teleport-cluster Chart Reference

The teleport-cluster Helm chart deploys a Teleport cluster on Kubernetes. This includes deploying proxies, auth servers, and kubernetes-access. See the Teleport HA Architecture page for more details.

You can browse the source on GitHub.

The teleport-cluster chart runs three Teleport services, split into two sets of pods:

The teleport-cluster chart can be deployed in four different modes. Get started with a guide for each mode:

clusterName

clusterName controls the name used to refer to the Teleport cluster, along with the externally-facing public address used to access it. In most setups this must be a fully-qualified domain name (e.g. teleport.example.com) as this value is used as the cluster's public address by default.

kubectl --namespace teleport-cluster get service/teleport -o jsonpath='{.status.loadBalancer.ingress[*].hostname}'
a5f22a02798f541e58c6641c1b158ea3-1989279894.us-east-1.elb.amazonaws.com

kubectl --namespace teleport-cluster get service/teleport -o jsonpath='{.status.loadBalancer.ingress[*].ip}'
35.203.56.38

kubeClusterName

kubeClusterName sets the name used for Kubernetes access. This name will be shown to Teleport users connecting to the Kubernetes cluster.

auth

The teleport-cluster chart deploys two sets of pods, one for the Auth Service and another for the Proxy Service.

auth allows you to set chart values only for Kubernetes resources related to the Teleport Auth Service. This is merged with chart-scoped values and takes precedence in case of conflict.

For example, to override the postStart value only for auth pods:

# By default all pods postStart command should be "echo starting"
postStart: ["echo", "starting"]

auth:
  # But we override the `postStart` value specifically for auth pods
  postStart: ["curl", "http://hook"]
  imagePullPolicy: Always

proxyProtocol

The proxyProtocol value controls whether the Proxy pods will accept PROXY lines with the client's IP address when they are behind a L4 load balancer (e.g. AWS ELB, GCP L4 LB, etc) with PROXY protocol enabled. Since L4 LBs do not preserve the client's IP address, PROXY protocol is required to ensure that Teleport can properly audit the client's IP address.

When Teleport pods are not behind a L4 LB with PROXY protocol enabled, this value should be set to off to prevent Teleport from accepting PROXY headers from untrusted sources.

Possible values are:

• on: will enable the PROXY protocol for all connections and will require the L4 LB to send a PROXY header.
• off will disable the PROXY protocol for all connections and denies all connections prefixed a PROXY header.

If proxyProtocol is unspecified, Teleport does not require PROXY header for the connection, but will accept it if present. This mode is considered insecure and should only be used for testing purposes.

See the PROXY Protocol security section for more details.

auth.teleportConfig

auth.teleportConfig contains YAML teleport configuration for auth pods. The configuration will be merged with the chart-generated configuration and will take precedence in case of conflict. This field allows customization of/overrides to any bit of configuration in teleport.yaml without having to use the scratch chart mode.

The merge logic is as follows:

• object fields are merged recursively
• lists are replaced
• values (string, integer, boolean, ...) are replaced
• fields can be unset by setting them to null or ~

See the Teleport Configuration Reference for the list of supported fields.

auth:
  teleportConfig:
    teleport:
      cache:
        enabled: false
    auth_service:
      client_idle_timeout: 2h
      client_idle_timeout_message: "Connection closed after 2 hours without activity"

proxy

The teleport-cluster charts deploys two sets of pods: one for the Auth Service and another for the Proxy Service.

proxy allows you to set chart values only for Kubernetes resources related to the Teleport Proxy Service. This is merged with chart-scoped values and takes precedence in case of conflict.

For example, to override the postStart value only for Teleport Proxy Service pods and annotate the Kubernetes Service deployed for the Teleport Proxy Service:

# By default all pods postStart command should be "echo starting"
postStart: ["echo", "starting"]

proxy:
  # But we override the `postStart` value specifically for proxy pods
  postStart: ["curl", "http://hook"]
  imagePullPolicy: Always

  # We also annotate only the Kubernetes Service sending traffic to Proxy Service pods.
  annotations:
    service:
      external-dns.alpha.kubernetes.io/hostname: "teleport.example.com"

proxy.teleportConfig

proxy.teleportConfig contains YAML teleport configuration for proxy pods The configuration will be merged with the chart-generated configuration and will take precedence in case of conflict. This field allows customization of/overrides to any bit of configuration in teleport.yaml without having to use the scratch chart mode.

