charts/teleport-kube-agent/values-home.yaml

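---
################################################################
# Values that must always be provided by the user.
################################################################
# Join token for the cluster. `joinParams` can also pass the join token,
# but supports more join methods and takes precedence if set.
# NOTE(review): this is a live join credential checked into version
# control - anyone who can read this file can use it to join an agent to
# the cluster. Treat the value as exposed: rotate the token on the auth
# server and, rather than inlining the replacement here, pre-create the
# "teleport-kube-agent-join-token" Secret out of band and set
# `joinTokenSecret.create: false` so the chart only references it.
authToken: "36ce3b30a201d5c3fecaa0d97d57cc80"
# Address of the teleport proxy with port (usually :3080).
proxyAddr: "teleport.ipa.champion:443"
# Comma-separated list of roles to enable (any of: kube,db,app)
roles: "kube"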
################################################################
# Values that must be provided if IAM or EC2 joining is enabled.
################################################################
# How the agent joins the Teleport cluster.
joinParams:
  # One of "token", "ec2" or "iam". With "token" this is the same as
  # joining through `authToken`.
  method: 'token'
  # May stay empty only for method "token", and only when the
  # "teleport-kube-agent-join-token" secret already exists and holds a
  # valid join token.
  tokenName: ''
################################################################
# Values that must be provided if Kubernetes access is enabled.
################################################################
# Name under which Teleport users see this kubernetes cluster.
kubeClusterName: 'homeCluster'
################################################################
# Values that must be provided if Application access is enabled.
################################################################
# With application access enabled at least one of `apps` or
# `appResources` has to be set (see the README).
# Static list of applications to proxy, e.g.:
# apps:
#   - name: grafana
#     uri: http://localhost:3000
apps: []
# Dynamic application configuration mode, e.g.:
# appResources:
#   - labels:
#       "*": "*"
appResources: []
################################################################
# Values that must be provided if Database access is enabled.
################################################################
# With database access enabled at least one of `databases`,
# `awsDatabases`, `azureDatabases` or `databaseResources` has to be set
# (see the README).
# AWS auto-discovery: one or more discovery patterns, e.g.:
# awsDatabases:
#   - types: ["rds"]
#     regions: ["us-east-1"]
#     tags:
#       "environment": "production"
awsDatabases: []
# Azure auto-discovery: one or more discovery patterns, e.g.:
# azureDatabases:
#   - types: ["mysql", "postgres"]
#     tags:
#       "environment": "production"
#     regions: ["eastus", "centralus"]
#     subscriptions: ["subID1", "subID2"]
#     resource_groups: ["group1", "group2"]
# regions, subscriptions and resource_groups are optional; each defaults to
# ["*"], i.e. every region, subscription or resource group matches.
azureDatabases: []
# Manual mode: explicitly listed databases to proxy, e.g.:
# databases:
#   - name: aurora
#     uri: "postgres-aurora-instance-1.xxx.us-east-1.rds.amazonaws.com:5432"
#     protocol: "postgres"
#     static_labels:
#       env: "prod"
databases: []
# Dynamic database configuration mode, e.g.:
# databaseResources:
#   - labels:
#       "*": "*"
databaseResources: []
################################################################
# Values that you may need to change.
################################################################
# Teleport image version, when it differs from the chart version in
# Chart.yaml.
# DANGER: `teleportVersionOverride` MUST NOT be used to pick the Teleport
# version. The chart is built for one specific Teleport version (see
# Chart.yaml); running another version with it causes compatibility issues.
#
# To run Teleport version X, install the chart with `helm --version X`.
teleportVersionOverride: ''
# Optional CA pins of the auth server - a more secure way of adding nodes
# to the cluster, see "Adding Nodes to the Cluster"
# (https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster).
# Every entry is either the pin itself (recommended) or the path of a file
# holding the pin; in the latter case you have to mount that file yourself
# through extraVolumes.
caPin: []
# true makes the agent skip verification of the proxy TLS certificate.
insecureSkipProxyTLSVerify: false
# true selects the enterprise image.
enterprise: false
# Additional teleport configuration, merged on top of the chart-generated
# configuration; on conflict the values given here win.
teleportConfig: {}
# Mounting your own TLS material into the agent pod. The agent runs no TLS
# server, so this only serves to trust additional CAs.
tls:
  # Existing secret holding a CA or trust bundle in x509 PEM format; handy
  # for trusting private CAs. Setting it also sets the SSL_CERT_FILE
  # environment variable so the CA is trusted. Create the secret with
  # `kubectl create secret generic --from-file=ca.pem=/path/to/root-ca.pem`;
  # the file name inside the secret matters - it _must_ be ca.pem.
  existingCASecretName: 'homeca'
updater:
  enabled: false
  # URL of the version server the agent reads its target version from. The
  # full version endpoint is `versionServer` followed by `releaseChannel`.
  versionServer: 'https://updates.releases.teleport.dev/v1/'
  # Release channel the agent follows.
  releaseChannel: 'stable/cloud'
  image: public.ecr.aws/gravitational/teleport-kube-agent-updater
  serviceAccount:
    # Defaults to "<kube agent sa name>-updater" when left empty.
    name: ''
# Name of an existing volume (mounted through extraVolumes) to use as the
# Teleport data directory. Ignored as soon as anything is set under
# "storage".
existingDataVolume: ''
# true creates and uses Pod Security Policy resources
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
# WARNING: no PSP is deployed on Kubernetes 1.23 and later. Please read
# https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
podSecurityPolicy:
  enabled: true
# Key/value pairs describing this cluster.
labels:
  teleport.internal/resource-id: badd4bc3-ca45-4456-b2f9-513ec8e8bcbc
# High availability settings.
highAvailability:
  # Values above 1 deploy several Teleport agent pods.
  replicaCount: 1
  # true uses 'requiredDuringSchedulingIgnoredDuringExecution' so that
  # Teleport pods are never placed on the same physical host. In very small
  # clusters, or while nodes are down, pods then fail to schedule - use
  # with caution. false (the default) uses
  # 'preferredDuringSchedulingIgnoredDuringExecution', a soft preference.
  # Only relevant when replicaCount is greater than 1.
  requireAntiAffinity: false
  # Creates a Pod Disruption Budget when enabled
  # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  podDisruptionBudget:
    enabled: false
    minAvailable: 1
# PodMonitor custom resource (monitoring.coreos.com/v1). The CRD is managed
# by the prometheus-operator and lets a workload be scraped; a
# `prometheus-operator` has to run in the cluster for this to take effect.
# See https://prometheus-operator.dev/docs/prologue/introduction/
podMonitor:
  # Whether to deploy a PodMonitor. Off by default because the PodMonitor
  # CRD has to be installed first.
  enabled: false
  # Extra labels on the PodMonitor, used by a specific prometheus instance
  # to select it.
  additionalLabels: {}
  # Time between two metrics scrapes; defaults to 30s.
  interval: 30s
################################################################
# Values that must be provided if using persistent storage for Teleport.
#
# A persistent volume lets the agent keep session recordings across pod
# restarts when `session_recording` is set to `node` or `proxy`.
# The security association between the agent and Teleport no longer lives
# in the PV; it is kept in a Kubernetes Secret, so the agent survives
# restarts and rotations with short-lived join tokens without needing a PV.
#
# Fields:
# enabled: true turns on the use of Persistent volumes.
# storageClassName: kubernetes storage class used when creating volumes.
#   See https://kubernetes.io/docs/concepts/storage/storage-classes/
# requests: size of the volume requested from the persistent storage system
################################################################
storage:
  enabled: false
  storageClassName: ''
  requests: 128Mi
# Cluster admin role binding. Useful for granting cluster admin permissions
# to a Kubernetes Group other than the default "system:masters" group:
# GKE Autopilot clusters forbid impersonating "system:masters" and need a
# custom group instead.
adminClusterRoleBinding:
  create: false
  name: 'cluster-admin'
################################################################
# Values that you shouldn't need to change.
################################################################
# Container image for the cluster. Hardened distroless images are the
# default since version 13; the deprecated debian-based image is still
# selectable as `public.ecr.aws/gravitational/teleport` and goes away with
# teleport 14.
image: public.ecr.aws/gravitational/teleport-distroless
# Enterprise variant of the image. Distroless by default since version 13;
# the deprecated debian-based image `public.ecr.aws/gravitational/teleport-ent`
# is removed with teleport 14.
enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
# Optional imagePullSecrets for pulling from a private registry, e.g.:
# imagePullSecrets:
#   - name: myRegistryKeySecretName
imagePullSecrets: []
# Replica count of the agent deployment.
# DEPRECATED - use highAvailability:replicaCount instead
# replicaCount: 1
# (optional) Name of the ClusterRole used by the agent's service account.
clusterRoleName: ''
# (optional) Name of the ClusterRoleBinding used by the agent's service
# account.
clusterRoleBindingName: ''
# (optional) Name of the Role the agent's service account uses for Secret
# access.
roleName: ''
# (optional) Name of the RoleBinding used by the agent's service account.
roleBindingName: ''
# (optional) Name of the service account used by the agent.
# DEPRECATED - use serviceAccount:name instead
serviceAccountName: ''
# (optional) Kubernetes service account to create or reuse.
serviceAccount:
  # Whether a ServiceAccount is created.
  create: true
  # ServiceAccount name. Empty with create=true means the name is derived
  # from the release name; with create=false it names an existing service
  # account to reference.
  name: ''
# Kubernetes ClusterRole and ClusterRoleBinding creation (true by default).
rbac:
  # Set to false when cluster-level resources are managed separately.
  create: true
# Name of the Secret holding the teleport join token.
# DEPRECATED - use joinTokenSecret.name instead
secretName: ''
# Creation and naming of the join token secret.
joinTokenSecret:
  # Whether the Helm chart creates and manages the join token secret. When
  # false, a secret with the configured name is assumed to already exist in
  # the installation namespace.
  create: true
  # Name of the Secret holding the teleport join token.
  name: teleport-kube-agent-join-token
# Teleport logging.
log:
  # Log level of the Teleport process: DEBUG, INFO, WARNING or ERROR.
  # INFO (the default) is recommended in production; DEBUG helps during
  # first-time setup or when more detail is needed for debugging.
  level: INFO
  # Where logs go: a file path such as '/var/lib/teleport/teleport.log',
  # or one of 'stdout', 'stderr' and 'syslog'.
  output: stderr
  # Log format: 'json' or 'text' (default).
  format: text
  # Extra fields to include; possible values are timestamp, component,
  # caller and level. All of them are included by default.
  extraFields:
    - timestamp
    - level
    - component
    - caller
##################################
# Extra Kubernetes configuration #
##################################
# Pod affinity
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
# Pod DNS configuration
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
# Useful for cutting DNS load: set "ndots" to 0 and use FQDNs only, e.g.:
# dnsConfig:
#   nameservers:
#     - 1.2.3.4
#   searches:
#     - ns1.svc.cluster-domain.example
#     - my.dns.search.suffix
#   options:
#     - name: ndots
#       value: "2"
dnsConfig: {}
# Pod DNS policy
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy: ''
# nodeSelector for pod assignment
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
nodeSelector: {}
# Kubernetes labels per created object
# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
extraLabels:
  # Cluster Role
  clusterRole: {}
  # Cluster Role Binding
  clusterRoleBinding: {}
  # Role
  role: {}
  # Role Binding
  roleBinding: {}
  # ConfigMap
  config: {}
  # Deployment/StatefulSet
  deployment: {}
  # Each Pod of the Deployment/StatefulSet
  pod: {}
  # Pod Disruption Budget (ignored when disabled)
  podDisruptionBudget: {}
  # Pod Security Policy (ignored when disabled)
  podSecurityPolicy: {}
  # Secret (ignored when disabled)
  secret: {}
  # ServiceAccount object
  serviceAccount: {}
# Kubernetes annotations per created object
# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations:
  # ConfigMap
  config: {}
  # Deployment
  deployment: {}
  # Each Pod of the Deployment
  pod: {}
  # Secret (no effect when `joinTokenSecret.create` is false)
  secret: {}
  # ServiceAccount object
  serviceAccount: {}
# Extra arguments for 'teleport start' in the main Teleport pod
extraArgs: []
# Extra environment variables for the Teleport pod
extraEnv: []
# Extra volumes for the Teleport pods
# https://kubernetes.io/docs/concepts/storage/volumes/
# extraVolumes:
#   - name: myvolume
#     secret:
#       secretName: testSecret
extraVolumes: []
# Volume mounts matching the extra volumes above
# extraVolumeMounts:
#   - name: myvolume
#     mountPath: /path/on/host
extraVolumeMounts: []
# Pod host aliases
# (see https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)
# hostAliases:
#   - ip: "127.0.0.1"
#     hostnames:
#       - "foo.local"
#       - "bar.local"
#   - ip: "10.1.2.3"
#     hostnames:
#       - "foo.remote"
#       - "bar.remote"
hostAliases: []
# imagePullPolicy override
imagePullPolicy: IfNotPresent
# initContainers run before each Teleport pod starts
# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
# initContainers:
#   - name: "teleport-init"
#     image: "alpine"
#     args: ["echo test"]
initContainers: []
# Resource requests for each pod of the deployment
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
# resources:
#   requests:
#     cpu: "1"
#     memory: "2Gi"
resources: {}
# Security context of the init container
initSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      # NOTE(review): Kubernetes documents the drop-everything value as the
      # literal "ALL"; confirm the lowercase spelling is accepted by the Pod
      # Security Admission / policy checks in use on this cluster.
      - all
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 9807
# Security context of the other containers
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      # NOTE(review): same as above - verify "all" versus "ALL" against the
      # admission policies applied to this namespace.
      - all
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 9807
# Priority class name of the deployment
priorityClassName: ''
# Tolerations for pod assignment
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Timeout of the readiness and liveness probes
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
probeTimeoutSeconds: 1