The teleport-cluster Helm chart deploys a Teleport cluster on Kubernetes.
This includes deploying proxies, auth servers, and kubernetes-access.
See the Teleport HA Architecture page
for more details.
You can browse the source on GitHub.
The teleport-cluster chart runs three Teleport services, split into two sets of pods:
| Teleport service | Running in | Purpose | Documentation |
|---|---|---|---|
auth_service | auth Deployment | Authenticates users and hosts, and issues certificates. | Auth documentation |
kubernetes_service | auth Deployment | Provides secure access to the Kubernetes cluster where the Teleport cluster is hosted. | Kubernetes Access documentation |
proxy_service | proxy Deployment | Runs the externally-facing parts of a Teleport cluster, such as the web UI, SSH proxy and reverse tunnel service. | Proxy documentation |
If you want to provide access to resources like Databases, Applications or other
Kubernetes clusters than the one hosting the Teleport cluster, you should use the
teleport-kube-agent Helm chart.
teleport-clusterhosts a Teleport cluster, you should only need one.teleport-kube-agentconnects to an existing Teleport cluster and exposes configured resources.
This reference details available values for the teleport-cluster chart.
The teleport-cluster chart can be deployed in four different modes.
Get started with a guide for each mode:
chartMode | Purpose | Guide |
|---|---|---|
standalone | Runs by relying only on Kubernetes resources. | Getting Started - Kubernetes with SSO |
aws | Leverages AWS managed services to store data. | Running an HA Teleport cluster using an AWS EKS Cluster |
gcp | Leverages GCP managed services to store data. | Running an HA Teleport cluster using a Google Cloud GKE cluster |
scratch (v12 and above) | Generates empty Teleport configuration. User must pass their own config. This is discouraged, use standalone mode with auth.teleportConfig and proxy.teleportConfig instead. | Running a Teleport cluster with a custom config |
custom mode has been removed in Teleport version 12. See the version 12
migration guide for
more information.
The chart is versioned with Teleport. No compatibility guarantees are ensured between new charts and previous major Teleport versions. It is strongly recommended to always deploy a Teleport version with the same major version as the Helm chart.
Backing up production instances, environments, and/or settings before making permanent modifications is encouraged as a best practice. Doing so allows you to roll back to an existing state if needed.
clusterName
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
string | nil | Yes | auth_service.cluster_name, proxy_service.public_addr |
clusterName controls the name used to refer to the Teleport cluster, along with
the externally-facing public address used to access it. In most setups this must
be a fully-qualified domain name (e.g. teleport.example.com) as this value is
used as the cluster's public address by default.
When using a fully qualified domain name as your clusterName, you will also
need to configure the DNS provider for this domain to point to the external
load balancer address of your Teleport cluster.
Whether an IP or hostname is provided as an external address for the load balancer varies according to the provider.
EKS uses a hostname:
kubectl --namespace teleport-cluster get service/teleport -o jsonpath='{.status.loadBalancer.ingress[*].hostname}'a5f22a02798f541e58c6641c1b158ea3-1989279894.us-east-1.elb.amazonaws.com
GKE uses an IP address:
kubectl --namespace teleport-cluster get service/teleport -o jsonpath='{.status.loadBalancer.ingress[*].ip}'35.203.56.38
You will need to manually add a DNS A record pointing teleport.example.com to
the IP, or a CNAME record pointing to the hostname of the Kubernetes load balancer.
Teleport assigns a subdomain to each application you have configured for Application
Access (e.g., grafana.teleport.example.com), so you will need to ensure that a
DNS A (or CNAME for services that only provide a hostname) record exists for each
application-specific subdomain so clients can access your applications via Teleport.
You should create either a separate DNS record for each subdomain, or a single
record with a wildcard subdomain such as *.teleport.example.com. This way, your
certificate authority (e.g., Let's Encrypt) can issue a certificate for each
subdomain, enabling clients to verify your Teleport hosts regardless of the
application they are accessing.
The clusterName cannot be changed during a Teleport cluster's lifespan.
If you need to change it, you must redeploy a completely new cluster.
kubeClusterName
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
string | clusterName value | no | kubernetes_service.kube_cluster_name |
kubeClusterName sets the name used for Kubernetes access.
This name will be shown to Teleport users connecting to the Kubernetes cluster.
auth
| Type | Default value | Required? |
|---|---|---|
object | no |
The teleport-cluster chart deploys two sets of pods, one for the Auth Service
and another for the Proxy Service.
auth contains values specific for Auth Service pods. You can use it to set
specific values for auth pods, taking precedence over chart-scoped values.
