diff --git a/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx b/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
new file mode 100644
index 0000000000000..51b6996268f2a
--- /dev/null
+++ b/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
@@ -0,0 +1,450 @@
+
+{/* Generated file. Do not edit.*/}
+{/* Generate this file by navigating to examples/chart and running make render-chart-ref*/}
+### `teleport.address`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`teleport.address` is the address of the Teleport cluster the plugin
+connects to. The address must contain both the domain name and the port of
+the Teleport cluster. It can be either the address of the auth servers or the
+proxy servers.
+
+For example:
+ - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
+ - joining an Auth: `teleport-auth.example.com:3025`
+
+When the address is empty, `tbot.teleportProxyAddress`
+or `tbot.teleportAuthAddress` will be used if they are set.
+
+### `teleport.identitySecretName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`teleport.identitySecretName` is the name of the Kubernetes secret
+that contains the credentials for the connection to your Teleport cluster.
+
+The secret should be in the following format:
+
+```yaml
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: teleport-plugin-event-handler-identity
+data:
+ auth_id: #...
+```
+
+Check out the [Export Events with Fluentd]
+(../../zero-trust-access/export-audit-events/fluentd.mdx) guide
+for more information about how to acquire these credentials.
+
+### `teleport.identitySecretPath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"auth_id"` |
+
+`teleport.identitySecretPath` is the key in the Kubernetes secret
+specified by `teleport.identitySecretName` that holds the credentials for
+the connection to your Teleport cluster. If the secret has the path,
+`"auth_id"`, you can omit this field.
+
+## `eventHandler`
+
+`eventHandler` contains the configuration used by the plugin to forward Teleport events.
+
+### `eventHandler.storagePath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"/var/lib/teleport/plugins/event-handler/storage"` |
+
+`eventHandler.storagePath` is the storage directory for the event handler.
+
+### `eventHandler.timeout`
+
+| Type | Default |
+|------|---------|
+| `string` | `"10s"` |
+
+`eventHandler.timeout` is the polling timeout.
+
+### `eventHandler.batch`
+
+| Type | Default |
+|------|---------|
+| `int` | `20` |
+
+`eventHandler.batch` is the fetch batch size.
+
+### `eventHandler.windowSize`
+
+| Type | Default |
+|------|---------|
+| `string` | `"24h"` |
+
+`eventHandler.windowSize` configures the duration of the time window for the event handler
+to request events from Teleport. By default, this is set to 24 hours.
+Reduce the window size if the events backend cannot manage the event volume
+for the default window size.
+The window size should be specified as a duration string, parsed by Go's time.ParseDuration.
+
+### `eventHandler.debug`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`eventHandler.debug` enables debug logging.
+
+### `eventHandler.types`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`eventHandler.types` is the list of event types to forward.
+When unset, the event handler forwards all events.
+
+### `eventHandler.skipEventTypes`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`eventHandler.skipEventTypes` is the list of audit event types to skip.
+
+### `eventHandler.skipSessionTypes`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`eventHandler.skipSessionTypes` is the list of session recording event types to skip.
+When unset, the event handler skips noisy and binary events.
+
+See the [Teleport-event-handler README](https://github.com/gravitational/teleport/blob/1d2bd5eb8fc3500deb7d7108f6835efde98b7b24/integrations/event-handler/README.md)
+for a list of default skipped events.
+
+## `fluentd`
+
+`fluentd` contains the configuration for the fluentd forwarder.
+
+### `fluentd.url`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`fluentd.url` is the Fluentd URL where the events will be sent.
+
+### `fluentd.sessionUrl`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`fluentd.sessionUrl` is the Fluentd URL where the session logs will be sent.
+
+#### `fluentd.certificate.secretName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`fluentd.certificate.secretName` is the secret containing the credentials to connect to Fluentd.
+It must contain the CA certificate, the client key and the client certificate.
