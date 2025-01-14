teleport-plugin-datadog Chart Reference
The
teleport-plugin-datadog Helm chart runs the Datadog Teleport plugin, which
allows users to receive and manage Access Requests as Datadog incidents.
This reference details available values for the
teleport-plugin-datadog chart.
teleport
teleport contains the configuration describing how the plugin connects to
your Teleport cluster.
teleport.address
|Type
|Default
string
""
teleport.address is the address of the Teleport cluster the plugin
connects to. The address must contain both the domain name and the port of
the Teleport cluster. It can be either the address of the auth servers or the
proxy servers.
For example:
- joining a Proxy:
teleport.example.com:443or
teleport.example.com:3080
- joining an Auth:
teleport-auth.example.com:3025
When the address is empty,
tbot.teleportProxyAddress
or
tbot.teleportAuthAddress will be used if they are set.
teleport.identitySecretName
|Type
|Default
string
""
teleport.identitySecretName is the name of the Kubernetes secret
that contains the credentials for the connection to your Teleport cluster.
The secret should be in the following format:
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: teleport-plugin-datadog-identity
data:
auth_id: #...
Check out the Access Requests with Datadog Incident Management guide for more information about how to acquire these credentials.
teleport.identitySecretPath
|Type
|Default
string
"auth_id"
teleport.identitySecretPath is the key in the Kubernetes secret
specified by
teleport.identitySecretName that holds the credentials for
the connection to your Teleport cluster. If the secret has the path,
"auth_id", you can omit this field.
datadog
datadog contains the configuration used by the plugin to authenticate to Datadog.
You can pass the Datadog keys by setting the chart values or using an existing Kubernetes Secret.
datadog.apiEndpoint
|Type
|Default
string
"https://api.datadoghq.com"
datadog.apiEndpoint specifies which Datadog API site to set API
requests.
datadog.apiKey
|Type
|Default
string
""
datadog.apiKey is the Datadog API key used by the plugin to interact
with Datadog. When set, the Chart creates a Kubernetes Secret for you.
This value has no effect if
datadog.apiKeyFromSecret is set.
datadog.apiKeyFromSecret
|Type
|Default
string
""
datadog.apiKeyFromSecret is the name of the Kubernetes Secret
containing the Datadog apiKey. When this value is set, you must create the
Secret before creating the chart release.
datadog.apiKeySecretPath
|Type
|Default
string
"datadogApiKey"
datadog.apiKeySecretPath is the Kubernetes Secret key
containing the Datadog API key. The secret name is set via
datadog.apiKeyFromSecret.
datadog.applicationKey
|Type
|Default
string
""
datadog.applicationKey is the Datadog Application key used by the plugin to interact
with Datadog. When set, the Chart creates a Kubernetes Secret for you.
This value has no effect if
datadog.applicationKeyFromSecret is set.
datadog.applicationKeyFromSecret
|Type
|Default
string
""
datadog.applicationKeyFromSecret is the name of the Kubernetes Secret
containing the Datadog applicationKey. When this value is set, you must create the
Secret before creating the chart release.
datadog.applicationKeySecretPath
|Type
|Default
string
"datadogApplicationKey"
datadog.applicationKeySecretPath is the Kubernetes Secret key
containing the Datadog Application key. The secret name is set via
datadog.applicationKeyFromSecret.
datadog.fallbackRecipient
|Type
|Default
string
""
datadog.fallbackRecipient specifies the default recipient for
Access Request notifications. The recipient can be a Datadog user email or
a team handle.
datadog.severity
|Type
|Default
string
"SEV-3"
datadog.severity specifies the Datadog incident severity.
log
log controls the plugin logging.
log.severity
|Type
|Default
string
"INFO"
log.severity is the log level for the Teleport process.
Available log levels are:
DEBUG,
INFO,
WARN,
ERROR.
The default is
INFO, which is recommended in production.
DEBUG is useful during first-time setup or to see more detailed logs for debugging.
log.output
|Type
|Default
string
"stdout"
log.output sets the output destination for the Teleport process.
This can be set to any of the built-in values:
stdout,
stderr.
The value can also be set to a file path (such as
/var/log/teleport.log)
to write logs to a file. Bear in mind that a few service startup messages
will still go to
stderr for resilience.
tbot
tbot controls the optional tbot deployment that obtains and renews
credentials for the plugin to connect to Teleport.