For example, to override the postStart value only for auth pods:
# By default all pods postStart command should be "echo starting"
postStart: ["echo", "starting"]
auth:
# But we override the `postStart` value specifically for auth pods
postStart: ["curl", "http://hook"]
imagePullPolicy: Always
auth.teleportConfig
| Type | Default value | Required? |
|---|---|---|
object | no |
auth.teleportConfig contains YAML teleport configuration for auth pods.
The configuration will be merged with the chart-generated configuration
and will take precedence in case of conflict. This field allows customization of/overrides to
any bit of configuration in teleport.yaml without having to use
the scratch chart mode.
The merge logic is as follows:
- object fields are merged recursively
- lists are replaced
- values (string, integer, boolean, ...) are replaced
- fields can be unset by setting them to
nullor~
See the Teleport Configuration Reference for the list of supported fields.
auth:
teleportConfig:
teleport:
cache:
enabled: false
auth_service:
client_idle_timeout: 2h
client_idle_timeout_message: "Connection closed after 2 hours without activity"
proxy
| Type | Default value | Required? |
|---|---|---|
object | no |
The teleport-cluster charts deploys two sets of pods: one for the Auth Service
and another for the Proxy Service.
proxy contains values specific to Proxy Service pods. You can use it to
set specific values for proxy pods, taking precedence over chart-scoped values.
For example, to override the postStart value only for proxy pods:
# By default all pods postStart command should be "echo starting"
postStart: ["echo", "starting"]
proxy:
# But we override the `postStart` value specifically for proxy pods
postStart: ["curl", "http://hook"]
imagePullPolicy: Always
proxy.teleportConfig
| Type | Default value | Required? |
|---|---|---|
object | no |
proxy.teleportConfig contains YAML teleport configuration for proxy pods
The configuration will be merged with the chart-generated configuration
and will take precedence in case of conflict. This field allows customization of/overrides to
any bit of configuration in teleport.yaml without having to use
the scratch chart mode.
The merge logic is as follows:
- object fields are merged recursively
- lists are replaced
- values (string, integer, boolean, ...) are replaced
- fields can be unset by setting them to
nullor~
See the Teleport Configuration Reference for the list of supported fields.
proxy:
teleportConfig:
teleport:
cache:
enabled: false
proxy_service:
https_keypairs:
- key_file: /my-custom-mount/key.pem
cert_file: /my-custom-mount/cert.pem
authentication
authentication.type
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
string | local | Yes | auth_service.authentication.type |
authentication.type controls the authentication scheme used by Teleport.
Possible values are local and github for OSS, plus oidc and saml for Enterprise.
authentication.connectorName
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
string | "" | No | auth_service.authentication.connector_name |
authentication.connectorName sets the default authentication connector.
The SSO documentation explains how to create
authentication connectors for common identity providers. In addition to SSO
connector names, the following built-in connectors are supported:
localfor local userspasswordlessto enable by default passwordless authentication.
Defaults to local.
authentication.localAuth
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
bool | true | No | auth_service.authentication.local_auth |
authentication.localAuth controls whether local authentication is enabled.
When disabled, users can only log in through authentication connectors like saml, oidc or github.
Disabling local auth is required for FedRAMP / FIPS.
authentication.lockingMode
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
string | "" | No | auth_service.authentication.locking_mode |
authentication.lockingMode controls the locking mode cluster-wide. Possible values are best_effort and strict.
See the locking modes documentation for more
details.
Defaults to Teleport's binary default when empty: best_effort.
authentication.secondFactor
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
string | otp | Yes | auth_service.authentication.second_factor |
authentication.secondFactor controls the second factor used for local user authentication. Possible values supported by this chart
are off (not recommended), on, otp, optional and webauthn.
When set to on, optional or webauthn, the authenticationSecondFactor.webauthn section can also be used.
The configured rp_id defaults to clusterName.
If you set publicAddr for users to access the cluster under a domain different
to clusterName, you must manually set the webauthn Relying
Party Identifier (RP
ID). If you don't,
RP ID will default to clusterName and users will fail to register second
factors.
You can do this by setting the value
auth.teleportConfig.auth_service.authentication.webauthn.rp_id.
RP ID must be both a valid domain, and part of the full domain users are connecting to. For example, if users are accessing the cluster with the domain "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
Changing the RP ID will invalidate all already registered webauthn second factors.
authentication.webauthn
See Second Factor - WebAuthn for more details.
authentication.webauthn.attestationAllowedCas
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
array | [] | No | auth_service.authentication.webauthn.attestation_allowed_cas |
authentication.webauthn.attestationAllowedCas is an optional allow list of certificate authorities (as local file paths or in-line PEM certificate string) for
device verification.
