teleport-plugin-event-handler 차트 레퍼런스
teleport-plugin-event-handler Helm 차트는 Event Handler Teleport 플러그인을 구성하는 데 사용되며, 사용자가 이벤트와 세션 로그를 추가 처리 또는 저장을 위해 Fluentd 인스턴스로 전송할 수 있도록 합니다.
teleport-plugin-event-handler Helm 차트는 Event Handler Teleport 플러그인을 구성하는 데 사용되며,
사용자가 이벤트와 세션 로그를 추가 처리 또는 저장을 위해 Fluentd 인스턴스로 전송할 수 있도록 합니다.
GitHub에서 소스를 탐색할 수 있습니다.
이 레퍼런스는 teleport-plugin-event-handler 차트에서 사용 가능한 값들을 상세히 설명합니다.
teleport#
teleport contains the configuration describing how the plugin connects to
your Teleport cluster.
teleport.address#
| Type | Default |
|---|---|
string |
"" |
teleport.address is the address of the Teleport cluster the plugin
connects to. The address must contain both the domain name and the port of
the Teleport cluster. It can be either the address of the auth servers or the
proxy servers.
For example:
- joining a Proxy:
teleport.example.com:443orteleport.example.com:3080 - joining an Auth:
teleport-auth.example.com:3025
When the address is empty, tbot.teleportProxyAddress
or tbot.teleportAuthAddress will be used if they are set.
teleport.identitySecretName#
| Type | Default |
|---|---|
string |
"" |
teleport.identitySecretName is the name of the Kubernetes secret
that contains the credentials for the connection to your Teleport cluster.
The secret should be in the following format:
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: teleport-plugin-event-handler-identity
data:
auth_id: #...
Check out the Export Events with Fluentd guide for more information about how to acquire these credentials.
teleport.identitySecretPath#
| Type | Default |
|---|---|
string |
"auth_id" |
teleport.identitySecretPath is the key in the Kubernetes secret
specified by teleport.identitySecretName that holds the credentials for
the connection to your Teleport cluster. If the secret has the path,
"auth_id", you can omit this field.
eventHandler#
eventHandler contains the configuration used by the plugin to forward Teleport events.
eventHandler.storagePath#
| Type | Default |
|---|---|
string |
"/var/lib/teleport/plugins/event-handler/storage" |
eventHandler.storagePath is the storage directory for the event handler.
eventHandler.timeout#
| Type | Default |
|---|---|
string |
"10s" |
eventHandler.timeout is the polling timeout.
eventHandler.batch#
| Type | Default |
|---|---|
int |
20 |
eventHandler.batch is the fetch batch size.
eventHandler.windowSize#
| Type | Default |
|---|---|
string |
"24h" |
eventHandler.windowSize configures the duration of the time window for the event handler
to request events from Teleport. By default, this is set to 24 hours.
Reduce the window size if the events backend cannot manage the event volume
for the default window size.
The window size should be specified as a duration string, parsed by Go's time.ParseDuration.
eventHandler.debug#
| Type | Default |
|---|---|
bool |
false |
eventHandler.debug enables debug logging.
eventHandler.types#
| Type | Default |
|---|---|
list |
[] |
eventHandler.types is the list of event types to forward.
When unset, the event handler forwards all events.
eventHandler.skipEventTypes#
| Type | Default |
|---|---|
list |
[] |
eventHandler.skipEventTypes is the list of audit event types to skip.
eventHandler.skipSessionTypes#
| Type | Default |
|---|---|
list |
[] |
eventHandler.skipSessionTypes is the list of session recording event types to skip.
When unset, the event handler skips noisy and binary events.
See the Teleport-event-handler README for a list of default skipped events.
eventHandler.startTime#
| Type | Default |
|---|---|
string |
"" |
eventHandler.startTime is the start time to start ingestion from (RFC3339 format).
eventHandler.dryRun#
| Type | Default |
|---|---|
bool |
false |
eventHandler.dryRun enables dry run without sending events to Fluentd.
eventHandler.concurrency#
| Type | Default |
|---|---|
int |
5 |
eventHandler.concurrency is the number of concurrent sessions to process. By default, this is set to 5.
eventHandler.lock.enabled#
| Type | Default |
|---|---|
bool |
false |
eventHandler.lock.enabled controls whether user auto-locking is enabled.
eventHandler.lock.failedAttemptsCount#
| Type | Default |
|---|---|
int |
3 |
eventHandler.lock.failedAttemptsCount is the number of failed attempts in the lockPeriod which
triggers locking. By default, this is set to 3.