The merge logic is as follows:

• object fields are merged recursively
• lists are replaced
• values (string, integer, boolean, ...) are replaced
• fields can be unset by setting them to null or ~

See the Teleport Configuration Reference for the list of supported fields.

proxy:
  teleportConfig:
    teleport:
      cache:
        enabled: false
    proxy_service:
      https_keypairs:
        - key_file: /my-custom-mount/key.pem
          cert_file: /my-custom-mount/cert.pem

authentication

authentication.type

authentication.type controls the authentication scheme used by Teleport. Possible values are local and github for Teleport Community Edition, plus oidc and saml for Enterprise.

authentication.connectorName

authentication.connectorName sets the default authentication connector. The SSO documentation explains how to create authentication connectors for common identity providers. In addition to SSO connector names, the following built-in connectors are supported:

• local for local users
• passwordless to enable by default passwordless authentication.

Defaults to local.

authentication.localAuth

authentication.localAuth controls whether local authentication is enabled. When disabled, users can only log in through authentication connectors like saml, oidc or github.

Disabling local auth is required for FedRAMP / FIPS.

authentication.lockingMode

authentication.lockingMode controls the locking mode cluster-wide. Possible values are best_effort and strict. See the locking modes documentation for more details.

Defaults to Teleport's binary default when empty: best_effort.

authentication.secondFactor

authentication.secondFactor controls the second factor used for local user authentication. Possible values supported by this chart are off (not recommended), on, otp, optional and webauthn.

When set to on, optional or webauthn, the authenticationSecondFactor.webauthn section can also be used. The configured rp_id defaults to clusterName.

authentication.webauthn

See Second Factor - WebAuthn for more details.

authentication.webauthn.attestationAllowedCas

authentication.webauthn.attestationAllowedCas is an optional allow list of certificate authorities (as local file paths or in-line PEM certificate string) for device verification. This field allows you to restrict which device models and vendors you trust. Devices outside of the list will be rejected during registration. By default all devices are allowed.

authentication.webauthn.attestationDeniedCas

authentication.webauthn.attestationDeniedCas is optional deny list of certificate authorities (as local file paths or in-line PEM certificate string) for device verification. This field allows you to forbid specific device models and vendors, while allowing all others (provided they clear attestation_allowed_cas as well). Devices within this list will be rejected during registration. By default no devices are forbidden.

proxyListenerMode

proxyListenerMode controls proxy TLS routing used by Teleport. Possible values are multiplex, separate.

values.yaml example:

proxyListenerMode: multiplex

sessionRecording

sessionRecording controls the session_recording field in the teleport.yaml configuration. It is passed as-is in the configuration. For possible values, see the Teleport Configuration Reference.

values.yaml example:

sessionRecording: proxy

separatePostgresListener

separatePostgresListener controls whether Teleport will multiplex PostgreSQL traffic for the Teleport Database Service over a separate TLS listener to Teleport's web UI.

When separatePostgresListener is false (the default), PostgreSQL traffic will be directed to port 443 (the default Teleport web UI port). This works in situations when Teleport is terminating its own TLS traffic, i.e. when using certificates from LetsEncrypt or providing a certificate/private key pair via Teleport's proxy_service.https_keypairs config.

When separatePostgresListener is true, PostgreSQL traffic will be directed to a separate Postgres-only listener on port 5432. This also adds the port to the Service that the chart creates. This is useful when terminating TLS at a load balancer in front of Teleport, such as when using AWS ACM.

These settings will not apply if proxyListenerMode is set to multiplex.

values.yaml example:

separatePostgresListener: true

separateMongoListener

separateMongoListener controls whether Teleport will multiplex PostgreSQL traffic for the Teleport Database Service over a separate TLS listener to Teleport's web UI.

