##################################################
# Values that must always be provided by the user.
##################################################

# `clusterName` is the name Teleport uses to refer to this cluster and, by
# default, also its externally-facing public address. In most setups it must
# therefore be a fully-qualified domain name (e.g. `teleport.example.com`).
#
# Note: when `clusterName` is a fully qualified domain name, the DNS provider
# for that domain must point it at the external load balancer address of the
# Teleport cluster.
#
# Warning: `clusterName` cannot be changed during a Teleport cluster's lifespan.
# Changing it means redeploying a completely new cluster.
clusterName: ""

# Name under which Teleport users will see this Kubernetes cluster.
kubeClusterName: ""

##################################################
# Values that you may need to change.
##################################################

# Teleport image version, when different from the chart version in Chart.yaml.
# DANGER: `teleportVersionOverride` MUST NOT be used to pick the Teleport version.
# The chart targets one specific Teleport version (see Chart.yaml); running a
# different Teleport version with it causes compatibility issues.
#
# To run Teleport version X, install the chart with `helm --version X` instead.
teleportVersionOverride: ""
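# `proxyProtocol` controls whether the Proxy pods accept PROXY protocol lines
# carrying the client's IP address. This is needed when the proxies sit behind
# a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol
# enabled: L4 LBs do not preserve the client's IP address, so the PROXY header
# is the only way for Teleport to properly audit the client's IP address.
#
# When the Teleport pods are NOT behind a L4 LB with PROXY protocol enabled,
# set this value to "off" so that PROXY headers from untrusted sources are
# rejected.
# Possible values are "on" and "off".
# - "on" enables the PROXY protocol for all connections and requires the
#   L4 LB to send a PROXY header.
# - "off" disables the PROXY protocol for all connections and denies every
#   connection prefixed with a PROXY header.
#
# When `proxyProtocol` is left unset, Teleport does not require a PROXY header
# for the connection but accepts one if present. This mode is considered
# insecure and should only be used for testing purposes.
#
# See https://goteleport.com/docs/ver/14.x/management/security/proxy-protocol/
# for more information.
#
# The value must be quoted: YAML 1.1 loaders (which Helm's values parser is
# based on) read a bare `on`/`off` as a boolean rather than as the strings
# Teleport expects, so an unquoted example would not select the "on" mode.
# proxyProtocol: "on"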
# The `teleport-cluster` chart deploys two sets of pods: auth and proxy.
#
# `auth` holds chart values that apply only to the Kubernetes resources of the
# Teleport Auth Service. They are merged with the chart-scoped values and take
# precedence in case of conflict. For example:
#
# auth:
#   postStart: ["curl", "http://hook"]
#   imagePullPolicy: Always
auth:
  # auth.teleportConfig is YAML Teleport configuration for the auth pods.
  # It is merged with the chart-generated configuration and takes precedence
  # in case of conflict.
  #
  # See the Teleport Configuration Reference for the list of supported fields:
  # https://goteleport.com/docs/reference/config/
  #
  # teleportConfig:
  #   teleport:
  #     cache:
  #       enabled: false
  #   auth_service:
  #     client_idle_timeout: 2h
  #     client_idle_timeout_message: "Connection closed after 2hours without activity"
  teleportConfig: {}

# `proxy` holds chart values that apply only to the Kubernetes resources of the
# Teleport Proxy Service. They are merged with the chart-scoped values and take
# precedence in case of conflict. For example:
# proxy:
#   postStart: ["curl", "http://hook"]
#   imagePullPolicy: Always
#   annotations:
#     service:
#       external-dns.alpha.kubernetes.io/hostname: "teleport.example.com"
proxy:
  # proxy.teleportConfig is YAML Teleport configuration for the proxy pods.
  # It is merged with the chart-generated configuration and takes precedence
  # in case of conflict.
  #
  # See the Teleport Configuration Reference for the list of supported fields:
  # https://goteleport.com/docs/reference/config/
  #
  # teleportConfig:
  #   teleport:
  #     cache:
  #       enabled: false
  #   proxy_service:
  #     https_keypairs:
  #       - key_file: /my-custom-mount/key.pem
  #         cert_file: /my-custom-mount/cert.pem
  teleportConfig: {}
authentication:
  # Default authentication type. Possible values are 'local' and 'github' for
  # OSS, plus 'oidc' and 'saml' for Enterprise.
  type: local

  # Auth connector used for SSO, or the default connector for "local"
  # authentication.
  # See SSO for Enterprise (https://goteleport.com/docs/enterprise/sso/).
  # See Passwordless for local
  # (http://goteleport.com/docs/access-controls/guides/passwordless/#optional-enable-passwordless-by-default).
  # Defaults to "local".
  connectorName: ""

  # Enables or disables local authentication through `authentication.local_auth`
  # in `teleport.yaml`.
  # Disabling local auth is required for FedRAMP / FIPS; see
  # https://gravitational.com/teleport/docs/enterprise/ssh-kubernetes-fedramp/.
  localAuth: true

  # Locking mode: during a network split, should Teleport guarantee
  # availability or integrity? Possible values are "best_effort" and "strict".
  # When unset, Teleport defaults to "best_effort".
  # See https://goteleport.com/docs/access-controls/guides/locking/#next-steps-locking-modes.
  lockingMode: ""

  # Second factor requirement for users of the Teleport cluster.
  # Controls the `auth_config.authentication.second_factor` field in `teleport.yaml`.
  # Possible values are 'off', 'on', 'otp', 'optional' and 'webauthn'.
  # Keep the value quoted: a bare `on`/`off` is read as a boolean by YAML 1.1 loaders.
  #
  # WARNING:
  # If `publicAddr` lets users reach the cluster under a domain different from
  # `clusterName`, you must set the webauthn Relying Party Identifier (RP ID)
  # manually - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
  # Otherwise the RP ID defaults to `clusterName` and users will fail to
  # register second factors.
  #
  # Set it through the value
  # `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
  #
  # The RP ID must be both a valid domain and part of the full domain users
  # connect to. For example, for users reaching the cluster at
  # "teleport.example.com", the RP ID can be "teleport.example.com" or "example.com".
  #
  # Changing the RP ID invalidates every webauthn second factor already registered.
  secondFactor: "on"

  # (Optional) With webauthn, restricts which vendors and key models may be used.
  # webauthn:
  #   attestationAllowedCas:
  #     - /path/to/allowed_ca.pem
  #     - |
  #       -----BEGIN CERTIFICATE-----
  #       ...
  #       -----END CERTIFICATE-----
  #   attestationDeniedCas:
  #     - /path/to/denied_ca.pem
  #     - |
  #       -----BEGIN CERTIFICATE-----
  #       ...
  #       -----END CERTIFICATE-----

# Deprecated way to set the authentication type; `authentication.type` should be preferred.
# authenticationType: local

# Deprecated way to set the second factor; `authentication.secondFactor` should be preferred.
# authenticationSecondFactor:
#   secondFactor: "otp"
# Teleport supports TLS routing: every client connection is wrapped in TLS and
# multiplexed on a single Teleport proxy port.
# The default mode does not use TLS routing and runs in backwards-compatibility mode.
#
# To use an ingress, set proxyListenerMode=multiplex, ingress.enabled=true and service.type=ClusterIP
#
# Possible values are 'separate' and 'multiplex'
proxyListenerMode: "separate"

# Optional session recording setting.
# See `session_recording` under https://goteleport.com/docs/setup/reference/config/#teleportyaml
sessionRecording: ""

# By default Teleport multiplexes Postgres and MongoDB database connections on
# the same port as the proxy's web listener (443).
# Setting either value to true moves that listener onto its own port (5432 for
# Postgres, 27017 for MongoDB). This helps when TLS is terminated at a load
# balancer in front of Teleport (such as when using AWS ACM).
# Neither setting applies when proxyListenerMode is set to "multiplex".
separatePostgresListener: false
separateMongoListener: false
# Leave all of these unset unless you explicitly need them. Teleport always
# uses the cluster name by default.
#
# WARNING:
# If `publicAddr` lets users reach the cluster under a domain different from
# `clusterName`, you must set the webauthn Relying Party Identifier (RP ID)
# manually - https://www.w3.org/TR/webauthn-2/#relying-party-identifier
# Otherwise the RP ID defaults to `clusterName` and users will fail to
# register second factors.
#
# Set it through the value
# `auth.teleportConfig.auth_service.authentication.webauthn.rp_id`.
#
# The RP ID must be both a valid domain and part of the full domain users
# connect to. For example, for users reaching the cluster at
# "teleport.example.com", the RP ID can be "teleport.example.com" or "example.com".
#
# Changing the RP ID invalidates every webauthn second factor already registered.
#
# Public cluster addresses, including port (e.g. teleport.example.com:443).
# Defaults to `clusterName` on port 443.
publicAddr: []
# Public Kubernetes addresses, including port. Defaults to `publicAddr` on port 3026.
# Only used when `proxyListenerMode` is not 'multiplex'.
kubePublicAddr: []
# Public MongoDB listener addresses, including port. Defaults to `publicAddr` on port 27017.
# Only used when `proxyListenerMode` is not 'multiplex' and `separateMongoListener` is true.
mongoPublicAddr: []
# Public MySQL addresses, including port. Defaults to `publicAddr` on port 3036.
# Only used when `proxyListenerMode` is not 'multiplex'.
mysqlPublicAddr: []
# Public Postgres listener addresses, including port. Defaults to `publicAddr` on port 5432.
# Only used when `proxyListenerMode` is not 'multiplex' and `separatePostgresListener` is true.
postgresPublicAddr: []
# Public SSH addresses, including port. Defaults to `publicAddr` on port 3023.
# Only used when `proxyListenerMode` is not 'multiplex'.
sshPublicAddr: []
# Public reverse-tunnel SSH addresses, including port. Defaults to `publicAddr` on port 3024.
# Only used when `proxyListenerMode` is not 'multiplex'.
tunnelPublicAddr: []
# ACME is a protocol for obtaining web X.509 certificates.
# Note: ACME only works for single-instance clusters. It is not suitable for HA configurations.
# For HA configurations, use either the "highAvailability.certManager" or the "tls" values.
# Setting acme to 'true' enables ACME and tries to obtain a free TLS certificate from Let's Encrypt.
# Setting acme to 'false' (the default) makes Teleport generate and use self-signed certificates for its web UI.
# This section is mutually exclusive with the "tls" value below.
acme: false
# acmeEmail is the email address given during certificate registration (a Let's Encrypt requirement).
acmeEmail: ""
# acmeURI is the ACME server to request certificates from. Defaults to Let's Encrypt's production server.
acmeURI: ""

# Set enterprise to true to use the enterprise image.
# You must download your Enterprise license from the Teleport dashboard and store it in a secret:
# kubectl -n ${TELEPORT_NAMESPACE?} create secret generic license --from-file=/path/to/downloaded/license.pem
enterprise: false

# CRDs are installed by default when the operator is enabled. This manual
# override disables CRD installation, e.g. when several releases share a cluster.
# installCRDs:

# Settings for the optional Teleport operator.
operator:
  # Set enabled to true to deploy the Kubernetes Teleport Operator.
  enabled: false
  # Kubernetes Teleport Operator image.
  image: public.ecr.aws/gravitational/teleport-operator
  # Resources requested for the operator container.
  # https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  resources: {}
  #  requests:
  #    cpu: "0.5"
  #    memory: "1Gi"
  #  limits:
  #    memory: "1Gi"

# If true, create and use Pod Security Policy resources.
# https://kubernetes.io/docs/concepts/policy/pod-security-policy/
# WARNING: the PSP is not deployed on Kubernetes 1.23 and higher.
# Please read https://goteleport.com/docs/deploy-a-cluster/helm-deployments/migration-kubernetes-1-25-psp/
podSecurityPolicy:
  enabled: true

# Labels is a map of key-value pairs describing this cluster.
labels: {}
# Deployment mode of the chart. The default is "standalone". Options:
# - "standalone": a Teleport container running auth and proxy services, with a PersistentVolumeClaim for storage.
# - "aws": Teleport backed by DynamoDB for backend/audit log storage and S3 for session recordings. (1)
# - "gcp": Teleport backed by Firestore for backend/audit log storage and Google Cloud storage for session recordings. (2)
# - "azure": Teleport backed by Azure Database for PostgreSQL for backend/audit and Azure Blob Storage for session recordings. (3)
# - "scratch": Teleport containers without a default configuration file. You must pass your own configuration. (4)
# (1) "aws" mode also requires the "aws" section below.
# (2) "gcp" mode also requires the "gcp" section below.
# (3) "azure" mode also requires the "azure" section below.
# (4) In "scratch" mode you must write the Teleport configuration in auth.teleportConfig and proxy.teleportConfig.
#     `scratch` is strongly discouraged and is a last resort option: everything
#     should be achievable with `standalone` mode plus overrides through
#     `auth.teleportConfig` and `proxy.teleportConfig`.
chartMode: standalone

# validateConfigOnDeploy runs a Kubernetes job before install and upgrade that
# verifies the teleport.yaml configuration and blocks the deployment if it is invalid.
validateConfigOnDeploy: true

# Whether the chart creates a Teleport ProvisionToken that lets the proxies join the Teleport cluster.
# With this disabled the proxies cannot join the auth pods; the Helm chart user
# is then responsible for configuring working join_params on the proxy.
createProxyToken: true

# podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1).
# This CRD is managed by the prometheus-operator and lets workloads be monitored.
# A `prometheus-operator` must be running in the cluster for this value to take effect.
# See https://prometheus-operator.dev/docs/prologue/introduction/
podMonitor:
  # Whether the chart deploys a PodMonitor.
  # Disabled by default because it requires the PodMonitor CRD to be installed.
  enabled: false
  # additionalLabels to set on the PodMonitor, so that a specific prometheus
  # instance selects it.
  # Defaults to {prometheus: default}, which seems to be the common prometheus selector.
  additionalLabels:
    prometheus: default
  # interval between two metrics scrapes. Defaults to 30s.
  interval: 30s
######################################################################
# Persistence settings (only used in "standalone" and "scratch" modes)
# NOTE: since Kubernetes 1.23, persistent volumes are no longer provisioned automatically in AWS EKS clusters
# without additional configuration. See https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html for details.
# That driver addon must be configured to use persistent volumes in EKS clusters after Kubernetes 1.23.
######################################################################
persistence:
  # Enable persistence through a PersistentVolumeClaim.
  enabled: true
  # Leave empty to have a PersistentVolumeClaim created automatically for Teleport storage.
  # To reuse a pre-existing PersistentVolumeClaim, give its name here.
  existingClaimName: ""
  # Size of the persistent volume requested when Teleport creates it.
  # Ignored when existingClaimName is set.
  volumeSize: 10Gi
##################################################
# AWS-specific settings (only used in "aws" mode)
##################################################
aws:
  # AWS region hosting the DynamoDB tables.
  region: ""
  # DynamoDB table used for backend storage. Teleport creates it automatically if it does not exist.
  # The container needs an appropriately-provisioned IAM role allowed to create DynamoDB tables.
  backendTable: ""
  # DynamoDB table used for audit log storage. Teleport creates it automatically if it does not exist.
  # The container needs an appropriately-provisioned IAM role allowed to create DynamoDB tables.
  # This MUST NOT be the same table name as 'backendTable': the schemas are different.
  auditLogTable: ""
  # Whether audit log entries are also written to stdout as JSON (useful for external log collectors).
  auditLogMirrorOnStdout: false
  # S3 bucket used for recorded session storage. Teleport creates it automatically if it does not exist.
  # The container needs an appropriately-provisioned IAM role allowed to create S3 buckets.
  sessionRecordingBucket: ""
  # Whether DynamoDB backups are turned on.
  backups: false

  # Whether Teleport configures DynamoDB autoscaling.
  # Requires extra statements in the Teleport IAM policy permitting autoscaling configuration.
  # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
  dynamoAutoScaling: false

  # DynamoDB autoscaling settings. Required when `dynamoAutoScaling` is `true`.
  # See https://goteleport.com/docs/setup/reference/backends/#dynamodb-autoscaling
  readMinCapacity: null  # Integer
  readMaxCapacity: null  # Integer
  readTargetValue: null  # Float
  writeMinCapacity: null  # Integer
  writeMaxCapacity: null  # Integer
  writeTargetValue: null  # Float
##################################################
# GCP-specific settings (only used in "gcp" mode)
##################################################
gcp:
  # Project name of the GCP account in which Teleport runs.
  # See https://support.google.com/googleapi/answer/7014113?hl=en
  projectId: ""
  # Firestore collection used for backend storage. Teleport creates it automatically if it does not exist.
  # One of the following must hold:
  # - the container has an appropriately-provisioned IAM role/service account allowed to create Firestore collections
  # - the service account credentials given via 'credentialSecretName' are allowed to create Firestore collections.
  backendTable: ""
  # Firestore collection used for audit log storage. Teleport creates it automatically if it does not exist.
  # One of the following must hold:
  # - the container has an appropriately-provisioned IAM role/service account allowed to create Firestore collections
  # - the service account credentials given via 'credentialSecretName' are allowed to create Firestore collections.
  # This MUST NOT be the same collection name as 'backendTable': the schemas are different.
  auditLogTable: ""
  # Whether audit log entries are also written to stdout as JSON (useful for external log collectors).
  auditLogMirrorOnStdout: false
  # Google storage bucket used for recorded session storage. The bucket must already exist in the Google account in use.
  sessionRecordingBucket: ""
  # Name of the Kubernetes secret storing the Google credentials.
  # Create this secret manually; it must contain the JSON credentials file from Google that Teleport will use.
  # Override it with an empty value when the worker node running Teleport already has a service account granting access.
  credentialSecretName: teleport-gcp-credentials
#####################################################
# Azure-specific settings (only used in "azure" mode)
#####################################################
azure:
  # Fully qualified hostname of the Postgres database cluster hosted in Azure.
  # Expected format: "<database name>.postgres.database.azure.com".
  databaseHost: ""
  # Postgres user Teleport must use to connect to the backend and audit
  # databases.
  databaseUser: ""
  # Postgres database used for backend storage.
  backendDatabase: "teleport_backend"
  # Postgres database used for audit log storage.
  # This MUST NOT be the same database as 'backendDatabase'.
  auditLogDatabase: "teleport_audit"
  # Whether audit log entries are also written to stdout as JSON (useful for external log collectors).
  auditLogMirrorOnStdout: false
  # Fully qualified domain name of the Azure Blob Storage account used for
  # recorded session storage. The account must already exist.
  # Expected format: "<storage account>.blob.core.windows.net"
  sessionRecordingStorageAccount: ""
  # Azure client ID telling the Kubernetes Service Account which Application
  # to impersonate. May be left unset only when the clientID is provided by
  # other means (e.g. an environment variable).
  clientID: ""
  # Controls the `pool_max_conns` setting passed to PostgreSQL: the maximum
  # number of connections Teleport can open to the database. It can affect
  # performance on large clusters and depends on factors such as the database
  # size, the CPU cores available to Teleport, GOMAXPROCS and database latency.
  # Only applies to the core backend connections, not to the audit log ones.
  # 0 leaves the parameter unset so the client's default is used (recommended).
  databasePoolMaxConnections: 0
# `highAvailability` controls how Teleport pods are replicated and scheduled,
# so that Teleport runs in a highly-available fashion: it should sustain the
# crash or loss of a machine without interrupting the service.
#
# For auth pods:
# In "standalone" or "scratch" mode, multiple replicas require highly-available
# storage (etcd, DynamoDB or Firestore).
# Manually configured NFS-based storage or ReadWriteMany volume claims are NOT
# supported and will result in errors. Teleport's built-in ACME client (as
# opposed to cert-manager or certificates passed through a secret) is not
# supported with multiple replicas either.
# For proxy pods:
# Proxy pods can only be replicated when given a certificate (either via
# `tls.existingSecretName` or via `highAvailability.certManager`).
# When proxy pods are replicable they default to 2 replicas, even if
# `highAvailability.replicaCount` is 1. To force a single proxy replica, set
# `proxy.highAvailability.replicaCount: 1`.
highAvailability:
  # Number of pod replicas. The `highAvailability` comment above describes the
  # replication requirements.
  #
  # WARNING: the replication criteria **must** be met, otherwise the
  # deployment ends in errors and inconsistent data.
  replicaCount: 1
  # With 'requireAntiAffinity' set to true, 'requiredDuringSchedulingIgnoredDuringExecution' requires that multiple Teleport pods
  # are never scheduled on the same physical host. Pods then fail to schedule in very small clusters or during node downtime, so use with caution.
  # With 'requireAntiAffinity' set to false (the default), 'preferredDuringSchedulingIgnoredDuringExecution' makes this a soft requirement.
  # Only has an effect when replicaCount is greater than 1.
  requireAntiAffinity: false
  # When enabled, creates a Pod Disruption Budget.
  # https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  podDisruptionBudget:
    enabled: false
    minAvailable: 1
  # cert-manager settings (usable to provision TLS certs in HA mode).
  # These settings are mutually exclusive with the "tls" value below.
  certManager:
    # When true, cert-manager provides the certificates Teleport uses for TLS termination.
    enabled: false
    # When true, a common name matching the cluster name is set in the certificate signing request. Some CAs require this.
    addCommonName: false
    # When true, every additional public address configured under the `publicAddr` chart value is added to the certificate signing request.
    # Off by default to preserve backward compatibility.
    addPublicAddrs: false
    # Name of the Issuer/ClusterIssuer that issues the certs.
    # NOTE: you always have to create this yourself when certManager.enabled is true.
    issuerName: ""
    # Kind of Issuer cert-manager should look for.
    # Defaults to 'Issuer' so that everything stays within the teleport namespace.
    issuerKind: Issuer
    # Group of Issuer cert-manager should look for.
    # Defaults to 'cert-manager.io', the default Issuer group.
    issuerGroup: cert-manager.io
  # Delays pod rollouts so that not all agent tunnels are lost at the same time.
  # See https://github.com/gravitational/teleport/issues/13129
  minReadySeconds: 15
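# Settings for mounting your own TLS keypair to secure Teleport's web UI.
# These settings are mutually exclusive with the "highAvailability.certManager" and "acme" values above.
tls:
  # Name of an existing secret holding a TLS keypair. Automatically populates the https_keypairs section in teleport.yaml.
  # Create the secret in the same namespace as Teleport with
  # `kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file`
  # See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information.
  existingSecretName: ""
  # (optional) Name of an existing secret holding a CA or trust bundle in x509 PEM format.
  # Useful for building trust when intermediate certificate authorities are in use.
  # Automatically sets the SSL_CERT_FILE environment variable so the CA is trusted.
  # Create the secret with
  # `kubectl create secret generic my-ca-secret --from-file=ca.pem=/path/to/root-ca.pem`
  # (`my-ca-secret` is a placeholder: use the name you set in this value).
  # The filename inside the secret is important - it _must_ be ca.pem
  existingCASecretName: ""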
##################################################
# Values that you shouldn't need to change.
##################################################

# Container image for the cluster.
# Since version 13 the hardened distroless images are used by default.
# The deprecated debian-based images can still be selected by setting this to
# `public.ecr.aws/gravitational/teleport`; they will be removed with teleport 14.
image: public.ecr.aws/gravitational/teleport-distroless
# Enterprise version of the image.
# Since version 13 the hardened distroless images are used by default.
# The deprecated debian-based images can still be selected by setting this to
# `public.ecr.aws/gravitational/teleport-ent`; they will be removed with teleport 14.
enterpriseImage: public.ecr.aws/gravitational/teleport-ent-distroless
# Optional list of imagePullSecrets, used when pulling from a private registry.
imagePullSecrets: []
# Teleport logging configuration
log:
  # Log level of the Teleport process.
  # Available log levels: DEBUG, INFO, WARNING, ERROR.
  # INFO is the default and is recommended in production.
  # DEBUG helps during first-time setup or when more detailed logs are needed for debugging.
  level: INFO
  # Log output.
  # A file path logs to disk, e.g. '/var/lib/teleport/teleport.log'.
  # Other supported values: 'stdout', 'stderr' and 'syslog'.
  output: stderr
  # Log format.
  # Possible values are 'json' and 'text' (default).
  format: text
  # Possible extra_fields values: timestamp, component, caller, and level.
  # All extra fields are included by default.
  extraFields: ["timestamp", "level", "component", "caller"]
##################################
# Extra Kubernetes configuration #
##################################

# nodeSelector applied for pod assignment.
# https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
nodeSelector: {}

# Affinity for pod assignment.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
# NOTE: when affinity is set here, highAvailability.requireAntiAffinity cannot be used as well - pick one or the other.
affinity: {}

# Kubernetes annotations to apply.
# https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
annotations:
  # Annotations for the ConfigMap.
  config: {}
  # Annotations for the Deployment.
  deployment: {}
  # Annotations for each Pod in the Deployment.
  pod: {}
  # Annotations for the Service object.
  service: {}
  # Annotations for the ServiceAccount object.
  serviceAccount: {}
  # Annotations for the certificate secret generated by cert-manager v1.5+ when
  # highAvailability.certManager.enabled is true.
  certSecret: {}
  # Annotations for the Ingress object.
  ingress: {}

# Kubernetes service account to create or use.
serviceAccount:
  # Whether a ServiceAccount should be created.
  create: true
  # Name of the ServiceAccount to use.
  # When unset and serviceAccount.create is true, the name is generated from the release name.
  # When create is false, the name refers to an existing service account.
  name: ""
  # Annotations for the service account go in the annotations.serviceAccount value.

# Set to true (default) to create the Kubernetes ClusterRole and ClusterRoleBinding.
rbac:
  # Whether a ClusterRole and ClusterRoleBinding should be created.
  # Set to false when your cluster-level resources are managed separately.
  create: true
# Options for the Teleport proxy service.
# This only applies to the proxy service. The Teleport auth service is internal-only and always uses a ClusterIP.
# The proxy's backend service can be overridden to any service type (other than "LoadBalancer") here if really needed.
# To use an Ingress, set service.type=ClusterIP and ingress.enabled=true
service:
  type: LoadBalancer
  # Additional entries added to the service spec.
  spec: {}
  #  loadBalancerIP: "1.2.3.4"

# Options for ingress.
# When ingress.enabled is true, service.type MUST be set to something other than "LoadBalancer", otherwise
# additional unnecessary load balancers get created. Ingress controllers provision their own load balancer.
# Using an Ingress also requires the `tsh` client to connect to Kubernetes clusters and databases behind Teleport.
# See https://goteleport.com/docs/architecture/tls-routing/#working-with-layer-7-load-balancers-or-reverse-proxies-preview for details.
ingress:
  enabled: false
  # With suppressAutomaticWildcards set to true, *.<clusterName> is not added automatically as a hostname
  # served by the Ingress. This may be desirable when Teleport Application Access is not in use.
  suppressAutomaticWildcards: false
  # Additional entries added to the ingress spec.
  spec: {}
  #  ingressClassName: nginx
# Extra arguments passed to 'teleport start' for the main Teleport pod.
extraArgs: []

# Extra environment variables configured on the Teleport pod.
extraEnv: []

# Extra containers added to the Teleport pod.
# The commented example below is a network troubleshooting sidecar that runs
# privileged and as root (`privileged: true`, `runAsNonRoot: false`), which
# gives it host-level access; it is meant for debugging sessions, not for the
# default deployment.
extraContainers: []
# - name: nscenter
#   command:
#     - /bin/bash
#     - -c
#     - sleep infinity & wait
#   image: praqma/network-multitool
#   imagePullPolicy: IfNotPresent
#   securityContext:
#     privileged: true
#     runAsNonRoot: false

# Extra volumes mounted into the Teleport pods.
# https://kubernetes.io/docs/concepts/storage/volumes/
extraVolumes: []
# - name: myvolume
#   secret:
#     secretName: testSecret

# Extra volume mounts matching the volumes declared above.
extraVolumeMounts: []
# - name: myvolume
#   mountPath: /path/on/host
# Allows the imagePullPolicy to be overridden.
imagePullPolicy: IfNotPresent

# initContainers run before each Teleport pod starts.
# https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
initContainers: []
# - name: "teleport-init"
#   image: "alpine"
#   args: ["echo test"]

# When set, runs the command as a postStart handler.
# https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
postStart:
  command: []

# Resources requested for the teleport container.
# https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
resources: {}
#  requests:
#    cpu: "1"
#    memory: "2Gi"

# Security context added to the container.
securityContext: {}
#  runAsUser: 99

# Priority class name added to the deployment.
priorityClassName: ""

# Tolerations for pod assignment.
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []

# Timeout for the readiness and liveness probes.
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
probeTimeoutSeconds: 1

# Kubernetes termination grace period.
# https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
#
# Must stay above 30 seconds, because pods wait 30 seconds in a preStop hook.
terminationGracePeriodSeconds: 60