+
+#### `fluentd.certificate.caPath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"ca.crt"` |
+
+`fluentd.certificate.caPath` is the name of the key which contains the CA certificate inside the secret.
+
+#### `fluentd.certificate.certPath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"client.crt"` |
+
+`fluentd.certificate.certPath` is the name of the key which contains the client's certificate inside the secret.
+
+#### `fluentd.certificate.keyPath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"client.key"` |
+
+`fluentd.certificate.keyPath` is the name of the key which contains the client's private key inside the secret.
+
+## `tbot`
+
+`tbot` controls the optional tbot deployment that obtains and renews
+credentials for the plugin to connect to Teleport.
+Only default and mandatory values are described here, see the tbot chart reference
+for the full list of supported values.
+
+### `tbot.enabled`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`tbot.enabled` controls if tbot should be deployed with the event handler plugin.
+
+### `tbot.clusterName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.clusterName` is the name of the Teleport cluster tbot and the event handler plugin will join.
+Setting this value is mandatory when tbot is enabled.
+
+### `tbot.teleportProxyAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportProxyAddress` is the teleport Proxy Service address the bot will connect to.
+This must contain the port number, usually 443 or 3080 for Proxy Service.
+Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+This is mandatory to connect to Teleport Enterprise (Cloud).
+
+This setting is mutually exclusive with `teleportAuthAddress`.
+
+For example:
+```yaml
+tbot:
+ teleportProxyAddress: "test.teleport.sh:443"
+```
+
+### `tbot.teleportAuthAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportAuthAddress` is the teleport Auth Service address the bot will connect to.
+This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+Helm release and have direct access to the Auth Service.
+Else, you should prefer connecting via the Proxy Service.
+
+This setting is mutually exclusive with `teleportProxyAddress`.
+
+For example:
+```yaml
+teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+```
+
+### `tbot.joinMethod`
+
+| Type | Default |
+|------|---------|
+| `string` | `"kubernetes"` |
+
+`tbot.joinMethod` describes how tbot joins the Teleport cluster.
+See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+
+## `image`
+
+`image` sets the container image used for plugin pods created by the chart.
+
+You can override this to use your own plugin image rather than a Teleport-published image.
+
+### `image.repository`
+
+| Type | Default |
+|------|---------|
+| `string` | `"public.ecr.aws/gravitational/teleport-plugin-event-handler"` |
+
+`image.repository` is the image repository.
+
+### `image.pullPolicy`
+
+| Type | Default |
+|------|---------|
+| `string` | `"IfNotPresent"` |
+
+`image.pullPolicy` is the [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy).
+
+### `image.tag`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`image.tag` Overrides the image tag whose default is the chart appVersion.
+
+Normally, the version of the Teleport plugin matches the
+version of the chart. If you install chart version 15.0.0, you'll use
+the plugin version 15.0.0. Upgrading the plugin is done by upgrading the chart.
+
+
+`image.tag` is intended for development and custom tags. This MUST NOT be
+used to control the plugin version in a typical deployment. This
+chart is designed to run a specific plugin version. You will face
+compatibility issues trying to run a different version with it.
+
+If you want to run the Teleport plugin version `X.Y.Z`, you should use
+`helm install --version X.Y.Z` instead.
+
+
+## `imagePullSecrets`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`imagePullSecrets` is a list of secrets containing authorization tokens
+which can be optionally used to access a private Docker registry.
+
+See the [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) for more details.
+
+## `nameOverride`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`nameOverride` optionally overrides the name of the chart, used
+together with the release name when giving a name to resources.
+
+## `fullnameOverride`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`fullnameOverride` optionally overrides the full name of resources.
+
+## `podSecurityContext`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`podSecurityContext` sets the pod security context for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+for more details.
+
+To unset the security context, set it to `null` or `~`.
+
+## `securityContext`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`securityContext` sets the container security context for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+for more details.
+
+To unset the security context, set it to `null` or `~`.
+
+## `resources`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`resources` sets the resource requests/limits for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
+for more details.
