# teleport-access-graph Chart Reference

The `teleport-access-graph` Helm chart deploys the Access Graph service.

See [Teleport Identity Security with Access Graph on Self-Hosted Clusters with Helm](https://goteleport.com/docs/identity-security/access-graph/self-hosted-helm.md) for more details.

---

VERSION COMPATIBILITY

The chart is versioned with the Access Graph service. No compatibility guarantees are ensured if the service and chart versions differ. It is strongly recommended to always align the chart and service versions by using the `--version` Helm flag.

---

## `postgres`

`postgres` contains the database connection settings.

### `postgres.connectionString`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`postgres.connectionString` is the connection string to the PostgreSQL database. Use this only when not using a Kubernetes secret and not using AWS or Azure IAM authentication.

### `postgres.secretName`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`postgres.secretName` is the name of an existing Kubernetes secret containing the connection string to the PostgreSQL database.

### `postgres.secretKey`

| Type     | Default |
| -------- | ------- |
| `string` | `"uri"` |

`postgres.secretKey` is the key, inside the Kubernetes secret named by `postgres.secretName`, that holds the connection string to the PostgreSQL database.
</gre_replace>

<gr_replace lines="111" cat="clarify" orig="`postgres.replica.connectionString`">
`postgres.replica.connectionString` is the connection string to the replica PostgreSQL database. Use it only when you are not using a Kubernetes secret and AWS or Azure authentication is enabled.

### `postgres.aws`

`postgres.aws` contains optional AWS connection settings for using AWS IAM authentication. This is only required if you are using an AWS RDS or Aurora PostgreSQL database with IAM authentication.

#### `postgres.aws.enabled`

| Type   | Default |
| ------ | ------- |
| `bool` | `false` |

`postgres.aws.enabled` enables IAM authentication for the PostgreSQL database.

#### `postgres.aws.region`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`postgres.aws.region` is the optional AWS region where the PostgreSQL database is located. If not set, the region will be inferred from the `AWS_REGION` environment variable.

### `postgres.azure`

| Type     | Default             |
| -------- | ------------------- |
| `object` | `{"enabled":false}` |

`postgres.azure` contains optional settings for using Azure AD authentication with Azure Database for PostgreSQL. This is only required if you are using an Azure Database for PostgreSQL.

#### `postgres.azure.enabled`

| Type   | Default |
| ------ | ------- |
| `bool` | `false` |

`postgres.azure.enabled` enables Azure AD authentication for the PostgreSQL database.

#### `postgres.azure.tenantId`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`postgres.azure.tenantId` is the Azure AD tenant ID to use for authentication. If not set, the default tenant ID will be used.

### `postgres.connection_parameters`

| Type     | Default |
| -------- | ------- |
| `object` | `null`  |

`postgres.connection_parameters` contains optional connection parameters configuration values for connecting to the database.

### `postgres.replica`

| Type     | Default |
| -------- | ------- |
| `object` | `{}`    |

`postgres.replica` contains the database replica connection settings.

#### `postgres.replica.connectionString`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`postgres.replica.connectionString` is the connection string to the PostgreSQL database. It should be used only if you are not using a Kubernetes secret and AWS or Azure auth is enabled.

#### `postgres.replica.secretName`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`postgres.replica.secretName` is the name of an existing Kubernetes secret containing the connection string to the replica PostgreSQL database.

#### `postgres.replica.secretKey`

| Type     | Default |
| -------- | ------- |
| `string` | `"uri"` |

`postgres.replica.secretKey` is the key, inside the Kubernetes secret named by `postgres.replica.secretName`, that holds the connection string to the replica PostgreSQL database.

#### `postgres.replica.connection_parameters`

| Type     | Default |
| -------- | ------- |
| `object` | `null`  |

`postgres.replica.connection_parameters` contains optional connection parameters configuration values for connecting to the replica database.
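The following `values.yaml` fragment is an added example, not part of the chart's own documentation, showing the secret-based primary and replica configuration described above together with the commented-out AWS IAM alternative. The secret names, the region and the connection string are placeholders; the `sslmode=verify-full` parameter is a standard libpq option and is included as a recommended setting, not something the chart requires.

```yaml
# Added example values.yaml fragment (not the chart's own documentation).
# Secret names, region and connection string are placeholders.
postgres:
  # Keep the connection string out of values.yaml by referencing an existing
  # Kubernetes secret. Create it beforehand, for example:
  #   kubectl create secret generic tag-postgres \
  #     --from-literal=uri='postgres://tag:<password>@db.example.internal:5432/tag?sslmode=verify-full'
  secretName: tag-postgres
  secretKey: uri            # key inside the secret; "uri" is the chart default
  connectionString: ""      # leave empty whenever secretName is set

  # Alternative for AWS RDS / Aurora with IAM authentication: set aws.enabled
  # and do not set connectionString. The region falls back to AWS_REGION when
  # it is omitted here.
  # aws:
  #   enabled: true
  #   region: us-east-1

  # Alternative for Azure Database for PostgreSQL with Azure AD authentication.
  # tenantId falls back to the default tenant when omitted.
  # azure:
  #   enabled: true
  #   tenantId: "00000000-0000-0000-0000-000000000000"   # placeholder

  # Read replica, configured the same way as the primary.
  replica:
    secretName: tag-postgres-replica
    secretKey: uri
```

Only one of `connectionString`, `secretName`, or the cloud IAM options should be active at a time; the commented blocks show the alternatives rather than a configuration to apply as a whole.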

## `tls`

`tls` contains the TLS settings for the main gRPC listener.

### `tls.existingSecretName`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`tls.existingSecretName` is the name of an existing Kubernetes secret containing the certificate and its private key to use for the gRPC listener. The secret must be of type `kubernetes.io/tls`, see [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) for more details.

Setting this is required, as Teleport Access Graph always operates via TLS-protected connections.

## `clusterHostCAs`

| Type    | Default |
| ------- | ------- |
| `array` | `[]`    |

`clusterHostCAs` is a list of strings containing the PEM-encoded Host CA certificates of the Teleport clusters that are allowed to use this instance of Teleport Access Graph (TAG). Setting this to a non-empty array is required.
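The following `values.yaml` fragment is an added example, not part of the chart's own documentation, covering the two required settings from the `tls` and `clusterHostCAs` sections. The secret name `tag-grpc-tls`, the file names and the certificate bodies are placeholders; the `kubectl create secret tls` command in the comment produces a secret of type `kubernetes.io/tls`, which is what `tls.existingSecretName` requires.

```yaml
# Added example values.yaml fragment (not the chart's own documentation).
# The secret name, file names and PEM bodies are placeholders.

# The gRPC listener always uses TLS, so this secret is mandatory. Create it
# from the server certificate and private key before installing the chart:
#   kubectl create secret tls tag-grpc-tls \
#     --cert=tag-server.crt --key=tag-server.key
tls:
  existingSecretName: tag-grpc-tls

# Only clusters whose Host CA appears here can connect; an empty list is
# rejected by the chart. Add one PEM block per Teleport cluster that should
# be allowed to use this TAG instance.
clusterHostCAs:
  - |
    -----BEGIN CERTIFICATE-----
    <PEM-encoded Host CA of the first Teleport cluster>
    -----END CERTIFICATE-----
  - |
    -----BEGIN CERTIFICATE-----
    <PEM-encoded Host CA of the second Teleport cluster>
    -----END CERTIFICATE-----
```

Because TAG authenticates its clients with mTLS against these CAs, the list is the trust boundary of the deployment: keep it to the clusters that genuinely need access, and rotate the entries whenever a cluster's Host CA is rotated.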

## `identity_activity_center`

`identity_activity_center` contains options for the Identity Activity Center feature. This feature allows Access Graph to store security events in a central location and to query them using Athena, providing a way to analyze and correlate security events across multiple Teleport clusters.

### `identity_activity_center.enabled`

| Type   | Default |
| ------ | ------- |
| `bool` | `false` |

`identity_activity_center.enabled` enables the Identity Activity Center feature.

### `identity_activity_center.region`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`identity_activity_center.region` is the AWS region where the SQS queue, Athena database and S3 bucket are located.

### `identity_activity_center.database`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`identity_activity_center.database` is the name of the Athena database to use for storing security events.

### `identity_activity_center.table`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`identity_activity_center.table` is the name of the Athena table to use for storing security events.

### `identity_activity_center.workgroup`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`identity_activity_center.workgroup` is the name of the Athena workgroup to use for executing queries.

### `identity_activity_center.s3`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`identity_activity_center.s3` is the S3 location to use for storing security events. Example: `s3://bucket-events/data/`

### `identity_activity_center.s3_results`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`identity_activity_center.s3_results` is the S3 location to use for storing the results of Athena queries. Example: `s3://bucket-events/results/`

### `identity_activity_center.s3_large_files`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`identity_activity_center.s3_large_files` is the S3 location to use for large files, such as large JSON payloads, that cannot be shared via SQS or stored in the Athena database. Example: `s3://bucket-events/s3_large_files`

### `identity_activity_center.sqs_queue_url`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`identity_activity_center.sqs_queue_url` is the URL of the SQS queue to use for processing security events.

### `identity_activity_center.maxmind_geoip_city_db_path`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`identity_activity_center.maxmind_geoip_city_db_path` is the path to the MaxMind GeoIP City database file, which is used to enrich security events with geolocation information. Use it together with the `volumes` and `volumeMounts` options to mount the database file into the TAG pod.

Example:

```shell
kubectl create secret generic maxmind-geoip-city-db --from-file=GeoLite2-City.mmdb
```

Then, add the following to your TAG deployment:

```yaml
volumes:
- name: maxmind-geoip-city-db
  secret:
    secretName: maxmind-geoip-city-db
    optional: false
volumeMounts:
- name: maxmind-geoip-city-db
  mountPath: "/etc/maxmindGeoIP/"
  readOnly: true

identity_activity_center:
  ... # other options
  maxmind_geoip_city_db_path: "/etc/maxmindGeoIP/GeoLite2-City.mmdb"
```

If you do not want to use the MaxMind GeoIP City database, set this to an empty string.

## `service`

| Type     | Default                                                  |
| -------- | -------------------------------------------------------- |
| `object` | `{"grpcPort":443,"metricsPort":3000,"type":"ClusterIP"}` |

`service` contains options for the TAG Kubernetes service that the Chart exposes.

### `service.type`

| Type     | Default       |
| -------- | ------------- |
| `string` | `"ClusterIP"` |

`service.type` is the type of Kubernetes service to create. The `LoadBalancer` type is only supported with a Layer 4 (TCP) or lower load balancer: TAG terminates its own TLS because it authenticates its clients with mTLS, so a load balancer that terminates TLS in front of it would break client authentication.

### `service.grpcPort`

| Type  | Default |
| ----- | ------- |
| `int` | `443`   |

`service.grpcPort` is the port on which the gRPC service is exposed. This is the port that the Teleport Auth Service and Proxy Service connect to TAG on.

### `service.metricsPort`

| Type  | Default |
| ----- | ------- |
| `int` | `3000`  |

`service.metricsPort` is the port on which the metrics service is exposed. Requires `metrics.enabled` to be `true`.

## `replicaCount`

| Type  | Default |
| ----- | ------- |
| `int` | `2`     |

`replicaCount` is the number of TAG pods to deploy.

## `metrics`

| Type     | Default                           |
| -------- | --------------------------------- |
| `object` | `{"enabled":false,"pprof":false}` |

`metrics` contains options for the TAG metrics service.

### `metrics.enabled`

| Type   | Default |
| ------ | ------- |
| `bool` | `false` |

`metrics.enabled` enables the metrics service.

### `metrics.pprof`

| Type   | Default |
| ------ | ------- |
| `bool` | `false` |

`metrics.pprof` enables the pprof profiling endpoints.

## `log`

`log` contains logging settings for TAG.

### `log.level`

| Type     | Default  |
| -------- | -------- |
| `string` | `"INFO"` |

`log.level` is the minimum severity of log messages to output. Supported values are `DEBUG`, `INFO`, `WARN` and `ERROR`.

## `image`

| Type     | Default                                                                                           |
| -------- | ------------------------------------------------------------------------------------------------- |
| `object` | `{"pullPolicy":"IfNotPresent","repository":"public.ecr.aws/gravitational/access-graph","tag":""}` |

### `image.tag`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`image.tag` sets the version of the Teleport Access Graph image used. By default, this is the same as the Helm chart version, so TAG is upgraded when you upgrade the Helm chart.

## `podAnnotations`

| Type     | Default |
| -------- | ------- |
| `object` | `{}`    |

`podAnnotations` contains the Kubernetes annotations put on the `Pod` resources created by the chart.

## `podLabels`

| Type     | Default |
| -------- | ------- |
| `object` | `{}`    |

`podLabels` contains the Kubernetes labels put on the `Pod` resources created by the chart.

## `podSecurityContext`

| Type     | Default                                                      |
| -------- | ------------------------------------------------------------ |
| `object` | `{"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}` |

`podSecurityContext` sets the pod security context for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for more details.

The default value supports running under the `restricted` [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/).

## `securityContext`

| Type     | Default                                                                                                         |
| -------- | --------------------------------------------------------------------------------------------------------------- |
| `object` | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"seccompProfile":{"type":"RuntimeDefault"}}` |

`securityContext` sets the container security context for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for more details.

The default value supports running under the `restricted` [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/).

## `extraEnv`

| Type   | Default |
| ------ | ------- |
| `list` | `[]`    |

`extraEnv` allows specifying additional environment variables.

## `volumes`

| Type    | Default |
| ------- | ------- |
| `array` | `[]`    |

`volumes` allows you to define additional volumes on the output Deployment definition.

## `nodeSelector`

| Type     | Default |
| -------- | ------- |
| `object` | `{}`    |

`nodeSelector` sets the node selector for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) for more details.

## `tolerations`

| Type   | Default |
| ------ | ------- |
| `list` | `[]`    |

`tolerations` sets the tolerations for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) for more details.

## `affinity`

| Type     | Default |
| -------- | ------- |
| `object` | `{}`    |

`affinity` sets the affinities for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for more details.

## `labels`

| Type     | Default |
| -------- | ------- |
| `object` | `{}`    |

`labels` contains additional labels to add to the Pod Disruption Budget.
