teleport-access-graph Chart Reference
The teleport-access-graph Helm chart deploys the Teleport Access Graph service.
See Teleport Policy's Access Graph on Self-Hosted Clusters with Helm for more details.
The chart is versioned with the Teleport Access Graph service. Compatibility is not guaranteed if the service and chart versions differ.
It is strongly recommended to always align the chart and service versions by using the --version Helm flag.
tls
TLS settings for the main gRPC listener.
tls.existingSecretName
Type | Default |
---|---|
string | "" |
tls.existingSecretName is the name of an existing Kubernetes secret containing the certificate and its private key to use for the gRPC listener.
The secret must be of type kubernetes.io/tls; see the Kubernetes documentation for more details.
Setting this is required, as Teleport Access Graph always operates via TLS-protected connections.
clusterHostCAs
Type | Default |
---|---|
array | [] |
clusterHostCAs is a list of strings containing PEM-encoded Host CA certificates of Teleport clusters that are allowed to use this instance of TAG.
Setting this to a non-empty array is required.
service
Type | Default |
---|---|
object | {"grpcPort":443,"type":"ClusterIP"} |
service contains options for the TAG Kubernetes service that the chart exposes.
service.type
Type | Default |
---|---|
string | "ClusterIP" |
service.type is the type of Kubernetes service to create.
The LoadBalancer type is only supported when using a Layer 4 (TCP) or lower load balancer.
TAG expects to terminate its own TLS, as it uses mTLS to authenticate its clients.
service.grpcPort
Type | Default |
---|---|
int | 443 |
service.grpcPort is the port that the gRPC service is exposed on.
This is the port that Teleport Auth Service and Proxy Service will need to connect to TAG on.
replicaCount
Type | Default |
---|---|
int | 2 |
replicaCount is the number of TAG pods that should be deployed.
image
image.tag
Type | Default |
---|---|
string | "" |
image.tag sets the version of the Teleport Access Graph image used.
By default, this is the same as the Helm chart version, i.e. TAG will be upgraded when you upgrade the Helm chart.
podAnnotations
Type | Default |
---|---|
object | {} |
podAnnotations contains the Kubernetes annotations put on the Pod resources created by the chart.
podLabels
Type | Default |
---|---|
object | {} |
podLabels contains the Kubernetes labels put on the Pod resources created by the chart.
podSecurityContext
Type | Default |
---|---|
object | {"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532} |
podSecurityContext sets the pod security context for any pods created by the chart.
See the Kubernetes documentation for more details.
The default value supports running under the restricted Pod Security Standard.
securityContext
Type | Default |
---|---|
object | {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"seccompProfile":{"type":"RuntimeDefault"}} |
securityContext sets the container security context for any pods created by the chart.
See the Kubernetes documentation for more details.
The default value supports running under the restricted Pod Security Standard.
volumes
Type | Default |
---|---|
array | [] |
volumes allows you to define additional volumes on the output Deployment definition.
nodeSelector
Type | Default |
---|---|
object | {} |
nodeSelector sets the node selector for any pods created by the chart.
See the Kubernetes documentation for more details.
tolerations
Type | Default |
---|---|
list | [] |
tolerations sets the tolerations for any pods created by the chart.
See the Kubernetes documentation for more details.
affinity
Type | Default |
---|---|
object | {} |
affinity sets the affinities for any pods created by the chart.
See the Kubernetes documentation for more details.
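A pre-deployment check of the values documented above, as an added example that is not part of the chart or of Teleport's tooling. It assumes the values file has already been parsed into a dict, that absent keys fall back to the chart defaults listed in this reference, and the function name, secret name and certificate body are hypothetical placeholders.

```python
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def check_values(values):
    """Return (severity, message) findings for parsed chart values (a dict)."""
    findings = []

    def add(severity, message):
        findings.append((severity, message))

    # Required: TAG only serves over TLS, so the secret name must be set.
    if not (values.get("tls") or {}).get("existingSecretName"):
        add("error", "tls.existingSecretName is required")
    # Required: at least one PEM-encoded Host CA of an allowed cluster.
    cas = values.get("clusterHostCAs") or []
    if not cas:
        add("error", "clusterHostCAs must be a non-empty array")
    for i, ca in enumerate(cas):
        pem = str(ca).strip()
        if not (pem.startswith(PEM_HEADER) and pem.endswith(PEM_FOOTER)):
            add("error", f"clusterHostCAs[{i}] is not PEM-framed")
    # TAG terminates its own mTLS, so the load balancer must not terminate TLS.
    if (values.get("service") or {}).get("type") == "LoadBalancer":
        add("warn", "service.type=LoadBalancer needs a Layer 4 (TCP) load balancer")
    # An explicit image.tag decouples the service version from the chart version.
    if (values.get("image") or {}).get("tag"):
        add("warn", "image.tag overrides the chart version")
    # Overrides that no longer fit the restricted Pod Security Standard.
    pod = values.get("podSecurityContext") or {}
    ctr = values.get("securityContext") or {}
    if pod.get("runAsNonRoot", True) is not True or pod.get("runAsUser", 65532) == 0:
        add("warn", "podSecurityContext allows running as root")
    if ctr.get("allowPrivilegeEscalation", False) is not False:
        add("warn", "securityContext.allowPrivilegeEscalation is not false")
    if "ALL" not in (ctr.get("capabilities") or {}).get("drop", ["ALL"]):
        add("warn", "securityContext.capabilities.drop does not include ALL")
    seccomp = (ctr.get("seccompProfile") or {}).get("type", "RuntimeDefault")
    if seccomp not in ("RuntimeDefault", "Localhost"):
        add("warn", "securityContext.seccompProfile.type leaves restricted PSS")
    return findings


# Constructed sample values: placeholder secret name and certificate body.
SAMPLE_OK = {
    "tls": {"existingSecretName": "tag-tls-placeholder"},
    "clusterHostCAs": [f"{PEM_HEADER}\nPLACEHOLDER\n{PEM_FOOTER}\n"],
}
```

The check only verifies PEM framing, not that each entry is a valid Host CA certificate of the intended cluster.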