Scaling Privileged Access for Modern Infrastructure: Real-World Insights
Apr 25
Virtual
Register Today
Teleport logoTry For Free
Fork me on GitHub

Teleport

teleport-access-graph Chart Reference

The teleport-access-graph Helm chart deploys the Teleport Access Graph service.

See Run Teleport Access Graph on Self-Hosted Clusters with Helm for more details.

Version Compatibility

The chart is versioned with the Teleport Access Graph service. No compatibility guarantees are ensured if the service and chart versions differ. It is strongly recommended to always align the chart and service versions by using the --version Helm flag.

tls

tls TLS settings for the main gRPC listener.

tls.existingSecretName

TypeDefault
string""

tls.existingSecretName is the name of an existing Kubernetes secret containing the certificate and its private key to use for the gRPC listener. The secret must be of type kubernetes.io/tls, see the Kubernetes documentation for more details.

Setting this is required, as Teleport Access Graph always operates via TLS-protected connections.

clusterHostCAs

TypeDefault
array[]

clusterHostCAs is a list of strings containing PEM-encoded Host CA certificates of Teleport clusters that are allowed to use this instance of TAG. Setting this to a non-empty array is required.

service

TypeDefault
object{"grpcPort":443,"type":"ClusterIP"}

service contains options for the TAG Kubernetes service that the Chart exposes.

service.type

TypeDefault
string"ClusterIP"

service.type the type of Kubernetes service to create. The LoadBalancer type is only supported when using a Layer 4 (TCP) or lower load balancer. TAG expects to terminate its own TLS, as it uses mTLS to authenticate its clients.

service.grpcPort

TypeDefault
int443

service.grpcPort the port that the gRPC service is exposed on. This is the port that Teleport Auth Service and Proxy Service will need to connect to TAG on.

replicaCount

TypeDefault
int2

replicaCount the number of TAG pods that should be deployed.

image

image.tag

TypeDefault
string""

image.tag sets the version of the Teleport Access Graph image used. By default, this is the same as the Helm Chart version, i.e. TAG will be upgraded when you upgrade the Helm chart.

podAnnotations

TypeDefault
object{}

podAnnotations contains the Kubernetes annotations put on the Pod resources created by the chart.

podLabels

TypeDefault
object{}

podLabels contains the Kubernetes labels put on the Pod resources created by the chart.

podSecurityContext

TypeDefault
object{"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}

podSecurityContext sets the pod security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value supports running under the restricted Pod Security Standard.

securityContext

TypeDefault
object{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"seccompProfile":{"type":"RuntimeDefault"}}

securityContext sets the container security context for any pods created by the chart. See the Kubernetes documentation for more details.

The default value supports running under the restricted Pod Security Standard.

volumes

TypeDefault
array[]

volumes allows to define additional volumes on the output Deployment definition.

nodeSelector

TypeDefault
object{}

nodeSelector sets the node selector for any pods created by the chart. See the Kubernetes documentation for more details.

tolerations

TypeDefault
list[]

tolerations sets the tolerations for any pods created by the chart. See the Kubernetes documentation for more details.

affinity

TypeDefault
object{}

affinity sets the affinities for any pods created by the chart. See the Kubernetes documentation for more details.