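################################################################
# Values that must always be provided by the user.
################################################################

# Join token for the cluster. `joinParams` can also pass the join token,
# but supports more join methods and takes precedence if set.
# NOTE(review): this is a plaintext join credential stored in a values file.
# If this file is committed or shared, treat the token as exposed and rotate
# it. Prefer keeping the token out of the file: supply it at install time
# (e.g. `helm ... --set authToken=<token>`) or pre-create the
# "teleport-kube-agent-join-token" Secret and point `joinParams.tokenName` /
# `joinTokenSecret` (below) at it.
authToken: "36ce3b30a201d5c3fecaa0d97d57cc80"

# Address of the teleport proxy with port (usually :3080).
# This deployment reaches the proxy on port 443 rather than the usual :3080.
proxyAddr: "teleport.ipa.champion:443"

# Comma-separated list of roles to enable (any of: kube,db,app)
# Only Kubernetes access is enabled here; the app and database sections
# below only take effect once "app" or "db" is added to this list.
roles: "kube"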
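################################################################
# Values that must be provided if IAM or EC2 joining is enabled.
################################################################

# Specify how to join the Teleport cluster
joinParams:
  # Supported join methods are "token", "ec2", "iam".
  # method "token", is equivalent to using authToken to join a cluster
  method: "token"

  # Leave empty only when method is "token" and the secret
  # "teleport-kube-agent-join-token" has been created before and
  # contains a valid join token.
  # Left empty here; with method "token" the token presumably comes from
  # `authToken` or the chart-managed Secret — confirm against the chart
  # templates before relying on it.
  tokenName: ""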
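################################################################
# Values that must be provided if Kubernetes access is enabled.
################################################################

# Name for this kubernetes cluster to be used by teleport users.
# This is the name users will see and target with `tsh`; it must be unique
# within the Teleport cluster.
kubeClusterName: "homeCluster"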
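################################################################
# Values that must be provided if Application access is enabled.
################################################################

# At least one of 'apps', 'appResources' must be provided
# when application access is enabled. See the README for more details.

# Details of at least one app to be proxied. Example:
# apps:
#   - name: grafana
#     uri: http://localhost:3000
apps: []

# Dynamic application configuration mode. Example:
# appResources:
#   - labels:
#       "*": "*"
# Note that the "*": "*" selector in the example matches every app resource;
# narrow the labels in a real deployment.
appResources: []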
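################################################################
# Values that must be provided if Database access is enabled.
################################################################

# At least one of 'databases', 'awsDatabases', 'azureDatabases', or 'databaseResources' must be provided
# when database access is enabled. See the README for more details.

# Database auto-discovery mode (AWS)
# Details of at least one awsDatabase discovery pattern to be discovered
# and proxied. Example:
# awsDatabases:
#   - types: ["rds"]
#     regions: ["us-east-1"]
#     tags:
#       "environment": "production"
awsDatabases: []

# Database auto-discovery mode (Azure)
# Details of at least one azureDatabase discovery pattern to be discovered
# and proxied. Example:
# azureDatabases:
#   - types: ["mysql", "postgres"]
#     tags:
#       "environment": "production"
#     regions: ["eastus", "centralus"]
#     subscriptions: ["subID1", "subID2"]
#     resource_groups: ["group1", "group2"]
# Note that regions, subscriptions, and resource_groups are optional, and by default
# the pattern for these selectors is ["*"] which will match all regions, subscriptions, or resource groups.
azureDatabases: []

# Manual database configuration mode
# Details of at least one database to be proxied. Example:
# databases:
#   - name: aurora
#     uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
#     protocol: "postgres"
#     static_labels:
#       env: "prod"
databases: []

# Dynamic database configuration mode. Example:
# databaseResources:
#   - labels:
#       "*": "*"
# Note that the "*": "*" selector in the example matches every database
# resource; narrow the labels in a real deployment.
databaseResources: []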
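################################################################
# Values that you may need to change.
################################################################

# Version of teleport image, if different from chart version in Chart.yaml.
# DANGER: `teleportVersionOverride` MUST NOT be used to control the Teleport version.
# This chart is designed to run a specific teleport version (see Chart.yaml).
# You will face compatibility issues trying to run a different Teleport version with it.
#
# If you want to run Teleport version X, you should use `helm --version X` instead.
# Left empty so the image tag follows the chart version.
teleportVersionOverride: ""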
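# Optional CA pins of the auth server. This enables a more secure way of
# adding new nodes to a cluster. See "Adding Nodes to the Cluster"
# (https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster).
# Each list element can be the pin itself (recommended), or a path to a file
# containing the pin. For the latter it is your responsibility to mount
# the file, using extraVolumes.
# No pins are configured here, so the agent relies on proxy TLS verification
# alone when joining; adding the auth server's pin is a cheap hardening step.
caPin: []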
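# When set to true, the agent will skip the verification of proxy TLS
# certificate.
# Keep this false. If the proxy presents a certificate from a private CA,
# trust that CA via `tls.existingCASecretName` instead of disabling
# verification.
insecureSkipProxyTLSVerify: false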
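# Set enterprise to true to use enterprise image.
# false selects `image`; true selects `enterpriseImage` (both defined below).
enterprise: false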
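# teleportConfig contains additional teleport configuration
# The configuration will be merged with the chart-generated configuration
# and will take precedence in case of conflict
# Empty map: no overrides to the generated teleport.yaml.
teleportConfig: {}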
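# Settings for mounting your own TLS material in the agent pod.
# The agent does not expose a TLS server, so this is only used to trust CAs.
tls:
  # Name of an existing secret to use which contains a CA or trust bundle in x509 PEM format.
  # This is useful to trust private CAs.
  # This will automatically set the SSL_CERT_FILE environment variable to trust the CA.
  # Create the secret with `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem`
  # The filename inside the secret is important - it _must_ be ca.pem
  # Empty here: the proxy certificate must chain to a CA already in the
  # image's trust store.
  existingCASecretName: ""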
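# Settings for the optional kube-agent updater sidecar/deployment.
updater:
  # Disabled: the agent version is pinned to the chart version and only
  # changes on a manual `helm upgrade`.
  enabled: false
  # `updater.versionServer` is the URL of the version server the agent fetches
  # the target version from. The complete version endpoint is built by
  # concatenating `versionServer` and `releaseChannel`.
  versionServer: "https://updates.releases.teleport.dev/v1/"
  # Release channel the agent subscribes to.
  releaseChannel: "stable/cloud"
  # Updater image (tag is supplied by the chart, not set here).
  image: public.ecr.aws/gravitational/teleport-kube-agent-updater
  serviceAccount:
    # service account name defaults to "<kube agent sa name>-updater"
    name: ""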
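# If set, will use an existing volume mounted via extraVolumes
# as the Teleport data directory.
# If anything is set under the "storage" key, this will be ignored.
existingDataVolume: ""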
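# If true, create & use Pod Security Policy resources
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
# WARNING: the PSP won't be deployed for Kubernetes 1.23 and higher.
# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
podSecurityPolicy:
  # Enabled here, but per the warning above this has no effect on
  # Kubernetes 1.23+; use Pod Security Admission (namespace labels) there.
  enabled: true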
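# Labels is a map of key values pairs about this cluster
# These are Teleport resource labels (used for RBAC matching), not
# Kubernetes object labels — see `extraLabels` for those.
labels:
  teleport.internal/resource-id: badd4bc3-ca45-4456-b2f9-513ec8e8bcbc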
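# Settings for high availability.
highAvailability:
  # Set to >1 for a high availability mode where multiple Teleport agent pods will be deployed.
  replicaCount: 1
  # Setting 'requireAntiAffinity' to true will use 'requiredDuringSchedulingIgnoredDuringExecution' to require that multiple Teleport pods must not be scheduled on the
  # same physical host. This will result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.
  # Setting 'requireAntiAffinity' to false (the default) uses 'preferredDuringSchedulingIgnoredDuringExecution' to make this a soft requirement.
  # This setting only has any effect when replicaCount is greater than 1.
  requireAntiAffinity: false
  # If enabled will create a Pod Disruption Budget
  # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  podDisruptionBudget:
    enabled: false
    # With replicaCount 1, enabling this with minAvailable 1 would block
    # voluntary disruptions (e.g. node drains) of the single pod.
    minAvailable: 1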
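# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1)
# This CRD is managed by the prometheus-operator and allows workload to
# get monitored. To use this value, you need to run a `prometheus-operator`
# in the cluster for this value to take effect.
# See https://prometheus-operator.dev/docs/prologue/introduction/
podMonitor:
  # Whether the chart should deploy a PodMonitor.
  # Disabled by default as it requires the PodMonitor CRD to be installed.
  enabled: false
  # additionalLabels to put on the PodMonitor.
  # This is used to be selected by a specific prometheus instance.
  additionalLabels: {}
  # interval is the interval between two metrics scrapes. Defaults to 30s
  interval: 30s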
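################################################################
# Values that must be provided if using persistent storage for Teleport.
#
# Assigning a persistent volume to Teleport agent allows the agent to keep session recordings when the pod is restarted if `session_recording` is set to `node` or `proxy`.
# The security association between the agent and the Teleport is no longer stored in PV, instead it is stored in a Kubernetes Secret so that the agent does not require PV
# to survive restarts and rotations while using short-lived joining tokens.
#
# Fields:
#   enabled: Set to true to enable the use of Persistent volumes.
#   storageClassName: The name of the kubernetes storage class to use when creating volumes. See https://kubernetes.io/docs/concepts/storage/storage-classes/
#   requests: The size of the volume to request from the persistent storage system
################################################################
storage:
  # Disabled: session recordings buffered on the pod are lost on restart.
  enabled: false
  # Empty string selects the cluster's default storage class.
  storageClassName: ""
  requests: 128Mi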
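# Settings for configuring a cluster admin role binding.
# This is useful for granting cluster admin permissions to a Kubernetes Group
# other than the default "system:masters" group.
# GKE Autopilot clusters forbid using the "system:masters" group for impersonation
# and require a custom group to be used instead.
adminClusterRoleBinding:
  # Disabled: no extra ClusterRoleBinding is created. Enabling this grants
  # cluster-admin to the impersonated group, so review who maps to it first.
  create: false
  name: "cluster-admin"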
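################################################################
# Values that you shouldn't need to change.
################################################################

# Container image for the cluster.
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport`. Those images will be
# removed with teleport 14.
image: public.ecr.aws/gravitational/teleport-distroless

# Enterprise version of the image
# Since version 13, hardened distroless images are used by default.
# You can use the deprecated debian-based images by setting the value to
# `public.ecr.aws/gravitational/teleport-ent`. Those images will be
# removed with teleport 14.
enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless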
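# Optional array of imagePullSecrets, to use when pulling from a private registry
imagePullSecrets: []
#   - name: myRegistryKeySecretName

# Number of replicas for the agent deployment.
# DEPRECATED Use highAvailability:replicaCount instead
# replicaCount: 1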
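# (optional) Override the name of the ClusterRole used by the agent's service account.
clusterRoleName: ""

# (optional) Override the name of the ClusterRoleBinding used by the agent's service account.
clusterRoleBindingName: ""

# (optional) Override the name of the Role used by the agent's service account for Secret access.
roleName: ""

# (optional) Override the name of the RoleBinding used by the agent's service account.
roleBindingName: ""

# (optional) Override the name of the service account used by the agent.
# DEPRECATED Use serviceAccount:name instead
serviceAccountName: ""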
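# (optional) Kubernetes service account to create/use.
serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: true
  # The name of the ServiceAccount to use.
  # If not set and serviceAccount.create is true, the name is generated using the release name.
  # If create is false, the name will be used to reference an existing service account.
  name: ""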
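# Set to true (default) to create Kubernetes ClusterRole and ClusterRoleBinding.
rbac:
  # Specifies whether a ClusterRole and ClusterRoleBinding should be created.
  # Set to false if your cluster level resources are managed separately.
  create: true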
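# Name of the Secret to store the teleport join token.
# DEPRECATED Use joinTokenSecret.name instead
secretName: ""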
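# Manages the join token secret creation and its name.
joinTokenSecret:
  # create controls whether the Helm chart should create and manage the join token
  # secret.
  # If false, the chart assumes that the secret with the configured name already exists at the
  # installation namespace.
  # Setting this to false and creating the Secret out-of-band is the way to
  # keep the join token out of this values file.
  create: true
  # Name of the Secret to store the teleport join token.
  name: teleport-kube-agent-join-token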
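# Teleport logging configuration
log:
  # Log level for the Teleport process.
  # Available log levels are: DEBUG, INFO, WARNING, ERROR.
  # The default is INFO, which is recommended in production.
  # DEBUG is useful during first-time setup or to see more detailed logs for debugging.
  level: INFO
  # Log output
  # Use a file path to log to disk: e.g. '/var/lib/teleport/teleport.log'
  # Other supported values: 'stdout', 'stderr' and 'syslog'
  output: stderr
  # Log format configuration
  # Possible output values are 'json' and 'text' (default).
  # 'json' is easier for log pipelines/SIEM ingestion to parse.
  format: text
  # Possible extra_fields values include: timestamp, component, caller, and level.
  # All extra fields are included by default.
  extraFields: ["timestamp", "level", "component", "caller"]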
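##################################
# Extra Kubernetes configuration #
##################################

# Affinity for pod assignment
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}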
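# Pod's DNS Configuration
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
# This value is useful if you need to reduce the DNS load: set "ndots" to 0 and only use FQDNs.
dnsConfig: {}
#   nameservers:
#     - 1.2.3.4
#   searches:
#     - ns1.svc.cluster-domain.example
#     - my.dns.search.suffix
#   options:
#     - name: ndots
#       value: "2"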
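# Pod's DNS Policy
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
# Empty string leaves the pod on the Kubernetes default policy.
dnsPolicy: ""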
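# nodeSelector to apply for pod assignment
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
nodeSelector: {}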
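# Kubernetes labels to apply
# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
extraLabels:
  # Labels for the Cluster Role
  clusterRole: {}
  # Labels for the Cluster Role Binding
  clusterRoleBinding: {}
  # Labels for the Role
  role: {}
  # Labels for the Role Binding
  roleBinding: {}
  # Labels for the ConfigMap
  config: {}
  # Labels for the Deployment/StatefulSet
  deployment: {}
  # Labels for each Pod in the Deployment/StatefulSet
  pod: {}
  # Labels for the Pod Disruption Budget (ignored when disabled)
  podDisruptionBudget: {}
  # Labels for the Pod Security Policy (ignored when disabled)
  podSecurityPolicy: {}
  # Labels for the Secret (ignored when disabled)
  secret: {}
  # Labels for the ServiceAccount object
  serviceAccount: {}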
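# Kubernetes annotations to apply
# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations:
  # Annotations for the ConfigMap
  config: {}
  # Annotations for the Deployment
  deployment: {}
  # Annotations for each Pod in the Deployment
  pod: {}
  # Annotations for the Secret (has no effect when `joinTokenSecret.create` is false)
  secret: {}
  # Annotations for the ServiceAccount object
  serviceAccount: {}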
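# Extra arguments to pass to 'teleport start' for the main Teleport pod
extraArgs: []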
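# Extra environment to be configured on the Teleport pod
# Entries are plain container env items; reference Secrets via valueFrom
# rather than placing credentials here in clear text.
extraEnv: []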
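# Extra volumes to mount into the Teleport pods
# https://kubernetes.io/docs/concepts/storage/volumes/
extraVolumes: []
#   - name: myvolume
#     secret:
#       secretName: testSecret

# Extra volume mounts corresponding to the volumes mounted above
extraVolumeMounts: []
#   - name: myvolume
#     mountPath: /path/on/host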
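# Pod Host aliases (see https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)
hostAliases: []
#   - ip: "127.0.0.1"
#     hostnames:
#       - "foo.local"
#       - "bar.local"
#   - ip: "10.1.2.3"
#     hostnames:
#       - "foo.remote"
#       - "bar.remote"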
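# Allow the imagePullPolicy to be overridden
# IfNotPresent reuses a cached image of the same tag; fine while the chart
# pins a versioned tag, unsafe if a mutable tag is ever used.
imagePullPolicy: IfNotPresent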
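# A list of initContainers to run before each Teleport pod starts
# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers: []
#   - name: "teleport-init"
#     image: "alpine"
#     args: ["echo test"]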
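# Resources to request for each pod in the deployment
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
# Empty: no requests/limits, so the pod runs with BestEffort QoS and is the
# first to be evicted under node pressure.
resources: {}
#   requests:
#     cpu: "1"
#     memory: "2Gi"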
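# Security context to add to the initContainer
initSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      # NOTE(review): the Pod Security Standards "restricted" profile expects
      # the literal `ALL`; confirm lowercase `all` is accepted by your
      # admission controller and container runtime.
      - all
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 9807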
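# Security context to add to other containers
# Mirrors initSecurityContext; keep the two in sync when tightening either.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      # NOTE(review): the Pod Security Standards "restricted" profile expects
      # the literal `ALL`; confirm lowercase `all` is accepted by your
      # admission controller and container runtime.
      - all
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 9807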
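# Priority class name to add to the deployment
priorityClassName: ""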
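# Tolerations for pod assignment
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []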
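# Timeouts for the readiness and liveness probes
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
# A 1-second timeout is tight; raise it if the agent is restarted by the
# liveness probe on a loaded node.
probeTimeoutSeconds: 1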