This field allows you to restrict which device models and vendors you trust.
Devices outside of the list will be rejected during registration.
By default all devices are allowed.
authentication.webauthn.attestationDeniedCas
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
array | [] | No | auth_service.authentication.webauthn.attestation_denied_cas |
authentication.webauthn.attestationDeniedCas is optional deny list of certificate authorities (as local file paths or in-line PEM certificate string) for
device verification.
This field allows you to forbid specific device models and vendors, while allowing all others (provided they clear attestation_allowed_cas as well).
Devices within this list will be rejected during registration.
By default no devices are forbidden.
proxyListenerMode
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
string | nil | no | auth_service.proxy_listener_mode |
proxyListenerMode controls proxy TLS routing used by Teleport. Possible values are multiplex.
values.yaml example:
proxyListenerMode: multiplex
sessionRecording
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
string | "" | no | auth_service.session_recording |
sessionRecording controls the session_recording field in the teleport.yaml configuration.
It is passed as-is in the configuration.
For possible values, see the Teleport Configuration Reference.
values.yaml example:
sessionRecording: proxy
separatePostgresListener
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
bool | false | no | proxy_service.postgres_listen_addr |
separatePostgresListener controls whether Teleport will multiplex PostgreSQL
traffic for the Teleport Database Service over a separate TLS listener to
Teleport's web UI.
When separatePostgresListener is false (the default), PostgreSQL traffic will be directed to port 443 (the default Teleport web
UI port). This works in situations when Teleport is terminating its own TLS traffic, i.e. when using certificates from LetsEncrypt
or providing a certificate/private key pair via Teleport's proxy_service.https_keypairs config.
When separatePostgresListener is true, PostgreSQL traffic will be directed to a separate Postgres-only listener on port 5432.
This also adds the port to the Service that the chart creates. This is useful when terminating TLS at a load balancer
in front of Teleport, such as when using AWS ACM.
These settings will not apply if proxyListenerMode is set to multiplex.
values.yaml example:
separatePostgresListener: true
separateMongoListener
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
bool | false | no | proxy_service.mongo_listen_addr |
separateMongoListener controls whether Teleport will multiplex PostgreSQL traffic for the Teleport Database Service
over a separate TLS listener to Teleport's web UI.
When separateMongoListener is false (the default), MongoDB traffic will be directed to port 443 (the default Teleport web
UI port). This works in situations when Teleport is terminating its own TLS traffic, i.e. when using certificates from LetsEncrypt
or providing a certificate/private key pair via Teleport's proxy_service.https_keypairs config.
When separateMongoListener is true, MongoDB traffic will be directed to a separate Mongo-only listener on port 27017.
This also adds the port to the Service that the chart creates. This is useful when terminating TLS at a load balancer
in front of Teleport, such as when using AWS ACM.
These settings will not apply if proxyListenerMode is set to multiplex.
values.yaml example:
separateMongoListener: true
publicAddr
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
list[string] | [] | no | proxy_service.public_addr |
publicAddr controls the advertised addresses for TLS connections.
When publicAddr is not set, the address used is clusterName on port 443.
If you set publicAddr for users to access the cluster under a domain different
to clusterName you must manually set the webauthn Relying
Party Identifier (RP
ID). If you don't,
RP ID will default to clusterName and users will fail to register second
factors.
You can do this by setting the value
auth.teleportConfig.auth_service.authentication.webauthn.rp_id.
RP ID must be both a valid domain, and part of the full domain users are connecting to. For example, if users are accessing the cluster with the domain "teleport.example.com", RP ID can be "teleport.example.com" or "example.com".
Changing the RP ID will invalidate all already registered webauthn second factors.
values.yaml example:
publicAddr: ["loadbalancer.example.com:443"]
kubePublicAddr
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
list[string] | [] | no | proxy_service.kube_public_addr |
kubePublicAddr controls the advertised addresses for the Kubernetes proxy.
This setting will not apply if proxyListenerMode is set to multiplex.
When kubePublicAddr is not set, the addresses are inferred from publicAddr if set,
else clusterName is used. Default port is 3026.
values.yaml example:
kubePublicAddr: ["loadbalancer.example.com:3026"]
mongoPublicAddr
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
list[string] | [] | no | proxy_service.mongo_public_addr |
mongoPublicAddr controls the advertised addresses to MongoDB clients.
This setting will not apply if proxyListenerMode is set to multiplex and
requires separateMongoListener enabled.
When mongoPublicAddr is not set, the addresses are inferred from clusterName is used.
