InfoGrab Docs

teleport-operator chart reference

Summary

The teleport-operator Helm chart deploys the Teleport Kubernetes Operator. You can browse the source on GitHub. The teleport-operator chart was introduced in Teleport 15.

The teleport-operator Helm chart deploys the Teleport Kubernetes Operator. When deployed through the chart, the operator can join a Teleport cluster running in Kubernetes or a remote cluster (such as Teleport Cloud). For more details, see the Kubernetes Operator guide for remote Teleport clusters.

You can browse the source on GitHub.

Version requirements

The teleport-operator chart was introduced in Teleport 15. Earlier versions do not support running the operator separately from the teleport-cluster chart.

The teleport-operator chart requires Kubernetes 1.20+ with projected volume support.

Version compatibility

The chart is versioned together with the Teleport Kubernetes Operator. Compatibility is not guaranteed when the operator and chart versions differ. We strongly recommend always matching the chart and operator versions using the --version Helm flag.

enabled

Type: bool | Default: true

enabled controls if the operator should be enabled and deployed.

  • When true, the chart creates both the CustomResourceDefinition and operator Deployment Kubernetes resources.
  • When false, the chart creates the CustomResourceDefinition resources without the operator Deployment.

installCRDs

Type: string | Default: "dynamic"

installCRDs controls if the chart should install the CRDs. There are 3 possible values: dynamic, always, never.

  • "dynamic" means the CRDs are installed if the operator is enabled or if the CRDs are already present in the cluster. The presence check prevents all CRDs from being removed when you temporarily disable the operator. Removing CRDs triggers a cascading deletion, which removes the CRs and all the related resources in Teleport.
  • "always" means the CRDs are always installed.
  • "never" means the CRDs are never installed.

teleportAddress

Type: string | Default: ""

teleportAddress is the address of the Teleport cluster whose resources are managed by the operator. The address must contain both the domain name and the port of the Teleport cluster. It can be either the address of the Auth Service or the Proxy Service.

For example:

  • joining a Proxy: teleport.example.com:443 or teleport.example.com:3080
  • joining an Auth: teleport-auth.example.com:3025
  • joining a Cloud-hosted Teleport: example.teleport.sh:443

caPins

Type: list[string] | Default: []

caPins is a list of Teleport CA fingerprints that the operator uses to validate the identity of the Teleport Auth Service. It is only used when joining an Auth Service directly (on port 3025) and is ignored when joining through a Proxy (port 443 or 3080).

joinMethod

Type: string | Default: "kubernetes"

joinMethod describes how the Teleport Kubernetes Operator joins the Teleport cluster. The operator does not store its Teleport-issued identity, so it must be able to join the cluster again on each pod restart. To achieve this, it needs to use a delegated join method; kubernetes is the most common one.

teleportClusterName

Type: string | Default: ""

teleportClusterName is the name of the joined Teleport cluster. Setting this value is required when joining via the Kubernetes JWKS join method.

token

Type: string | Default: ""

token is the name of the token used by the operator to join the Teleport cluster.
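The join settings above (teleportAddress, caPins, joinMethod, teleportClusterName, token) and the installCRDs modes interact in ways that are easy to get wrong in a values file. The following pre-flight check is an added example written for this page, not code from the teleport-operator chart: it encodes the rules stated in this reference (installCRDs semantics, host:port address, caPins only applying on a direct Auth join on port 3025, teleportClusterName being required for the Kubernetes JWKS join, a token name being needed to re-join on every restart) as a function over a plain values dictionary. The sample values and the function names are constructed for illustration.

```python
"""Pre-flight consistency checks for teleport-operator chart values.

Added example, not part of the chart. It mirrors the rules stated in the
chart reference; the sample values below are constructed, not real.
"""
from typing import List, Tuple
from urllib.parse import urlsplit

AUTH_PORT = 3025            # direct Auth Service join; caPins apply
PROXY_PORTS = {443, 3080}   # Proxy join; caPins are ignored
INSTALL_CRDS_MODES = {"dynamic", "always", "never"}


def crds_installed(install_crds: str, enabled: bool, crds_present: bool) -> bool:
    """Mirror the installCRDs decision described in the chart reference."""
    if install_crds == "always":
        return True
    if install_crds == "never":
        return False
    if install_crds == "dynamic":
        # The presence check keeps CRDs (and the CRs under them) when the
        # operator is only temporarily disabled, avoiding cascading deletion.
        return enabled or crds_present
    raise ValueError(f"unknown installCRDs value {install_crds!r}")


def split_address(address: str) -> Tuple[str, int]:
    """Return (host, port) for teleportAddress; raise if either part is missing."""
    parts = urlsplit("//" + address)
    if not parts.hostname or parts.port is None:
        raise ValueError(f"teleportAddress {address!r} must be host:port")
    return parts.hostname, parts.port


def preflight(values: dict) -> List[str]:
    """Return findings; an empty list means the values look consistent."""
    findings: List[str] = []
    mode = values.get("installCRDs", "dynamic")
    if mode not in INSTALL_CRDS_MODES:
        findings.append(f"installCRDs must be one of {sorted(INSTALL_CRDS_MODES)}, got {mode!r}")
    if values.get("enabled", True) and mode == "never":
        findings.append("operator enabled with installCRDs=never: CRDs must be installed some other way")

    port = None
    try:
        _host, port = split_address(values.get("teleportAddress", ""))
    except ValueError as exc:
        findings.append(str(exc))

    ca_pins = values.get("caPins", [])
    if port == AUTH_PORT and not ca_pins:
        findings.append("joining the Auth Service directly without caPins: its identity is not validated by pinning")
    if port in PROXY_PORTS and ca_pins:
        findings.append("caPins is set but ignored on a Proxy join")

    if values.get("joinMethod", "kubernetes") == "kubernetes" and not values.get("teleportClusterName"):
        findings.append("teleportClusterName is empty; it is required when the kubernetes join uses JWKS")
    if not values.get("token"):
        findings.append("token is empty; the operator needs a token name to re-join on every restart")
    return findings


# Constructed sample values (hypothetical hosts and token names).
PROXY_JOIN = {
    "teleportAddress": "teleport.example.com:443",
    "joinMethod": "kubernetes",
    "teleportClusterName": "teleport.example.com",
    "token": "operator-token",
}
AUTH_JOIN_UNPINNED = dict(PROXY_JOIN, teleportAddress="teleport-auth.example.com:3025", caPins=[])

if __name__ == "__main__":
    for name, vals in (("proxy join", PROXY_JOIN), ("auth join", AUTH_JOIN_UNPINNED)):
        print(name, preflight(vals) or "ok")
```

Run it before `helm install`/`helm upgrade` against the dictionary you would otherwise pass as a values file; the proxy-join sample passes, while the direct Auth join without caPins is reported because the Auth Service identity is then not pinned.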

teleportVersionOverride

Type: string | Default: ""

teleportVersionOverride controls the Teleport Kubernetes Operator image version deployed by the chart.

Normally, the version of the Teleport Kubernetes Operator matches the version of the chart. If you install chart version 15.0.0, you'll use Teleport Kubernetes Operator version 15.0.0. Upgrading the operator is done by upgrading the chart.

image

Type: string | Default: "public.ecr.aws/gravitational/teleport-operator"

image sets the container image used for Teleport Kubernetes Operator pods run by the chart.

You can override this to use your own Teleport Kubernetes Operator image rather than a Teleport-published image.

annotations

annotations.deployment

Type: object | Default: {}

annotations.deployment contains the Kubernetes annotations put on the Deployment resource created by the chart.

annotations.pod

Type: object | Default: {}

annotations.pod contains the Kubernetes annotations put on the Pod resources created by the chart.

annotations.serviceAccount

Type: object | Default: {}

annotations.serviceAccount contains the Kubernetes annotations put on the Deployment resource created by the chart.

labels

labels.deployment

Type: object | Default: {}

labels.deployment contains the Kubernetes labels put on the Deployment resource created by the chart.

labels.pod

Type: object | Default: {}

labels.pod contains the Kubernetes labels put on the Pod resources created by the chart.

serviceAccount

serviceAccount.create

Type: bool | Default: true

serviceAccount.create controls if the chart should create the Kubernetes ServiceAccount resource for the operator.

  • When true, the chart creates a ServiceAccount resource for the operator.
  • When false, the chart does not create the ServiceAccount resource. The user is responsible for deploying and maintaining it separately.

This value can be set to false when deploying in constrained environments where the user deploying the operator is not allowed to edit ServiceAccount resources.

serviceAccount.name

Type: string | Default: ""

serviceAccount.name controls the name of the operator Kubernetes ServiceAccount. By default the operator pods use a ServiceAccount named after the Helm chart release. This value overrides that behaviour, which is useful when serviceAccount.create is false and the operator must use an existing ServiceAccount.

rbac

rbac.create

Type: bool | Default: true

rbac.create controls if the chart should create RBAC Kubernetes resources.

  • When true, the chart creates both Role and RoleBinding resources for the operator.
  • When false, the chart does not create the Role and RoleBinding resources. The user is responsible for deploying and maintaining them separately.

This value can be set to false when deploying in constrained environments where the user deploying the operator is not allowed to edit RBAC resources.

extraEnv

Type: list | Default: []

extraEnv contains extra environment variables to be configured on the pod.

extraArgs

Type: list | Default: []

extraArgs contains extra arguments to pass to the operator.

imagePullPolicy

Type: string | Default: "IfNotPresent"

imagePullPolicy sets the pull policy for any pods created by the chart. See the Kubernetes documentation for more details.

resources

Type: object | Default: {}

resources sets the resource requests/limits for any pods created by the chart. See the Kubernetes documentation for more details.

priorityClassName

Type: string | Default: ""

priorityClassName sets the priority class used by any pods created by the chart. The user is responsible for creating the PriorityClass resource before deploying the chart. See the Kubernetes documentation for more details.

tolerations

Type: list | Default: []

tolerations sets the tolerations for any pods created by the chart. See the Kubernetes documentation for more details.

nodeSelector

Type: object | Default: {}

nodeSelector sets the node selector for any pods created by the chart. See the Kubernetes documentation for more details.

affinity

Type: object | Default: {}

affinity sets the affinities for any pods created by the chart. See the Kubernetes documentation for more details.

imagePullSecrets

Type: list | Default: []

imagePullSecrets sets the image pull secrets for any pods created by the chart. See the Kubernetes documentation for more details.

highAvailability

highAvailability.replicaCount

Type: int | Default: 1

highAvailability.replicaCount controls the number of operator pod replicas deployed by the chart.

When multiple pods are running, all pods join the Teleport cluster on startup but a single pod actively reconciles resources.

The operator replicas elect a replica leader using Kubernetes leases. If the leader fails, its lease will expire and another replica will start reconciling resources.
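To make the lease-based failover described above concrete, here is an added example (written for this page, not operator code) that models a Kubernetes Lease as a holder identity plus a renew timestamp and a lease duration, and runs several replicas against it. Only the current holder reconciles; when it stops renewing, nobody can take the lease until it has expired, and then another replica acquires it. The replica names, the 15-second lease duration and the 5-second tick are constructed for the illustration.

```python
"""Minimal model of lease-based leader election between operator replicas.

Added example, not the operator's implementation. A Lease has one holder and
stays valid for `duration` seconds after the last renewal; a replica may
acquire it only when it is free or expired, or renew it if it already holds it.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Lease:
    holder: Optional[str] = None
    duration: float = 15.0   # seconds the lease stays valid without renewal
    renewed_at: float = 0.0

    def expired(self, now: float) -> bool:
        return self.holder is None or now - self.renewed_at >= self.duration

    def try_acquire(self, candidate: str, now: float) -> bool:
        """Acquire a free/expired lease, or renew one we already hold."""
        if self.holder == candidate or self.expired(now):
            self.holder = candidate
            self.renewed_at = now
            return True
        return False


def run_election(replicas: List[str], alive: Callable[[str, float], bool],
                 ticks: int, step: float = 5.0) -> List[Optional[str]]:
    """Return the lease holder observed after each tick.

    Dead replicas neither renew nor acquire. A dead holder keeps the lease
    until it expires, which is the reconciliation gap a failover incurs.
    """
    lease = Lease()
    holders: List[Optional[str]] = []
    for i in range(ticks):
        now = i * step
        for name in replicas:
            if alive(name, now):
                lease.try_acquire(name, now)
        holders.append(None if lease.expired(now) else lease.holder)
    return holders


def failover_scenario() -> List[Optional[str]]:
    """Three replicas; the first leader stops renewing at t=20s."""
    def alive(name: str, now: float) -> bool:
        return not (name == "op-0" and now >= 20)
    return run_election(["op-0", "op-1", "op-2"], alive, ticks=8)


if __name__ == "__main__":
    for tick, holder in enumerate(failover_scenario()):
        print(f"t={tick * 5:>2}s holder={holder}")
```

With a 15-second lease and 5-second ticks, op-0 holds the lease through t=25s even though it stopped renewing at t=20s; op-1 takes over at t=30s, the first tick at which the lease has expired. Tuning the lease duration trades failover latency against the risk of a slow but healthy leader losing its lease.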

tls

tls.existingCASecretName

Type: string | Default: ""

tls.existingCASecretName makes the operator pods trust an additional CA certificate. This is used to trust Proxy certificates if they're signed by a private CA. By default the operator trusts the CAs that are part of Mozilla's Web PKI (the ca-certificates package).

To use this value, you must create a Kubernetes Secret containing the CA certs in the same namespace as the Teleport Kubernetes Operator using a command such as:

$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem

tls.existingCASecretKeyName

Type: string | Default: "ca.pem"

tls.existingCASecretKeyName determines which key in the CA secret will be used as a trusted CA bundle file.

podSecurityContext

Type: object | Default: {"fsGroup":65532,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}}

podSecurityContext sets the pod security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value supports running under the restricted Pod Security Standard.

securityContext

Type: object | Default: {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}

securityContext sets the container security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value supports running under the restricted Pod Security Standard.
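Both defaults above satisfy the restricted Pod Security Standard, but an override of podSecurityContext or securityContext can silently drop below it. The following check is an added example written for this page, not chart code: it takes the merged pod and container security contexts and reports each restricted-profile requirement they miss (runAsNonRoot, no UID 0, a RuntimeDefault or Localhost seccomp profile, allowPrivilegeEscalation explicitly false, no privileged containers, capabilities dropping ALL and adding at most NET_BIND_SERVICE). The two default dictionaries are copied from this reference; the weakened override is constructed to show what the check catches.

```python
"""Check merged security contexts against the restricted Pod Security Standard.

Added example, not part of the chart. CHART_* are the defaults from the chart
reference; WEAKENED_CONTAINER_CONTEXT is a constructed override.
"""
from typing import List

CHART_POD_CONTEXT = {
    "fsGroup": 65532, "runAsGroup": 65532, "runAsNonRoot": True,
    "runAsUser": 65532, "seccompProfile": {"type": "RuntimeDefault"},
}
CHART_CONTAINER_CONTEXT = {
    "allowPrivilegeEscalation": False,
    "capabilities": {"drop": ["ALL"]},
    "readOnlyRootFilesystem": True,   # not required by restricted PSS, but a sound default
}
# Constructed: an override that keeps drop ALL (Helm merges maps) but re-enables
# privilege escalation and adds NET_ADMIN.
WEAKENED_CONTAINER_CONTEXT = dict(
    CHART_CONTAINER_CONTEXT,
    allowPrivilegeEscalation=True,
    capabilities={"drop": ["ALL"], "add": ["NET_ADMIN"]},
)

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def restricted_pss_findings(pod_ctx: dict, container_ctx: dict) -> List[str]:
    """Return the restricted-profile requirements the contexts fail to meet."""
    findings: List[str] = []
    # runAsNonRoot may be set at pod level or on every container.
    if not (pod_ctx.get("runAsNonRoot") is True or container_ctx.get("runAsNonRoot") is True):
        findings.append("runAsNonRoot must be true")
    if pod_ctx.get("runAsUser") == 0 or container_ctx.get("runAsUser") == 0:
        findings.append("runAsUser 0 is not allowed")
    # A container-level seccomp profile overrides the pod-level one.
    seccomp = (container_ctx.get("seccompProfile") or pod_ctx.get("seccompProfile") or {}).get("type")
    if seccomp not in ALLOWED_SECCOMP:
        findings.append("seccompProfile.type must be RuntimeDefault or Localhost")
    if container_ctx.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation must be explicitly false")
    if container_ctx.get("privileged"):
        findings.append("privileged containers are not allowed")
    caps = container_ctx.get("capabilities") or {}
    if "ALL" not in caps.get("drop", []):
        findings.append("capabilities.drop must include ALL")
    extra = set(caps.get("add", [])) - ALLOWED_ADDED_CAPS
    if extra:
        findings.append(f"capabilities.add only permits NET_BIND_SERVICE, found {sorted(extra)}")
    return findings


if __name__ == "__main__":
    print("chart defaults:", restricted_pss_findings(CHART_POD_CONTEXT, CHART_CONTAINER_CONTEXT) or "ok")
    print("weakened:", restricted_pss_findings(CHART_POD_CONTEXT, WEAKENED_CONTAINER_CONTEXT))
```

Because Helm deep-merges map values, a partial override such as `--set securityContext.allowPrivilegeEscalation=true` keeps the other default keys; feed the check the merged result (for example from `helm template` output) rather than only the keys you changed.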