eventHandler.lock.period#
| Type | Default |
|---|---|
string |
"1m" |
eventHandler.lock.period is the time period where lock-failed-attempts-count failed attempts
will trigger locking. By default, this is set to 1 minute.
eventHandler.lock.for#
| Type | Default |
|---|---|
string |
"" |
eventHandler.lock.for is the time period for which user gets lock.
fluentd#
fluentd contains the configuration for the Fluentd forwarder.
fluentd.url#
| Type | Default |
|---|---|
string |
"" |
fluentd.url is the Fluentd URL where the events will be sent.
fluentd.sessionUrl#
| Type | Default |
|---|---|
string |
"" |
fluentd.sessionUrl is the Fluentd URL where the session logs will be sent.
fluentd.certificate#
fluentd.certificate contains the configuration for the plugin's Fluentd client certificates.
When certManager.enabled is true, cert-manager will use its own secrets, so this section is unused.
fluentd.certificate.secretName#
| Type | Default |
|---|---|
string |
"" |
fluentd.certificate.secretName is the secret containing the credentials to connect to Fluentd.
It must contain the CA certificate, the client key and the client certificate.
fluentd.certificate.caPath#
| Type | Default |
|---|---|
string |
"ca.crt" |
fluentd.certificate.caPath is the name of the key which contains the CA certificate inside the secret.
fluentd.certificate.certPath#
| Type | Default |
|---|---|
string |
"client.crt" |
fluentd.certificate.certPath is the name of the key which contains the client's certificate inside the secret.
fluentd.certificate.keyPath#
| Type | Default |
|---|---|
string |
"client.key" |
fluentd.certificate.keyPath is the name of the key which contains the client's private key inside the secret.
fluentd.maxConnections#
| Type | Default |
|---|---|
int |
0 |
fluentd.maxConnections is the maximum number of connections to Fluentd. By default, or when set to 0,
this becomes eventHandler.concurrency * 2.
tbot#
tbot controls the optional tbot deployment that obtains and renews
credentials for the plugin to connect to Teleport.
Only default and mandatory values are described here, see the tbot chart reference
for the full list of supported values.
tbot.enabled#
| Type | Default |
|---|---|
bool |
false |
tbot.enabled controls if tbot should be deployed with the event handler plugin.
tbot.clusterName#
| Type | Default |
|---|---|
string |
"" |
tbot.clusterName is the name of the Teleport cluster tbot and the event handler plugin will join.
Setting this value is mandatory when tbot is enabled.
tbot.teleportProxyAddress#
| Type | Default |
|---|---|
string |
"" |
tbot.teleportProxyAddress is the teleport Proxy Service address the bot will connect to.
This must contain the port number, usually 443 or 3080 for Proxy Service.
Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
This is mandatory to connect to Teleport Enterprise (Cloud).
This setting is mutually exclusive with teleportAuthAddress.
For example:
tbot:
teleportProxyAddress: "test.teleport.sh:443"
tbot.teleportAuthAddress#
| Type | Default |
|---|---|
string |
"" |
tbot.teleportAuthAddress is the teleport Auth Service address the bot will connect to.
This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
should be used when you are deploying the bot in the same Kubernetes cluster than your teleport-cluster
Helm release and have direct access to the Auth Service.
Else, you should prefer connecting via the Proxy Service.
This setting is mutually exclusive with teleportProxyAddress.
For example:
teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
tbot.joinMethod#
| Type | Default |
|---|---|
string |
"kubernetes" |
tbot.joinMethod describes how tbot joins the Teleport cluster.
See the join method reference for a list of supported values and detailed explanations.
tbot.token#
| Type | Default |
|---|---|
string |
"" |
tbot.token is the name of the token used by tbot to join the Teleport cluster.
This value is not sensitive unless the joinMethod is set to "token".
If unset, defaults to [release name]-tbot.
If crd.create is set to true, then a TeleportProvisionToken will be created with the provided token name.
crd#
crd controls whether the chart creates custom resources managed by the Teleport Kubernetes Operator.
If enabled, the chart will create TeleportRoleV8, TeleportBotV1, and TeleportProvisionToken
resources to automatically connect the plugin to Teleport.
crd.create#
| Type | Default |
|---|---|
bool |
false |
crd.create controls if the chart should create
the Operator custom resources to automatically bootstrap the plugin.
crd.namespace#
| Type | Default |
|---|---|
string |
"" |
crd.namespace optionally overrides the Kubernetes namespace that the
custom resources are created in. This should match the namespace in which the
Teleport Kubernetes Operator is running. Defaults to the release namespace.
crd.tokenSpecOverride#
crd.tokenSpecOverride optionally overrides the join token spec for tbot to use to join the Teleport cluster.
