################################################################
# Values that must always be provided by the user.
################################################################
# roles(string) -- is a comma-separated list of services which will be enabled
# when running the `teleport-kube-agent` chart.
#
# | Services | Value for `roles` | Mandatory additional settings for this role |
# |------------------------------|-------------------|---------------------------------------------|
# | Teleport Kubernetes service | `kube` | [`kubeClusterName`](#kubeclustername) |
# | Teleport Application service | `app` | [`apps`](#apps) or [`appResources`](#appresources) |
# | Teleport Database service | `db` | [`databases`](#databases) or [`databaseResources`](#databaseresources) |
# | Teleport Discovery service | `discovery` | [`kubeClusterName`](#kubeclustername) |
# | Teleport Jamf service | `jamf` | [`jamfApiEndpoint`](#jamfapiendpoint), [`jamfClientId`](#jamfclientid) |
#
# For example:
# ```yaml
# roles: kube,app,discovery
# ```
roles: "kube"
# proxyAddr(string) -- provides the public-facing Teleport Proxy Service endpoint
# which should be used to join the cluster. This is the same URL used to access
# the web UI of your Teleport cluster. The port used is usually either 3080 or 443.
#
# Here are a few examples:
#
# | Deployment method | Example `proxy_service.public_addr` |
# |-------------------------------|-------------------------------------|
# | On-prem Teleport cluster | `teleport.example.com:3080` |
# | Teleport Cloud cluster | `example.teleport.sh:443` |
# | `teleport-cluster` Helm chart | `teleport.example.com:443` |
proxyAddr: ""
# enterprise(bool) -- controls if the `teleport-kube-agent` chart should deploy
# the OSS version or the enterprise version of the container image.
# This must be set to `true` when connecting to Teleport Cloud or self-hosted
# Teleport Enterprise clusters to allow the agent to leverage enterprise features.
enterprise: false
# authToken(string) -- provides a Teleport join token which will be used to join
# the Teleport instance to a Teleport cluster. `authToken` only supports the `token`
# join method.
#
# For other methods such as `kubernetes`, `iam` or `gcp`, the value
# [`joinParams`](#joinParams) should be used as it supports more methods to
# join the Teleport cluster. `joinParams` takes precedence if both `authToken`
# and `joinParams` are set.
#
# A token must be specified for the agent to join the Teleport cluster, either
# via `authToken`, [`joinParams`](#joinparams), or
# [an existing Kubernetes Secret](#joinTokenSecret).
#
# The token used must at least grant the required system roles. For example, if
# the chart [`roles`](#roles) is `kube,app`, the token should allow the system
# roles `App` and `Kube`.
authToken: ""
# joinParams -- controls how the Teleport agent joins the Teleport cluster.
# These sub-values must be configured for the agent to connect to a cluster.
#
# This value serves the same purpose as [`authToken`](#authToken) but supports
# all join methods. When set, it takes precedence over `authToken`.
# Its usage should be preferred.
joinParams:
# joinParams.method(string) -- controls which join method will be used by the
# instance to join the Teleport cluster.
#
# See [the join method reference](../../join-methods.mdx) for the list of possible
# values, the implications of each join method, and guides to set up each method.
#
# Common join-methods for the `teleport-kube-agent` are:
# - `token`: the most basic one, with regular ephemeral secret tokens
# - `kubernetes`: either the `in-cluster` variant (if the agent runs in the
# same Kubernetes cluster as the `teleport-cluster` chart) or the `JWKS`
# variant (works in every Kubernetes cluster, regardless of the Teleport Auth
# Service location).
method: "token"
# joinParams.tokenName(string) -- controls which token is used by the agent to
# join the Teleport cluster.
#
# When `joinParams.method` is [a delegated join method](../../join-methods.mdx#delegated-join-methods),
# the value is not sensitive.
#
# When `joinParams.method` is `token` (by default), `joinParams.tokenName`
# contains the secret token itself. In this case, the value is sensitive and
# is automatically stored in a Kubernetes Secret instead of being directly
# included in the agent's configuration.
#
# If method is `token`, `joinParams.tokenName` can be empty if the token
# is provided through an existing Kubernetes Secret, see
# [`joinTokenSecret`](#joinTokenSecret) for more details and instructions.
tokenName: ""
################################################################
# Values that must be provided if Kubernetes access is enabled.
################################################################
# kubeClusterName(string) -- sets the name used for the Kubernetes cluster proxied by
# the Teleport agent. This name will be shown to Teleport users connecting to
# the cluster.
#
# This setting is required if the chart `roles` contains `kube`.
kubeClusterName: ""
################################################################
# Values that must be provided if Application access is enabled.
################################################################
# apps(list) -- is a static list of applications that should be proxied by
# the agent. See [the Teleport Application access documentation](../../../enroll-resources/application-access/introduction.mdx)
# for more details.
#
# Proxied applications can be defined statically (through this value) or dynamically
# (through the [`appResources`](#appResources) value).
# One of `apps` and `appResources` is required if the chart `roles` contains `app`.
#
# You can specify multiple apps by adding elements to the list.
# For example:
#
# ```yaml
# apps:
# - name: grafana
# uri: http://localhost:3000
# labels:
# purpose: monitoring
# - name: jenkins
# uri: http://jenkins:8080
# labels:
# purpose: ci
# ```
#
#
# You can see a list of all the supported values that can be used in a Teleport
# Application Service configuration in the [Application Service Configuration
# Reference](../../../enroll-resources/application-access/reference.mdx#configuration).
#
apps: []
# appResources(list) -- is a set of labels the agent will monitor. Any application
# matching those labels will be proxied by the agent. See [the Teleport
# Application access documentation](../../../enroll-resources/application-access/introduction.mdx)
# for more details.
#
# Proxied applications can be defined statically (through [`apps`](#apps)) or
# dynamically (through this value).
# One of `apps` and `appResources` is required if the chart `roles` contains `app`.
#
# You can specify multiple selectors by including additional list elements.
# For example:
# ```yaml
# appResources:
# - labels:
# "env": "prod"
# - labels:
# "env": "test"
# ```
#
#
# Once `appResources` is set, you can dynamically register application with
# `tsh` by following [the Dynamic App Registration guide](../../../enroll-resources/application-access/guides/dynamic-registration.mdx).
