teleport-kube-agent Helm 차트는 원격 Kubernetes 클러스터에서 실행하여 인프라의 리소스에 대한 액세스를 제공하는 Teleport Agent를 구성하는 데 사용됩니다.

GitHub에서 소스를 탐색할 수 있습니다.

이 레퍼런스는 teleport-kube-agent 차트에서 사용 가능한 값들을 자세히 설명합니다.

차트가 배포하는 것#

Teleport 서비스#

teleport-kube-agent 차트는 세 가지 Teleport 서비스 중 하나 또는 모두를 실행할 수 있습니다:

Kubernetes 리소스#

teleport-kube-agent 차트는 다음 Kubernetes 리소스를 배포합니다:

roles#

roles is a comma-separated list of services which will be enabled when running the teleport-kube-agent chart.

For example:

roles: kube,app,discovery

proxyAddr#

proxyAddr provides the public-facing Teleport Proxy Service endpoint which should be used to join the cluster. This is the same URL used to access the web UI of your Teleport cluster. The port used is usually either 3080 or 443.

Here are a few examples:

relayAddr#

relayAddr defines the optional address of the Teleport Relay Service tunnel endpoint that this agent should use.

If set, the agent will open reverse tunnels to the specified Relay in addition to the tunnels to the control plane, for the protocols supported by the Relay.

relayAddr is available starting from Teleport v18.5.0, taking effect for the Kubernetes service.

enterprise#

enterprise controls if the teleport-kube-agent chart should deploy the OSS version or the enterprise version of the container image. This must be set to true when connecting to Teleport Cloud or self-hosted Teleport Enterprise clusters to allow the agent to leverage enterprise features.

authToken#

authToken provides a Teleport join token which will be used to join the Teleport instance to a Teleport cluster. authToken only supports the token join method.

For other methods such as kubernetes, iam or gcp, the value joinParams should be used as it supports more methods to join the Teleport cluster. joinParams takes precedence if both authToken and joinParams are set.

A token must be specified for the agent to join the Teleport cluster, either via authToken, joinParams, or an existing Kubernetes Secret.

The token used must at least grant the required system roles. For example, if the chart roles is kube,app, the token should allow the system roles App and Kube.

joinParams#

joinParams controls how the Teleport Agent joins the Teleport cluster. These sub-values must be configured for the agent to connect to a cluster.

This value serves the same purpose as authToken but supports all join methods. When set, it takes precedence over authToken. Its usage should be preferred.

joinParams.method#

joinParams.method controls which join method will be used by the instance to join the Teleport cluster.

See the join method reference for the list of possible values, the implications of each join method, and guides to set up each method.

Common join-methods for the teleport-kube-agent are:

• token: the most basic one, with regular ephemeral secret tokens
• kubernetes: either the in-cluster variant (if the agent runs in the same Kubernetes cluster as the teleport-cluster chart) or the JWKS/OIDC variants (work in every Kubernetes cluster, regardless of the Teleport Auth Service location).

joinParams.tokenName#

joinParams.tokenName controls which token is used by the agent to join the Teleport cluster.

When joinParams.method is a delegated join method, the value is not sensitive.

When joinParams.method is token (by default), joinParams.tokenName contains the secret token itself. In this case, the value is sensitive and is automatically stored in a Kubernetes Secret instead of being directly included in the agent's configuration.

If method is token, joinParams.tokenName can be empty if the token is provided through an existing Kubernetes Secret, see joinTokenSecret for more details and instructions.

If method is kubernetes, you must set teleportClusterName.

teleportClusterName#

teleportClusterName is the name of the joined Teleport cluster. Setting this value is required when joining via the Kubernetes JWKS or OIDC join method.

When this value is set, the chart mounts a kubernetes service account token via a projected volume and configures Teleport to use it for joining.

kubeClusterName#

kubeClusterName sets the name used for the Kubernetes cluster proxied by the Teleport Agent. This name will be shown to Teleport users connecting to the cluster.

This setting is required if the chart roles contains kube.

apps#

apps is a static list of applications that should be proxied by the agent. See the Teleport Application access documentation for more details.