+
+## `nodeSelector`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`nodeSelector` sets the node selector for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+for more details.
+
+## `tls`
+
+`tls` contains settings for mounting your own TLS material in the event-handler pod.
+The event-handler does not expose a TLS server, so this is only used to trust CAs.
+
+### `tls.existingCASecretName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tls.existingCASecretName` sets the `SSL_CERT_FILE` environment
+variable to load a trusted CA or bundle in PEM format into Teleport pods.
+The injected CA will be used to validate TLS communications with the Proxy
+Service.
+
+You must create a secret containing the CA certs in the same namespace as Teleport using a command like:
+
+$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
+
+ The key containing the root CA in the secret must be `ca.pem`.
+
+## `tolerations`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`tolerations` sets the tolerations for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
+for more details.
+
+## `affinity`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`affinity` sets the affinities for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
+for more details.
+
+## `volumes`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`volumes` sets the volumes mounted into the main event-handler pod.
+See [the Kubernetes volume
+documentation](https://kubernetes.io/docs/concepts/storage/volumes/) for more
+details.
+
+For example:
+```yaml
+- name: storage
+ persistentVolumeClaim:
+ claimName: teleport-plugin-event-handler
+```
+
+## `volumeMounts`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`volumeMounts` sets the volume mounts for the main event-handler container.
+See [the Kubernetes volume
+documentation](https://kubernetes.io/docs/concepts/storage/volumes/) for more
+details.
+
+For example:
+```yaml
+- name: storage
+ mountPath: "/var/lib/teleport/plugins/event-handler/storage"
+```
diff --git a/docs/pages/includes/plugins/finish-event-handler-config.mdx b/docs/pages/includes/plugins/finish-event-handler-config.mdx
index cc66d961d3385..be6edf5dc1e5f 100644
--- a/docs/pages/includes/plugins/finish-event-handler-config.mdx
+++ b/docs/pages/includes/plugins/finish-event-handler-config.mdx
@@ -8,7 +8,6 @@ the Fluentd event handler. This file includes setting similar to the following:
storage = "./storage"
timeout = "10s"
batch = 20
-namespace = "default"
# The window size configures the duration of the time window for the event handler
# to request events from Teleport. By default, this is set to 24 hours.
# Reduce the window size if the events backend cannot manage the event volume
@@ -56,7 +55,6 @@ eventHandler:
storagePath: "./storage"
timeout: "10s"
batch: 20
- namespace: "default"
# The window size configures the duration of the time window for the event handler
# to request events from Teleport. By default, this is set to 24 hours.
# Reduce the window size if the events backend cannot manage the event volume
diff --git a/docs/pages/reference/helm-reference/teleport-plugin-event-handler.mdx b/docs/pages/reference/helm-reference/teleport-plugin-event-handler.mdx
index c0cfbde0ab1fa..1c95e85fa20ac 100644
--- a/docs/pages/reference/helm-reference/teleport-plugin-event-handler.mdx
+++ b/docs/pages/reference/helm-reference/teleport-plugin-event-handler.mdx
@@ -14,179 +14,4 @@ This reference details available values for the `teleport-plugin-event-handler`
(!docs/pages/includes/backup-warning.mdx!)
-## `teleport.address`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `""` | Yes |
-
-This parameter contains the host/port combination of the Teleport Auth Service.
-
-`values.yaml` example:
-
- ```yaml
- teleport:
- address: "teleport.example.com:3025"
- ```
-
-## `teleport.identitySecretName`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `""` | Yes |
-
-Name of the Kubernetes secret that contains the credentials for the connection.
-
-The secret should be in the following format:
-
-```yaml
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
- name: teleport-plugin-event-handler-identity
-data:
- auth_id: ...
-```
-
-`values.yaml` example:
-
- ```yaml
- teleport:
- identitySecretName: "teleport-plugin-event-handler-identity"
- ```
-
-## `teleport.identitySecretPath`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `"auth_id"` | No |
-
-Name of the key in the Kubernetes secret that holds the credentials for the connection. If the secret follows the format above, it can be omitted.