#
appResources: []
# clusterDomain(string) -- sets the domain name used by the Kubernetes cluster. This value is used to build the
# FQDN application URIs. For example, if the cluster domain is `anything.local`, the agent will proxy the application
# `myapp` running in the `default` namespace at `http://myapp.default.svc.anything.local`. You must manually set this value
# to match your cluster domain if it is different from the default value `cluster.local`.
clusterDomain: "cluster.local"
################################################################
# Values that must be provided if Database access is enabled.
################################################################
# At least one of the `databases`, `awsDatabases`, `azureDatabases`, or
# `databaseResources` values must be set when database access is enabled.
# awsDatabases(list) -- configures AWS database auto-discovery.
#
#
# For AWS database auto-discovery to work, your Database Service pods will need to use a role which has appropriate IAM permissions as per the [database documentation](../../../enroll-resources/database-access/enroll-aws-databases/rds.mdx#step-36-create-iam-policies-for-teleport).
# After configuring a role, you can use an `eks.amazonaws.com/role-arn` annotation with the `annotations.serviceAccount` value to associate it with the service account and grant permissions:
#
# ```yaml
# annotations:
# serviceAccount:
# eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role
# ```
#
#
# You can specify multiple database filters by adding elements to the list.
#
# - `types` is a list containing the types of AWS databases that should be discovered.
# - `regions` is a list of AWS regions which should be scanned for databases.
# - `tags` can be used to set AWS tags that must be matched for databases to be discovered.
#
# For example:
# ```yaml
# roles: db
# awsDatabases:
# - types: ["rds"]
# regions: ["us-east-1", "us-west-2"]
# tags:
# "environment": "production"
# - types: ["rds"]
# regions: ["us-east-1"]
# tags:
# "environment": "dev"
# - types: ["rds"]
# regions: ["eu-west-1"]
# tags:
# "*": "*"
# annotations:
# serviceAccount:
# eks.amazonaws.com/role-arn: arn:aws:iam::1234567890:role/my-rds-autodiscovery-role
# ```
awsDatabases: []
# azureDatabases(list) -- configures Azure database auto-discovery.
#
# For Azure database auto-discovery to work, your Database Service pods will need to have appropriate IAM permissions as per the [database documentation](../../../enroll-resources/database-access/enroll-azure-databases/azure-postgres-mysql.mdx#step-35-configure-iam-permissions-for-teleport).
#
# After configuring a service principal with appropriate IAM permissions, you must pass credentials to the pods.
# The easiest way is to use an Azure client secret.
#
# First, create in the chart installation namespace a Kubernetes `Secret` containing the azure client secret:
# ```code
# $ kubectl create secret generic teleport-azure-client-secret --from-literal=client_secret=
# secret/teleport-azure-client-secret created
# ```
#
# Then, use the [`extraEnv`](#extraenv) value to set the pods environment variables:
#
# ```yaml
# extraEnv:
# - name: AZURE_CLIENT_SECRET
# valueFrom:
# secretKeyRef:
# name: teleport-azure-client-secret
# key: client_secret
# optional: false
# - name: AZURE_TENANT_ID
# value: "11111111-2222-3333-4444-555555555555"
# - name: AZURE_CLIENT_ID
# value: "11111111-2222-3333-4444-555555555555"
# ```
#
#
# You can specify multiple database filters by adding elements to the list.
#
# Required fields for each filter:
# - `types` is a list containing the types of Azure databases that should be discovered.
# - `tags` can be used to set Azure resource tags that must be matched for databases to be discovered.
#
# Optional fields for each filter:
# - `regions` is a list of Azure regions which should be scanned for databases.
# - `subscriptions` can be used to discover databases within matching Azure subscriptions.
# - `resource_groups` can be used to discover databases within matching Azure resource groups.
#
# The default for each of these optional settings is `*`, which will auto-discover in all
# subscriptions, regions, or resource groups accessible by the Teleport service
# principal in Azure.
#
# For example:
# ```yaml
# roles: db
# azureDatabases:
# - types: ["mysql", "postgres"]
# tags:
# "*": "*"
# - types: ["mysql"]
# tags:
# "env": ["dev", "staging"]
# "origin": "alice"
# regions: ["eastus", "centralus"]
# subscriptions: ["subID1", "subID2"]
# resource_groups: ["group1", "group2"]
# extraEnv:
# - name: AZURE_CLIENT_SECRET
# valueFrom:
# secretKeyRef:
# name: teleport-azure-client-secret
# key: client_secret
# optional: false
# - name: AZURE_TENANT_ID
# value: "11111111-2222-3333-4444-555555555555"
# - name: AZURE_CLIENT_ID
# value: "11111111-2222-3333-4444-555555555555"
# ```
azureDatabases: []
# databases(list) -- is a static list of databases that should be proxied by
# the agent. See [the Teleport Database access documentation](../../../enroll-resources/database-access/database-access.mdx)
