
tbot Chart Reference

This chart deploys an instance of the Machine ID agent, tbot, into your Kubernetes cluster.

To use it, you will need to know:

  • The address of your Teleport Proxy Service or Auth Service
  • The name of your Teleport cluster
  • The name of a join token configured for Machine ID and your Kubernetes cluster as described in the Machine ID on Kubernetes guide

By default, this chart uses the kubernetes join method, but it can be customized to use any delegated join method. We do not recommend the token join method with this chart: it relies on a shared secret that has to be stored alongside the deployment, whereas delegated join methods let the bot prove its identity to Teleport without one.

Minimal configuration

This basic configuration will write a Teleport identity file to a secret in the deployment namespace called test-output.

clusterName: "test.teleport.sh"
teleportProxyAddress: "test.teleport.sh:443"
defaultOutput:
  secretName: "test-output"
token: "my-token"

Full reference

image

Type: string
Default: "public.ecr.aws/gravitational/tbot-distroless"

image sets the container image used for tbot pods created by this chart.

You can override this to use your own tbot image rather than a Teleport-published image.

clusterName

Type: string
Default: ""

clusterName should be the name of the Teleport cluster that your Bot will join. You can retrieve it by running tctl status.

For example: clusterName: "test.teleport.sh"

teleportProxyAddress

Type: string
Default: ""

teleportProxyAddress is the Teleport Proxy Service address the bot will connect to. It must include the port number, usually 443 or 3080 for the Proxy Service. Connecting through the Proxy Service is the most common and recommended way to reach Teleport, and it is the only way to connect to Teleport Enterprise (Cloud).

This setting is mutually exclusive with teleportAuthAddress and is ignored if customConfig is set.

For example:

teleportProxyAddress: "test.teleport.sh:443"

teleportAuthAddress

Type: string
Default: ""

teleportAuthAddress is the Teleport Auth Service address the bot will connect to. It must include the port number, usually 3025 for the Auth Service. Connect directly to the Auth Service only when the bot is deployed in the same Kubernetes cluster as your teleport-cluster Helm release and has direct network access to the Auth Service; otherwise, prefer connecting via the Proxy Service.

This setting is mutually exclusive with teleportProxyAddress and is ignored if customConfig is set.

For example:

teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"

defaultOutput

defaultOutput controls the default output configured for the tbot agent. Ignored if customConfig is set.

defaultOutput.enabled

Type: bool
Default: true

defaultOutput.enabled controls whether the default output is enabled.

persistence

persistence controls how the tbot agent stores its data.

Options:

  • "secret": uses a Kubernetes Secret.
  • "disabled": does not persist data, which may make it harder to track the bot deployment across its lifetime.

tbotConfig

Type: object
Default: {}

tbotConfig contains YAML tbot configuration to pass to the tbot pods. It is merged with the chart-generated configuration and takes precedence in case of conflict. Prefer the more specific configuration values offered elsewhere in this chart where they exist.

outputs

Type: list
Default: []

outputs contains additional outputs to configure for the tbot agent. These should be in the same format as the outputs field in the tbot.yaml. Ignored if customConfig is set.

services

Type: list
Default: []

services contains additional services to configure for the tbot agent. These should be in the same format as the services field in the tbot.yaml. Ignored if customConfig is set.
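The defaultOutput, outputs, services and tbotConfig values above only say that entries follow the tbot.yaml schema without showing one. The following values file is an added example and not part of the chart's own documentation: it disables the default identity output, declares one Kubernetes output and one application tunnel service in tbot.yaml format, and merges two top-level tbot settings through tbotConfig. The cluster name, application name, Secret name and resource figures are placeholders.

```yaml
# Added example values file for the tbot chart; all names are placeholders.
clusterName: "test.teleport.sh"
teleportProxyAddress: "test.teleport.sh:443"   # port is required

joinMethod: "kubernetes"   # delegated join, so the token name is not a secret
token: "my-token"

# Turn off the default identity-file output and declare outputs explicitly.
defaultOutput:
  enabled: false

# Same schema as the `outputs` field of tbot.yaml.
outputs:
  # Short-lived credentials for one Teleport-registered Kubernetes cluster,
  # written to a Secret in the release namespace.
  - type: kubernetes
    kubernetes_cluster: "my-k8s-cluster"
    destination:
      type: kubernetes_secret
      name: "tbot-kube-output"

# Same schema as the `services` field of tbot.yaml.
services:
  # Listener on the pod's loopback interface that forwards to a Teleport
  # application; only processes in the same pod can reach it.
  - type: application-tunnel
    listen: "tcp://127.0.0.1:8080"
    app_name: "grafana"

# Top-level tbot.yaml keys merged over the chart-generated configuration
# (they win on conflict). Use dedicated chart values where one exists.
tbotConfig:
  certificate_ttl: 1h
  renewal_interval: 20m

# Keep bot state in a Secret so it survives pod restarts.
persistence: "secret"

resources:
  requests:
    cpu: 50m
    memory: 64Mi
  limits:
    memory: 128Mi
```

With defaultOutput disabled, nothing is written to a test-output Secret; each Secret named under outputs is created in the release namespace and should be guarded with RBAC like any other credential. The outputs and services lists are ignored if customConfig is set.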

joinMethod

Type: string
Default: "kubernetes"

joinMethod describes how tbot joins the Teleport cluster. See the join method reference for a list of supported values and detailed explanations. Ignored if customConfig is set.

token

Type: string
Default: ""

token is the name of the token used by tbot to join the Teleport cluster. Unless joinMethod is set to "token", this value is only a name and is not sensitive; with the token join method it is the shared secret itself and must be protected accordingly. Ignored if customConfig is set.
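The chart carries only the token's name; the token itself is a Teleport resource created with tctl. As an added example that is not part of this reference, this is a token for the kubernetes join method matching the minimal configuration above. The bot name my-bot, the namespace teleport and the release name tbot are assumptions, and the `type: in_cluster` field assumes a recent Teleport version.

```yaml
# Added example: Teleport token resource for the kubernetes join method,
# applied with `tctl create -f <file>`. Names are placeholders.
kind: token
version: v2
metadata:
  name: my-token            # matches the chart's `token` value
spec:
  roles: [Bot]
  bot_name: my-bot          # bot created beforehand with `tctl bots add`
  join_method: kubernetes
  kubernetes:
    type: in_cluster
    # Only pods running as this ServiceAccount may join as the bot.
    # The chart's ServiceAccount defaults to the Helm release name, so this
    # is "<release namespace>:<release name>" unless serviceAccount.name
    # overrides it.
    allow:
      - service_account: "teleport:tbot"
```

The allow list is the trust boundary for this join method: a pod in another namespace, or one running as a different ServiceAccount, cannot present a projected token that satisfies it, so keep the entry as narrow as the chart's ServiceAccount settings permit.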

teleportVersionOverride

Type: string
Default: ""

teleportVersionOverride controls the tbot image version deployed by the chart.

Normally, the version of tbot matches the version of the chart. If you install chart version 15.0.0, you'll use tbot version 15.0.0. Upgrading tbot is done by upgrading the chart.

Warning

teleportVersionOverride is intended for development and MUST NOT be used to control the Teleport version in a typical deployment. This chart is designed to run a specific Teleport version. You will face compatibility issues trying to run a different Teleport version with it.

If you want to run Teleport version X.Y.Z, you should use helm install --version X.Y.Z instead.

anonymousTelemetry

Type: bool
Default: false

anonymousTelemetry controls whether anonymous telemetry is enabled.

debug

Type: bool
Default: false

debug controls whether the tbot agent runs in debug mode.

serviceAccount

serviceAccount controls the Kubernetes ServiceAccounts deployed and used by the chart.

serviceAccount.create

Type: bool
Default: true

serviceAccount.create controls whether the Helm chart creates the Kubernetes ServiceAccount resource for the agent. When off, you are responsible for creating the appropriate ServiceAccount resource.

serviceAccount.name

Type: string
Default: ""

serviceAccount.name sets the name of the ServiceAccount resource used by the chart. By default, the ServiceAccount has the name of the Helm release.

imagePullPolicy

Type: string
Default: "IfNotPresent"

imagePullPolicy sets the pull policy for any pods created by the chart. See the Kubernetes documentation for more details.

extraLabels

extraLabels contains additional Kubernetes labels to apply on the resources created by the chart. See the Kubernetes label documentation for more information.

extraLabels.role

Type: object
Default: {}

extraLabels.role are labels to set on the Role.

extraLabels.roleBinding

Type: object
Default: {}

extraLabels.roleBinding are labels to set on the RoleBinding.

extraLabels.config

Type: object
Default: {}

extraLabels.config are labels to set on the ConfigMap.

extraLabels.deployment

Type: object
Default: {}

extraLabels.deployment are labels to set on the Deployment or StatefulSet.

extraLabels.pod

Type: object
Default: {}

extraLabels.pod are labels to set on the Pods created by the Deployment or StatefulSet.

extraLabels.serviceAccount

Type: object
Default: {}

extraLabels.serviceAccount are labels to set on the ServiceAccount.

annotations

annotations contains annotations to apply to the different Kubernetes objects created by the chart. See the Kubernetes annotation documentation for more details.

annotations.role

Type: object
Default: {}

annotations.role are annotations to set on the Role.

annotations.roleBinding

Type: object
Default: {}

annotations.roleBinding are annotations to set on the RoleBinding.

annotations.config

Type: object
Default: {}

annotations.config contains the Kubernetes annotations put on the ConfigMap resource created by the chart.

annotations.deployment

Type: object
Default: {}

annotations.deployment contains the Kubernetes annotations put on the Deployment or StatefulSet resource created by the chart.

annotations.pod

Type: object
Default: {}

annotations.pod contains the Kubernetes annotations put on the Pod resources created by the chart.

annotations.serviceAccount

Type: object
Default: {}

annotations.serviceAccount contains the Kubernetes annotations put on the ServiceAccount resource created by the chart.

resources

Type: object
Default: {}

resources sets the resource requests/limits for any pods created by the chart. See the Kubernetes documentation for more details.

affinity

Type: object
Default: {}

affinity sets the affinities for any pods created by the chart. See the Kubernetes documentation for more details.

tolerations

Type: list
Default: []

tolerations sets the tolerations for any pods created by the chart. See the Kubernetes documentation for more details.

nodeSelector

Type: object
Default: {}

nodeSelector sets the node selector for any pods created by the chart. See the Kubernetes documentation for more details.

imagePullSecrets

Type: list
Default: []

imagePullSecrets sets the image pull secrets for any pods created by the chart. See the Kubernetes documentation for more details.

extraVolumes

Type: list
Default: []

extraVolumes contains extra volumes to mount into the tbot pods. See the Kubernetes volume documentation for more details.

For example:

extraVolumes:
- name: myvolume
  secret:
    secretName: testSecret

extraVolumeMounts

Type: list
Default: []

extraVolumeMounts contains extra volume mounts for the main tbot container. See the Kubernetes volume documentation for more details.

For example:

extraVolumeMounts:
- name: myvolume
  mountPath: /path/in/container

extraArgs

Type: list
Default: []

extraArgs contains extra arguments to pass to tbot start in the main tbot pod.

extraEnv

Type: list
Default: []

extraEnv contains extra environment variables to set in the main tbot pod.

For example:

extraEnv:
  - name: HTTPS_PROXY
    value: "http://username:password@proxy.example.com:3128"

Credentials placed directly in extraEnv are stored in plain text in the Deployment manifest; for real proxy credentials, reference a Secret with valueFrom.secretKeyRef instead.