Proxied applications can be defined statically (through this value) or dynamically (through the appResources value). One of apps and appResources is required if the chart roles contains app.

You can specify multiple apps by adding elements to the list. For example:

apps:
  - name: grafana
    uri: http://localhost:3000
    labels:
      purpose: monitoring
  - name: jenkins
    uri: http://jenkins:8080
    labels:
      purpose: ci

appResources#

appResources is a set of labels the agent will monitor. Any application matching those labels will be proxied by the agent. See the Teleport Application access documentation for more details.

Proxied applications can be defined statically (through apps) or dynamically (through this value). One of apps and appResources is required if the chart roles contains app.

You can specify multiple selectors by including additional list elements. For example:

appResources:
  - labels:
      "env": "prod"
  - labels:
      "env": "test"

clusterDomain#

clusterDomain sets the domain name used by the Kubernetes cluster. This value is used to build the FQDN application URIs. For example, if the cluster domain is anything.local, the agent will proxy the application myapp running in the default namespace at http://myapp.default.svc.anything.local. You must manually set this value to match your cluster domain if it is different from the default value cluster.local.

awsDatabases#

awsDatabases configures AWS database auto-discovery.

You can specify multiple database filters by adding elements to the list.

• types is a list containing the types of AWS databases that should be discovered.
• regions is a list of AWS regions which should be scanned for databases.
• tags can be used to set AWS tags that must be matched for databases to be discovered.

For example:

roles: db
awsDatabases:
  - types: ["rds"]
    regions: ["us-east-1", "us-west-2"]
    tags:
      "environment": "production"
  - types: ["rds"]
    regions: ["us-east-1"]
    tags:
      "environment": "dev"
  - types: ["rds"]
    regions: ["eu-west-1"]
    tags:
      "*": "*"
annotations:
  serviceAccount:
    eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role

azureDatabases#

azureDatabases configures Azure database auto-discovery.

You can specify multiple database filters by adding elements to the list.

Required fields for each filter:

• types is a list containing the types of Azure databases that should be discovered.
• tags can be used to set Azure resource tags that must be matched for databases to be discovered.

Optional fields for each filter:

• regions is a list of Azure regions which should be scanned for databases.
• subscriptions can be used to discover databases within matching Azure subscriptions.
• resource_groups can be used to discover databases within matching Azure resource groups.

The default for each of these optional settings is *, which will auto-discover in all subscriptions, regions, or resource groups accessible by the Teleport service principal in Azure.

For example:

roles: db
azureDatabases:
  - types: ["mysql", "postgres"]
    tags:
      "*": "*"
  - types: ["mysql"]
    tags:
      "env": ["dev", "staging"]
      "origin": "alice"
    regions: ["eastus", "centralus"]
    subscriptions: ["subID1", "subID2"]
    resource_groups: ["group1", "group2"]
extraEnv:
  - name: AZURE_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
      name: teleport-azure-client-secret
      key: client_secret
      optional: false
  - name: AZURE_TENANT_ID
    value: "11111111-2222-3333-4444-555555555555"
  - name: AZURE_CLIENT_ID
    value: "11111111-2222-3333-4444-555555555555"

databases#

databases is a static list of databases that should be proxied by the agent. See the Teleport Database access documentation for more details.

Proxied applications can be defined statically (through this value) or dynamically (through the databaseResources value).

You can specify multiple databases by adding additional list elements.

values.yaml example:

databases:
  - name: aurora-postgres
    uri: postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432
    protocol: postgres
    aws:
      region: us-east-1
    static_labels:
      env: staging
  - name: mysql
    uri: mysql-instance-1.xxx.us-east-1.rds.amazonaws.com:3306
    protocol: mysql
    aws:
      region: us-east-1
    static_labels:
      env: staging

databaseResources#

databaseResources is a set of labels the agent will monitor. Any database matching those labels will be proxied by the agent. See the Teleport Database access documentation for more details.

Proxied databases can be defined statically (through databases) or dynamically (through this value).

You can specify multiple selectors by including additional list elements. For example:

databaseResources:
  - labels:
      "env": "prod"
      "engine": "postgres"
  - labels:
      "env": "test"
      "engine": "mysql"

kubernetesDiscovery#

kubernetesDiscovery controls the Discovery Service configuration if it's enabled.