Default port is 27017.
values.yaml example:
mongoPublicAddr: ["loadbalancer.example.com:27017"]
mysqlPublicAddr
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
list[string] | [] | no | proxy_service.mysql_public_addr |
mysqlPublicAddr controls the advertised addresses for the MySQL proxy.
This setting will not apply if proxyListenerMode is set to multiplex.
When mysqlPublicAddr is not set, the addresses are inferred from publicAddr if set,
else clusterName is used. Default port is 3036.
values.yaml example:
mysqlPublicAddr: ["loadbalancer.example.com:3036"]
postgresPublicAddr
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
list[string] | [] | no | proxy_service.postgres_public_addr |
postgresPublicAddr controls the advertised addresses to postgres clients.
This setting will not apply if proxyListenerMode is set to multiplex and
requires separatePostgresListener enabled.
When postgresPublicAddr is not set, the addresses are inferred from publicAddr if set,
else clusterName is used. Default port is 5432.
values.yaml example:
postgresPublicAddr: ["loadbalancer.example.com:5432"]
sshPublicAddr
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
list[string] | [] | no | proxy_service.ssh_public_addr |
sshPublicAddr controls the advertised addresses for SSH clients. This is also used by the tsh client.
This setting will not apply if proxyListenerMode is set to multiplex.
hen sshPublicAddr is not set, the addresses are inferred from publicAddr if set,
else clusterName is used. Default port is 3023.
values.yaml example:
sshPublicAddr: ["loadbalancer.example.com:3023"]
tunnelPublicAddr
| Type | Default value | Required? | teleport.yaml equivalent |
|---|---|---|---|
list[string] | [] | no | proxy_service.tunnel_public_addr |
tunnelPublicAddr controls the advertised addresses to trusted clusters or nodes joining via node-tunneling.
This setting will not apply if proxyListenerMode is set to multiplex.
When tunnelPublicAddr is not set, the addresses are inferred from publicAddr if set,
else clusterName is used. Default port is 3024.
values.yaml example:
tunnelPublicAddr: ["loadbalancer.example.com:3024"]
enterprise
| Type | Default value |
|---|---|
bool | false |
enterprise controls whether to use Teleport Community Edition or Teleport Enterprise.
Setting enterprise to true will use the Teleport Enterprise image.
You will also need to download your Enterprise license from the Teleport dashboard and add it as a Kubernetes secret to use this:
kubectl --namespace teleport create secret generic license --from-file=/path/to/downloaded/license.pem
If you installed the Teleport chart into a specific namespace, the license secret you create must also be added to the same namespace.
The file added to the secret must be called license.pem. If you have renamed it, you can specify the filename to use in the secret creation command:
kubectl --namespace teleport create secret generic license --from-file=license.pem=/path/to/downloaded/this-is-my-teleport-license.pem
values.yaml example:
enterprise: true
installCRDs
| Type | Default value |
|---|---|
bool | false |
CRDs are not namespace-scoped resources - they can be installed only once in a cluster.
CRDs are required by the Teleport Kubernetes Operator and are installed by default when operator.enabled is true.
installCRDs overrides this behavior and allows users to indicate whether to deploy Teleport CRDs.
If several releases of the teleport-cluster chart are deployed in the same Kubernetes cluster, only one
release should have installCRDs enabled. Unless you are deploying multiple teleport-cluster Helm releases in
the same Kubernetes cluster or installing the CRDs on your own you should not have to set this value.
values.yaml example:
installCRDs: true
operator
operator.enabled
| Type | Default value |
|---|---|
bool | false |
operator.enabled controls whether to deploy the Teleport Kubernetes Operator as a side-car.
Enabling the operator will also deploy the Teleport CRDs in the Kubernetes cluster.
If you are deploying multiple releases of the Helm chart in the same cluster you can override this behavior with
installCRDs.
values.yaml example:
operator:
enabled: true
operator.image
| Type | Default value |
|---|---|
string | public.ecr.aws/gravitational/teleport-operator |
operator.image sets the Teleport Kubernetes Operator container image used for Teleport pods in the cluster.
You can override this to use your own Teleport Operator image rather than a Teleport-published image.
This setting requires operator.enabled.
values.yaml example:
operator:
image: my.docker.registry/teleport-operator-image-name
operator.resources
| Type | Default value |
|---|---|
object | {} |
See the Kubernetes resource documentation.
It is recommended to set resource requests/limits for each container based on their observed usage.
values.yaml example:
operator:
resources:
requests:
cpu: 1
memory: 2Gi
teleportVersionOverride
| Type | Default value |
|---|---|
string | nil |
Normally the version of Teleport being used will match the version of the chart being installed. If you install chart version 10.0.0, you'll be using Teleport 10.0.0. Upgrading the Helm chart will use the latest version from the repo.
