[v14] Add extraLabels value in teleport-cluster chart

docs/pages/reference/helm-reference/teleport-cluster.mdx

@@ -801,11 +801,14 @@ To disable PSP creation, you can set `enabled` to `false`.
 |----------|---------------|
 | `object` | `{}`          |
 
-`labels` can be used to add a map of key-value pairs relating to the Teleport cluster being deployed. These labels can then be used with
-Teleport's RBAC policies to define access rules for the cluster.
+`labels` can be used to add a map of key-value pairs relating to the Teleport
+cluster being deployed. These labels can then be used with Teleport's RBAC
+policies to define access rules for the cluster.
 
 <Admonition type="note">
   These are Teleport-specific RBAC labels, not Kubernetes labels.
+  See [`extraLabels`](#extraLabels) for setting additional labels on Kubernetes
+  resources.
 </Admonition>
 
 `values.yaml` example:
@@ -1511,7 +1514,8 @@ Kubernetes affinity to set for pod assignments.
             - teleport
   ```
 
-## `annotations.config`
+## `annotations`
+### `annotations.config`
 
 | Type     | Default value | `teleport.yaml` equivalent |
 |----------|---------------|----------------------------|
@@ -1529,7 +1533,7 @@ Kubernetes annotations which should be applied to the `ConfigMap` created by the
       kubernetes.io/annotation: value
   ```
 
-## `annotations.deployment`
+### `annotations.deployment`
 
 | Type     | Default value |
 |----------|---------------|
@@ -1547,7 +1551,7 @@ Kubernetes annotations which should be applied to the `Deployment` created by th
       kubernetes.io/annotation: value
   ```
 
-## `annotations.pod`
+### `annotations.pod`
 
 | Type     | Default value |
 |----------|---------------|
@@ -1565,7 +1569,7 @@ Kubernetes annotations which should be applied to each `Pod` created by the char
       kubernetes.io/annotation: value
   ```
 
-## `annotations.service`
+### `annotations.service`
 
 | Type     | Default value |
 |----------|---------------|
@@ -1583,7 +1587,7 @@ Kubernetes annotations which should be applied to the `Service` created by the c
       kubernetes.io/annotation: value
   ```
 
-## `annotations.serviceAccount`
+### `annotations.serviceAccount`
 
 | Type     | Default value |
 |----------|---------------|
@@ -1601,7 +1605,7 @@ Kubernetes annotations which should be applied to the `serviceAccount` created b
       kubernetes.io/annotation: value
   ```
 
-## `annotations.certSecret`
+### `annotations.certSecret`
 
 | Type     | Default value |
 |----------|---------------|
@@ -1622,7 +1626,7 @@ Kubernetes annotations which should be applied to the `secret` generated by
       kubernetes.io/annotation: value
   ```
 
-## `annotations.ingress`
+### `annotations.ingress`
 
 | Type     | Default value |
 |----------|---------------|
@@ -1641,6 +1645,122 @@ Kubernetes annotations which should be applied to the `Ingress` created by the c
       alb.ingress.kubernetes.io/backend-protocol: HTTPS
   ```
 
