Merged
28 changes: 26 additions & 2 deletions examples/chart/event-handler/templates/configmap.yaml
Expand Up @@ -15,11 +15,34 @@ data:
types = "{{ join "," .Values.eventHandler.types }}"
{{- end }}
{{- if .Values.eventHandler.skipEventTypes }}
skip-event-types = "{{ join "," .Values.eventHandler.skipEventTypes }}"
skip-event-types = "{{ join "," .Values.eventHandler.skipEventTypes }}"
{{- end }}
{{- if .Values.eventHandler.skipSessionTypes }}
{{- if .Values.eventHandler.skipSessionTypes }}
skip-session-types = "{{ join "," .Values.eventHandler.skipSessionTypes }}"
{{- end }}
{{- if .Values.eventHandler.startTime }}
start-time = {{ .Values.eventHandler.startTime | quote }}
{{- end }}
{{- if .Values.eventHandler.dryRun }}
dry-run = {{ .Values.eventHandler.dryRun }}
{{- end }}
{{- if .Values.eventHandler.concurrency }}
concurrency = {{ .Values.eventHandler.concurrency }}
{{- end }}
{{- if .Values.eventHandler.lock }}
{{- if .Values.eventHandler.lock.enabled }}
lock-enabled = {{ .Values.eventHandler.lock.enabled }}
{{- end }}
{{- if .Values.eventHandler.lock.failedAttemptsCount }}
lock-failed-attempts-count = {{ .Values.eventHandler.lock.failedAttemptsCount }}
{{- end }}
{{- if .Values.eventHandler.lock.period }}
lock-period = {{ .Values.eventHandler.lock.period | quote }}
{{- end }}
{{- if .Values.eventHandler.lock.for }}
lock-for = {{ .Values.eventHandler.lock.for | quote }}
{{- end }}
{{- end }}
Comment on lines +32 to +45
Contributor

Thanks to this PR I learned that the event handler is able to lock users out of Teleport. Now I want to unlearn this 🫠

This is not a great design because we stream events with potentially quite some delay (on Athena we can be up to 5 minutes late).

Contributor

Ok, down the rabbit hole: we use some external rate-limiter that is mentioned in Go's hall of shame https://go.dev/src/runtime/timestub.go?s=610:641

The fact it uses the current time makes the logic completely broken because:

  • we might be backfilling events, so we should use the event time instead of the current time
  • on some backends we are consuming events potentially in chunks, so we only get event batches and they essentially all appear at the same time

I filed #62252; no need to do it now, but I'll add this to the backlog.


[teleport]
addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | quote }}
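Review bot: `lock-for` (the `{{- if .Values.eventHandler.lock.for }}` / `lock-for = {{ .Values.eventHandler.lock.for | quote }}` pair) is dropped whenever the value is empty, and values.yaml in this PR ships `for: ""` while values.schema.json declares `"default": "5s"`, so the chart and the schema disagree on how long an auto-locked user stays locked; pick one source of truth (set `for: "5s"` in values.yaml or `"default": ""` in the schema) so `helm show values` matches what the template renders. Because every key in the `lock` block sits behind a truthiness check, an explicit `lock-enabled = false` can never be rendered either; that is only safe because the plugin defaults to locking disabled, which deserves a template comment next to `{{- if .Values.eventHandler.lock.enabled }}`.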
Expand All @@ -32,3 +55,4 @@ data:
ca = "/var/lib/teleport/plugins/event-handler/ca.crt"
cert = "/var/lib/teleport/plugins/event-handler/client.crt"
key = "/var/lib/teleport/plugins/event-handler/client.key"
max-connections = {{ default (mul .Values.eventHandler.concurrency 2) .Values.fluentd.maxConnections }}
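Review bot: `default (mul .Values.eventHandler.concurrency 2) .Values.fluentd.maxConnections` relies on Sprig's `default` treating `0` as empty, which matches the `maxConnections: 0` sentinel documented in values.yaml, but nothing stops `eventHandler.concurrency: 0`, in which case the fallback is `mul 0 2` and the rendered line becomes `max-connections = 0`; add `"minimum": 1` to `concurrency` in values.schema.json (or guard the fallback) so an all-zero configuration fails at install time rather than at plugin start.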
Expand Up @@ -7,7 +7,13 @@ should match the snapshot:
timeout = "10s"
batch = 20
window-size = "24h"
debug = false
debug = true
start-time = "2025-01-01T00:00:00.000Z"
dry-run = true
concurrency = 2
lock-enabled = true
lock-failed-attempts-count = 3
lock-period = "1m"

[teleport]
addr = "teleport.example.com:1234"
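Review bot: the snapshot now pins `lock-enabled = true`, `lock-failed-attempts-count = 3` and `lock-period = "1m"` for the enabled case, but there is no snapshot for the default (`lock.enabled: false`) case asserting that none of the `lock-*` keys are rendered; since auto-locking can lock real users out of Teleport, the regression worth catching is an accidental enablement, so a second snapshot with default values would be more valuable than this one alone. The absence of `lock-for` here is the visible effect of the `for: ""` default in values.yaml being dropped by the template's `if` guard.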
Expand All @@ -20,6 +26,7 @@ should match the snapshot:
ca = "/var/lib/teleport/plugins/event-handler/ca.crt"
cert = "/var/lib/teleport/plugins/event-handler/client.crt"
key = "/var/lib/teleport/plugins/event-handler/client.key"
max-connections = 4
kind: ConfigMap
metadata:
labels:
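Review bot: `max-connections = 4` is the derived value (`concurrency: 2` doubled) and only exercises the sentinel path of the `default` call; a case that sets `fluentd.maxConnections` explicitly (the schema example is `10`) would pin the override path too, since a regression there would silently halve or double the number of Fluentd connections the plugin opens.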
7 changes: 7 additions & 0 deletions examples/chart/event-handler/tests/configmap_test.yaml
Expand Up @@ -4,6 +4,13 @@ templates:
tests:
- it: should match the snapshot
set:
eventHandler:
debug: true
startTime: "2025-01-01T00:00:00.000Z"
dryRun: true
concurrency: 2
lock:
enabled: true
teleport:
address: teleport.example.com:1234
fluentd:
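Review bot: the test only turns on `lock.enabled` and leaves `lock.failedAttemptsCount`, `lock.period` and `lock.for` at their defaults, and it does not set `fluentd.maxConnections`, `types`, `skipEventTypes` or `skipSessionTypes`, so most of the new `{{- if ... }}` branches in the template are still unexercised; a second `it:` entry with non-default values for all of those (including a non-empty `lock.for`) would cover the `quote` and `join` paths that the current snapshot never renders.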
101 changes: 97 additions & 4 deletions examples/chart/event-handler/values.schema.json
Expand Up @@ -351,17 +351,26 @@
"timeout": {
"$id": "#/properties/eventHandler/properties/timeout",
"type": "string",
"default": "10s"
"default": "10s",
"examples": [
"10s"
]
},
"batch": {
"$id": "#/properties/eventHandler/properties/batch",
"type": "number",
"default": 20
"type": "integer",
"default": 20,
"examples": [
20
]
},
"window-size": {
"$id": "#/properties/eventHandler/properties/window-size",
"type": "string",
"default": "24h"
"default": "24h",
"examples": [
"24h"
]
},
"debug": {
"$id": "#/properties/eventHandler/properties/debug",
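Review bot: tightening `batch` from `number` to `integer` is the right call; `timeout` and `window-size` remain unconstrained strings even though values.yaml documents them as Go `time.ParseDuration` inputs, so a value such as `"24 hours"` passes schema validation and only fails once the plugin starts. A `"pattern"` matching Go duration syntax (digits followed by `ns`, `us`, `ms`, `s`, `m` or `h`, repeatable) would move that failure to install time.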
Expand Down Expand Up @@ -394,6 +403,82 @@
"examples": [
["print", "desktop.recording"]
]
},
"startTime": {
"$id": "#/properties/eventHandler/properties/startTime",
"type": "string",
"default": "",
"examples": [
"2025-01-01T00:00:00.000Z"
]
},
"dryRun": {
"$id": "#/properties/eventHandler/properties/dryRun",
"type": "boolean",
"default": false,
"examples": [
false
]
},
"concurrency": {
"$id": "#/properties/eventHandler/properties/concurrency",
"type": "integer",
"default": 5,
"examples": [
5
]
},
"lock": {
"$id": "#/properties/eventHandler/properties/lock",
"type": "object",
"default": {
"enabled": false
},
"examples": [
{
"enabled": true,
"failedAttemptsCount": 3,
"period": "1m",
"for": "5s"
}
],
"required": [
"enabled"
],
"properties": {
"enabled": {
"$id": "#/properties/eventHandler/properties/lock/enabled",
"type": "boolean",
"default": false,
"examples": [
true
]
},
"failedAttemptsCount": {
"$id": "#/properties/eventHandler/properties/lock/failedAttemptsCount",
"type": "integer",
"default": 3,
"examples": [
3
]
},
"period": {
"$id": "#/properties/eventHandler/properties/lock/period",
"type": "string",
"default": "1m",
"examples": [
"1m"
]
},
"for": {
"$id": "#/properties/eventHandler/properties/lock/for",
"type": "string",
"default": "5s",
"examples": [
"5s"
]
}
}
}
},
"additionalProperties": true
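Review bot: the `$id` values for the nested lock properties (`#/properties/eventHandler/properties/lock/enabled`, `.../lock/failedAttemptsCount`, `.../lock/period`, `.../lock/for`) skip the `/properties/` segment that every other `$id` in this file uses (compare `#/properties/eventHandler/properties/timeout`); they should read `#/properties/eventHandler/properties/lock/properties/enabled` and so on. Two smaller points: `startTime` is documented as RFC3339 but carries no `"format": "date-time"`, and `concurrency` has no `"minimum"` even though it feeds the `max-connections` computation in the template. The `dryRun` example of `false` merely duplicates the default; `true` would actually illustrate the option.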
Expand Down Expand Up @@ -481,6 +566,14 @@
"default": "client.key"
}
}
},
"maxConnections": {
"$id": "#/properties/fluentd/properties/maxConnections",
"type": "integer",
"default": 0,
"examples": [
10
]
}
},
"additionalProperties": true
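Review bot: `maxConnections` uses `0` as a sentinel meaning "derive from `eventHandler.concurrency`", but the schema does not forbid negative values; add `"minimum": 0` so a typo such as `-1` is rejected by validation instead of being passed through `default` (which treats only `0` as empty) into the rendered `max-connections` line.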
62 changes: 50 additions & 12 deletions examples/chart/event-handler/values.yaml
Contributor

Thank you for converting the chart to the default values format :)

Once this PR is merged, can you open a follow-up PR to change examples/chart/Makefile, add render-chart-ref-event-handler and check-chart-ref-event-handle so we use the comments from values.yaml to generate the reference?

Expand Up @@ -5,9 +5,10 @@
#
# Plugin specific options
#

# teleport -- contains the configuration describing how the plugin connects to
# your Teleport cluster.
teleport:
# When the address is empty, `tbot.teleportProxyAddress`
# or `tbot.teleportAuthAddress` will be used if they are set.
# teleport.address(string) -- is the address of the Teleport cluster the plugin
# connects to. The address must contain both the domain name and the port of
# the Teleport cluster. It can be either the address of the auth servers or the
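Review bot: the deleted comment (`When the address is empty, tbot.teleportProxyAddress or tbot.teleportAuthAddress will be used if they are set.`) documented the fallback that the configmap template still implements via `coalesce`; the replacement `teleport.address(string)` comment visible in this hunk describes the address format but is cut off before showing whether that fallback sentence was carried over. Please confirm the new comment still states that the tbot addresses are used when `teleport.address` is empty, otherwise operators reading `helm show values` will not know an empty value is valid.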
Expand Down Expand Up @@ -45,33 +46,70 @@ teleport:
# `"auth_id"`, you can omit this field.
identitySecretPath: "auth_id"

# eventHandler -- contains the configuration used by the plugin to forward Teleport events.
eventHandler:
# eventHandler.storagePath(string) -- is the storage directory for the event handler.
storagePath: "/var/lib/teleport/plugins/event-handler/storage"
# eventHandler.timeout(string) -- is the polling timeout.
timeout: "10s"
# eventHandler.batch(int) -- is the fetch batch size.
batch: 20
# The window size configures the duration of the time window for the event handler
# eventHandler.windowSize(string) -- configures the duration of the time window for the event handler
# to request events from Teleport. By default, this is set to 24 hours.
# Reduce the window size if the events backend cannot manage the event volume
# for the default window size.
# The window size should be specified as a duration string, parsed by Go's time.ParseDuration.
windowSize: "24h"
# Optional setting to enable debug logging
# debug: true
# Optional setting for event types to forward
# types: ["TYPE1", "TYPE2"]
# Optional setting for audit event types to skip
# skipEventTypes: ["TYPE1"]
# Optional setting for session recording event types to skip
# skipSessionTypes: ["TYPE1"]

# eventHandler.debug(bool) -- enables debug logging.
debug: false
# eventHandler.types(list) -- is the list of event types to forward.
# When unset, the event handler forwards all events.
types: []
# eventHandler.skipEventTypes(list) -- is the list of audit event types to skip.
skipEventTypes: []
# eventHandler.skipSessionTypes(list) -- is the list of session recording event types to skip.
# When unset, the event handler skips spammy and binary events.
#
# See the [Teleport-event-handler README](https://github.com/gravitational/teleport/blob/1d2bd5eb8fc3500deb7d7108f6835efde98b7b24/integrations/event-handler/README.md)
# for a list of default skipped events.
skipSessionTypes: []
# eventHandler.startTime(string) -- is the start time to start ingestion from (RFC3339 format).
startTime: ""
# eventHandler.dryRun(bool) -- enables dry run without sending events to fluentd.
dryRun: false
# eventHandler.concurrency(int) -- is the number of concurent sessions to process. By default, this is set to 5.
concurrency: 5
lock:
# eventHandler.lock.enabled(bool) -- controls whether user auto-locking is enabled.
enabled: false
# eventHandler.lock.failedAttemptsCount(int) -- is the number of failed attempts in the `lockPeriod` which
# triggers locking. By default, this is set to 3.
failedAttemptsCount: 3
# eventHandler.lock.period(string) -- is the time period where `lock-failed-attempts-count` failed attempts
# will trigger locking. By default, this is set to 1 minute.
period: "1m"
# eventHandler.lock.for(string) -- is the time period for which user gets lock.
for: ""

# fluentd -- contains the configuration for the fluentd forwarder.
fluentd:
# fluentd.url(string) -- is the Fluentd URL where the events will be sent.
url: ""
# fluentd.sessionUrl(string) -- is the Fluentd URL where the session logs will be sent.
sessionUrl: ""
certificate:
# fluentd.certificate.secretName(string) -- is the secret containing the credentials to connect to Fluentd.
# It must to contain the CA certificate, the client key and the client certificate.
secretName: ""
# fluentd.certificate.caPath(string) -- is the name of the key which contains the CA certificate inside the secret.
caPath: "ca.crt"
# fluentd.certificate.certPath(string) -- is the name of the key which contains the client's certificate inside the secret.
certPath: "client.crt"
# fluentd.certificate.keyPath(string) -- is the name of the key which contains the client's private key inside the secret.
keyPath: "client.key"
# fluentd.maxConnections(int) -- is the maximum number of connections to Fluentd. By default, or when set to 0,
# this becomes `eventHandler.concurrency` * 2.
maxConnections: 0

# tbot -- controls the optional tbot deployment that obtains and renews
# credentials for the plugin to connect to Teleport.
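Review bot: the new `lock` comments mix the TOML and camelCase names: the `failedAttemptsCount` comment says `lockPeriod` (no such key; the values key is `eventHandler.lock.period`) and the `period` comment says `lock-failed-attempts-count` (the TOML key) rather than `eventHandler.lock.failedAttemptsCount`. Typos: `concurent` in the `concurrency` comment, `It must to contain` under `fluentd.certificate.secretName`, and `for which user gets lock` reads better as `for which the user is locked`. Given the discussion above that events can arrive minutes late and that the limiter keys on the current time, the `lock.enabled` comment should say plainly that enabling it lets the plugin lock Teleport users based on delayed, batched audit events, so operators can weigh that before turning it on.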
13 changes: 11 additions & 2 deletions integrations/event-handler/README.md
Expand Up @@ -21,7 +21,7 @@ You may specify configuration options via command line arguments, environment va
|---------------------------|-------------------------------------------------------------------------------------------------------|---------------------------------|
| teleport-addr | Teleport host and port | FDFWD_TELEPORT_ADDR |
| teleport-ca | Teleport TLS CA file | FDFWD_TELEPORT_CA |
| teleport-cert | Teleport TLS certificate file | FDWRD_TELEPORT_CERT |
| teleport-cert | Teleport TLS certificate file | FDFWD_TELEPORT_CERT |
| teleport-key | Teleport TLS key file | FDFWD_TELEPORT_KEY |
| teleport-identity | Teleport identity file | FDFWD_TELEPORT_IDENTITY |
| teleport-refresh-enabled | Controls if the identity file should be reloaded from disk after the initial start on interval. | FDFWD_TELEPORT_REFRESH_ENABLED |
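Review bot: the `FDWRD_TELEPORT_CERT` to `FDFWD_TELEPORT_CERT` correction is documentation only; it is worth checking the flag definition in the event handler's CLI setup to confirm `FDFWD_TELEPORT_CERT` is the name the binary actually reads, since an environment variable name that is wrong in the README leaves users who configure via environment with an unset client certificate and a confusing TLS failure.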
Expand All @@ -31,15 +31,24 @@ You may specify configuration options via command line arguments, environment va
| fluentd-ca | fluentd TLS CA file | FDFWD_FLUENTD_CA |
| fluentd-cert | Fluentd TLS certificate file | FDFWD_FLUENTD_CERT |
| fluentd-key | Fluentd TLS key file | FDFWD_FLUENTD_KEY |
| fluentd-max-connections | Maximum number of connections to Fluentd | FDFWD_MAX_CONNECTIONS |
| storage | Storage directory | FDFWD_STORAGE |
| batch | Fetch batch size | FDFWD_BATCH |
| types | Comma-separated list of event types to forward | FDFWD_TYPES |
| skip-event-types | Comma-separated list of event types to skip | FDFWD_SKIP_EVENT_TYPES |
| skip-event-types | Comma-separated list of event types to skip | FDFWD_SKIP_EVENT_TYPES |
| skip-session-types | Comma-separated list of session event types to skip | FDFWD_SKIP_SESSION_TYPES |
| start-time | Minimum event time (RFC3339 format) | FDFWD_START_TIME |
| timeout | Polling timeout | FDFWD_TIMEOUT |
| cursor | Start cursor value | FDFWD_CURSOR |
| debug | Debug logging | FDFWD_DEBUG |
| dry-run | Simulates execution without sending events to Fluentd | FDFWD_DRY_RUN |
| exit-on-last-event | Exit when last event is processed | FDFWD_EXIT_ON_LAST_EVENT |
| concurrency | Number of concurrent sessions | FDFWD_CONCURRENCY |
| window-size | Window size to process events | FDFWD_WINDOW_SIZE |
| lock-enabled | Enable user auto-locking | FDFWD_LOCKING_ENABLED |
| lock-failed-attempts-count| Number of failed attempts in lock-period which triggers locking | FDFWD_LOCKING_FAILED_ATTEMPTS |
| lock-period | Time period where lock-failed-attempts-count failed attempts will trigger locking | FDFWD_LOCKING_PERIOD |
| lock-for | Time period for which user gets lock | FDFWD_LOCKING_FOR |

TOML configuration keys are the same as CLI args. Teleport and Fluentd variables can be grouped into sections. See [example TOML](example/config.toml). You can specify TOML file location using `--config` CLI flag.
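Review bot: the env var names in the new rows break the pattern of the rest of the table: `fluentd-max-connections` maps to `FDFWD_MAX_CONNECTIONS` while every other `fluentd-*` flag maps to `FDFWD_FLUENTD_*`, and `lock-failed-attempts-count` maps to `FDFWD_LOCKING_FAILED_ATTEMPTS` (prefix `LOCKING`, suffix `COUNT` dropped) rather than following the flag name; if those are the names the binary accepts, fine, but they deserve a check against the flag definitions. The `lock-enabled` row should also state that it defaults to off, and the `lock-for` description `Time period for which user gets lock` should read `Time period for which the user is locked`.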