When separateMongoListener is false (the default), MongoDB traffic will be directed to port 443 (the default Teleport web UI port). This works in situations when Teleport is terminating its own TLS traffic, i.e. when using certificates from LetsEncrypt or providing a certificate/private key pair via Teleport's proxy_service.https_keypairs config.

When separateMongoListener is true, MongoDB traffic will be directed to a separate Mongo-only listener on port 27017. This also adds the port to the Service that the chart creates. This is useful when terminating TLS at a load balancer in front of Teleport, such as when using AWS ACM.

These settings will not apply if proxyListenerMode is set to multiplex.

values.yaml example:

separateMongoListener: true

publicAddr

publicAddr controls the advertised addresses for TLS connections.

When publicAddr is not set, the address used is clusterName on port 443.

values.yaml example:

publicAddr: ["loadbalancer.example.com:443"]

kubePublicAddr

kubePublicAddr controls the advertised addresses for the Kubernetes proxy. This setting will not apply if proxyListenerMode is set to multiplex.

When kubePublicAddr is not set, the addresses are inferred from publicAddr if set, else clusterName is used. Default port is 3026.

values.yaml example:

kubePublicAddr: ["loadbalancer.example.com:3026"]

mongoPublicAddr

mongoPublicAddr controls the advertised addresses to MongoDB clients. This setting will not apply if proxyListenerMode is set to multiplex and requires separateMongoListener enabled.

When mongoPublicAddr is not set, the addresses are inferred from clusterName is used. Default port is 27017.

values.yaml example:

mongoPublicAddr: ["loadbalancer.example.com:27017"]

mysqlPublicAddr

mysqlPublicAddr controls the advertised addresses for the MySQL proxy. This setting will not apply if proxyListenerMode is set to multiplex.

When mysqlPublicAddr is not set, the addresses are inferred from publicAddr if set, else clusterName is used. Default port is 3036.

values.yaml example:

mysqlPublicAddr: ["loadbalancer.example.com:3036"]

postgresPublicAddr

postgresPublicAddr controls the advertised addresses to postgres clients. This setting will not apply if proxyListenerMode is set to multiplex and requires separatePostgresListener enabled.

When postgresPublicAddr is not set, the addresses are inferred from publicAddr if set, else clusterName is used. Default port is 5432.

values.yaml example:

postgresPublicAddr: ["loadbalancer.example.com:5432"]

sshPublicAddr

sshPublicAddr controls the advertised addresses for SSH clients. This is also used by the tsh client. This setting will not apply if proxyListenerMode is set to multiplex.

When sshPublicAddr is not set, the addresses are inferred from publicAddr if set, else clusterName is used. Default port is 3023.

values.yaml example:

sshPublicAddr: ["loadbalancer.example.com:3023"]

tunnelPublicAddr

tunnelPublicAddr controls the advertised addresses to trusted clusters or nodes joining via node-tunneling. This setting will not apply if proxyListenerMode is set to multiplex.

When tunnelPublicAddr is not set, the addresses are inferred from publicAddr if set, else clusterName is used. Default port is 3024.

values.yaml example:

tunnelPublicAddr: ["loadbalancer.example.com:3024"]

enterprise

enterprise controls whether to use Teleport Community Edition or Teleport Enterprise.

Setting enterprise to true will use the Teleport Enterprise image.

You will also need to download your Enterprise license from the Teleport dashboard and add it as a Kubernetes secret to use this:

kubectl --namespace teleport create secret generic license --from-file=/path/to/downloaded/license.pem

kubectl --namespace teleport create secret generic license --from-file=license.pem=/path/to/downloaded/this-is-my-teleport-license.pem

values.yaml example:

enterprise: true

installCRDs

CRDs are not namespace-scoped resources - they can be installed only once in a cluster.

CRDs are required by the Teleport Kubernetes Operator and are installed by default when operator.enabled is true. installCRDs overrides this behavior and allows users to indicate whether to deploy Teleport CRDs.

