jonny/charts
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add teleport values for home

Browse Source
This commit is contained in:
Jonny Ervine 2023-09-09 15:56:59 +08:00
parent 9467c59c8d
commit 1866c26b1f
1 changed files with 453 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

453
teleport-kube-agent/values-home.yaml Normal file
View File

@ -0,0 +1,453 @@
################################################################
# Values that must always be provided by the user.
################################################################
# Join token for the cluster. `joinParams` can also pass the join token,
# but supports more join methods and takes precedence if set.
authToken: "36ce3b30a201d5c3fecaa0d97d57cc80"
# Address of the teleport proxy with port (usually :3080).
proxyAddr: "teleport.ipa.champion:443"
# Comma-separated list of roles to enable (any of: kube,db,app)
roles: "kube"
################################################################
# Values that must be provided if IAM or EC2 joining is enabled.
################################################################
# Specify how to join the Teleport cluster
joinParams:
# Supported join methods are "token", "ec2", "iam".
# method "token", is equivalent to using authToken to join a cluster
method: "token"
# Leave empty only when method is "token" and the secret
# "teleport-kube-agent-join-token" has been created before and
# contains a valid join token.
tokenName: ""
################################################################
# Values that must be provided if Kubernetes access is enabled.
################################################################
# Name for this kubernetes cluster to be used by teleport users.
kubeClusterName: "homeCluster"
################################################################
# Values that must be provided if Application access is enabled.
################################################################
# At least one of 'apps', 'appResources' must be provided
# when application access is enabled. See the README for more details.
# Details of at least one app to be proxied. Example:
# apps:
# - name: grafana
# uri: http://localhost:3000
apps: []
# Dynamic application configuration mode. Example:
# appResources:
# - labels:
# "*": "*"
appResources: []
################################################################
# Values that must be provided if Database access is enabled.
################################################################
# At least one of 'databases', 'awsDatabases', 'azureDatabases', or 'databaseResources' must be provided
# when database access is enabled. See the README for more details.
# Database auto-discovery mode (AWS)
# Details of at least one awsDatabase discovery pattern to be discovered
# and proxied. Example:
# awsDatabases:
# - types: ["rds"]
# regions: ["us-east-1"]
# tags:
# "environment": "production"
awsDatabases: []
# Database auto-discovery mode (Azure)
# Details of at least one azureDatabase discovery pattern to be discovered
# and proxied. Example:
# azureDatabases:
# - types: ["mysql", "postgres"]
# tags:
# "environment": "production"
# regions: ["eastus", "centralus"]
# subscriptions: ["subID1", "subID2"]
# resource_groups: ["group1", "group2"]
# Note that regions, subscriptions, and resource_groups are optional, and by default
# the pattern for these selectors is ["*"] which will match all regions, subscriptions, or resource groups.
azureDatabases: []
# Manual database configuration mode
# Details of at least one database to be proxied. Example:
# databases:
# - name: aurora
# uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
# protocol: "postgres"
# static_labels:
# env: "prod"
databases: []
# Dynamic database configuration mode. Example:
# databaseResources:
# - labels:
# "*": "*"
databaseResources: []
################################################################
# Values that you may need to change.
################################################################
# Version of teleport image, if different from chart version in Chart.yaml.
# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
# This chart is designed to run a specific teleport version (see Chart.yaml).
# You will face compatibility issues trying to run a different Teleport version with it.
#
# If you want to run Teleport version X, you should use `helm --version X` instead.
teleportVersionOverride: ""
# Optional CA pins of the auth server. This enables a more secure way of
# adding new nodes to a cluster. See "Adding Nodes to the Cluster"
# (https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster).
# Each list element can be the pin itself (recommended), or a path to a file
# containing the pin. For the latter it is your responsibility to mount
# the file, using extraVolumes.
caPin: []
# When set to true, the agent will skip the verification of proxy TLS
# certificate.
insecureSkipProxyTLSVerify: false
# Set enterprise to true to use enterprise image.
enterprise: false
# teleportConfig contains additional teleport configuration
# The configuration will be merged with the chart-generated configuration
# and will take precedence in case of conflict
teleportConfig: {}
# Settings for mounting your own TLS material in the agent pod.
# The agent does not expose a TLS server, so this is only used to trust CAs.
tls:
# Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
# This is useful to trust private CAs.
# This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
# Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem`
# The filename inside the secret is important - it _must_ be ca.pem
existingCASecretName: ""
updater:
enabled: false
# `updater.versionServer` is the URL of the version server the agent fetches
# the target version from. The complete version endpoint is built by
# concatenating `versionServer` and `releaseChannel`.
versionServer: "https://updates.releases.teleport.dev/v1/"
# Release channel the agent subscribes to.
releaseChannel: "stable/cloud"
image: public.ecr.aws/gravitational/teleport-kube-agent-updater
serviceAccount:
# service account name defaults to "<kube agent sa name>-updater"
name: ""
# If set, will use an existing volume mounted via extraVolumes
# as the Teleport data directory.
# If anything is set under the "storage" key, this will be ignored.
existingDataVolume: ""
# If true, create & use Pod Security Policy resources
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher.
# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
podSecurityPolicy:
enabled: true
# Labels is a map of key values pairs about this cluster
labels:
teleport.internal/resource-id: badd4bc3-ca45-4456-b2f9-513ec8e8bcbc
# Settings for high availability.
highAvailability:
# Set to >1 for a high availability mode where multiple Teleport agent pods will be deployed.
replicaCount: 1
# Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the
# same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.
# Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement.
# This setting only has any effect when replicaCount is greater than 1.
requireAntiAffinity: false
# If enabled will create a Pod Disruption Budget
# https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1)
# This CRD is managed by the prometheus-operator and allows workload to
# get monitored. To use this value, you need to run a `prometheus-operator`
# in the cluster for this value to take effect.
# See https://prometheus-operator.dev/docs/prologue/introduction/
podMonitor:
# Whether the chart should deploy a PodMonitor.
# Disabled by default as it requires the PodMonitor CRD to be installed.
enabled: false
# additionalLabels to put on the PodMonitor.
# This is used to be selected by a specific prometheus instance.
additionalLabels: {}
# interval is the interval between two metrics scrapes. Defaults to 30s
interval: 30s
################################################################
# Values that must be provided if using persistent storage for Teleport.
#
# Assigning a persistent volume to Teleport agent allows the agent to keep session recordings when the pod is restarted if `session_recording` is set to `node` or `proxy`.
# The security association between the agent and the Teleport is no longer stored in PV, instead it is stored in a Kubernetes Secret so that the agent does not require PV
# to survive restarts and rotations while using short-lived joining tokens.
#
# Fields:
# enabled: Set to true to enable the use of Persistent volumes.
# storageClassName: The name of the kubernetes storage class to use when creating volumes. See https://kubernetes.io/docs/concepts/storage/storage-classes/
# requests: The size of the volume to request from the persistent storage system
################################################################
storage:
enabled: false
storageClassName: ""
requests: 128Mi
# Settings for configuring an cluster admin role binding.
# This is useful for granting cluster admin permissions to a Kubernetes Group
# other than the default "system:masters" group.
# GKE Autopilot clusters forbid using the "system:masters" group for impersonation
# and require a custom group to be used instead.
adminClusterRoleBinding:
create: false
name: "cluster-admin"
################################################################
# Values that you shouldn't need to change.
################################################################
# Container image for the cluster.
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport`. Those images will be
# removed with teleport 14.
image: public.ecr.aws/gravitational/teleport-distroless
# Enterprise version of the image
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
# removed with teleport 14.
enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
# Optional array of imagePullSecrets, to use when pulling from a private registry
imagePullSecrets: []
# - name: myRegistryKeySecretName
# Number of replicas for the agent deployment.
# DEPRECATED Use highAvailability:replicaCount instead
# replicaCount: 1
# (optional) Override the name of the ClusterRole used by the agent's service account.
clusterRoleName: ""
# (optional) Override the name of the ClusterRoleBinding used by the agent's service account.
clusterRoleBindingName: ""
# (optional) Override the name of the Role used by the agent's service account for Secret access.
roleName: ""
# (optional) Override the name of the RoleBinding used by the agent's service account.
roleBindingName: ""
# (optional) Override the name of the service account used by the agent.
# DEPRECATED Use serviceAccount:name instead
serviceAccountName: ""
# (optional) Kubernetes service account to create/use.
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and serviceAccount.create is true, the name is generated using the release name.
