이 차트는 머신 및 워크로드 아이덴티티 에이전트인 TBot 인스턴스를 Kubernetes 클러스터에 배포합니다.

사용하려면 다음을 알아야 합니다:

• Teleport Proxy Service 또는 Auth Service의 주소
• Teleport 클러스터의 이름
• Kubernetes의 머신 및 워크로드 아이덴티티 가이드에 설명된 대로 머신 및 워크로드 아이덴티티 및 Kubernetes 클러스터에 대해 구성된 조인 토큰의 이름

기본적으로 이 차트는 kubernetes 조인 방법을 사용하도록 설계되었지만, 위임된 조인 방법을 사용하도록 사용자 지정할 수 있습니다. 이 차트에서 token 조인 방법을 사용하는 것은 권장하지 않습니다.

최소 구성#

이 기본 구성은 Teleport 자격증명 파일을 배포 네임스페이스에서 <helm-release-name>-out이라는 시크릿에 씁니다. 예를 들어 tbot-out입니다.

clusterName: "test.teleport.sh"
teleportProxyAddress: "test.teleport.sh:443"
token: "my-token"

전체 레퍼런스#

image#

image sets the container image used for tbot pods created by this chart.

You can override this to use your own tbot image rather than a Teleport-published image.

clusterName#

clusterName should be the name of the Teleport cluster that your Bot will join. You can retrieve it by running tctl status.

For example: clusterName: "test.teleport.sh"

teleportProxyAddress#

teleportProxyAddress is the teleport Proxy Service address the bot will connect to. This must contain the port number, usually 443 or 3080 for Proxy Service. Connecting to the Proxy Service is the most common and recommended way to connect to Teleport. This is mandatory to connect to Teleport Enterprise (Cloud)

This setting is mutually exclusive with teleportProxyAddress and is ignored if tbotConfig is set.

For example:

teleportProxyAddress: "test.teleport.sh:443"

teleportAuthAddress#

teleportAuthAddress is the teleport Auth Service address the bot will connect to. This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection should be used when you are deploying the bot in the same Kubernetes cluster than your teleport-cluster Helm release and have direct access to the Auth Service. Else, you should prefer connecting via the Proxy Service.

This setting is mutually exclusive with teleportProxyAddress and is ignored if tbotConfig is set.

For example:

teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"

defaultOutput#

defaultOutput controls the default output configured for the tbot agent. Ignored if tbotConfig is set.

defaultOutput.enabled#

defaultOutput.enabled controls whether the default output is enabled.

argocd#

argocd configures tbot to synchronize Teleport-managed Kubernetes clusters to Argo CD. Ignored if tbotConfig is set.

argocd.enabled#

argocd.enabled controls whether the Argo CD output is enabled.

argocd.clusterSelectors#

argocd.clusterSelectors determines which Kubernetes clusters will be synchronized to Argo CD.

For example:

clusterSelectors:
  - name: my-cluster-1
  - labels:
      environment: production

argocd.secretNamespace#

argocd.secretNamespace determines to which Kubernetes namespace cluster secrets will be written (it must be the namespace in which Argo CD is running). Defaults to the current namespace.

argocd.secretNamePrefix#

argocd.secretNamePrefix overrides the string that cluster secret names will be prefixed with. Defaults to "teleport.argocd-cluster".

argocd.secretLabels#

argocd.secretLabels provides a set of labels that will be applied to cluster secrets. Label values can be Go template strings (rendered by tbot, not Helm) with the following variables:

• {{.ClusterName}} - Name of the Teleport cluster
• {{.KubeName}} - Name of the Kubernetes cluster resource
• {{.Labels}} - Map of labels applied to the Kubernetes cluster resource that can be indexed using \{\{index .Labels "key"\}\}

If the label value is empty, the label will not be added to the secret.

argocd.secretAnnotations#

argocd.secretAnnotations provides a set of annotations that will be applied to cluster secrets. Annotation values can be Go template strings (rendered by tbot, not Helm) with the following variables:

• {{.ClusterName}} - Name of the Teleport cluster
• {{.KubeName}} - Name of the Kubernetes cluster resource
• {{.Labels}} - Map of labels applied to the Kubernetes cluster resource that can be indexed using \{\{index .Labels "key"\}\}

If the annotation value is empty, the annotation will not be added to the secret.

argocd.project#

argocd.project sets the Argo CD project with which the Kubernetes clusters will be associated.

argocd.namespaces#

argocd.namespaces controls which Kubernetes namespaces the Argo CD clusters will be allowed to operate on.

argocd.clusterResources#

argocd.clusterResources determines whether the Argo CD cluster is allowed to operate on cluster-scoped resources (only when argocd.namespaces is non-empty).

argocd.clusterNameTemplate#

argocd.clusterNameTemplate determines the format of cluster names in Argo CD. It is a Go template string (rendered by tbot, not Helm) that supports the following variables:

• {{.ClusterName}} - Name of the Teleport cluster
• {{.KubeName}} - Name of the Kubernetes cluster resource
• {{.Labels}} - Map of labels applied to the Kubernetes cluster resource that can be indexed using \{\{index .Labels "key"\}\}

By default, the following template will be used: "{{.ClusterName}}-{{.KubeName}}".

persistence#

persistence controls how the tbot agent stores its data.

