teleport-relay Helm 차트는 Kubernetes 클러스터에 Teleport Relay 서비스 그룹을 배포하는 데 사용되며, 클라이언트와 리소스 간의 연결을 Teleport 컨트롤 플레인을 거치지 않고 제공합니다.

teleport-relay 차트는 Teleport v18.3.0 이상에서 사용할 수 있습니다.

GitHub에서 소스를 확인할 수 있습니다.

이 레퍼런스는 teleport-relay 차트에서 사용 가능한 값들을 상세히 설명합니다.

차트가 배포하는 항목#

teleport-relay 차트는 다음 Kubernetes 리소스를 배포합니다:

레퍼런스#

relayGroup#

relayGroup sets the internal identifier for the group of Relay instances reachable through the same load balancer. Should be unique in the whole Teleport cluster.

publicHostnames#

publicHostnames a list of hostnames that this Relay group is publicly reachable at by clients.

publicHostnames:
  - relay.example.com

targetConnectionCount#

targetConnectionCount the amount of tunnel connections that agents will open to distinct Relay instances. It should not be bigger than the replica count.

proxyAddr#

proxyAddr provides the public-facing Teleport Proxy Service endpoint which should be used to join the cluster. This is the same URL used to access the web UI of your Teleport cluster. The port used is usually either 3080 or 443.

Here are a few examples:

enterprise#

enterprise controls if the teleport-relay chart should deploy the OSS version or the enterprise version of the container image. This must be set to true when connecting to Teleport Cloud or self-hosted Teleport Enterprise clusters to allow the agent to leverage enterprise features.

joinParams#

joinParams controls how the Teleport Agent joins the Teleport cluster. These sub-values must be configured for the agent to connect to a cluster.

The token used must grant the Relay role, and should be valid for the lifetime of the Helm release.

joinParams.method#

joinParams.method controls which join method will be used by the instance to join the Teleport cluster.

See the join method reference for the list of possible values, the implications of each join method, and guides to set up each method.

Common join-methods for the teleport-relay are:

• token: the most basic one, with regular ephemeral secret tokens
• kubernetes: either the in-cluster variant (if the agent runs in the same Kubernetes cluster as the teleport-cluster chart) or the JWKS/OIDC variants (work in every Kubernetes cluster, regardless of the Teleport Auth Service location).

joinParams.tokenName#

joinParams.tokenName controls which token is used by the agent to join the Teleport cluster.

When joinParams.method is a delegated join method, the value is not sensitive.

When joinParams.method is token (by default), joinParams.tokenName contains the secret token itself. In this case, the value is sensitive and is automatically stored in a Kubernetes Secret instead of being directly included in the agent's configuration.

If method is token, joinParams.tokenName can be empty if the token is provided through an existing Kubernetes Secret, see joinTokenSecret for more details and instructions.

If method is kubernetes, you must set teleportClusterName.

teleportClusterName#

teleportClusterName is the name of the joined Teleport cluster. Setting this value is required when joining via the Kubernetes JWKS or OIDC join method.

When this value is set, the chart mounts a kubernetes service account token via a projected volume and configures Teleport to use it for joining.

joinTokenSecret#

joinTokenSecret manages the join token secret creation and its name. See the joinParams section for more details.

joinTokenSecret.create#

joinTokenSecret.create controls whether the chart creates the Kubernetes Secret containing the Teleport join token. If false, you must create a Kubernetes Secret with the configured name in the Helm release namespace.

joinTokenSecret.name#

joinTokenSecret.name is the name of the Kubernetes Secret containing the Teleport join token used by the chart.

If joinTokenSecret.create is false, the chart will not attempt to create the secret itself. Instead, it will read the value from an existing secret. joinTokenSecret.name configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext join token stored in your Teleport chart values.

To create your own join token secret, you can use a command like this:

$ kubectl --namespace teleport create secret generic my-token-secret --from-literal=auth-token=<replace-with-actual-token>

joinTokenSecret:
  create: false
  name: my-token-secret

joinParams:
  method: "token"
  tokenName: ""

proxyProtocol#

proxyProtocol controls whether or not the connections coming from the load balancer will include a PROXY protocol v2 header.

log#

log controls the agent logging.

log.level#

log.level is the log level for the Teleport process. Available log levels are: DEBUG, INFO, WARNING, ERROR.

The default is INFO, which is recommended in production. DEBUG is useful during first-time setup or to see more detailed logs for debugging.

log.format#

log.format sets the log output format for the Teleport process. Possible values are text or json.

preStopDelay#

preStopDelay the optional time that will pass between the pod entering the Terminating state and the Teleport instance getting signaled to begin its shutdown advertisement. Useful to allow load balancers to stop routing connections to the terminating pod.

shutdownDelay#

shutdownDelay the optional time that the Teleport instance will wait after advertising its shutdown and before it will stop serving new inbound connections.

terminationGracePeriodSeconds#

terminationGracePeriodSeconds the time allotted to a Teleport instance pod for termination. It should be longer than the sum of preStopDelay and shutdownDelay.

highAvailability#

highAvailability contains settings controlling the availability of the Teleport Agent deployed by the chart.