If several releases of the teleport-cluster chart are deployed in the same Kubernetes cluster, only one release should have installCRDs enabled. Unless you are deploying multiple teleport-cluster Helm releases in the same Kubernetes cluster or installing the CRDs on your own you should not have to set this value.

values.yaml example:

installCRDs: true

operator

operator.enabled

operator.enabled controls whether to deploy the Teleport Kubernetes Operator as a side-car.

Enabling the operator will also deploy the Teleport CRDs in the Kubernetes cluster. If you are deploying multiple releases of the Helm chart in the same cluster you can override this behavior with installCRDs.

values.yaml example:

operator:
 enabled: true

operator.image

operator.image sets the Teleport Kubernetes Operator container image used for Teleport pods in the cluster. You can override this to use your own Teleport Operator image rather than a Teleport-published image.

This setting requires operator.enabled.

values.yaml example:

operator:
  image: my.docker.registry/teleport-operator-image-name

operator.resources

See the Kubernetes resource documentation.

It is recommended to set resource requests/limits for each container based on their observed usage.

values.yaml example:

operator:
  resources:
    requests:
      cpu: 1
      memory: 2Gi

teleportVersionOverride

Normally the version of Teleport being used will match the version of the chart being installed. If you install chart version 10.0.0, you'll be using Teleport 10.0.0. Upgrading the Helm chart will use the latest version from the repo.

You can optionally override this to use a different published Teleport Docker image tag like 10.1.2 or 11.

See our installation guide for information on Docker image versions.

values.yaml example:

teleportVersionOverride: "11"

acme

ACME is a protocol for getting Web X.509 certificates.

Setting acme to true enables the ACME protocol and will attempt to get a free TLS certificate from Let's Encrypt. Setting acme to false (the default) will cause Teleport to generate and use self-signed certificates for its web UI.

acmeEmail

acmeEmail is the email address to provide during certificate registration (this is a Let's Encrypt requirement).

acmeURI

acmeURI is the ACME server to use for getting certificates.

As an example, this can be overridden to use the Let's Encrypt staging server for testing.

You can also use any other ACME-compatible server.

values.yaml example:

acme: true
acmeEmail: [email protected]
acmeURI: https://acme-staging-v02.api.letsencrypt.org/directory

podSecurityPolicy

podSecurityPolicy.enabled

By default, Teleport charts used to install a podSecurityPolicy.

PodSecurityPolicy resource has been removed in Kubernetes 1.25 and replaced since 1.23 by PodSecurityAdmission. If you are running on Kubernetes 1.23 or later it is recommended to disable PSPs and use PSAs. The steps are documented in the PSP removal guide.

To disable PSP creation, you can set enabled to false.

Kubernetes reference

values.yaml example:

podSecurityPolicy:
  enabled: false

labels

labels can be used to add a map of key-value pairs relating to the Teleport cluster being deployed. These labels can then be used with Teleport's RBAC policies to define access rules for the cluster.

values.yaml example:

labels:
  environment: production
  region: us-east

chartMode

chartMode is used to configure the chart's operation mode. You can find more information about each mode on its specific guide page:

podMonitor

podMonitor controls the PodMonitor CR (from monitoring.coreos.com/v1) that monitors the workload (Auth and Proxy Services) deployed by the chart. This custom resource configures Prometheus and makes it scrape Teleport metrics.

The CRD is deployed by the prometheus-operator and allows workload to get monitored. You need to deploy the prometheus-operator in the cluster prior to configuring the podMonitor section of the chart. See the prometheus-operator documentation for setup instructions.

podMonitor.enabled

Whether the chart should deploy a PodMonitor resource. This is disabled by default as it requires the PodMonitor CRD to be installed in the cluster.

podMonitor.additionalLabels

Additional labels to put on the created PodMonitor Resource. Those labels are used to be selected by a specific Prometheus instance.

podMonitor.interval

interval is the interval between two metrics scrapes by Prometheus.

persistence

persistence.enabled

persistence.enabled can be used to enable data persistence using either a new or pre-existing PersistentVolumeClaim.

values.yaml example:

persistence:
  enabled: true

persistence.existingClaimName

persistence.existingClaimName can be used to provide the name of a pre-existing PersistentVolumeClaim to use if desired.

