charts/teleport-cluster-15.3.7/charts/teleport-operator/values.yaml

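# enabled(bool) -- controls if the operator should be enabled and deployed.
#
# - When `true`, the chart creates both the `CustomResourceDefinition` and operator `Deployment` Kubernetes resources.
# - When `false`, the chart creates the `CustomResourceDefinition` resources without the operator `Deployment`.
enabled: true
# installCRDs(string) -- controls if the chart should install the CRDs.
# There are 3 possible values: dynamic, always, never.
#
# - "dynamic" means the CRDs are installed if the operator is enabled or if
# the CRDs are already present in the cluster. The presence check is here to
# avoid removing every CRD when you temporarily disable the operator.
# Removing CRDs triggers a cascading deletion, which removes the CRs and all
# the related resources in Teleport.
# - "always" means the CRDs are always installed
# - "never" means the CRDs are never installed
installCRDs: "dynamic"
# teleportAddress(string) -- is the address of the Teleport cluster whose resources
# are managed by the operator. The address must contain both the domain name and
# the port of the Teleport cluster. It can be either the address of the Auth Service
# or the Proxy Service.
#
# For example:
# - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
# - joining an Auth: `teleport-auth.example.com:3025`
# - joining a Cloud-hosted Teleport: `example.teleport.sh:443`
teleportAddress: ""
# caPins(list[string]) -- is a list of Teleport CA fingerprints that is used by the operator to
# validate the identity of the Teleport Auth server. This is only used when joining
# an Auth server directly (on port `3025`) and is ignored when joining through a Proxy
# (port `443` or `3080`).
#
# NOTE(review): when joining the Auth Service directly, an empty list leaves the
# operator with no pin to check the Auth CA against on that path — confirm the
# expected pins against the Teleport join documentation before going to production.
caPins: []
# joinMethod(string) -- describes how the Teleport Kubernetes Operator joins the Teleport cluster.
# The operator does not store its Teleport-issued identity, so it must be able to join the
# cluster again on each pod restart. To achieve this, it needs to use a delegated join
# method. `kubernetes` is the most common one.
joinMethod: "kubernetes"
# teleportClusterName(string) -- is the name of the joined Teleport cluster.
# Setting this value is required when joining via the
# [Kubernetes JWKS](../../join-methods.mdx#kubernetes-jwks) join method.
teleportClusterName: ""
# token(string) -- is the name of the token used by the operator to join the Teleport cluster.
#
# The token is a join credential: prefer supplying it at install time (for example
# with `--set`) or from a values file kept out of version control rather than
# committing it here.
token: ""
# teleportVersionOverride(string) -- controls the Teleport Kubernetes Operator
# image version deployed by the chart.
#
# Normally, the version of the Teleport Kubernetes Operator matches the
# version of the chart. If you install chart version 15.0.0, you'll use
# Teleport Kubernetes Operator version 15.0.0. Upgrading the operator is
# done by upgrading the chart.
#
# <Admonition type="warning">
# `teleportVersionOverride` is intended for development and MUST NOT be
# used to control the Teleport version in a typical deployment. This
# chart is designed to run a specific Teleport version. You will face
# compatibility issues trying to run a different Teleport version with it.
#
# If you want to run Teleport version `X.Y.Z`, you should use
# `helm install --version X.Y.Z` instead.
#
# </Admonition>
teleportVersionOverride: ""
# nameOverride(string) -- overrides the chart name used to build resource names.
nameOverride: ""
# fullNameOverride(string) -- overrides the full release name used to build resource names.
fullNameOverride: ""
# image(string) -- sets the container image used for Teleport Kubernetes Operator
# pods run by the chart.
#
# You can override this to use your own Teleport Kubernetes Operator
# image rather than a Teleport-published image.
#
# Only the image repository is set here; the tag presumably follows the chart
# version (see `teleportVersionOverride`). If you mirror the image, keep the
# mirror's tag in step with the chart version.
image: public.ecr.aws/gravitational/teleport-operator
# annotations -- groups the Kubernetes annotations added to the resources
# created by the chart.
annotations:
  # annotations.deployment(object) -- contains the Kubernetes annotations
  # put on the `Deployment` resource created by the chart.
  deployment: {}
  # annotations.pod(object) -- contains the Kubernetes annotations
  # put on the `Pod` resources created by the chart.
  pod: {}
  # annotations.serviceAccount(object) -- contains the Kubernetes annotations
  # put on the `ServiceAccount` resource created by the chart.
  serviceAccount: {}
# serviceAccount -- configures the Kubernetes `ServiceAccount` used by the operator pods.
serviceAccount:
  # serviceAccount.create(bool) -- controls if the chart should create the Kubernetes
  # `ServiceAccount` resource for the operator.
  #
  # - When `true`, the chart creates a `ServiceAccount` resource for the operator.
  # - When `false`, the chart does not create the `ServiceAccount` resource.
  # The user is responsible for deploying and maintaining it separately.
  #
  # This value can be set to `false` when deploying in constrained environments
  # where the user deploying the operator is not allowed to edit `ServiceAccount`
  # resources.
  create: true
  # serviceAccount.name(string) -- controls the name of the operator Kubernetes `ServiceAccount`.
  # By default, the operator pods use a `ServiceAccount` named after the Helm release.
  # This value overrides that behaviour; this is useful when `serviceAccount.create`
  # is false and the operator must use an existing `ServiceAccount`.
  name: ""
# rbac -- configures the RBAC resources created for the operator.
rbac:
  # rbac.create(bool) -- controls if the chart should create RBAC Kubernetes resources.
  #
  # - When `true`, the chart creates both `Role` and `RoleBinding` resources for the operator.
  # - When `false`, the chart does not create the `Role` and `RoleBinding` resources.
  # The user is responsible for deploying and maintaining them separately.
  #
  # This value can be set to `false` when deploying in constrained environments
  # where the user deploying the operator is not allowed to edit RBAC resources.
  create: true
# imagePullPolicy(string) -- sets the pull policy for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#updating-images)
# for more details.
imagePullPolicy: IfNotPresent
# resources(object) -- sets the resource requests/limits for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
# for more details.
resources: {}
# priorityClassName(string) -- sets the priority class used by any pods created by the chart.
# The user is responsible for creating the `PriorityClass` resource before deploying the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)
# for more details.
priorityClassName: ""
# tolerations(list) -- sets the tolerations for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
# for more details.
tolerations: []
# nodeSelector(object) -- sets the node selector for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
# for more details.
nodeSelector: {}
# affinity(object) -- sets the affinities for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
# for more details.
affinity: {}
# imagePullSecrets(list) -- sets the image pull secrets for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/containers/images/#referring-to-an-imagepullsecrets-on-a-pod)
# for more details.
imagePullSecrets: []
# highAvailability -- configures how many operator replicas run.
highAvailability:
  # highAvailability.replicaCount(int) -- controls the number of operator pod replicas deployed
  # by the chart.
  #
  # When multiple pods are running, all pods join the Teleport cluster on
  # startup but a single pod actively reconciles resources.
  #
  # The operator replicas elect a leader using
  # [Kubernetes leases](https://kubernetes.io/docs/concepts/architecture/leases/).
  # If the leader fails, its lease will expire and another replica will start
  # reconciling resources.
  replicaCount: 1
# tls -- configures the certificate authorities trusted by the operator pods.
tls:
  # tls.existingCASecretName(string) -- makes the operator pods trust an additional CA certificate.
  # This is used to trust Proxy certificates if they're signed by a private CA. By default
  # the operator trusts the CAs in Mozilla's Web PKI bundle (the `ca-certificates` package).
  #
  # To use this value, you must create a Kubernetes `Secret` containing the CA
  # certs in the same namespace as the Teleport Kubernetes Operator using a
  # command such as:
  #
  # ```shell
  # $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
  # ```
  #
  # The `Secret` only needs the CA certificate(s); never place the CA's private key in it.
  existingCASecretName: ""
# podSecurityContext(object) -- sets the pod security context for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
# for more details.
#
# The default value supports running under the `restricted`
# [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
# Overriding it with a more permissive value (for example `runAsNonRoot: false`)
# drops that compatibility, so treat changes here as a security-relevant review item.
podSecurityContext:
  seccompProfile:
    type: RuntimeDefault
  # 65532 is presumably the non-root UID/GID the operator image is built with — confirm
  # against the image's Dockerfile before changing it.
  runAsUser: 65532
  runAsGroup: 65532
  fsGroup: 65532
  runAsNonRoot: true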
# securityContext(object) -- sets the container security context for any pods created by the chart.
# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
# for more details.
#
# The default value supports running under the `restricted`
# [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/).
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true