The Discovery Service is enabled when the agent roles contains "discovery". The Discovery service automatically detects Kubernetes Services and configures the agent to provide access to them. See the Kubernetes App Discovery documentation for more details.

The default value will try to discover all apps running in Kubernetes. The discovery can be restricted through this value. For example:

kubernetesDiscovery:
- types: ["app"]
  namespaces: [ "toronto", "porto" ]
  labels:
    env: staging
- types: ["app"]
  namespaces: [ "seattle", "oakland" ]
  labels:
    env: testing

jamfApiEndpoint#

jamfApiEndpoint sets the Jamf Pro API endpoint used for Jamf service. Example: "https://yourtenant.jamfcloud.com/api".

This setting is required if the chart roles contains jamf.

jamfClientId#

jamfClientId sets the Jamf Pro API Client ID used for Jamf service.

This setting is required if the chart roles contains jamf.

jamfClientSecret#

jamfClientSecret sets the Jamf Pro API client secret used for Jamf service.

This setting is required if the chart roles contains jamf and jamfCredentialsSecret.create is set to true. If you provide your own Kubernetes Secret, this setting can remain unset.

jamfCredentialsSecret#

jamfCredentialsSecret manages the Kubernetes Secret containing the Jamf API credentials (either Jamf client secret or password).

jamfCredentialsSecret.create#

jamfCredentialsSecret.create controls whether the chart creates the Kubernetes Secret containing the Jamf Pro API Client Secret. If false, you must create a Kubernetes Secret with the configured name in the Helm release namespace.

jamfCredentialsSecret.name#

jamfCredentialsSecret.name is the name of the Kubernetes Secret containing the Jamf Pro API Client Secret used by the chart.

If jamfCredentialsSecret.create is false, the chart will not attempt to create the secret itself. Instead, it will read the value from an existing Kubernetes Secret. jamfCredentialsSecret.name configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext Jamf Pro API Client Secret stored in your Teleport chart values.

To create your own Kubernetes Secret containing Jamf Pro API Client Secret, run the command:

$ kubectl --namespace teleport create secret generic my-jamf-secret --from-literal=credential=<replace-with-actual-secret>

For example:

jamfCredentialsSecret:
  create: false
  name: my-jamf-secret

teleportVersionOverride#

teleportVersionOverride controls the Teleport Kubernetes Operator image version deployed by the chart.

Normally, the version of the Teleport Kubernetes Operator matches the version of the chart. If you install chart version 15.0.0, you'll use Teleport version 15.0.0. Upgrading the agent is done by upgrading the chart.

caPin#

caPin is a list of CA pins the agent must validate when joining the Teleport cluster to ensure it is connecting to the correct Auth Service.

This is only used when joining the Auth Service directly. When joining through a Proxy Service, authenticity is guaranteed by the x509 certificate used for the TLS connection.

Each list element can be the pin itself (recommended), or a path to a file containing the pin. For the latter, it is your responsibility to mount the file, using extraVolumes.

insecureSkipProxyTLSVerify#

insecureSkipProxyTLSVerify disables TLS verification of the TLS certificate presented by the Proxy Service.

This can be used for joining a Teleport instance to a Teleport cluster which does not have valid TLS certificates for testing.

teleportConfig#

teleportConfig contains YAML teleport configuration to pass to the Teleport pods. The configuration will be merged with the chart-generated configuration and will take precedence in case of conflict.

See the Teleport Configuration Reference for the list of supported fields.

teleportConfig:
  app_service:
    debug_app: true
  discovery_service:
    enabled: true
    azure:
    - types: ["aks"]
      tags:
        "*":"*"

terminationGracePeriodSeconds#

terminationGracePeriodSeconds is the time the pod has to do a graceful shutdown. If teleport has not existed after this delay, the process gets killed. Teleport will wait until every connection backed by the agent is over before exiting. If you want to reduce the disruption of rolling out agents at the price of a slower rollout, you can increase this value to an hour.