When tbot is enabled, the default configuration uses the kubernetes in_cluster join method.
By default, the service account for tbot will be allowed for all kubernetes join types: in_cluster, JWKS, OIDC.
You can also configure the token to use other supported join methods. The token specification
must match tbot.joinMethod for the plugin to correctly join the cluster.
See the join method reference for a list of supported values and detailed explanations.
Example (Kubernetes JWKS join method):
tokenSpecOverride:
join_method: kubernetes
kubernetes:
type: static_jwks
static_jwks:
jwks: |
# Place the kubernetes JWKS here (`kubectl get --raw /openid/v1/jwks`)
{"keys":[--snip--]}
Example (Kubernetes OIDC join method):
tokenSpecOverride:
join_method: kubernetes
kubernetes:
type: oidc
oidc:
# Insert the OIDC issuer value here, it will vary depending on your
# cluster and cloud provider.
issuer: https://oidc.eks.us-west-2.amazonaws.com/id/my-cluster
certManager#
certManager controls whether the chart uses cert-manager to provision TLS certificates
for mTLS connection between the plugin and Fluentd. If enabled, cert-manager will create two
Kubernetes secrets in the plugin's release namespace:
the Fluentd server credentials (CA cert, server cert, server key)
and the plugin client credentials (CA cert, client cert, client key).
The TLS certificates use PKCS#8 encoding and ECDSA encryption.
certManager.enabled#
| Type | Default |
|---|---|
bool |
false |
certManager.enabled controls if cert-manager should be used to provision TLS certificates for the plugin.
certManager.issuer#
certManager.issuer is the cert-manager Issuer or ClusterIssuer that will issue
the Fluentd server and client certificates.
certManager.issuer.create#
| Type | Default |
|---|---|
bool |
true |
certManager.issuer.create controls if the chart should create
a private CA issuer to issue the Fluentd server and client certificates.
See the cert-manager Bootstrapping CA Issuers documentation for more information.
certManager.issuer.name#
| Type | Default |
|---|---|
string |
"" |
certManager.issuer.name is the Name of the issuer. Unused if certManager.issuer.create is true.
certManager.issuer.kind#
| Type | Default |
|---|---|
string |
"Issuer" |
certManager.issuer.kind is the Kind of the issuer. Unused if certManager.issuer.create is true.
Defaults to 'Issuer' to keep permissions scoped to the plugin's release namespace.
certManager.issuer.group#
| Type | Default |
|---|---|
string |
"cert-manager.io" |
certManager.issuer.group is the Group of the issuer. Unused if certManager.issuer.create is true.
Defaults to 'cert-manager.io' to use built-in issuers.
certManager.dnsNames#
| Type | Default |
|---|---|
list |
[] |
certManager.dnsNames is the DNS names for the Fluentd forwarder, populating the SANs extension of the server certificate.
certManager.ipAddresses#
| Type | Default |
|---|---|
list |
[] |
certManager.ipAddresses is the IP addresses for the Fluentd forwarder, populating the SANs extension of the server certificate.
certManager.ttl#
| Type | Default |
|---|---|
string |
"87600h" |
certManager.ttl is the time-to-live duration for the TLS certificates. Defaults to 87600 hours (10 years).
certManager.renewBefore#
| Type | Default |
|---|---|
string |
"" |
certManager.renewBefore is the time before certManager.ttl to renew the TLS certificates.
This must be less than certManager.ttl. When empty, defaults to 1/3 of the issued
certificate's time-to-live duration. For example, if a certificate is valid for 60 minutes,
cert-manager will renew the certificate 20 minutes before expiration.
annotations#
annotations contains annotations to apply to the different Kubernetes
objects created by the chart. See the Kubernetes annotation
documentation
for more details.
annotations.config#
| Type | Default |
|---|---|
object |
{} |
annotations.config are annotations to set on the ConfigMap.
annotations.deployment#
| Type | Default |
|---|---|
object |
{} |
annotations.deployment are annotations to set on the Deployment.
annotations.pod#
| Type | Default |
|---|---|
object |
{} |
annotations.pod are annotations to set on the Pods.
annotations.certSecret#
| Type | Default |
|---|---|
object |
{} |
annotations.certSecret are annotations to set on the certificate secrets
generated by cert-manager v1.5+ when certManager.enabled is true
extraLabels#
extraLabels contains additional Kubernetes labels to apply on the resources
created by the chart. See the Kubernetes label documentation
for more information.
extraLabels.config#
| Type | Default |
|---|---|
object |
{} |
extraLabels.config are labels to set on the ConfigMap.
extraLabels.deployment#
| Type | Default |
|---|---|
object |
{} |
extraLabels.deployment are labels to set on the Deployment.
extraLabels.pod#
| Type | Default |
|---|---|
object |
{} |
extraLabels.pod are labels to set on the Pods.
extraLabels.certSecret#
| Type | Default |
|---|---|
object |
{} |
extraLabels.certSecret are labels to set on the certificate secrets
generated by cert-manager v1.5+ when certManager.enabled is true.
image#
image sets the container image used for plugin pods created by the chart.
