Teleport Chart 업데이트

helm/teleport-cluster/values.yaml

@@ -30,6 +30,30 @@ kubeClusterName: ""
 # If you want to run Teleport version X, you should use `helm --version X` instead.
 teleportVersionOverride: ""
 
+# The `proxyProtocol` value controls whether the Proxy pods will
+# accept PROXY lines with the client's IP address when they are
+# behind a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol
+# enabled. Since L4 LBs do not preserve the client's IP address, PROXY protocol is
+# required to ensure that Teleport can properly audit the client's IP address.
+#
+# When Teleport pods are not behind a L4 LB with PROXY protocol enabled, this
+# value should be set to "off" to prevent Teleport from accepting PROXY headers
+# from untrusted sources.
+# Possible values are "on" and "off".
+# - "on" will enable the PROXY protocol for all connections and will require the
+#   L4 LB to send a PROXY header.
+# - "off" will disable the PROXY protocol for all connections and denies all
+#   connections prefixed with a PROXY header.
+#
+# If proxyProtocol is unspecified, Teleport does not require PROXY header for the
+# connection, but will accept it if present. This mode is considered insecure
+# and should only be used for testing purposes.
+#
+# See https://goteleport.com/docs/ver/14.x/management/security/proxy-protocol/
+# for more information.
+#
+# proxyProtocol: on
+
 # The `teleport-cluster` charts deploys two sets of pods: auth and proxy.
 # `auth` contains values specific for the auth pods. You can use it to
 #  set specific values for auth pods, taking precedence over chart-scoped values.
@@ -437,10 +461,13 @@ highAvailability:
   # Settings for cert-manager (can be used for provisioning TLS certs in HA mode)
   # These settings are mutually exclusive with the "tls" value below.
   certManager:
-    # If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs.
-    addCommonName: false
     # If set to true, use cert-manager to get certificates for Teleport to use for TLS termination
     enabled: false
+    # If set to true, a common name matching the cluster name will be set in the certificate signing request. This is mandatory for some CAs.
+    addCommonName: false
+    # If set to true, any additional public addresses configured under the `publicAddr` chart value will be added to the certificate signing request.
+    # This setting is not enabled by default to preserve backward compatibility.
+    addPublicAddrs: false
     # Name of the Issuer/ClusterIssuer to use for certs
     # NOTE: You will always need to create this yourself when certManager.enabled is true.
     issuerName: ""
@@ -582,6 +609,19 @@ extraArgs: []
 # Extra environment to be configured on the Teleport pod
 extraEnv: []
 
+# Extra containers to be added to the Teleport pod
+extraContainers: []
+# - name: nscenter
+#   command:
+#     - /bin/bash
+#     - -c
+#     - sleep infinity & wait
+#   image: praqma/network-multitool
+#   imagePullPolicy: IfNotPresent
+#   securityContext:
+#     privileged: true
+#     runAsNonRoot: false
+
 # Extra volumes to mount into the Teleport pods
 # https://kubernetes.io/docs/concepts/storage/volumes/
 extraVolumes: []