See the Kubernetes Pod Lifecycle docs for more details.

tls#

tls contains settings for mounting your own TLS material in the agent pod. The agent does not expose a TLS server, so this is only used to trust CAs.

tls.existingCASecretName#

tls.existingCASecretName sets the SSL_CERT_FILE environment variable to load a trusted CA or bundle in PEM format into Teleport pods. The injected CA will be used to validate TLS communications, with the Proxy Service, with upstream applications or databases.

You must create a secret containing the CA certs in the same namespace as Teleport using a command like:

$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem

tls.existingCASecretKeyName#

tls.existingCASecretKeyName determines which key in the CA secret will be used as a trusted CA bundle file.

updater#

updater controls whether the Kube Agent Updater should be deployed alongside the teleport-kube-agent. The updater fetches the target version, validates the image signature, and updates the teleport deployment.

The updater can fetch the update information using two protocols:

• the webapi update protocol (in this case the Teleport Proxy Service is the one driving the version rollout)
• the version server protocol (this is an HTTP server serving static files specifying the version and if the update is critical).

The webapi protocol takes precedence over the version server one if the Teleport Proxy Service supports it. The version server protocol failover can be disabled by unsetting updater.versionServer. The webapi protocol can be disabled by setting updater.proxyAddr to "". For backward compatibility reasons, the webapi protocol is not enabled if a custom updater.versionServer is set.

All Kubernetes-specific fields such as tolerations, affinity, nodeSelector, ... default to the agent values. However, they can be overridden from the updater object. For example:

# the agent pod requests 1cpu and 2 GiB of memory. It also has a memory limit.
resources:
  requests:
    cpu: "1"
    memory: "2Gi"
  limits:
    memory: "2Gi"

# the updater pod requests 0.5 cpu and 512MiB of memory. The memory limit has also been unset.
updater:
  resources:
    requests:
      cpu: "0.5"
      memory: "512Mi"
    limits: ~

Other updater-specific values that can be defined in updater are described below.

updater.enabled#

updater.enabled Enables the Kube Agent Updater and deploys it alongside the Teleport Agent. You can enable this when:

• using Teleport Cloud and your tenant is enrolled into automatic updates. (You can check this through the web UI, choose Add Kubernetes and Enroll New Resource of type Kubernetes, and check if the value is turned on.)
• using self-hosted Teleport and you maintain your own version server.

You must not enable this when:

• you are a Teleport Cloud customer not enrolled in automatic updates.
• you are a self-hosted Teleport user and have not set up your Teleport cluster to support automatic updates.

updater.versionServer#

updater.versionServer is the URL of the version server the agent fetches the target version from. The complete version endpoint is built by concatenating versionServer and releaseChannel . This field supports gotemplate.

Setting this field makes the updater fetch the version using the version server protocol. Setting this field to a custom value disables the webapi update protocol to ensure backward compatibility.

updater.releaseChannel#

updater.releaseChannel is the release channel the updater subscribes to.

The complete version endpoint is built by concatenating versionServer and releaseChannel. You must not change the default value if you are a Teleport Cloud user unless instructed by Teleport support.

This value is used when the updater is fetching the version using the version server protocol. It is also used as a failover when fetching the version using the webapi protocol if updater.group is unset.

updater.group#

updater.group is the update group used when fetching the version using the webapi protocol. When unset, the group defaults to default.

updater.image#

updater.image sets the container image used for Teleport updater pods run when updater.enabled is true.

You can override this to use your own Teleport Kube Agent Updater image rather than a Teleport-published image.

updater.serviceAccount#

updater.serviceAccount.name#

updater.serviceAccount.name is the updater Kubernetes Service Account name. When unset, it defaults to <kube agent sa name>-updater

updater.pullCredentials#

updater.pullCredentials configures how the updater attempts to get the image pull credentials used to validate the image signature.

This is not required when pulling images from official public Teleport registries (chart's default).

Supported values are amazon, google, docker and none.

updater.extraArgs#

updater.extraArgs contains additional arguments to pass to the updater binary.

updater.extraVolumes#

updater.extraVolumes contains extra volumes to mount into the Updater pods. See the Kubernetes volume documentation for more details.