You can override this to use your own plugin image rather than a Teleport-published image.
image.repository#
| Type | Default |
|---|---|
string |
"public.ecr.aws/gravitational/teleport-plugin-event-handler" |
image.repository is the image repository.
image.pullPolicy#
| Type | Default |
|---|---|
string |
"IfNotPresent" |
image.pullPolicy is the Kubernetes image pull policy.
image.tag#
| Type | Default |
|---|---|
string |
"" |
image.tag Overrides the image tag whose default is the chart appVersion.
Normally, the version of the Teleport plugin matches the version of the chart. If you install chart version 15.0.0, you'll use the plugin version 15.0.0. Upgrading the plugin is done by upgrading the chart.
imagePullSecrets#
| Type | Default |
|---|---|
list |
[] |
imagePullSecrets is a list of secrets containing authorization tokens
which can be optionally used to access a private Docker registry.
See the Kubernetes reference for more details.
nameOverride#
| Type | Default |
|---|---|
string |
"" |
nameOverride optionally overrides the name of the chart, used
together with the release name when giving a name to resources.
fullnameOverride#
| Type | Default |
|---|---|
string |
"" |
fullnameOverride optionally overrides the full name of resources.
podSecurityContext#
| Type | Default |
|---|---|
object |
{} |
podSecurityContext sets the pod security context for any pods created by the chart.
See the Kubernetes documentation
for more details.
To unset the security context, set it to null or ~.
securityContext#
| Type | Default |
|---|---|
object |
{} |
securityContext sets the container security context for any pods created by the chart.
See the Kubernetes documentation
for more details.
To unset the security context, set it to null or ~.
resources#
| Type | Default |
|---|---|
object |
{} |
resources sets the resource requests/limits for any pods created by the chart.
See the Kubernetes documentation
for more details.
nodeSelector#
| Type | Default |
|---|---|
object |
{} |
nodeSelector sets the node selector for any pods created by the chart.
See the Kubernetes documentation
for more details.
tls#
tls contains settings for mounting your own TLS material in the event-handler pod.
The event-handler does not expose a TLS server, so this is only used to trust CAs.
tls.existingCASecretName#
| Type | Default |
|---|---|
string |
"" |
tls.existingCASecretName sets the SSL_CERT_FILE environment
variable to load a trusted CA or bundle in PEM format into Teleport pods.
The injected CA will be used to validate TLS communications with the Proxy
Service.
You must create a secret containing the CA certs in the same namespace as Teleport using a command like:
$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
tls.existingCASecretKeyName#
| Type | Default |
|---|---|
string |
"ca.pem" |
tls.existingCASecretKeyName determines which key in the CA secret
will be used as a trusted CA bundle file.
tolerations#
| Type | Default |
|---|---|
list |
[] |
tolerations sets the tolerations for any pods created by the chart.
See the Kubernetes documentation
for more details.
affinity#
| Type | Default |
|---|---|
object |
{} |
affinity sets the affinities for any pods created by the chart.
See the Kubernetes documentation
for more details.
volumes#
| Type | Default |
|---|---|
list |
[] |
volumes sets the volumes mounted into the main event-handler pod.
See the Kubernetes volume
documentation for more
details.
For example:
- name: storage
persistentVolumeClaim:
claimName: teleport-plugin-event-handler
volumeMounts#
| Type | Default |
|---|---|
list |
[] |
volumeMounts sets the volume mounts for the main event-handler container.
See the Kubernetes volume
documentation for more
details.
For example:
- name: storage
mountPath: "/var/lib/teleport/plugins/event-handler/storage"
extraArgs#
| Type | Default |
|---|---|
list |
[] |
extraArgs contains extra arguments to pass to teleport-plugin start for
the main event-handler container.
extraEnv#
| Type | Default |
|---|---|
list |
[] |
extraEnv contains extra environment variables to set in the main
event-handler container.
For example:
extraEnv:
- name: HTTPS_PROXY
value: "http://username:password@my.proxy.host:3128"