# for more details.
#
# Proxied applications can be defined statically (through this value) or dynamically
# (through the [`databaseResources`](#databaseResources) value).
#
# You can specify multiple databases by adding additional list elements.
#
# `values.yaml` example:
#
# ```yaml
# databases:
# - name: aurora-postgres
# uri: postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432
# protocol: postgres
# aws:
# region: us-east-1
# static_labels:
# env: staging
# - name: mysql
# uri: mysql-instance-1.xxx.us-east-1.rds.amazonaws.com:3306
# protocol: mysql
# aws:
# region: us-east-1
# static_labels:
# env: staging
# ```
#
#
# You can see a list of all the supported [values which can be used in a Teleport database service configuration here](../../../enroll-resources/database-access/reference/configuration.mdx).
#
#
#
# Database CAs can be trusted on a per-database basis.
# You must create a secret containing the database CA certificate in the same namespace as Teleport using a command like:
#
# ```code
# $ kubectl create secret generic my-postgres-ca --from-file=ca.pem=/path/to/database-ca.pem
# ```
#
# Then, deploy the Helm chart with the following values:
#
# ```yaml
# databases:
# - name: my-postgres
# uri: postgres.example.com:5432
# protocol: postgres
# tls:
# ca_cert_file: "/etc/teleport-tls-db/my-postgres/ca.pem"
# extraVolumes:
# - name: my-postgres-ca
# secret:
# secretName: my-postgres-ca
# extraVolumeMounts:
# - name: my-postgres-ca
# mountPath: /etc/teleport-tls-db/my-postgres
# readOnly: true
# ```
#
databases: []
# databaseResources(list) -- is a set of labels the agent will monitor.
# Any database matching those labels will be proxied by the agent. See [the Teleport
# Database access
# documentation](../../../enroll-resources/database-access/database-access.mdx)
# for more details.
#
# Proxied databases can be defined statically (through [`databases`](#databases)) or
# dynamically (through this value).
#
# You can specify multiple selectors by including additional list elements.
# For example:
# ```yaml
# databaseResources:
# - labels:
# "env": "prod"
# "engine": "postgres"
# - labels:
# "env": "test"
# "engine": "mysql"
# ```
#
#
# Once `databaseResources` is set, you can dynamically register database with
# `tsh` by following [this guide](../../../enroll-resources/database-access/guides/dynamic-registration.mdx).
#
databaseResources: []
################################################################
# Values that must be provided for Kubernetes Discovery
################################################################
# kubernetesDiscovery(list) -- controls the Discovery Service configuration
# if it's enabled.
#
# The Discovery Service is enabled when the agent `roles` contains "discovery".
# The Discovery service automatically detects Kubernetes Services and configures
# the agent to provide access to them. See [the Kubernetes App Discovery
# documentation](../../../enroll-resources/auto-discovery/kubernetes-applications/architecture.mdx)
# for more details.
#
#
# The Discovery mechanism ignores Kubernetes services running in the `kube-system` and
# `kube-public` namespaces.
#
# The default value will try to discover all apps running in Kubernetes.
# The discovery can be restricted through this value. For example:
#
# ```yaml
# kubernetesDiscovery:
# - types: ["app"]
# namespaces: [ "toronto", "porto" ]
# labels:
# env: staging
# - types: ["app"]
# namespaces: [ "seattle", "oakland" ]
# labels:
# env: testing
# ```
kubernetesDiscovery:
- types: ["app"]
namespaces: ["*"]
labels:
"*": "*"
################################################################
# Values that must be provided if Jamf service is enabled.
################################################################
# jamfApiEndpoint(string) -- sets the Jamf Pro API endpoint used for Jamf service.
# Example: "https://yourtenant.jamfcloud.com/api".
#
# This setting is required if the chart `roles` contains `jamf`.
jamfApiEndpoint: ""
# jamfClientId(string) -- sets the Jamf Pro API Client ID used for Jamf service.
#
# This setting is required if the chart `roles` contains `jamf`.
jamfClientId: ""
# jamfClientSecret(string) -- sets the Jamf Pro API client secret used for Jamf service.
#
# This setting is required if the chart `roles` contains `jamf` and `jamfCredentialsSecret.create` is set to `true`.
# If you provide your own Kubernetes Secret, this setting can remain unset.
jamfClientSecret: ""
# jamfCredentialsSecret -- manages the Kubernetes Secret containing the Jamf API credentials (either Jamf client secret or password).
jamfCredentialsSecret:
# jamfCredentialsSecret.create(bool) -- controls whether the chart creates the
# Kubernetes `Secret` containing the Jamf Pro API Client Secret.
# If false, you must create a Kubernetes Secret with the configured name in
# the Helm release namespace.
create: true
# jamfCredentialsSecret.name(string) -- is the name of the Kubernetes Secret
# containing the Jamf Pro API Client Secret used by the chart.
#
# If `jamfCredentialsSecret.create` is `false`, the chart will not attempt to create the secret itself.
# Instead, it will read the value from an existing Kubernetes Secret. `jamfCredentialsSecret.name`
# configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext
# Jamf Pro API Client Secret stored in your Teleport chart values.
#
# To create your own Kubernetes Secret containing Jamf Pro API Client Secret, run the command:
#
# ```code
# $ kubectl --namespace teleport create secret generic my-jamf-secret --from-literal=credential=
# ```
#
#
# The key used for the Jamf Pro API Client Secret inside the secret must be `credential`, as in the command above.
#
#
# For example:
#
# ```yaml
# jamfCredentialsSecret:
# create: false
# name: my-jamf-secret
# ```
name: teleport-jamf-api-credentials
################################################################
# Values that you may need to change.
################################################################
# teleportVersionOverride(string) -- controls the Teleport Kubernetes Operator
# image version deployed by the chart.
#
# Normally, the version of the Teleport Kubernetes Operator matches the
# version of the chart. If you install chart version 15.0.0, you'll use
# Teleport version 15.0.0. Upgrading the agent is done by upgrading the chart.
#
#
# `teleportVersionOverride` is intended for development and MUST NOT be
# used to control the Teleport version in a typical deployment. This
# chart is designed to run a specific Teleport version. You will face
# compatibility issues trying to run a different Teleport version with it.
#
# If you want to run Teleport version `X.Y.Z`, you should use
# `helm install --version X.Y.Z` instead.
#
teleportVersionOverride: ""
# caPin(list) -- is a list of CA pins the agent must validate when joining
# the Teleport cluster to ensure it is connecting to the correct Auth Service.
#
# This is only used when joining the Auth Service directly. When joining through
# a Proxy Service, authenticity is guaranteed by the x509 certificate used for
# the TLS connection.
#
# Each list element can be the pin itself (recommended), or a path to a file
# containing the pin. For the latter, it is your responsibility to mount
# the file, using [`extraVolumes`](#extraVolumes).
caPin: []
# insecureSkipProxyTLSVerify(bool) -- disables TLS verification of the TLS
# certificate presented by the Proxy Service.
#
# This can be used for joining a Teleport instance to a Teleport cluster
# which does not have valid TLS certificates for testing.
#
#
# Using a self-signed TLS certificate and disabling TLS verification is OK for testing, but is not viable when running a production Teleport
# cluster as it will drastically reduce security. You must configure valid TLS certificates on your Teleport cluster for production workloads.
#
# One option might be to use Teleport's built-in [ACME support](../teleport-cluster.mdx#acme) or enable [cert-manager support](../teleport-cluster.mdx#highavailabilitycertmanager).
#
insecureSkipProxyTLSVerify: false
# teleportConfig(object) -- contains YAML teleport configuration to pass to the
# Teleport pods. The configuration will be merged with the chart-generated
# configuration and will take precedence in case of conflict.
#
# See the [Teleport Configuration Reference](../../config.mdx) for the list of supported fields.
#
# ```yaml
# teleportConfig:
# app_service:
# debug_app: true
# discovery_service:
# enabled: true
# azure:
# - types: ["aks"]
# tags:
# "*":"*"
# ```
teleportConfig: {}
# tls -- contains settings for mounting your own TLS material in the agent pod.
# The agent does not expose a TLS server, so this is only used to trust CAs.
tls:
# tls.existingCASecretName(string) -- sets the `SSL_CERT_FILE` environment
# variable to load a trusted CA or bundle in PEM format into Teleport pods.
# The injected CA will be used to validate TLS communications, with the Proxy
# Service, with upstream applications or databases.
#
#
# The recommended way to trust a database CA is to do it per-database instead
# of adding the CA to the global Teleport trust store. It allows to trust
# multiple CAs while limiting the trust scope to their specific databases.
# See [the `databases` section](#databases).
#
#
# You must create a secret containing the CA certs in the same namespace as Teleport using a command like:
#
# ```code
# $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
# ```
#
#
# The key containing the root CA in the secret must be `ca.pem`.
#
existingCASecretName: ""
# updater -- controls whether the Kube Agent Updater should be deployed alongside
# the `teleport-kube-agent`. The updater fetches the target version, validates the
# image signature, and updates the teleport deployment. The `enterprise` value should
# have been set to `true`.
#
# All Kubernetes-specific fields such as `tolerations`, `affinity`, `nodeSelector`,
# ... default to the agent values. However, they can be overridden from the
# `updater` object. For example:
#
# ```yaml
# # the agent pod requests 1cpu and 2 GiB of memory. It also has a memory limit.
# resources:
# requests:
# cpu: "1"
# memory: "2Gi"
# limits:
# memory: "2Gi"
#
# # the updater pod requests 0.5 cpu and 512MiB of memory. The memory limit has also been unset.
# updater:
# resources:
# requests:
# cpu: "0.5"
# memory: "512Mi"
# limits: ~
# ```
#
# Other updater-specific values that can be defined in `updater` are described
# below.
updater:
# updater.enabled(bool) -- Enables the Kube Agent Updater and deploys it alongside the Teleport Agent.
# You can enable this when:
#
# - using Teleport Cloud and your tenant is enrolled into automatic updates.
# (You can check this through the web UI, choose `Add Kubernetes` and
# `Enroll New Resource of type Kubernetes`, and check if the value is turned
# on.)
# - using self-hosted Teleport and you maintain your own version server.
#
# You must not enable this when:
#
# - you are a Teleport Cloud customer not enrolled in automatic updates.
# - you are a self-hosted Teleport user and have not set up your Teleport cluster to
# support automatic updates.
enabled: false
# updater.versionServer(string) -- is the URL of the version server the agent
# fetches the target version from. The complete version endpoint is built by
# concatenating [`versionServer`](#updaterversionserver) and [`releaseChannel`
# ](#updaterreleasechannel).
# This field supports gotemplate.
#
# You must set this if the updater is enabled, and you are not a Teleport Cloud user.
#
# You must not change the default values if you are a Teleport Cloud user.
versionServer: "https://{{ .Values.proxyAddr }}/v1/webapi/automaticupgrades/channel"