For example:

updater:
  extraVolumes:
  - name: myvolume
    secret:
      secretName: testSecret

updater.extraVolumeMounts#

updater.extraVolumeMounts contains extra volumes mounts for the updater. See the Kubernetes volume documentation for more details.

For example:

updater:
  extraVolumesMounts:
  - name: myvolume
    mountPath: /path/on/host

existingDataVolume#

existingDataVolume is the name of an existing Kubernetes Persistent Volume that should be mounted at /var/lib/teleport.

This is only useful if you had a previous agent running with persistence enabled and want for a new agent to reuse the volume.

podSecurityPolicy#

podSecurityPolicy.enabled#

podSecurityPolicy.enabled controls if the chart should deploy a Kubernetes PodSecurityPolicy.

By default, Teleport charts used to install a podSecurityPolicy.

PodSecurityPolicy resources (PSP) have been removed in Kubernetes 1.25 and replaced since 1.23 by PodSecurityAdmission (PSA). If you are running on Kubernetes 1.23 or later, it is recommended to disable PSPs and use PSAs. The steps are documented in the PSP removal guide.

This value will be removed in a future chart version.

labels#

labels is the map of key-value pairs that will be applied on the Teleport resource representing the Kubernetes cluster. These labels can then be used with Teleport's RBAC policies to define access rules for the cluster. This is only used when the roles contains kube.

For example:

labels:
  environment: production
  region: us-east

highAvailability#

highAvailability contains settings controlling the availability of the Teleport Agent deployed by the chart.

The availability can be increased by:

• running more replicas with replicaCount
• requiring that the Pods are not scheduled on the same Kubernetes Node with requireAntiAffinity
• by asking Kubernetes not to delete all pods at the same time with podDisruptionBudget.

Even with highAvailability settings Restarting/rolling-out pods can still cause disruption for established long-lived sessions, like kubectl exec or database shells.

highAvailability.replicaCount#

highAvailability.replicaCount is the number of agent replicas deployed by the Chart.

Set to a number higher than 1 for a high availability mode where multiple Teleport pods will be deployed.

When adding new replicas to an existing agent, you must ensure the provided token (via authToken, joinParams, or joinTokenSecret) is still valid. Each replica has its own identity and needs to join the Teleport cluster on its first startup.

highAvailability.requireAntiAffinity#

highAvailability.requireAntiAffinity configures Kubernetes requiredDuringSchedulingIgnoredDuringExecution to require that multiple Teleport pods must not be scheduled on the same physical host.

Setting highAvailability.requireAntiAffinity to false (the default) uses preferredDuringSchedulingIgnoredDuringExecution to make node anti-affinity a soft requirement.

highAvailability.podDisruptionBudget#

highAvailability.podDisruptionBudget controls how the chart creates and configures a Kubernetes PodDisruptionBudget to ensure Kubernetes does not delete all agent replicas at the same time.

highAvailability.podDisruptionBudget.enabled#

highAvailability.podDisruptionBudget.enabled makes the chart create a Kubernetes PodDisruptionBudget for the agent pods.

highAvailability.podDisruptionBudget.minAvailable#

highAvailability.podDisruptionBudget.minAvailable is the minimum available pod specified on the PodDisruptionBudget.

podMonitor#

podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1) This CRD is managed by the prometheus-operator and allows workload to get monitored. To use this value, you need to run a prometheus-operator in the cluster for this value to take effect. See https://prometheus-operator.dev/docs/getting-started/introduction/

podMonitor.enabled#

podMonitor.enabled controls if the chart deploys a PodMonitor. This is disabled by default as it requires the PodMonitor CRD to be installed.

podMonitor.additionalLabels#

podMonitor.additionalLabels adds labels on the PodMonitor. This is used to be selected by a specific prometheus instance.

For example:

podMonitor:
  additionalLabels:
    prometheus: default

podMonitor.interval#

podMonitor.interval is the interval between two metrics scrapes.

storage#

storage controls how the agent stores data in a Kubernetes Persistent Volume.

Since Teleport 12, the agent does not need PV storage to keep its identity across restarts: it stores it in a Kubernetes Secret. This means the teleport-kubernetes-agent can use one-time and short-lived join tokens, it will retain its identity and secrets even after a restart.