You can optionally override this to use a different published Teleport Docker
image tag like 10.1.2 or 11.
teleportVersionOverride MUST NOT be used to control the Teleport version.
This chart is designed to run a specific Teleport version. You will face
compatibility issues trying to run a different Teleport version with it.
If you want to run Teleport version X.Y.Z, you should use
helm --version X.Y.Z instead.
See our installation guide for information on Docker image versions.
values.yaml example:
teleportVersionOverride: "11"
acme
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
bool | false | proxy_service.acme.enabled |
ACME is a protocol for getting Web X.509 certificates.
Setting acme to true enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt.
Setting acme to false (the default) will cause Teleport to generate and use self-signed certificates for its web UI.
ACME can only be used for single-pod clusters. It is not suitable for use in HA configurations.
Using a self-signed TLS certificate and disabling TLS verification is OK for testing, but is not viable when running a production Teleport cluster as it will drastically reduce security. You must configure valid TLS certificates on your Teleport cluster for production workloads.
One option might be to use Teleport's built-in ACME support or enable cert-manager support.
acmeEmail
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
string | nil | proxy_service.acme.email |
acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement).
acmeURI
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
string | Let's Encrypt production server | proxy_service.acme.uri |
acmeURI is the ACME server to use for getting certificates.
As an example, this can be overridden to use the Let's Encrypt staging server for testing.
You can also use any other ACME-compatible server.
values.yaml example:
acme: true
acmeEmail: [email protected]
acmeURI: https://acme-staging-v02.api.letsencrypt.org/directory
podSecurityPolicy
podSecurityPolicy.enabled
| Type | Default value |
|---|---|
bool | true for 1.22 and lower, false for 1.23 and higher |
By default, Teleport charts used to install a podSecurityPolicy.
PodSecurityPolicy resource has been removed in Kubernetes 1.25 and replaced since 1.23 by PodSecurityAdmission. If you are running on Kubernetes 1.23 or later it is recommended to disable PSPs and use PSAs. The steps are documented in the PSP removal guide.
To disable PSP creation, you can set enabled to false.
values.yaml example:
podSecurityPolicy:
enabled: false
labels
| Type | Default value |
|---|---|
object | {} |
labels can be used to add a map of key-value pairs relating to the Teleport cluster being deployed. These labels can then be used with
Teleport's RBAC policies to define access rules for the cluster.
These are Teleport-specific RBAC labels, not Kubernetes labels.
values.yaml example:
labels:
environment: production
region: us-east
chartMode
| Type | Default value |
|---|---|
string | standalone |
chartMode is used to configure the chart's operation mode. You can find more information about each mode on its specific guide page:
Using the scratch chart mode is discouraged. Precise chart and Teleport
knowledge is required to write a fully working cluster configuration.
If you want a working cluster with blocks of custom configuration, it is
recommended to use one of the other modes and rely on
auth.teleportConfig and proxy.teleportConfig
to inject your custom configuration.
persistence
Changes in Kubernetes 1.23+ mean that persistent volumes will not automatically be provisioned in AWS EKS clusters without additional configuration.
See AWS documentation on the EBS CSI driver for more details. This driver addon must be configured to use persistent volumes in EKS clusters after Kubernetes 1.23.
persistence.enabled
| Type | Default value |
|---|---|
bool | true |
persistence.enabled can be used to enable data persistence using either a new or pre-existing PersistentVolumeClaim.
values.yaml example:
persistence:
enabled: true
persistence.existingClaimName
| Type | Default value |
|---|---|
string | nil |
persistence.existingClaimName can be used to provide the name of a pre-existing PersistentVolumeClaim to use if desired.
The default is left blank, which will automatically create a PersistentVolumeClaim to use for Teleport storage in standalone or scratch mode.
values.yaml example:
persistence:
existingClaimName: my-existing-pvc-name
persistence.volumeSize
| Type | Default value |
|---|---|
string | 10Gi |
You can set volumeSize to request a different size of persistent volume when installing the Teleport chart in standalone or scratch mode.
volumeSize will be ignored if existingClaimName is set.
values.yaml example:
persistence:
volumeSize: 50Gi
aws
aws settings are described in the AWS guide: Running an HA Teleport cluster using an AWS EKS Cluster
gcp
gcp settings are described in the GCP guide: Running an HA Teleport cluster using a Google Cloud GKE cluster
highAvailability
highAvailability contains settings controlling how Teleport pods are
replicated and scheduled. This allows Teleport to run in a highly-available
fashion: Teleport should sustain the crash/loss of a machine without interrupting
the service.