# updater.releaseChannel(string) -- is the release channel the updater
# subscribes to.
#
# The complete version endpoint is built by concatenating
# [`versionServer`](#updaterversionserver) and [`releaseChannel`](#updaterreleasechannel).
# You must not change the default value if you are a Teleport Cloud user unless
# instructed by Teleport support.
#
# You can change this value if the updater is enabled, you are not a Teleport
# Cloud user, and manage your own version server.
releaseChannel: "stable/cloud"
# updater.image(string) -- sets the container image used for Teleport updater
# pods run when `updater.enabled` is true.
#
# You can override this to use your own Teleport Kube Agent Updater image rather
# than a Teleport-published image.
image: public.ecr.aws/gravitational/teleport-kube-agent-updater
# updater.serviceAccount --
serviceAccount:
# updater.serviceAccount.name(string) -- is the updater Kubernetes Service
# Account name. When unset, it defaults to `-updater`
name: ""
# updater.pullCredentials(string) -- configures how the updater attempts to
# get the image pull credentials used to validate the image signature.
#
# This is not required when pulling images from official public Teleport
# registries (chart's default).
#
# Supported values are `amazon`, `google`, `docker` and `none`.
pullCredentials: ""
# updater.extraArgs(list) -- contains additional arguments to pass to the updater
# binary.
extraArgs: []
# updater.extraVolumes(list) -- contains extra volumes to mount into the Updater pods.
# See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/)
# for more details.
#
# For example:
# ```yaml
# updater:
# extraVolumes:
# - name: myvolume
# secret:
# secretName: testSecret
# ```
extraVolumes: []
# updater.extraVolumeMounts(list) -- contains extra volumes mounts for the updater.
# See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/)
# for more details.
#
# For example:
# ```yaml
# updater:
# extraVolumesMounts:
# - name: myvolume
# mountPath: /path/on/host
# ```
extraVolumeMounts: []
# existingDataVolume(string) -- is the name of an existing Kubernetes Persistent
# Volume that should be mounted at `/var/lib/teleport`.
#
# This is only useful if you had a previous agent running with persistence enabled
# and want for a new agent to reuse the volume.
existingDataVolume: ""
# podSecurityPolicy --
podSecurityPolicy:
# podSecurityPolicy.enabled(bool) -- controls if the chart should deploy a Kubernetes
# PodSecurityPolicy.
#
# By default, Teleport charts used to install a [`podSecurityPolicy`](https://github.com/gravitational/teleport/blob/branch/(=teleport.major_version=)/examples/chart/teleport-cluster/templates/psp.yaml).
#
# PodSecurityPolicy resources (PSP) have been removed in Kubernetes 1.25
# and replaced since 1.23 by PodSecurityAdmission (PSA). If you are running on
# Kubernetes 1.23 or later, it is recommended to disable PSPs and use PSAs.
# The steps are documented in the
# [PSP removal guide](../../../deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp.mdx).
#
# This value will be removed in a future chart version.
enabled: true
# labels(object) -- is the map of key-value pairs that will be applied on the
# Teleport resource representing the Kubernetes cluster. These labels can then
# be used with Teleport's RBAC policies to define access rules for the cluster.
# This is only used when the [`roles`](#roles) contains `kube`.
#
#
# These are Teleport-specific RBAC labels, not Kubernetes labels.
#
#
#
# For historical/backwards compatibility reasons, these labels will only be applied to the Kubernetes cluster being joined via the
# Teleport Kubernetes service.
#
# To set labels for applications, add a `labels` element to the [`apps`](#apps) section.
# To set labels for databases, add a `static_labels` element to the [`databases`](#databases) section.
#
# For more information on how to set static/dynamic labels for Teleport services, see [labelling nodes and applications](../../../management/admin/labels.mdx).
#
#
# For example:
#
# ```yaml
# labels:
# environment: production
# region: us-east
# ```
labels: {}
# highAvailability -- contains settings controlling the availability of the
# Teleport agent deployed by the chart.
#
# The availability can be increased by:
# - running more replicas with `replicaCount`
# - requiring that the Pods are not scheduled on the same Kubernetes Node with `requireAntiAffinity`
# - by asking Kubernetes not to delete all pods at the same time with `podDisruptionBudget`.
#
# Even with highAvailability settings Restarting/rolling-out pods can still cause
# disruption for established long-lived sessions, like `kubectl exec` or
# database shells.
highAvailability:
# highAvailability.replicaCount(int) -- is the number of agent replicas deployed by the Chart.
#
# Set to a number higher than `1` for a high availability mode where multiple Teleport pods will be deployed.
#
#
# As a rough guide, we recommend configuring one replica per distinct
# availability zone where your cluster has worker nodes.
#
# 2 replicas/availability zones will be fine for smaller workloads. 3-5
# replicas/availability zones will be more appropriate for bigger
# clusters with more traffic.
#
#
# When adding new replicas to an existing agent, you must ensure the provided token
# (via [`authToken`](#authToken), [`joinParams`](#joinParams), or [`joinTokenSecret`](#joinTokenSecret))
# is still valid. Each replica has its own identity and needs to join the Teleport
# cluster on its first startup.
replicaCount: 1
# highAvailability.requireAntiAffinity(bool) -- configures Kubernetes `requiredDuringSchedulingIgnoredDuringExecution`
# to require that multiple Teleport pods must not be scheduled on the same physical host.
#
#
# This can result in Teleport pods failing to be scheduled in very small
# clusters or during node downtime, so should be used with caution.
#
#
# Setting `highAvailability.requireAntiAffinity` to `false` (the default)
# uses `preferredDuringSchedulingIgnoredDuringExecution` to make node
# anti-affinity a soft requirement.
#
#
# This setting only has any effect when `highAvailability.replicaCount` is greater than `1`.
#
requireAntiAffinity: false
# highAvailability.podDisruptionBudget -- controls how the chart creates and
# configures a Kubernetes PodDisruptionBudget to ensure Kubernetes does not
# delete all agent replicas at the same time.
podDisruptionBudget:
# highAvailability.podDisruptionBudget.enabled(bool) -- makes the chart create
# a Kubernetes PodDisruptionBudget for the agent pods.
enabled: false
# highAvailability.podDisruptionBudget.minAvailable(int) -- is the minimum
# available pod specified on the PodDisruptionBudget.
minAvailable: 1
# podMonitor -- controls the PodMonitor CR (from monitoring.coreos.com/v1)
# This CRD is managed by the prometheus-operator and allows workload to
# get monitored. To use this value, you need to run a `prometheus-operator`
# in the cluster for this value to take effect.
# See https://prometheus-operator.dev/docs/prologue/introduction/
podMonitor:
# podMonitor.enabled(bool) -- controls if the chart deploys a PodMonitor.
# This is disabled by default as it requires the PodMonitor CRD to be installed.
enabled: false
# podMonitor.additionalLabels(object) -- adds labels on the PodMonitor.
# This is used to be selected by a specific prometheus instance.
#
# For example:
# ```yaml
# podMonitor:
# additionalLabels:
# prometheus: default
# ```
additionalLabels: {}
# podMonitor.interval(string) -- is the interval between two metrics scrapes.
interval: 30s
################################################################
# Values that must be provided if using persistent storage for Teleport.
################################################################
# storage -- controls how the agent stores data in a Kubernetes Persistent Volume.
#
# Since Teleport 12, the agent does not need PV storage to keep its identity across
# restarts: it stores it in a Kubernetes Secret. This means the `teleport-kubernetes-agent`
# can use one-time and short-lived join tokens, it will retain its identity and
# secrets even after a restart.
#
# The main benefit of enabling storage is to persist not-yet-uploaded session
# recordings after Pod termination, when the Teleport session recording mode is
# not synchronous.
storage:
# storage.enabled(bool) -- enables the creation of a Kubernetes persistent
# volume to hold Teleport instance state.
enabled: false
# storage.storageClassName(string) -- controls which Kubernetes StorageClass
# the chart uses when creating Persistent Volume Claims. A StorageClass with
# the provided name must exist on the Kubernetes cluster.
storageClassName: ""
# storage.requests(string) -- is the size of the persistent volume to create.
requests: 128Mi
# adminClusterRoleBinding -- optionally creates a cluster admin role binding.
# This is useful for granting cluster admin permissions to a Kubernetes Group
# other than the default `system:masters` group.
#
# GKE Autopilot clusters forbid using the `system:masters` group for impersonation
# and require a custom group to be used instead.
adminClusterRoleBinding:
# adminClusterRoleBinding.create(bool) -- controls if the chart should create
# an additional admin cluster role binding.
create: false
# adminClusterRoleBinding.name(string) -- is the name of the created admin
# cluster role binding.
name: "cluster-admin"
################################################################
# Values that you shouldn't need to change.
################################################################
# image(string) -- sets the container image used for Teleport OSS agent pods
# created by the chart.
#
# You can override this to use your own Teleport image rather than a Teleport-published image.
#
#
# When using the Teleport Kube Agent Updater, you must ensure the image is
# available before the updater version target gets updated and Kubernetes tries
# to pull the image.
#
# For this reason, it is strongly discouraged to set a custom image when
# using automatic updates. Teleport Cloud uses automatic updates by default.
#
#
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport`. Those images will be
# removed with teleport 15.
#
# This setting only takes effect when [`enterprise`](#enterprise) is `false`.
# When running an enterprise version, you must use
# [`enterpriseImage`](#enterpriseImage) instead.
image: public.ecr.aws/gravitational/teleport-distroless
# enterpriseImage(string) -- sets the container image used for Teleport Enterprise
# agent pods created by the chart.
#
# You can override this to use your own Teleport image rather than a
# Teleport-published image.
#
#
# When using the Teleport Kube Agent Updater you must ensure the image is
# available before the updater version target gets updated and Kubernetes tries
# to pull the image.
#
# For this reason, it is strongly discouraged to set a custom image when
# using automatic updates. Teleport Cloud uses automatic updates by default.
#
#
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
# removed with teleport 15.
#
# This setting only takes effect when [`enterprise`](#enterprise) is `true`.
# When running an enterprise version, you must use [`image`](#image) instead.
enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
# imagePullSecrets(list) -- is a list of secrets containing authorization tokens
# which can be optionally used to access a private Docker registry.
#
# See the [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) for more details.
imagePullSecrets: []
# Number of replicas for the agent deployment.
# DEPRECATED Use highAvailability.replicaCount instead
# replicaCount: 1
# clusterRoleName(string) -- can be optionally used to override the name of the
# Kubernetes `ClusterRole` used by the agent's `ServiceAccount`.
#
#
# Most users will not need to change this.
#
clusterRoleName: ""