The main benefit of enabling storage is to persist not-yet-uploaded session recordings after Pod termination, when the Teleport session recording mode is not synchronous.

storage.enabled#

storage.enabled enables the creation of a Kubernetes persistent volume to hold Teleport instance state.

storage.storageClassName#

storage.storageClassName controls which Kubernetes StorageClass the chart uses when creating Persistent Volume Claims. A StorageClass with the provided name must exist on the Kubernetes cluster.

storage.requests#

storage.requests is the size of the persistent volume to create.

adminClusterRoleBinding#

adminClusterRoleBinding optionally creates a cluster admin role binding. This is useful for granting cluster admin permissions to a Kubernetes Group other than the default system:masters group.

GKE Autopilot clusters forbid using the system:masters group for impersonation and require a custom group to be used instead.

adminClusterRoleBinding.create#

adminClusterRoleBinding.create controls if the chart should create an additional admin cluster role binding.

adminClusterRoleBinding.name#

adminClusterRoleBinding.name is the name of the created admin cluster role binding.

image#

image sets the container image used for Teleport Community Edition Agent pods created by the chart.

You can override this to use your own Teleport image rather than a Teleport-published image.

By default, the image contains only the Teleport application and its runtime dependencies, and does not contain a shell. This setting only takes effect when enterprise is false. When running an enterprise version, you must use enterpriseImage instead.

enterpriseImage#

enterpriseImage sets the container image used for Teleport Enterprise agent pods created by the chart.

You can override this to use your own Teleport image rather than a Teleport-published image.

By default, the image contains only the Teleport application and its runtime dependencies, and does not contain a shell. This setting only takes effect when enterprise is true. When running an OSS version, you must use image instead.

imagePullSecrets#

imagePullSecrets is a list of secrets containing authorization tokens which can be optionally used to access a private Docker registry.

See the Kubernetes reference for more details.

clusterRoleName#

clusterRoleName can be optionally used to override the name of the Kubernetes ClusterRole used by the agent's ServiceAccount.

clusterRoleBindingName#

clusterRoleBindingName can be optionally used to override the name of the Kubernetes ClusterRoleBinding used by the agent's ServiceAccount.

roleName#

roleName provides a custom name for the Role resource that the teleport-kube-agent chart creates for the Teleport pod. By default, the Role has the name of the Helm release.

You should set this value if there is a Role resource in the namespace of your teleport-kube-agent resources with the same name as your teleport-kube-agent release.

roleBindingName#

roleBindingName provides a custom name for the RoleBinding resource that the teleport-kube-agent chart creates for the Teleport pod. By default, the RoleBinding has the name of the Helm release.

You should set this value if there is a RoleBinding resource in the namespace of your teleport-kube-agent resources with the same name as your teleport-kube-agent release.

serviceAccountName#

serviceAccountName is deprecated and will be removed in a future version. Use serviceAccount.name instead.

serviceAccount#

serviceAccount controls the Kubernetes ServiceAccounts deployed and used by the chart.

serviceAccount.create#

serviceAccount.create controls whether Helm Chart creates the Kubernetes ServiceAccount resources for the agent and optionally for the updater. When off, you are responsible for creating the appropriate ServiceAccount resources.

serviceAccount.name#

serviceAccount.name sets the name of the ServiceAccount resource used by the chart. By default, the ServiceAccount has the name of the Helm release.

rbac#

rbac.create#

rbac.create controls if the chart should create RBAC Kubernetes resources.

• When true, the chart creates both ClusterRole and ClusterRoleBinding resources for the agent, and Role/RoleBinding for the updater if enabled.
• When false, the chart does not create the Role and RoleBinding resources. The user is responsible for deploying and maintaining them separately.

This value can be set to false when deploying in constrained environments where the user deploying the operator is not allowed to edit RBAC resources.

joinTokenSecret#

joinTokenSecret manages the join token secret creation and its name. See the joinParams section for more details.

joinTokenSecret.create#

joinTokenSecret.create controls whether the chart creates the Kubernetes Secret containing the Teleport join token. If false, you must create a Kubernetes Secret with the configured name in the Helm release namespace.

joinTokenSecret.name#

joinTokenSecret.name is the name of the Kubernetes Secret containing the Teleport join token used by the chart.