Options:

• "secret": uses a Kubernetes Secret.
• "disabled": does not persist data. May impact ability to track bot deployment across its lifetime.

tbotConfig#

tbotConfig contains YAML teleport configuration to pass to the tbot pods. The configuration will be merged with the chart-generated configuration and will take precedence in case of conflict. Try to prefer to use the more specific configuration values throughout this chart.

outputs#

outputs contains additional outputs to configure for the tbot agent. These should be in the same format as the outputs field in the tbot.yaml. Ignored if tbotConfig is set.

services#

services contains additional services to configure for the tbot agent. These should be in the same format as the services field in the tbot.yaml. Ignored if tbotConfig is set.

joinMethod#

joinMethod describes how tbot joins the Teleport cluster. See the join method reference for a list of supported values and detailed explanations. Ignored if tbotConfig is set.

token#

token is the name of the token used by tbot to join the Teleport cluster. This value is not sensitive unless the joinMethod is set to "token". Defaults to release name. Ignored if tbotConfig is set.

teleportVersionOverride#

teleportVersionOverride controls the tbot image version deployed by the chart.

Normally, the version of tbot matches the version of the chart. If you install chart version 15.0.0, you'll use tbot version 15.0.0. Upgrading tbot is done by upgrading the chart.

anonymousTelemetry#

anonymousTelemetry controls whether anonymous telemetry is enabled.

debug#

debug controls whether the tbot agent runs in debug mode.

serviceAccount#

serviceAccount controls the Kubernetes ServiceAccounts deployed and used by the chart.

serviceAccount.create#

serviceAccount.create controls whether Helm Chart creates the Kubernetes ServiceAccount resources for the agent. When off, you are responsible for creating the appropriate ServiceAccount resources.

serviceAccount.name#

serviceAccount.name sets the name of the ServiceAccount resource used by the chart. By default, the ServiceAccount has the name of the Helm release.

rbac#

rbac controls the Kubernetes Role and RoleBinding creation used by the serviceAccount

rbac.create#

rbac.create controls whether Helm Chart creates the Kubernetes Role & RoleBindings resources for the Kubernetes SA. When off, you are responsible for creating the appropriate resources.

imagePullPolicy#

imagePullPolicy sets the pull policy for any pods created by the chart. See the Kubernetes documentation for more details.

extraLabels#

extraLabels contains additional Kubernetes labels to apply on the resources created by the chart. See the Kubernetes label documentation for more information.

extraLabels.role#

extraLabels.role are labels to set on the Role.

extraLabels.roleBinding#

extraLabels.roleBinding are labels to set on the RoleBinding.

extraLabels.config#

extraLabels.config are labels to set on the ConfigMap.

extraLabels.deployment#

extraLabels.deployment are labels to set on the Deployment or StatefulSet.

extraLabels.pod#

extraLabels.pod are labels to set on the Pods created by the Deployment or StatefulSet.

extraLabels.serviceAccount#

extraLabels.serviceAccount are labels to set on the ServiceAccount.

annotations#

annotations contains annotations to apply to the different Kubernetes objects created by the chart. See the Kubernetes annotation documentation for more details.

annotations.role#

annotations.role are annotations to set on the Role.

annotations.roleBinding#

annotations.roleBinding are annotations to set on the RoleBinding.

annotations.config#

annotations.config contains the Kubernetes annotations put on the ConfigMap resource created by the chart.

annotations.deployment#

annotations.deployment contains the Kubernetes annotations put on the Deployment or StatefulSet resource created by the chart.

annotations.pod#

annotations.pod contains the Kubernetes annotations put on the Pod resources created by the chart.

annotations.serviceAccount#

annotations.serviceAccount contains the Kubernetes annotations put on the ServiceAccount resource created by the chart.

resources#

resources sets the resource requests/limits for any pods created by the chart. See the Kubernetes documentation for more details.

affinity#

affinity sets the affinities for any pods created by the chart. See the Kubernetes documentation for more details.

tolerations#

tolerations sets the tolerations for any pods created by the chart. See the Kubernetes documentation for more details.

nodeSelector#

nodeSelector sets the node selector for any pods created by the chart. See the Kubernetes documentation for more details.

imagePullSecrets#

imagePullSecrets sets the image pull secrets for any pods created by the chart. See the Kubernetes documentation for more details.

extraVolumes#

extraVolumes contains extra volumes to mount into the Teleport pods. See the Kubernetes volume documentation for more details.

For example:

extraVolumes:
- name: myvolume
  secret:
    secretName: testSecret

extraVolumeMounts#

extraVolumeMounts contains extra volumes mounts for the main Teleport container. See the Kubernetes volume documentation for more details.

For example:

extraVolumesMounts:
- name: myvolume
  mountPath: /path/on/host

extraArgs#

extraArgs contains extra arguments to pass to tbot start for the main tbot pod

extraEnv#

extraEnv contains extra environment variables to set in the main tbot pod.

For example:

extraEnv:
  - name: HTTPS_PROXY
    value: "http://username:password@my.proxy.host:3128"

securityContext#

securityContext sets the container security context for any pods created by the chart. See the Kubernetes documentation for more details.

By default, this is unset.

podSecurityContext#

podSecurityContext sets the pod security context for any pods created by the chart. See the Kubernetes documentation for more details.

By default, this is unset.