The availability can be increased by:

• running more replicas with replicaCount
• requiring that the Pods are not scheduled on the same Kubernetes Node with requireAntiAffinity
• by asking Kubernetes not to delete all pods at the same time with podDisruptionBudget.

Even with highAvailability settings Restarting/rolling-out pods can still cause disruption for established long-lived sessions.

highAvailability.replicaCount#

highAvailability.replicaCount is the number of agent replicas deployed by the Chart.

Set to a number higher than 1 for a high availability mode where multiple Teleport pods will be deployed.

highAvailability.podDisruptionBudget#

highAvailability.podDisruptionBudget controls how the chart creates and configures a Kubernetes PodDisruptionBudget to ensure Kubernetes does not delete all agent replicas at the same time.

highAvailability.podDisruptionBudget.enabled#

highAvailability.podDisruptionBudget.enabled makes the chart create a Kubernetes PodDisruptionBudget for the agent pods.

highAvailability.podDisruptionBudget.minAvailable#

highAvailability.podDisruptionBudget.minAvailable is the minimum available pod count specified on the PodDisruptionBudget.

resources#

resources sets the resource requests/limits for any pods created by the chart. See the Kubernetes documentation for more details.

goMemLimitRatio#

goMemLimitRatio configures the GOMEMLIMIT env var set by the chart. GOMEMLIMIT instructs the go garbage collector to try to keep allocated memory below a given threshold. This is a best-effort attempt, but this helps to prevent OOMs in case of bursts.

When the memory limits are set and goMemLimitRatio is non-zero, the chart sets the GOMEMLIMIT to resources.memory.limits * goMemLimitRatio. The value must be between 0 and 1. Set to 0 to unset GOMEMLIMIT. This has no effect if GOMEMLIMIT is already set through extraEnv.

service#

service options for the Service that points to the Teleport Relay instances.

service.type#

service.type the type of the Service. Unless you have specific needs, it should probably be set to LoadBalancer.

service.spec#

service.spec any additional entries here will be added to the Service spec.

spec:
  loadBalancerIP: "1.2.3.4"
  loadBalancerClass: service.k8s.aws/nlb

serviceAccount#

serviceAccount contains settings related to the Kubernetes service account used by pods.

serviceAccount.create#

serviceAccount.create specifies whether a ServiceAccount should be created or if an existing one should be used.

serviceAccount.name#

serviceAccount.name the name of the ServiceAccount to use. If not set and serviceAccount.create is true, the name is generated using the release name. If create is false, the name will be used to reference an existing service account.

extraLabels#

extraLabels contains additional Kubernetes labels to apply on the resources created by the chart. See the Kubernetes label documentation for more information.

extraLabels.config#

extraLabels.config are labels to set on the ConfigMap.

extraLabels.deployment#

extraLabels.deployment are labels to set on the Deployment.

extraLabels.pod#

extraLabels.pod are labels to set on the Pods.

extraLabels.podDisruptionBudget#

extraLabels.podDisruptionBudget are labels to set on the PodDisruptionBudget.

extraLabels.secret#

extraLabels.secret are labels to set on the Secret.

extraLabels.service#

extraLabels.service are labels to set on the Service.

extraLabels.serviceAccount#

extraLabels.serviceAccount are labels to set on the ServiceAccount.

annotations#

annotations contains annotations to apply to the different Kubernetes objects created by the chart. See the Kubernetes annotation documentation for more details.

annotations.config#

annotations.config are annotations to set on the ConfigMap.

annotations.deployment#

annotations.deployment are annotations to set on the Deployment.

annotations.pod#

annotations.pod are annotations to set on the Pods.

annotations.podDisruptionBudget#

annotations.podDisruptionBudget are annotations to set on the podDisruptionBudget.

annotations.secret#

annotations.secret are annotations to set on the Secret.

annotations.service#

annotations.service are annotations to set on the Service.

annotations.serviceAccount#

annotations.serviceAccount are annotations to set on the ServiceAccount.

image#

image sets the container image used for Teleport Community Edition Agent pods created by the chart.

You can override this to use your own Teleport image rather than a Teleport-published image.

By default, the image contains only the Teleport application and its runtime dependencies, and does not contain a shell.

This setting only takes effect when enterprise is false. When running an enterprise version, you must use enterpriseImage instead.

enterpriseImage#

enterpriseImage sets the container image used for Teleport Enterprise agent pods created by the chart.

You can override this to use your own Teleport image rather than a Teleport-published image.