For auth pods
When using "standalone" or "scratch" mode, you must use highly-available storage (etcd, DynamoDB or Firestore) for multiple replicas to be supported. Manually configuring NFS-based storage or ReadWriteMany volume claims is NOT supported and will result in errors. Using Teleport's built-in ACME client (as opposed to using cert-manager or passing certs through a secret) is not supported with multiple replicas.
For proxy pods
Proxy pods need to be provided a certificate to be replicated (via either
tls.existingSecretName or highAvailability.certManager).
If proxy pods are replicable, they will default to 2 replicas,
even if highAvailability.replicaCount is 1. To force a single proxy replica,
set proxy.highAvailability.replicaCount: 1.
highAvailability.replicaCount
| Type | Default value |
|---|---|
int | 1 |
Controls the amount of pod replicas. The highAvailability section describes
the replication requirements.
If you set a value greater than 1, you must meet the replication criteria described above. Failure to do so will result in errors and inconsistent data.
highAvailability.requireAntiAffinity
| Type | Default value |
|---|---|
bool | false |
Setting highAvailability.requireAntiAffinity to true will use requiredDuringSchedulingIgnoredDuringExecution to require that multiple
Teleport pods must not be scheduled on the same physical host.
This can result in Teleport pods failing to be scheduled in very small clusters or during node downtime, so should be used with caution.
Setting highAvailability.requireAntiAffinity to false (the default) uses preferredDuringSchedulingIgnoredDuringExecution to make node
anti-affinity a soft requirement.
This setting only has any effect when highAvailability.replicaCount is greater than 1.
values.yaml example:
highAvailability:
requireAntiAffinity: true
highAvailability.podDisruptionBudget
highAvailability.podDisruptionBudget.enabled
| Type | Default value |
|---|---|
bool | false |
Enable a Pod Disruption Budget for the Teleport Pod to ensure HA during voluntary disruptions.
values.yaml example:
highAvailability:
podDisruptionBudget:
enabled: true
highAvailability.podDisruptionBudget.minAvailable
| Type | Default value |
|---|---|
int | 1 |
Ensures that this number of replicas is available during voluntary disruptions, can be a number of replicas or a percentage.
values.yaml example:
highAvailability:
podDisruptionBudget:
minAvailable: 1
highAvailability.certManager
See the cert-manager docs for more information.
highAvailability.certManager.enabled
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
bool | false | proxy_service.https_keypairs (to provide your own certificates) |
Setting highAvailability.certManager.enabled to true will use cert-manager to provision a TLS certificate for a Teleport
cluster deployed in HA mode.
You must install and configure cert-manager in your Kubernetes cluster yourself.
See the cert-manager Helm install instructions and the relevant sections of the AWS and GCP guides for more information.
highAvailability.certManager.addCommonName
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
bool | false | proxy_service.https_keypairs (to provide your own certificates) |
Setting highAvailability.certManager.addCommonName to true will instruct cert-manager to set the commonName field in its certificate signing request to the issuing CA.
You must install and configure cert-manager in your Kubernetes cluster yourself.
See the cert-manager Helm install instructions and the relevant sections of the AWS and GCP guides for more information.
values.yaml example:
highAvailability:
certManager:
enabled: true
addCommonName: true
issuerName: letsencrypt-production
highAvailability.certManager.issuerName
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
string | nil | None |
Sets the name of the cert-manager Issuer or ClusterIssuer to use for issuing certificates.
You must install configure an appropriate Issuer supporting a DNS01 challenge yourself.
Please see the cert-manager DNS01 docs and the relevant sections of the AWS and GCP guides for more information.
values.yaml example:
highAvailability:
certManager:
enabled: true
issuerName: letsencrypt-production
highAvailability.certManager.issuerKind
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
string | Issuer | None |
Sets the Kind of Issuer to be used when issuing certificates with cert-manager. Defaults to Issuer to keep permissions
scoped to a single namespace.
values.yaml example:
highAvailability:
certManager:
issuerKind: ClusterIssuer
highAvailability.certManager.issuerGroup
| Type | Default value |
|---|---|
string | cert-manager.io |
Sets the Group of Issuer to be used when issuing certificates with cert-manager. Defaults to cert-manager.io to use built-in issuers.
values.yaml example:
highAvailability:
certManager:
issuerGroup: cert-manager.io
highAvailability.minReadySeconds
| Type | Default value |
|---|---|
integer | 15 |
Amount of time to wait during a pod rollout before moving to the next pod. See Kubernetes documentation.