The default is left blank, which will automatically create a PersistentVolumeClaim to use for Teleport storage in standalone or scratch mode.

values.yaml example:

persistence:
  existingClaimName: my-existing-pvc-name

persistence.storageClassName

persistence.storageClassName can be used to set the storage class for the PersistentVolumeClaim.

values.yaml example:

persistence:
  storageClassName: ebs-ssd

persistence.volumeSize

You can set volumeSize to request a different size of persistent volume when installing the Teleport chart in standalone or scratch mode.

values.yaml example:

persistence:
  volumeSize: 50Gi

aws

aws settings are described in the AWS guide: Running an HA Teleport cluster using an AWS EKS Cluster

aws.region

aws.region is the AWS region where the DynamoDB tables are located.

aws.backendTable

aws.backendTable is the DynamoDB table name to use for backend storage. Teleport will attempt to create this table automatically if it does not exist. The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables.

aws.auditLogTable

aws.auditLogTable is the DynamoDB table name to use for audit log storage. Teleport will attempt to create this table automatically if it does not exist. The container will need an appropriately-provisioned IAM role with permissions to create DynamoDB tables. This MUST NOT be the same table name as used for aws.backendTable as the schemas are different.

If you are using the Athena backend, you don't need to set this value. If you set this value, audit logs will be sent both to the Athena and DynamoDB backends, this is useful when migrating backends. If both aws.athenaURL and aws.auditLogTable (DynamoDB) are set, the aws.auditLogPrimaryBackend value configures which backend is used for querying. Teleport queries the audit backend to display the audit log in the web UI, export events using the audit log collector, or perform any action that needs to inspect past audit events.

aws.auditLogMirrorOnStdout

aws.auditLogMirrorOnStdout controls whether to mirror audit log entries to stdout in JSON format (useful for external log collectors).

Defaults to false.

aws.auditLogPrimaryBackend

auditLogPrimaryBackend controls which backend is used for queries when multiple audit backends are enabled. This setting has no effect when a single audit log backend is enabled.

This setting is used when migrating from DynamoDB to Athena. Possible values are dynamo and athena.

aws.athenaURL

athenaURL contains the Athena audit log backend configuration. When this value is set, Teleport will export events to the Athena audit backend.

To use the Athena audit backend, you must set up the required infrastructure (S3 buckets, SQS queue, AthenaDB, IAM roles and permissions, ...).

The requirements are described in the Athena backend documentation

If both aws.athenaURL and aws.auditLogTable (DynamoDB) are set, the aws.auditLogPrimaryBackend value configures which backend is used for querying.

aws.sessionRecordingBucket

aws.sessionRecordingBucket is the S3 bucket name to use for recorded session storage. Teleport will attempt to create this bucket automatically if it does not exist.

The container will need an appropriately-provisioned IAM role with permissions to create S3 buckets.

aws.backups

aws.backups controls if DynamoDB backups are enabled when Teleport configures the Dynamo backend.

aws.dynamoAutoScaling

Whether Teleport should configure DynamoDB's autoscaling. Defaults to false.

gcp

gcp settings are described in the GCP guide: Running an HA Teleport cluster using a Google Cloud GKE cluster

azure

azure settings are described in the Azure guide: Running an HA Teleport cluster using a Microsoft Azure AKS cluster

highAvailability

highAvailability contains settings controlling how Teleport pods are replicated and scheduled. This allows Teleport to run in a highly-available fashion: Teleport should sustain the crash/loss of a machine without interrupting the service.

For auth pods

When using "standalone" or "scratch" mode, you must use highly-available storage (etcd, DynamoDB or Firestore) for multiple replicas to be supported. Manually configuring NFS-based storage or ReadWriteMany volume claims is NOT supported and will result in errors. Using Teleport's built-in ACME client (as opposed to using cert-manager or passing certs through a secret) is not supported with multiple replicas.