By default, the image contains only the Teleport application and its runtime dependencies, and does not contain a shell.

This setting only takes effect when enterprise is true. When running an OSS version, you must use image instead.

imagePullSecrets#

imagePullSecrets is a list of secrets containing authorization tokens which can be optionally used to access a private Docker registry.

See the Kubernetes reference for more details.

imagePullPolicy#

imagePullPolicy sets the pull policy for any pods created by the chart. See the Kubernetes documentation for more details.

topologySpreadConstraints#

topologySpreadConstraints sets the topology spread constraints for any pods created by the chart. See the Kubernetes documentation for more details.

When unset, the chart defaults to a soft topology spread constraint that tries to spread pods across hosts and zones.

topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: ScheduleAnyway
    labelSelector:
      matchLabels: # dynamically computed
  - maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: ScheduleAnyway
    labelSelector:
      matchLabels: # dynamically computed

disableTopologySpreadConstraints#

disableTopologySpreadConstraints turns off the default topology spread constraints.

affinity#

affinity sets the affinities for any pods created by the chart. See the Kubernetes documentation for more details.

tolerations#

tolerations sets the tolerations for any pods created by the chart. See the Kubernetes documentation for more details.

teleportConfig#

teleportConfig contains YAML teleport configuration to pass to the Teleport pods. The configuration will be merged with the chart-generated configuration and will take precedence in case of conflict.

See the Teleport Configuration Reference for the list of supported fields.

extraArgs#

extraArgs contains extra arguments to pass to teleport start for the main Teleport container.

extraEnv#

extraEnv contains extra environment variables to set in the main Teleport container.

For example:

extraEnv:
  - name: HTTPS_PROXY
    value: "http://username:password@my.proxy.host:3128"

extraVolumes#

extraVolumes contains extra volumes to mount into the Teleport pods. See the Kubernetes volume documentation for more details.

For example:

extraVolumes:
- name: myvolume
  secret:
    secretName: testSecret

extraVolumeMounts#

extraVolumeMounts contains extra volumes mounts for the main Teleport container. See the Kubernetes volume documentation for more details.

For example:

extraVolumesMounts:
- name: myvolume
  mountPath: /path/on/host

dnsConfig#

dnsConfig contains custom Pod DNS Configuration for the agent pods. This value is useful if you need to reduce the DNS load: set "ndots" to 0 and only use FQDNs to refer to remote hosts.

See the Kubernetes pod DNS documentation for more information.

For example:

 nameservers:
   - 1.2.3.4
 searches:
   - ns1.svc.cluster-domain.example
   - my.dns.search.suffix
 options:
   - name: ndots
     value: "2"

dnsPolicy#

dnsPolicy sets the Pod's DNS Policy

See the Kubernetes pod DNS documentation for more information.

hostAliases#

hostAliases sets Host aliases in the Teleport Pod. See the Kubernetes hosts file documentation for more details.

For example:

hostAliases:
  - ip: "127.0.0.1"
    hostnames:
      - "foo.local"
      - "bar.local"
  - ip: "10.1.2.3"
    hostnames:
      - "foo.remote"
      - "bar.remote"

tls#

tls contains settings for mounting your own TLS material in the agent pod.

tls.existingCASecretName#

tls.existingCASecretName sets the SSL_CERT_FILE environment variable to load a trusted CA or bundle in PEM format into Teleport pods. The injected CA will be used to validate TLS communications with the Proxy Service.

You must create a secret containing the CA certs in the same namespace as Teleport using a command like:

$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem

tls.existingCASecretKeyName#

tls.existingCASecretKeyName determines which key in the CA secret will be used as a trusted CA bundle file.

insecureSkipProxyTLSVerify#

insecureSkipProxyTLSVerify disables TLS verification of the TLS certificate presented by the Proxy Service.

This can be used for joining a Teleport instance to a Teleport cluster which does not have valid TLS certificates for testing.

securityContext#

securityContext sets the container security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value is compatible with the restricted PSS.

To unset the security context, set it to null or ~.

podSecurityContext#

podSecurityContext sets the pod security context for any pods created by the chart. See the Kubernetes documentation for more details.

To unset the security context, set it to null or ~.

priorityClassName#

priorityClassName sets the priority class used by any pods created by the chart. The user is responsible for creating the PriorityClass resource before deploying the chart. See the Kubernetes documentation for more details.

nameOverride#

nameOverride optionally overrides the name of the chart, used together with the release name when giving a name to resources.

fullnameOverride#

fullnameOverride optionally overrides the full name of resources.

teleportVersionOverride#

teleportVersionOverride controls the Teleport Kubernetes Operator image version deployed by the chart.

Normally, the version of the Teleport Kubernetes Operator matches the version of the chart. If you install chart version 15.0.0, you'll use Teleport version 15.0.0. Upgrading the agent is done by upgrading the chart.