If joinTokenSecret.create is false, the chart will not attempt to create the secret itself. Instead, it will read the value from an existing secret. joinTokenSecret.name configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext join token stored in your Teleport chart values.

To create your own join token secret, you can use a command like this:

$ kubectl --namespace teleport create secret generic my-token-secret --from-literal=auth-token=<replace-with-actual-token>

For example:

joinTokenSecret:
  create: false
  name: my-token-secret

joinParams:
  method: "token"
  tokenName: ""

log#

log controls the agent logging.

log.level#

log.level is the log level for the Teleport process. Available log levels are: DEBUG, INFO, WARNING, ERROR.

The default is INFO, which is recommended in production. DEBUG is useful during first-time setup or to see more detailed logs for debugging.

log.output#

log.output sets the output destination for the Teleport process. This can be set to any of the built-in values: stdout, stderr or syslog to use that destination.

The value can also be set to a file path (such as /var/log/teleport.log) to write logs to a file. Bear in mind that a few service startup messages will still go to stderr for resilience.

log.format#

log.format sets the log output format for the Teleport process. Possible values are text (default) or json.

log.extraFields#

log.extraFields sets the fields used in logging for the Teleport process.

See the Teleport config file reference for more details on possible values for extra_fields.

affinity#

affinity sets the affinities for any pods created by the chart. See the Kubernetes documentation for more details.

disableTopologySpreadConstraints#

disableTopologySpreadConstraints turns off the topology spread constraints. The feature is automatically turned off on Kubernetes versions below 1.18.

topologySpreadConstraints#

topologySpreadConstraints sets the topology spread constraints for any pods created by the chart. See the Kubernetes documentation for more details.

When unset, the chart defaults to a soft topology spread constraint that tries to spread pods across hosts and zones.

topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: ScheduleAnyway
    labelSelector:
      matchLabels: # dynamically computed
  - maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: ScheduleAnyway
    labelSelector:
      matchLabels: # dynamically computed

dnsConfig#

dnsConfig contains custom Pod DNS Configuration for the agent pods. This value is useful if you need to reduce the DNS load: set "ndots" to 0 and only use FQDNs to refer to applications and databases.

See the Kubernetes pod DNS documentation for more information.

For example:

 nameservers:
   - 1.2.3.4
 searches:
   - ns1.svc.cluster-domain.example
   - my.dns.search.suffix
 options:
   - name: ndots
     value: "2"

dnsPolicy#

dnsPolicy sets the Pod's DNS Policy

See the Kubernetes pod DNS documentation for more information.

nodeSelector#

nodeSelector sets the node selector for any pods created by the chart. See the Kubernetes documentation for more details.

extraLabels#

extraLabels contains additional Kubernetes labels to apply on the resources created by the chart. See the Kubernetes label documentation for more information.

extraLabels.clusterRole#

extraLabels.clusterRole are labels to set on the ClusterRole.

extraLabels.clusterRoleBinding#

extraLabels.clusterRoleBinding are labels to set on the ClusterRoleBinding.

extraLabels.role#

extraLabels.role are labels to set on the Role.

extraLabels.roleBinding#

extraLabels.roleBinding are labels to set on the RoleBinding.

extraLabels.config#

extraLabels.config are labels to set on the ConfigMap.

extraLabels.deployment#

extraLabels.deployment are labels to set on the Deployment or StatefulSet.

extraLabels.job#

extraLabels.job are labels to set on the post-delete Job created by the chart.

extraLabels.pod#

extraLabels.pod are labels to set on the Pods created by the Deployment, StatefulSet, or Job.

extraLabels.podDisruptionBudget#

extraLabels.podDisruptionBudget are labels to set on the podDisruptionBudget.

extraLabels.podSecurityPolicy#

extraLabels.podSecurityPolicy are labels to set on the podSecurityPolicy.

extraLabels.secret#

extraLabels.secret are labels to set on the Secret.