For proxy pods

Proxy pods need to be provided a certificate to be replicated (via either tls.existingSecretName or highAvailability.certManager) or be exposed via an ingress (ingress.enabled). If proxy pods are replicable, they will default to 2 replicas, even if highAvailability.replicaCount is 1. To force a single proxy replica, set proxy.highAvailability.replicaCount: 1.

highAvailability.replicaCount

Controls the amount of pod replicas. The highAvailability section describes the replication requirements.

highAvailability.requireAntiAffinity

Kubernetes reference

Setting highAvailability.requireAntiAffinity to true will use requiredDuringSchedulingIgnoredDuringExecution to require that multiple Teleport pods must not be scheduled on the same physical host.

Setting highAvailability.requireAntiAffinity to false (the default) uses preferredDuringSchedulingIgnoredDuringExecution to make node anti-affinity a soft requirement.

values.yaml example:

highAvailability:
  requireAntiAffinity: true

highAvailability.podDisruptionBudget

highAvailability.podDisruptionBudget.enabled

Kubernetes reference

Enable a Pod Disruption Budget for the Teleport Pod to ensure HA during voluntary disruptions.

values.yaml example:

highAvailability:
  podDisruptionBudget:
    enabled: true

highAvailability.podDisruptionBudget.minAvailable

Kubernetes reference

Ensures that this number of replicas is available during voluntary disruptions, can be a number of replicas or a percentage.

values.yaml example:

highAvailability:
  podDisruptionBudget:
    minAvailable: 1

highAvailability.certManager

See the cert-manager docs for more information.

highAvailability.certManager.enabled

Setting highAvailability.certManager.enabled to true will use cert-manager to provision a TLS certificate for a Teleport cluster deployed in HA mode.

highAvailability.certManager.addCommonName

Setting highAvailability.certManager.addCommonName to true will instruct cert-manager to set the commonName field in its certificate signing request to the issuing CA.

values.yaml example:

highAvailability:
  certManager:
    enabled: true
    addCommonName: true
    issuerName: letsencrypt-production

highAvailability.certManager.addPublicAddrs

Setting highAvailability.certManager.addPublicAddrs to true will instruct cert-manager to also add any additional addresses configured under the publicAddr chart value in its certificate signing request to the issuing CA.

values.yaml example:

publicAddr: ['teleport.example.com:443']
highAvailability:
  certManager:
    enabled: true
    addPublicAddrs: true
    issuerName: letsencrypt-production

highAvailability.certManager.issuerName

Sets the name of the cert-manager Issuer or ClusterIssuer to use for issuing certificates.

values.yaml example:

highAvailability:
  certManager:
    enabled: true
    issuerName: letsencrypt-production

highAvailability.certManager.issuerKind

Sets the Kind of Issuer to be used when issuing certificates with cert-manager. Defaults to Issuer to keep permissions scoped to a single namespace.

values.yaml example:

highAvailability:
  certManager:
    issuerKind: ClusterIssuer

highAvailability.certManager.issuerGroup

Sets the Group of Issuer to be used when issuing certificates with cert-manager. Defaults to cert-manager.io to use built-in issuers.

values.yaml example:

highAvailability:
  certManager:
    issuerGroup: cert-manager.io

highAvailability.minReadySeconds

Amount of time to wait during a pod rollout before moving to the next pod. See Kubernetes documentation.

This is used to give time for the agents to connect back to newly created pods before continuing the rollout.

values.yaml example:

highAvailability:
  minReadySeconds: 15

tls.existingSecretName

tls.existingSecretName tells Teleport to use an existing Kubernetes TLS secret to secure its web UI using HTTPS. This can be set to use a TLS certificate issued by a trusted internal CA rather than a public-facing CA like Let's Encrypt.