This is used to give time for the agents to connect back to newly created pods before continuing the rollout.
values.yaml example:
highAvailability:
minReadySeconds: 15
tls.existingSecretName
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
string | "" | proxy_service.https_keypairs |
tls.existingSecretName tells Teleport to use an existing Kubernetes TLS secret to secure its web UI using HTTPS. This can be
set to use a TLS certificate issued by a trusted internal CA rather than a public-facing CA like Let's Encrypt.
You should create the secret in the same namespace as Teleport using a command like this:
kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file
See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information.
values.yaml example:
tls:
existingSecretName: my-tls-secret
tls.existingCASecretName
| Type | Default value |
|---|---|
string | "" |
tls.existingCASecretName sets the SSL_CERT_FILE environment variable to load a trusted CA or bundle in PEM format into Teleport pods.
This can be set to inject a root and/or intermediate CA so that Teleport can build a full trust chain on startup.
This can also be used to trust private CAs when contacting an OIDC provider, an S3-compatible backend, or any external service without
modifying the Teleport base image.
This is likely to be needed
if Teleport fails to start when tls.existingSecretName is set with a User Message: unable to verify HTTPS certificate chain error
in the pod logs.
You should create the secret in the same namespace as Teleport using a command like this:
kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
The filename used for the root CA in the secret must be ca.pem.
values.yaml example:
tls:
existingCASecretName: my-root-ca
image
| Type | Default value |
|---|---|
string | public.ecr.aws/gravitational/teleport |
image sets the Teleport container image used for Teleport Community pods in the cluster.
You can override this to use your own Teleport Community image rather than a Teleport-published image.
values.yaml example:
image: my.docker.registry/teleport-community-image-name
enterpriseImage
| Type | Default value |
|---|---|
string | public.ecr.aws/gravitational/teleport-ent |
enterpriseImage sets the container image used for Teleport Enterprise pods in the cluster.
You can override this to use your own Teleport Enterprise image rather than a Teleport-published image.
values.yaml example:
enterpriseImage: my.docker.registry/teleport-enterprise-image-name
log
log.level
This field used to be called logLevel. For backwards compatibility this name can still be used, but we recommend changing your values file to use log.level.
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
string | INFO | teleport.log.severity |
log.level sets the log level used for the Teleport process.
Available log levels (in order of most to least verbose) are: DEBUG, INFO, WARNING, ERROR.
The default is INFO, which is recommended in production.
DEBUG is useful during first-time setup or to see more detailed logs for debugging.
values.yaml example:
log:
level: DEBUG
log.output
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
string | stderr | teleport.log.output |
log.output sets the output destination for the Teleport process.
This can be set to any of the built-in values: stdout, stderr or syslog to use that destination.
The value can also be set to a file path (such as /var/log/teleport.log) to write logs to a file. Bear in mind that a few service startup messages will still go to stderr for resilience.
values.yaml example:
log:
output: stderr
log.format
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
string | text | teleport.log.format.output |
log.format sets the output type for the Teleport process.
Possible values are text (default) or json.
values.yaml example:
log:
format: json
log.extraFields
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
list | ["timestamp", "level", "component", "caller"] | teleport.log.format.extra_fields |
log.extraFields sets the fields used in logging for the Teleport process.
See the Teleport config file reference for more details on possible values for extra_fields.
values.yaml example:
log:
extraFields: ["timestamp", "level"]
nodeSelector
| Type | Default value |
|---|---|
object | {} |
nodeSelector can be used to add a map of key-value pairs to constrain the
nodes that Teleport pods will run on.
values.yaml example:
nodeSelector:
role: bastion
environment: security
affinity
| Type | Default value |
|---|---|
object | {} |
Kubernetes affinity to set for pod assignments.
You cannot set both affinity and highAvailability.requireAntiAffinity as they conflict with each other. Only set one or the other.
values.yaml example:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: gravitational.io/dedicated
operator: In
values:
- teleport
annotations.config
| Type | Default value | teleport.yaml equivalent |
|---|---|---|
object | {} | None |
Kubernetes annotations which should be applied to the ConfigMap created by the chart.
values.yaml example:
annotations:
config:
kubernetes.io/annotation: value
annotations.deployment
| Type | Default value |
|---|---|
object | {} |
Kubernetes annotations which should be applied to the Deployment created by the chart.
values.yaml example:
annotations:
deployment:
kubernetes.io/annotation: value
annotations.pod
| Type | Default value |
|---|---|
object | {} |
Kubernetes annotations which should be applied to each Pod created by the chart.
