAME-auth-v15.NAMESPACE.svc.cluster.local
+      image: public.ecr.aws/gravitational/teleport-distroless:16.1.0
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false