# clusterRoleBindingName(string) -- can be optionally used to override the name
# of the Kubernetes `ClusterRoleBinding` used by the agent's `ServiceAccount`.
#
#
# Most users will not need to change this.
#
clusterRoleBindingName: ""
# roleName(string) -- provides a custom name for the `Role` resource that the
# `teleport-kube-agent` chart creates for the Teleport pod. By default, the `Role`
# has the name of the Helm release.
#
# You should set this value if there is a `Role` resource in the namespace of your
# `teleport-kube-agent` resources with the same name as your `teleport-kube-agent`
# release.
roleName: ""
# roleBindingName(string) -- provides a custom name for the `RoleBinding` resource that the
# `teleport-kube-agent` chart creates for the Teleport pod. By default, the
# `RoleBinding` has the name of the Helm release.
#
# You should set this value if there is a `RoleBinding` resource in the namespace
# of your `teleport-kube-agent` resources with the same name as your
# `teleport-kube-agent` release.
roleBindingName: ""
# serviceAccountName(string) -- is deprecated and will be removed in a future
# version. Use [`serviceAccount.name`](#serviceaccountname-1) instead.
serviceAccountName: ""
# serviceAccount -- controls the Kubernetes ServiceAccounts deployed and used by
# the chart.
serviceAccount:
# serviceAccount.create(bool) -- controls whether Helm Chart creates the
# Kubernetes `ServiceAccount` resources for the agent and optionally for the
# updater.
# When off, you are responsible for creating the appropriate ServiceAccount
# resources.
create: true
# serviceAccount.name(string) -- sets the name of the `ServiceAccount` resource
# used by the chart. By default, the `ServiceAccount` has the name of the
# Helm release.
name: ""
# rbac --
rbac:
# rbac.create(bool) -- controls if the chart should create RBAC Kubernetes resources.
#
# - When `true`, the chart creates both `ClusterRole` and `ClusterRoleBinding`
# resources for the agent, and `Role`/`RoleBinding` for the updater if enabled.
# - When `false`, the chart does not create the `Role` and `RoleBinding` resources.
# The user is responsible for deploying and maintaining them separately.
#
# This value can be set to `false` when deploying in constrained environments
# where the user deploying the operator is not allowed to edit RBAC resources.
create: true
# Name of the Secret to store the teleport join token.
# DEPRECATED Use joinTokenSecret.name instead
secretName: ""
# joinTokenSecret -- manages the join token secret creation and its name.
# See the [`joinParams`](#joinParams) section for more details.
joinTokenSecret:
# joinTokenSecret.create(bool) -- controls whether the chart creates the
# Kubernetes `Secret` containing the Teleport join token.
# If false, you must create a Kubernetes Secret with the configured name in
# the Helm release namespace.
create: true
# joinTokenSecret.name(string) -- is the name of the Kubernetes Secret
# containing the Teleport join token used by the chart.
#
# If `joinTokenSecret.create` is `false`, the chart will not attempt to create the secret itself.
# Instead, it will read the value from an existing secret. `joinTokenSecret.name`
# configures the name of this secret. This allows you to configure this secret externally and avoid having a plaintext
# join token stored in your Teleport chart values.
#
# To create your own join token secret, you can use a command like this:
#
# ```code
# $ kubectl --namespace teleport create secret generic my-token-secret --from-literal=auth-token=
# ```
#
#
# The key used for the auth token inside the secret must be `auth-token`, as in the command above.
#
#
# For example:
#
# ```yaml
# joinTokenSecret:
# create: false
# name: my-token-secret
#
# joinParams:
# method: "token"
# tokenName: ""
# ```
name: teleport-kube-agent-join-token
# log -- controls the agent logging.
log:
# log.level(string) -- is the log level for the Teleport process.
# Available log levels are: `DEBUG`, `INFO`, `WARNING`, `ERROR`.
#
# The default is `INFO`, which is recommended in production.
# `DEBUG` is useful during first-time setup or to see more detailed logs for debugging.
level: INFO
# log.output(string) -- sets the output destination for the Teleport process.
# This can be set to any of the built-in values: `stdout`, `stderr` or `syslog`
# to use that destination.
#
# The value can also be set to a file path (such as `/var/log/teleport.log`)
# to write logs to a file. Bear in mind that a few service startup messages
# will still go to `stderr` for resilience.
output: stderr
# log.format(string) -- sets the log output format for the Teleport process.
# Possible values are `text` (default) or `json`.
format: text
# log.extraFields(list) -- sets the fields used in logging for the Teleport process.
#
# See the [Teleport config file reference](../../config.mdx) for
# more details on possible values for `extra_fields`.
extraFields: ["timestamp", "level", "component", "caller"]
##################################
# Extra Kubernetes configuration #
##################################
# affinity(object) -- sets the affinities for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# for more details.
affinity: {}
# dnsConfig(object) -- contains custom Pod DNS Configuration for the agent pods.
# This value is useful if you need to reduce the DNS load: set "ndots" to 0 and
# only use FQDNs to refer to applications and databases.
#
# See [the Kubernetes pod DNS documentation
# ](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config)
# for more information.
#
# For example:
# ```yaml
# nameservers:
# - 1.2.3.4
# searches:
# - ns1.svc.cluster-domain.example
# - my.dns.search.suffix
# options:
# - name: ndots
# value: "2"
# ```
dnsConfig: {}
# dnsPolicy(string) -- sets the Pod's DNS Policy
#
# See [the Kubernetes pod DNS documentation
# ](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy)
# for more information.
dnsPolicy: ""