+## `extraLabels`
+
+`extraLabels` contains additional Kubernetes labels to apply on the resources
+created by the chart.
+
+See [the Kubernetes label documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+for more information.
+
+Note: for PodMonitor labels, see `podMonitor.additionalLabels` instead.
+
+### `extraLabels.certSecret`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.certSecret` are labels to set on the certificate secret
+generated by cert-manager v1.5+ when `highAvailability.certManager.enabled`
+is true.
+
+### `extraLabels.clusterRole`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.clusterRole` are labels to set on the ClusterRole.
+
+### `extraLabels.clusterRoleBinding`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.clusterRoleBinding` are labels to set on the ClusterRoleBinding.
+
+### `extraLabels.role`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.role` are labels to set on the Role.
+
+### `extraLabels.deployment`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.deployment` are labels to set on the Deployment.
+
+### `extraLabels.ingress`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.ingress` are labels to set on the Ingress.
+
+### `extraLabels.job`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.job` are labels to set on the Job run by the Helm hook.
+
+### `extraLabels.persistentVolumeClaim`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.persistentVolumeClaim` are labels to set on the PersistentVolumeClaim.
+
+### `extraLabels.pod`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.pod` are labels to set on the Pods created by the Deployment.
+
+### `extraLabels.podDisruptionBudget`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.podDisruptionBudget` are labels to set on the podDisruptionBudget.
+
+### `extraLabels.secret`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.secret` are labels to set on the Secret.
+
+### `extraLabels.service`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.service` are labels to set on the Service.
+
+### `extraLabels.serviceAccount`
+
+| Type     | Default value |
+|----------|---------------|
+| `object` | `{}`          |
+
+`extraLabels.serviceAccount` are labels to set on the ServiceAccount.
+
 ## `serviceAccount.create`
 
 | Type      | Default value | Required? |

examples/chart/teleport-cluster/templates/auth/clusterrole.yaml

@@ -1,8 +1,14 @@
 {{- if .Values.rbac.create -}}
+{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: {{ .Release.Name }}
+  labels:
+    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+    {{- if $auth.extraLabels.clusterRole }}
+    {{- toYaml $auth.extraLabels.clusterRole | nindent 4 }}
+    {{- end }}
 rules:
 - apiGroups:
   - ""

examples/chart/teleport-cluster/templates/auth/clusterrolebinding.yaml

@@ -1,9 +1,14 @@
 {{- if .Values.rbac.create -}}
+{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ .Release.Name }}
-  labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+  labels:
+    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+    {{- if $auth.extraLabels.clusterRoleBinding }}
+    {{- toYaml $auth.extraLabels.clusterRoleBinding | nindent 4 }}
+    {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -19,7 +24,11 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ .Release.Name }}-auth
-  labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+  labels:
+    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+    {{- if $auth.extraLabels.clusterRoleBinding }}
+    {{- toYaml $auth.extraLabels.clusterRoleBinding | nindent 4 }}
+    {{- end }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

examples/chart/teleport-cluster/templates/auth/config.yaml

@@ -5,7 +5,11 @@ kind: ConfigMap
 metadata:
   name: {{ .Release.Name }}-auth
   namespace: {{ .Release.Namespace }}
-  labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+  labels:
+    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+    {{- if $auth.extraLabels.config }}
+    {{- toYaml $auth.extraLabels.config | nindent 4 }}
+    {{- end }}
 {{- if $auth.annotations.config }}
   annotations: {{- toYaml $auth.annotations.config | nindent 4 }}
 {{- end }}

examples/chart/teleport-cluster/templates/auth/deployment.yaml

@@ -9,6 +9,9 @@ metadata:
   labels:
     {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
     app: {{ .Release.Name }}
+    {{- if $auth.extraLabels.deployment }}
+    {{- toYaml $auth.extraLabels.deployment | nindent 4 }}
+    {{- end }}
 {{- if $auth.annotations.deployment }}
   annotations: {{- toYaml $auth.annotations.deployment | nindent 4 }}
 {{- end }}
@@ -43,6 +46,9 @@ spec:
       labels:
         {{- include "teleport-cluster.auth.labels" . | nindent 8 }}
         app: {{ .Release.Name }}
+        {{- if $auth.extraLabels.pod }}
+        {{- toYaml $auth.extraLabels.pod | nindent 8 }}
+        {{- end }}
 {{- if eq $auth.chartMode "azure"}}
         azure.workload.identity/use: "true"
 {{- end }}

examples/chart/teleport-cluster/templates/auth/pdb.yaml

@@ -9,7 +9,11 @@ kind: PodDisruptionBudget
 metadata:
   name: {{ .Release.Name }}-auth
   namespace: {{ .Release.Namespace }}
-  labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+  labels:
+    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+    {{- if $auth.extraLabels.podDisruptionBudget }}
+    {{- toYaml $auth.extraLabels.podDisruptionBudget | nindent 4 }}
+    {{- end }}
 spec:
   minAvailable: {{ $auth.highAvailability.podDisruptionBudget.minAvailable }}
   selector:

examples/chart/teleport-cluster/templates/auth/predeploy_config.yaml

@@ -6,7 +6,11 @@ kind: ConfigMap
 metadata:
   name: {{ .Release.Name }}-auth-test
   namespace: {{ .Release.Namespace }}
-  labels: {{- include "teleport-cluster.labels" . | nindent 4 }}
+  labels:
+    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+    {{- if $auth.extraLabels.config }}
+    {{- toYaml $auth.extraLabels.config | nindent 4 }}
+    {{- end }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-weight": "4"

examples/chart/teleport-cluster/templates/auth/predeploy_job.yaml

@@ -5,7 +5,11 @@ kind: Job
 metadata:
   name: {{ .Release.Name }}-auth-test
   namespace: {{ .Release.Namespace }}
-  labels: {{- include "teleport-cluster.labels" . | nindent 4 }}
+  labels:
+    {{- include "teleport-cluster.labels" . | nindent 4 }}
+    {{- if $auth.extraLabels.job }}
+    {{- toYaml $auth.extraLabels.job | nindent 4 }}
+    {{- end }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
     "helm.sh/hook-weight": "5"

examples/chart/teleport-cluster/templates/auth/pvc.yaml

@@ -9,7 +9,11 @@ kind: PersistentVolumeClaim
 metadata:
   name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
-  labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+  labels:
+    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+    {{- if $auth.extraLabels.persistentVolumeClaim }}
+    {{- toYaml $auth.extraLabels.persistentVolumeClaim | nindent 4 }}
+    {{- end }}
 spec:
   accessModes:
   - ReadWriteOnce

examples/chart/teleport-cluster/templates/auth/service-previous-version.yaml

@@ -1,9 +1,14 @@
+{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "teleport-cluster.auth.previousVersionServiceName" . }}
   namespace: {{ .Release.Namespace }}
-  labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+  labels:
+    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+    {{- if $auth.extraLabels.service }}
+    {{- toYaml $auth.extraLabels.service | nindent 4 }}
+    {{- end }}
 spec:
   # This is a headless service. Resolving it will return the list of all auth pods running the previous major version
   # Proxies should not connect to auth pods from the previous major version
@@ -20,7 +25,11 @@ kind: Service
 metadata:
   name: {{ include "teleport-cluster.auth.currentVersionServiceName" . }}
   namespace: {{ .Release.Namespace }}
-  labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+  labels:
+    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+    {{- if $auth.extraLabels.service }}
+    {{- toYaml $auth.extraLabels.service | nindent 4 }}
+    {{- end }}
 spec:
   # This is a headless service. Resolving it will return the list of all auth pods running the current major version
   clusterIP: "None"

examples/chart/teleport-cluster/templates/auth/service.yaml

@@ -4,7 +4,11 @@ kind: Service
 metadata:
   name: {{ include "teleport-cluster.auth.serviceName" . }}
   namespace: {{ .Release.Namespace }}
-  labels: {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+  labels:
+    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+    {{- if $auth.extraLabels.service }}
+    {{- toYaml $auth.extraLabels.service | nindent 4 }}
+    {{- end }}
 {{- if $auth.annotations.service }}
   annotations: {{- toYaml $auth.annotations.service | nindent 4 }}
 {{- end }}

examples/chart/teleport-cluster/templates/auth/serviceaccount.yaml

@@ -5,6 +5,11 @@ kind: ServiceAccount
 metadata:
   name: {{ template "teleport-cluster.auth.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
+    {{- if $auth.extraLabels.serviceAccount }}
+    {{- toYaml $auth.extraLabels.serviceAccount | nindent 4 }}
+    {{- end }}
   {{- if or $auth.annotations.serviceAccount $auth.azure.clientID }}
   annotations:
     {{- if $auth.annotations.serviceAccount }}