You should create the secret in the same namespace as Teleport using a command like this:

kubectl create secret tls my-tls-secret --cert=/path/to/cert/file --key=/path/to/key/file

See https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets for more information.

values.yaml example:

tls:
  existingSecretName: my-tls-secret

tls.existingCASecretName

tls.existingCASecretName sets the SSL_CERT_FILE environment variable to load a trusted CA or bundle in PEM format into Teleport pods. This can be set to inject a root and/or intermediate CA so that Teleport can build a full trust chain on startup. This can also be used to trust private CAs when contacting an OIDC provider, an S3-compatible backend, or any external service without modifying the Teleport base image.

This is likely to be needed if Teleport fails to start when tls.existingSecretName is set with a User Message: unable to verify HTTPS certificate chain error in the pod logs.

You should create the secret in the same namespace as Teleport using a command like this:

kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem

values.yaml example:

tls:
  existingCASecretName: my-root-ca

image

image sets the Teleport container image used for Teleport Community pods in the cluster.

You can override this to use your own Teleport Community image rather than a Teleport-published image.

values.yaml example:

image: my.docker.registry/teleport-community-image-name

enterpriseImage

enterpriseImage sets the container image used for Teleport Enterprise pods in the cluster.

You can override this to use your own Teleport Enterprise image rather than a Teleport-published image.

values.yaml example:

enterpriseImage: my.docker.registry/teleport-enterprise-image-name

log

log.level

log.level sets the log level used for the Teleport process.

Available log levels (in order of most to least verbose) are: DEBUG, INFO, WARNING, ERROR.

The default is INFO, which is recommended in production.

DEBUG is useful during first-time setup or to see more detailed logs for debugging.

values.yaml example:

log:
  level: DEBUG

log.output

log.output sets the output destination for the Teleport process.

This can be set to any of the built-in values: stdout, stderr or syslog to use that destination.

The value can also be set to a file path (such as /var/log/teleport.log) to write logs to a file. Bear in mind that a few service startup messages will still go to stderr for resilience.

values.yaml example:

log:
  output: stderr

log.format

log.format sets the output type for the Teleport process.

Possible values are text (default) or json.

values.yaml example:

log:
  format: json

log.extraFields

log.extraFields sets the fields used in logging for the Teleport process.

See the Teleport config file reference for more details on possible values for extra_fields.

values.yaml example:

log:
  extraFields: ["timestamp", "level"]

nodeSelector

nodeSelector can be used to add a map of key-value pairs to constrain the nodes that Teleport pods will run on.

Kubernetes reference

values.yaml example:

nodeSelector:
  role: bastion
  environment: security

affinity

Kubernetes reference

Kubernetes affinity to set for pod assignments.

values.yaml example:

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: gravitational.io/dedicated
          operator: In
          values:
          - teleport

annotations.config

Kubernetes reference

Kubernetes annotations which should be applied to the ConfigMap created by the chart.

values.yaml example:

annotations:
  config:
    kubernetes.io/annotation: value

annotations.deployment

Kubernetes reference

Kubernetes annotations which should be applied to the Deployment created by the chart.

values.yaml example:

annotations:
  deployment:
    kubernetes.io/annotation: value

annotations.pod

Kubernetes reference

Kubernetes annotations which should be applied to each Pod created by the chart.

values.yaml example:

annotations:
  pod:
    kubernetes.io/annotation: value

annotations.service

Kubernetes reference

Kubernetes annotations which should be applied to the Service created by the chart.

values.yaml example:

annotations:
  service:
    kubernetes.io/annotation: value

annotations.serviceAccount

Kubernetes reference

Kubernetes annotations which should be applied to the serviceAccount created by the chart.

values.yaml example:

annotations:
  serviceAccount:
    kubernetes.io/annotation: value

annotations.certSecret

Kubernetes reference

Kubernetes annotations which should be applied to the secret generated by cert-manager from the certificate created by the chart. Only valid when highAvailability.certManager.enabled is set to true and requires cert-manager v1.5.0+.

values.yaml example:

annotations:
  certSecret:
    kubernetes.io/annotation: value

annotations.ingress

Kubernetes reference

Kubernetes annotations which should be applied to the Ingress created by the chart.