Only default and mandatory values are described here, see the tbot chart reference
for the full list of supported values.
tbot.enabled
|Type
|Default
bool
false
tbot.enabled controls if tbot should be deployed with the datadog plugin.
tbot.clusterName
|Type
|Default
string
""
tbot.clusterName is the name of the Teleport cluster tbot and the Datadog plugin will join.
Setting this value is mandatory when tbot is enabled.
tbot.teleportProxyAddress
|Type
|Default
string
""
tbot.teleportProxyAddress is the teleport Proxy Service address the bot will connect to.
This must contain the port number, usually 443 or 3080 for Proxy Service.
Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
This is mandatory to connect to Teleport Enterprise (Cloud).
This setting is mutually exclusive with
teleportAuthAddress.
For example:
tbot:
teleportProxyAddress: "test.teleport.sh:443"
tbot.teleportAuthAddress
|Type
|Default
string
""
tbot.teleportAuthAddress is the teleport Auth Service address the bot will connect to.
This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
should be used when you are deploying the bot in the same Kubernetes cluster than your
teleport-cluster
Helm release and have direct access to the Auth Service.
Else, you should prefer connecting via the Proxy Service.
This setting is mutually exclusive with
teleportProxyAddress.
For example:
teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
tbot.joinMethod
|Type
|Default
string
"kubernetes"
tbot.joinMethod describes how tbot joins the Teleport cluster.
See the join method reference for a list fo supported values and detailed explanations.
annotations
annotations contains annotations to apply to the different Kubernetes
objects created by the chart. See the Kubernetes annotation
documentation
for more details.
annotations.config
|Type
|Default
object
{}
annotations.config contains the Kubernetes annotations
put on the
ConfigMap resource created by the chart.
annotations.deployment
|Type
|Default
object
{}
annotations.deployment contains the Kubernetes annotations
put on the
Deployment or
StatefulSet resource created by the chart.
annotations.pod
|Type
|Default
object
{}
annotations.pod contains the Kubernetes annotations
put on the
Pod resources created by the chart.
annotations.secret
|Type
|Default
object
{}
annotations.secret contains the Kubernetes annotations
put on the
Secret resource created by the chart.
This has no effect when
joinTokenSecret.create is
false.
image
image sets the container image used for plugin pods created by the chart.
You can override this to use your own plugin image rather than a Teleport-published image.
image.repository
|Type
|Default
string
"public.ecr.aws/gravitational/teleport-plugin-datadog"
image.repository is the image repository.
image.pullPolicy
|Type
|Default
string
"IfNotPresent"
image.pullPolicy is the Kubernetes image pull policy.
image.tag
|Type
|Default
string
""
image.tag Overrides the image tag whose default is the chart appVersion.
Normally, the version of the Teleport plugin matches the version of the chart. If you install chart version 15.0.0, you'll use the plugin version 15.0.0. Upgrading the plugin is done by upgrading the chart.
image.tag is intended for development and custom tags. This MUST NOT be
used to control the plugin version in a typical deployment. This
chart is designed to run a specific plugin version. You will face
compatibility issues trying to run a different version with it.
If you want to run the Teleport plugin version
X.Y.Z, you should use
helm install --version X.Y.Z instead.
imagePullSecrets
|Type
|Default
list
[]
imagePullSecrets is a list of secrets containing authorization tokens
which can be optionally used to access a private Docker registry.
See the Kubernetes reference for more details.
podSecurityContext
|Type
|Default
object
{}
podSecurityContext sets the pod security context for any pods created by the chart.
See the Kubernetes documentation
for more details.
To unset the security context, set it to
null or
~.
securityContext
|Type
|Default
object
{}
securityContext sets the container security context for any pods created by the chart.
See the Kubernetes documentation
for more details.
To unset the security context, set it to
null or
~.
resources
|Type
|Default
object
{}
resources sets the resource requests/limits for any pods created by the chart.
See the Kubernetes documentation
for more details.
nodeSelector
|Type
|Default
object
{}
nodeSelector sets the node selector for any pods created by the chart.
See the Kubernetes documentation
for more details.
tolerations
|Type
|Default
list
[]
tolerations sets the tolerations for any pods created by the chart.
See the Kubernetes documentation
for more details.
affinity
|Type
|Default
object
{}
affinity sets the affinities for any pods created by the chart.
See the Kubernetes documentation
for more details.