# If create is false, the name will be used to reference an existing service account.
name: ""
# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
rbac:
# Specifies whether a ClusterRole and ClusterRoleBinding should be created.
# Set to false if your cluster level resources are managed separately.
create: true
# Name of the Secret to store the teleport join token.
# DEPRECATED Use joinTokenSecret.name instead
secretName: ""
# Manages the join token secret creation and its name.
joinTokenSecret:
# create controls whether the Helm chart should create and manage the join token
# secret.
# If false, the chart assumes that the secret with the configured name already exists at the
# installation namespace.
create: true
# Name of the Secret to store the teleport join token.
name: teleport-kube-agent-join-token
# Teleport logging configuration
log:
# Log level for the Teleport process.
# Available log levels are: DEBUG, INFO, WARNING, ERROR.
# The default is INFO, which is recommended in production.
# DEBUG is useful during first-time setup or to see more detailed logs for debugging.
level: INFO
# Log output
# Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log'
# Other supported values: 'stdout', 'stderr' and 'syslog'
output: stderr
# Log format configuration
# Possible output values are 'json' and 'text' (default).
format: text
# Possible extra_fields values include: timestamp, component, caller, and level.
# All extra fields are included by default.
extraFields: ["timestamp", "level", "component", "caller"]
##################################
# Extra Kubernetes configuration #
##################################
# Affinity for pod assignment
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
# Pod's DNS Configuration
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
# This value is useful if you need to reduce the DNS load: set "ndots" to 0 and only use FQDNs.
dnsConfig: {}
# nameservers:
# - 1.2.3.4
# searches:
# - ns1.svc.cluster-domain.example
# - my.dns.search.suffix
# options:
# - name: ndots
# value: "2"
# Pod's DNS Policy
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy: ""
# nodeSelector to apply for pod assignment
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
nodeSelector: {}
# Kubernetes labels to apply
# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
extraLabels:
# Labels for the Cluster Role
clusterRole: {}
# Labels for the Cluster Role Binding
clusterRoleBinding: {}
# Labels for the Role
role: {}
# Labels for the Role Binding
roleBinding: {}
# Labels for the ConfigMap
config: {}
# Labels for the Deployment/StatefulSet
deployment: {}
# Labels for each Pod in the Deployment/StatefulSet
pod: {}
# Labels for the Pod Disruption Budget (ignored when disabled)
podDisruptionBudget: {}
# Labels for the Pod Security Policy (ignored when disabled)
podSecurityPolicy: {}
# Labels for the Secret (ignored when disabled)
secret: {}
# Labels for the ServiceAccount object
serviceAccount: {}
# Kubernetes annotations to apply
# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations:
# Annotations for the ConfigMap
config: {}
# Annotations for the Deployment
deployment: {}
# Annotations for each Pod in the Deployment
pod: {}
# Annotations for the Secret (has no effect when `joinTokenSecret.create` is false)
secret: {}
# Annotations for the ServiceAccount object
serviceAccount: {}
# Extra arguments to pass to 'teleport start' for the main Teleport pod
extraArgs: []
# Extra environment to be configured on the Teleport pod
extraEnv: []
# Extra volumes to mount into the Teleport pods
# https://kubernetes.io/docs/concepts/storage/volumes/
extraVolumes: []
# - name: myvolume
# secret:
# secretName: testSecret
# Extra volume mounts corresponding to the volumes mounted above
extraVolumeMounts: []
# - name: myvolume
# mountPath: /path/on/host
# Pod Host aliases (see https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)
hostAliases: []
# - ip: "127.0.0.1"
# hostnames:
# - "foo.local"
# - "bar.local"
# - ip: "10.1.2.3"
# hostnames:
# - "foo.remote"
# - "bar.remote"
# Allow the imagePullPolicy to be overridden
imagePullPolicy: IfNotPresent
# A list of initContainers to run before each Teleport pod starts
# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers: []
# - name: "teleport-init"
# image: "alpine"
# args: ["echo test"]
# Resources to request for each pod in the deployment
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {}
# requests:
# cpu: "1"
# memory: "2Gi"
# Security context to add to the initContainer
initSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
# Security context to add to other containers
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
# Priority class name to add to the deployment
priorityClassName: ""
# Tolerations for pod assignment
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Timeouts for the readiness and liveness probes
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
probeTimeoutSeconds: 1