extraLabels.serviceAccount#

extraLabels.serviceAccount are labels to set on the ServiceAccount.

annotations#

annotations contains annotations to apply to the different Kubernetes objects created by the chart. See the Kubernetes annotation documentation for more details.

annotations.config#

annotations.config contains the Kubernetes annotations put on the ConfigMap resource created by the chart.

annotations.deployment#

annotations.deployment contains the Kubernetes annotations put on the Deployment or StatefulSet resource created by the chart.

annotations.pod#

annotations.pod contains the Kubernetes annotations put on the Pod resources created by the chart.

annotations.secret#

annotations.secret contains the Kubernetes annotations put on the Secret resource created by the chart. This has no effect when joinTokenSecret.create is false.

annotations.serviceAccount#

annotations.serviceAccount contains the Kubernetes annotations put on the ServiceAccount resource created by the chart.

extraArgs#

extraArgs contains extra arguments to pass to teleport start for the main Teleport pod

extraEnv#

extraEnv contains extra environment variables to set in the main Teleport pod.

For example:

extraEnv:
  - name: HTTPS_PROXY
    value: "http://username:password@my.proxy.host:3128"

extraContainers#

extraContainers contains extra containers to add in the main Teleport pod.

For example:

extraContainers:
- name: debug-sidecar
  command:
    - busybox
    - sh
    - -c
    - "echo waiting && sleep infinity"
  image: busybox:latest
  imagePullPolicy: IfNotPresent
  securityContext:
    privileged: true
    runAsNonRoot: false

extraVolumes#

extraVolumes contains extra volumes to mount into the Teleport pods. See the Kubernetes volume documentation for more details.

For example:

extraVolumes:
- name: myvolume
  secret:
    secretName: testSecret

extraVolumeMounts#

extraVolumeMounts contains extra volumes mounts for the main Teleport container. See the Kubernetes volume documentation for more details.

For example:

extraVolumesMounts:
- name: myvolume
  mountPath: /path/on/host

hostAliases#

hostAliases sets Host aliases in the Teleport Pod. See the Kubernetes hosts file documentation for more details.

For example:

hostAliases:
  - ip: "127.0.0.1"
    hostnames:
      - "foo.local"
      - "bar.local"
  - ip: "10.1.2.3"
    hostnames:
      - "foo.remote"
      - "bar.remote"

imagePullPolicy#

imagePullPolicy sets the pull policy for any pods created by the chart. See the Kubernetes documentation for more details.

initContainers#

initContainers sets the Teleport Pod's init-containers. See the Kubernetes init-container documentation for more details.

For example:

initContainers:
- name: "teleport-init"
  image: "alpine"
  args: ["echo test"]

resources#

resources sets the resource requests/limits for any pods created by the chart. See the Kubernetes documentation for more details.

goMemLimitRatio#

goMemLimitRatio configures the GOMEMLIMIT env var set by the chart. GOMEMLIMIT instructs the go garbage collector to try to keep allocated memory below a given threshold. This is a best-effort attempt, but this helps to prevent OOMs in case of bursts.

When the memory limits are set and goMemLimitRatio is non-zero, the chart sets the GOMEMLIMIT to resources.memory.limits * goMemLimitRatio. The value must be between 0 and 1. Set to 0 to unset GOMEMLIMIT. This has no effect if GOMEMLIMIT is already set through extraEnv.

initSecurityContext#

initSecurityContext sets the init container security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value is compatible with the restricted PSS.

To unset the security context, set it to null or ~.

securityContext#

securityContext sets the container security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value is compatible with the restricted PSS.

To unset the security context, set it to null or ~.

podSecurityContext#

podSecurityContext sets the pod security context for any pods created by the chart. See the Kubernetes documentation for more details.

To unset the security context, set it to null or ~.

priorityClassName#

priorityClassName sets the priority class used by any pods created by the chart. The user is responsible for creating the PriorityClass resource before deploying the chart. See the Kubernetes documentation for more details.

tolerations#

tolerations sets the tolerations for any pods created by the chart. See the Kubernetes documentation for more details.

probeTimeoutSeconds#

probeTimeoutSeconds sets the timeout for the readiness and liveness probes https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/