# nodeSelector(object) -- sets the node selector for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
# for more details.
nodeSelector: {}
# extraLabels -- contains additional Kubernetes labels to apply on the resources
# created by the chart.
# See [the Kubernetes label documentation
# ](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
# for more information.
extraLabels:
# extraLabels.clusterRole(object) -- are labels to set on the ClusterRole.
clusterRole: {}
# extraLabels.clusterRoleBinding(object) -- are labels to set on the ClusterRoleBinding.
clusterRoleBinding: {}
# extraLabels.role(object) -- are labels to set on the Role.
role: {}
# extraLabels.roleBinding(object) -- are labels to set on the RoleBinding.
roleBinding: {}
# extraLabels.config(object) -- are labels to set on the ConfigMap.
config: {}
# extraLabels.deployment(object) -- are labels to set on the Deployment or StatefulSet.
deployment: {}
# extraLabels.job(object) -- are labels to set on the post-delete Job created by the chart.
job: {}
# extraLabels.pod(object) -- are labels to set on the Pods created by the
# Deployment or StatefulSet.
pod: {}
# extraLabels.podDisruptionBudget(object) -- are labels to set on the podDisruptionBudget.
podDisruptionBudget: {}
# extraLabels.podSecurityPolicy(object) -- are labels to set on the podSecurityPolicy.
podSecurityPolicy: {}
# extraLabels.secret(object) -- are labels to set on the Secret.
secret: {}
# extraLabels.serviceAccount(object) -- are labels to set on the ServiceAccount.
serviceAccount: {}
# annotations -- contains annotations to apply to the different Kubernetes
# objects created by the chart. See [the Kubernetes annotation
# documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
# for more details.
annotations:
# annotations.config(object) -- contains the Kubernetes annotations
# put on the `ConfigMap` resource created by the chart.
config: {}
# annotations.deployment(object) -- contains the Kubernetes annotations
# put on the `Deployment` or `StatefulSet` resource created by the chart.
deployment: {}
# annotations.pod(object) -- contains the Kubernetes annotations
# put on the `Pod` resources created by the chart.
pod: {}
# annotations.secret(object) -- contains the Kubernetes annotations
# put on the `Secret` resource created by the chart.
# This has no effect when `joinTokenSecret.create` is `false`.
secret: {}
# annotations.serviceAccount(object) -- contains the Kubernetes annotations
# put on the `ServiceAccount` resource created by the chart.
serviceAccount: {}
# extraArgs(list) -- contains extra arguments to pass to `teleport start` for
# the main Teleport pod
extraArgs: []
# extraEnv(list) -- contains extra environment variables to set in the main
# Teleport pod.
#
# For example:
# ```yaml
# extraEnv:
# - name: HTTPS_PROXY
# value: "http://username:password@my.proxy.host:3128"
# ```
extraEnv: []
# extraContainers(list) -- contains extra containers to add in the main Teleport
# pod.
#
# For example:
# ```yaml
# extraContainers:
# - name: debug-sidecar
# command:
# - busybox
# - sh
# - -c
# - "echo waiting && sleep infinity"
# image: busybox:latest
# imagePullPolicy: IfNotPresent
# securityContext:
# privileged: true
# runAsNonRoot: false
# ```
extraContainers: []
# extraVolumes(list) -- contains extra volumes to mount into the Teleport pods.
# See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/)
# for more details.
#
# For example:
# ```yaml
# extraVolumes:
# - name: myvolume
# secret:
# secretName: testSecret
# ```
extraVolumes: []
# extraVolumeMounts(list) -- contains extra volumes mounts for the main Teleport container.
# See [the Kubernetes volume documentation](https://kubernetes.io/docs/concepts/storage/volumes/)
# for more details.
#
# For example:
# ```yaml
# extraVolumesMounts:
# - name: myvolume
# mountPath: /path/on/host
# ```
extraVolumeMounts: []
# hostAliases -- sets Host aliases in the Teleport Pod.
# See [the Kubernetes hosts file documentation](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)
# for more details.
#
# For example:
# ```yaml
# hostAliases:
# - ip: "127.0.0.1"
# hostnames:
# - "foo.local"
# - "bar.local"
# - ip: "10.1.2.3"
# hostnames:
# - "foo.remote"
# - "bar.remote"
# ```
hostAliases: []
# imagePullPolicy(string) -- sets the pull policy for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#updating-images)
# for more details.
imagePullPolicy: IfNotPresent
# initContainers(list) -- sets the Teleport Pod's init-containers.
# See [the Kubernetes init-container documentation](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/)
# for more details.
#
# For example:
# ```yaml
# initContainers:
# - name: "teleport-init"
# image: "alpine"
# args: ["echo test"]
# ```
initContainers: []
# resources(object) -- sets the resource requests/limits for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
# for more details.
resources: {}
# initSecurityContext(object) -- sets the init container security context for any
# pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
# for more details.
#
# The default value is compatible with [the restricted PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
#
# To unset the security context, set it to `null` or `~`.
initSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
seccompProfile:
type: RuntimeDefault
# securityContext(object) -- sets the container security context for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
# for more details.
#
# The default value is compatible with [the restricted PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
#
# To unset the security context, set it to `null` or `~`.
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 9807
seccompProfile:
type: RuntimeDefault
# podSecurityContext(object) -- sets the pod security context for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# for more details.
#
# To unset the security context, set it to `null` or `~`.
podSecurityContext:
fsGroup: 9807
# priorityClassName(string) -- sets the priority class used by any pods created by the chart.
# The user is responsible for creating the `PriorityClass` resource before deploying the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)
# for more details.
priorityClassName: ""
# tolerations(list) -- sets the tolerations for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
# for more details.
tolerations: []
# probeTimeoutSeconds(int) -- sets the timeout for the readiness and liveness probes
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
probeTimeoutSeconds: 1