Add full configuration file for Event Handler helm chart by kshi36 · Pull Request #62049 · gravitational/teleport

kshi36 · 2025-12-06T00:22:37Z

This PR updates the Event Handler helm chart to set any arbitrary configuration option. In addition, the Event Handler README was updated with all existing options, and the CLI extended with more environment variables and more dump statements.

A follow-up docs PR will be made to auto-generate the helm chart reference and replace the existing static version (via render-helm-ref).

Manual Tests

Verify generated toml file (setting all added config options) is correctly parsed by teleport-event-handler plugin when calling

teleport-event-handler start -c teleport-event-handler.toml

Verify new environment variables (FDFWD_ prefix) and old environment variables (FDWRD_ prefix) both correctly set CLI options' values.

changelog: Added full configuration file for teleport-plugin-event-handler helm chart
changelog: Added full environment variable configuration for event handler CLI

kshi36 · 2025-12-06T00:53:32Z

integrations/event-handler/cli.go


 	// Timeout is the time poller will wait before the new request if there are no events in the queue
-	Timeout time.Duration `help:"Polling timeout" default:"5s" env:"FDFWD_TIMEOUT"`
+	Timeout time.Duration `help:"Polling timeout" default:"10s" env:"FDFWD_TIMEOUT"`


All default values for helm chart values.yaml were added based on internal event handler CLI default values. However, I set CLI's timeout to "10s" which matches existing reference examples as well as current helm chart default value.

integrations/event-handler/cli.go

kshi36 · 2025-12-06T01:04:12Z

integrations/event-handler/cli.go

-	FluentdCert string `help:"fluentd TLS certificate file" type:"existingfile" env:"FDWRD_FLUENTD_CERT"`
+	FluentdCert string `help:"fluentd TLS certificate file" type:"existingfile" env:"FDFWD_FLUENTD_CERT,FDWRD_FLUENTD_CERT"`


Unless I am missing something, FDWRD_ prefix is inconsistent/typo, since FDFWD_ is adopted most everywhere else. I included the fixed env var as well as retained old env var, for backwards compatibility. README also reflects new preferred env var.

Alternatively can include both FDWRD_ and FDFWD_ prefixes everywhere for maximum consistency...

examples/chart/event-handler/templates/configmap.yaml

examples/chart/event-handler/values.yaml

hugoShaka · 2025-12-08T20:47:13Z

examples/chart/event-handler/values.yaml

Thank you for converting the chart to the default values format :)

Once this PR is merged, can you open a followup PR to change examples/chart/Makefile, add render-chart-ref-event-handler and check-chart-ref-event-handle so we use the comments from values.yaml to generate the reference?

integrations/event-handler/cli.go

hugoShaka · 2025-12-15T15:00:59Z

examples/chart/event-handler/templates/configmap.yaml

+    {{- if .Values.eventHandler.lock }}
+    {{- if .Values.eventHandler.lock.enabled }}
+    lock-enabled = {{ .Values.eventHandler.lock.enabled }}
+    {{- end }}
+    {{- if .Values.eventHandler.lock.failedAttemptsCount }}
+    lock-failed-attempts-count = {{ .Values.eventHandler.lock.failedAttemptsCount }}
+    {{- end }}
+    {{- if .Values.eventHandler.lock.period }}
+    lock-period = {{ .Values.eventHandler.lock.period | quote }}
+    {{- end }}
+    {{- if .Values.eventHandler.lock.for }}
+    lock-for = {{ .Values.eventHandler.lock.for | quote }}
+    {{- end }}
+    {{- end }}


Thanks to this PR I learned that the event handler is able to lock users out of Teleport. Now I want to unlearn this 🫠

This is not a great design because we stream event with potentially quite some delay (on athena we can be up to 5 minute late).

Ok down the rabbit hole, we use some external rate-limiter that is mentioned in go's hall of shame https://go.dev/src/runtime/timestub.go?s=610:641

The fact it uses the current time make the logic completely broken because:

we might be backfilling events, so we should use the event time instead of the current time

on some backends we are consuming event potentially by chunks, so we only get event batches and they essentially all appear at the same time

I filed: #62252 , no need to do it now but I'll add this to the backlog.

backport-bot-workflows · 2025-12-15T22:34:18Z

@kshi36 See the table below for backport results.

Branch	Result
branch/v18	Create PR

* Added full configuration file for Event Handler helm chart * Fix snapshot * Fix test * Remove exitOnLastEvent, refresh options; refactoring * Refactor, fix test

kshi36 changed the title ~~Added full configuration file for Event Handler helm chart~~ Add full configuration file for Event Handler helm chart Dec 6, 2025

kshi36 commented Dec 6, 2025

View reviewed changes

integrations/event-handler/cli.go Outdated Show resolved Hide resolved

kshi36 commented Dec 6, 2025

View reviewed changes

Added full configuration file for Event Handler helm chart

75823ca

kshi36 force-pushed the kevin/event-handler-chart-options branch from d93eee4 to 75823ca Compare December 8, 2025 17:18

kshi36 added 2 commits December 8, 2025 09:29

Fix snapshot

259799a

Fix test

5ac3d62

kshi36 marked this pull request as ready for review December 8, 2025 18:56

kshi36 added the backport/branch/v18 label Dec 8, 2025

github-actions bot added helm size/md labels Dec 8, 2025

github-actions bot requested review from hugoShaka, marcoandredinis and tigrato December 8, 2025 18:57

hugoShaka reviewed Dec 8, 2025

View reviewed changes

kshi36 added 2 commits December 8, 2025 14:36

Remove exitOnLastEvent, refresh options; refactoring

3c6601d

Refactor, fix test

ae2c95d

kshi36 requested review from bernardjkim and hugoShaka December 9, 2025 22:08

bernardjkim approved these changes Dec 12, 2025

View reviewed changes

hugoShaka approved these changes Dec 15, 2025

View reviewed changes

public-teleport-github-review-bot bot removed request for marcoandredinis and tigrato December 15, 2025 15:24