values.yaml example:

annotations:
  ingress:
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/backend-protocol: HTTPS

serviceAccount.create

Kubernetes reference

Boolean value that specifies whether service account should be created or not.

serviceAccount.name

Name to use for teleport service account. If serviceAccount.create is false, service account with this name should be created in current namespace before installing helm chart.

service.type

Kubernetes reference

Allows to specify the service type.

values.yaml example:

service:
  type: LoadBalancer

service.spec.loadBalancerIP

Kubernetes reference

Allows to specify the loadBalancerIP.

values.yaml example:

service:
  spec:
    loadBalancerIP: 1.2.3.4

ingress.enabled

Kubernetes reference

Boolean value that specifies whether to generate a Kubernetes Ingress for the Teleport deployment.

values.yaml example:

ingress:
  enabled: true

ingress.suppressAutomaticWildcards

Setting suppressAutomaticWildcards to true will not automatically add *.<clusterName> as a hostname served by the Ingress. This may be desirable if you don't use Teleport application access, or want to configure individual public addresses for applications instead.

values.yaml example:

ingress:
  enabled: true
  suppressAutomaticWildcards: true

ingress.spec

Object value which can be used to define additional properties for the configured Ingress.

For example, you can use this to set an ingressClassName:

values.yaml example:

ingress:
  enabled: true
  spec:
    ingressClassName: alb

extraArgs

A list of extra arguments to pass to the teleport start command when running a Teleport Pod.

values.yaml example:

extraArgs:
- "--bootstrap=/etc/teleport-bootstrap/roles.yaml"

extraEnv

Kubernetes reference

A list of extra environment variables to be set on the main Teleport container.

values.yaml example:

extraEnv:
- name: MY_ENV
  value: my-value

extraVolumes

Kubernetes reference

A list of extra Kubernetes Volumes which should be available to any Pod created by the chart. These volumes will also be available to any initContainers configured by the chart.

values.yaml example:

extraVolumes:
- name: myvolume
  secret:
    secretName: mysecret

extraVolumeMounts

Kubernetes reference

A list of extra Kubernetes volume mounts which should be mounted into any Pod created by the chart. These volume mounts will also be mounted into any initContainers configured by the chart.

values.yaml example:

extraVolumeMounts:
- name: myvolume
  mountPath: /path/to/mount/volume

imagePullPolicy

Kubernetes reference

Allows the imagePullPolicy for any pods created by the chart to be overridden.

values.yaml example:

imagePullPolicy: Always

imagePullSecrets

Kubernetes reference

A list of secrets containing authorization tokens which can be optionally used to access a private Docker registry.

values.yaml example:

imagePullSecrets:
- name: my-docker-registry-key

initContainers

Kubernetes reference

A list of initContainers which will be run before the main Teleport container in any pod created by the chart.

values.yaml example:

initContainers:
- name: teleport-init
  image: alpine
  args: ['echo test']

postStart

Kubernetes reference

A postStart lifecycle handler to be configured on the main Teleport container.

values.yaml example:

postStart:
  command:
  - echo
  - foo

resources

Kubernetes reference

Resource requests/limits which should be configured for Teleport containers. These resource limits will also be applied to initContainers.

values.yaml example:

resources:
  requests:
    cpu: 1
    memory: 2Gi

securityContext

Kubernetes reference

The securityContext applies to the main Teleport containers.

values.yaml example:

securityContext:
  runAsUser: 99

tolerations

Kubernetes reference

Kubernetes Tolerations to set for pod assignment.

values.yaml example:

tolerations:
- key: "dedicated"
  operator: "Equal"
  value: "teleport"
  effect: "NoSchedule"

priorityClassName

Kubernetes reference

Kubernetes PriorityClass to set for pod.

values.yaml example:

priorityClassName: "system-cluster-critical"

probeTimeoutSeconds

Kubernetes reference

Kubernetes timeouts for the liveness and readiness probes.

values.yaml example:

probeTimeoutSeconds: 5