values.yaml example:
annotations:
pod:
kubernetes.io/annotation: value
annotations.service
| Type | Default value |
|---|---|
object | {} |
Kubernetes annotations which should be applied to the Service created by the chart.
values.yaml example:
annotations:
service:
kubernetes.io/annotation: value
annotations.serviceAccount
| Type | Default value |
|---|---|
object | {} |
Kubernetes annotations which should be applied to the serviceAccount created by the chart.
values.yaml example:
annotations:
serviceAccount:
kubernetes.io/annotation: value
annotations.certSecret
| Type | Default value |
|---|---|
object | {} |
Kubernetes annotations which should be applied to the secret generated by
cert-manager from the certificate created by the chart. Only valid when
highAvailability.certManager.enabled is set to true and requires
cert-manager v1.5.0+.
values.yaml example:
annotations:
certSecret:
kubernetes.io/annotation: value
serviceAccount.create
| Type | Default value | Required? |
|---|---|---|
boolean | true | No |
Boolean value that specifies whether service account should be created or not.
serviceAccount.name
| Type | Default value | Required? |
|---|---|---|
string | "" | No |
Name to use for teleport service account.
If serviceAccount.create is false, service account with this name should be created in current namespace before installing helm chart.
service.type
| Type | Default value | Required? |
|---|---|---|
string | LoadBalancer | Yes |
Allows to specify the service type.
values.yaml example:
service:
type: LoadBalancer
service.spec.loadBalancerIP
| Type | Default value | Required? |
|---|---|---|
string | nil | No |
Allows to specify the loadBalancerIP.
values.yaml example:
service:
spec:
loadBalancerIP: 1.2.3.4
extraArgs
| Type | Default value |
|---|---|
list | [] |
A list of extra arguments to pass to the teleport start command when running a Teleport Pod.
values.yaml example:
extraArgs:
- "--bootstrap=/etc/teleport-bootstrap/roles.yaml"
extraEnv
| Type | Default value |
|---|---|
list | [] |
A list of extra environment variables to be set on the main Teleport container.
values.yaml example:
extraEnv:
- name: MY_ENV
value: my-value
extraVolumes
| Type | Default value |
|---|---|
list | [] |
A list of extra Kubernetes Volumes which should be available to any Pod created by the chart. These volumes
will also be available to any initContainers configured by the chart.
values.yaml example:
extraVolumes:
- name: myvolume
secret:
secretName: mysecret
extraVolumeMounts
| Type | Default value |
|---|---|
list | [] |
A list of extra Kubernetes volume mounts which should be mounted into any Pod created by the chart. These volume
mounts will also be mounted into any initContainers configured by the chart.
values.yaml example:
extraVolumeMounts:
- name: myvolume
mountPath: /path/to/mount/volume
imagePullPolicy
| Type | Default value |
|---|---|
string | IfNotPresent |
Allows the imagePullPolicy for any pods created by the chart to be overridden.
values.yaml example:
imagePullPolicy: Always
imagePullSecrets
| Type | Default value |
|---|---|
list | [] |
A list of secrets containing authorization tokens which can be optionally used to access a private Docker registry.
values.yaml example:
imagePullSecrets:
- name: my-docker-registry-key
initContainers
| Type | Default value |
|---|---|
list | [] |
A list of initContainers which will be run before the main Teleport container in any pod created by the chart.
values.yaml example:
initContainers:
- name: teleport-init
image: alpine
args: ['echo test']
postStart
| Type | Default value |
|---|---|
object | {} |
A postStart lifecycle handler to be configured on the main Teleport container.
values.yaml example:
postStart:
command:
- echo
- foo
resources
| Type | Default value |
|---|---|
object | {} |
Resource requests/limits which should be configured for Teleport containers. These resource limits will also be
applied to initContainers.
values.yaml example:
resources:
requests:
cpu: 1
memory: 2Gi
securityContext
| Type | Default value |
|---|---|
object | {} |
The securityContext applies to the main Teleport containers.
values.yaml example:
securityContext:
runAsUser: 99
tolerations
| Type | Default value |
|---|---|
list | [] |
Kubernetes Tolerations to set for pod assignment.
values.yaml example:
tolerations:
- key: "dedicated"
operator: "Equal"
value: "teleport"
effect: "NoSchedule"
priorityClassName
| Type | Default value |
|---|---|
string | "" |
Kubernetes PriorityClass to set for pod.
values.yaml example:
priorityClassName: "system-cluster-critical"
probeTimeoutSeconds
| Type | Default value |
|---|---|
integer | 1 |
Kubernetes timeouts for the liveness and readiness probes.
values.yaml example:
probeTimeoutSeconds: 5