-
-`values.yaml` example:
-
- ```yaml
- teleport:
- identitySecretPath: "auth_id"
- ```
-
-## `fluentd.url`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `""` | Yes |
-
-Fluentd URL where the events will be sent.
-
-`values.yaml` example:
-
- ```yaml
- fluentd:
- url: "https://fluentd:24224/events.log"
- ```
-
-## `fluentd.sessionUrl`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `""` | Yes |
-
-Fluentd URL where the session logs will be sent.
-
-`values.yaml` example:
-
- ```yaml
- fluentd:
- sessionUrl: "https://fluentd:24224/session.log"
- ```
-
-## `fluentd.certificate.secretName`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `""` | Yes |
-
-Secret containing the credentials to connect to Fluentd. It must to contain the CA certificate, the client key and the client certificate.
-
-`values.yaml` example:
-
- ```yaml
- fluentd:
- secretName: "teleport-plugin-event-handler-fluentd"
- ```
-
-## `fluentd.certificate.caPath`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `"ca.crt"` | No |
-
-Name of the key which contains the CA certificate inside the secret.
-
-`values.yaml` example:
-
- ```yaml
- fluentd:
- caPath: "ca.crt"
- ```
-
-## `fluentd.certificate.keyPath`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `"client.key"` | No |
-
-Name of the key which contains the client's private key inside the secret.
-
-`values.yaml` example:
-
- ```yaml
- fluentd:
- keyPath: "client.key"
- ```
-
-## `fluentd.certificate.certPath`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `"client.crt"` | No |
-
-Name of the key which contains the client's certificate inside the secret.
-
-`values.yaml` example:
-
- ```yaml
- fluentd:
- certPath: "client.crt"
- ```
-
-## `log.output`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `stdout` | No |
-
-Logger output. Can be `stdout`, `stderr` or a file name, eg. `/var/log/teleport/fluentd.log`.
-
-`values.yaml` example:
-
- ```yaml
- log:
- output: /var/log/teleport/fluentd.log
- ```
-
-## `log.severity`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `stdout` | No |
-
-Logger severity. Possible values are `INFO`, `ERROR`, `DEBUG` or `WARN`.
-
-`values.yaml` example:
-
- ```yaml
- log:
- severity: DEBUG
- ```
+(!docs/pages/includes/helm-reference/zz_generated.event-handler.mdx!)
diff --git a/examples/chart/Makefile b/examples/chart/Makefile
index 017864ae573b5..c0510bd8d13d2 100644
--- a/examples/chart/Makefile
+++ b/examples/chart/Makefile
@@ -7,7 +7,7 @@ check_access = $(addprefix check-chart-ref-access-,$(access))
render_access = $(addprefix render-chart-ref-access-,$(access))
.PHONY: render-chart-ref
-render-chart-ref: render-chart-ref-example render-chart-ref-teleport-operator render-chart-ref-teleport-kube-agent render-chart-ref-tbot $(render_access) # render-chart-ref-teleport-cluster
+render-chart-ref: render-chart-ref-example render-chart-ref-teleport-operator render-chart-ref-teleport-kube-agent render-chart-ref-tbot $(render_access) render-chart-ref-event-handler # render-chart-ref-teleport-cluster
.PHONY: render-chart-ref-example
render-chart-ref-example:
@@ -40,8 +40,13 @@ render-chart-ref-access-%:
cd ../../build.assets/tooling && \
go run ./cmd/render-helm-ref -chart ../../examples/chart/access/$* -output ../../docs/pages/includes/helm-reference/zz_generated.access-$*.mdx
+.PHONY: render-chart-ref-event-handler
+render-chart-ref-event-handler:
+ cd ../../build.assets/tooling && \
+ go run ./cmd/render-helm-ref -chart ../../examples/chart/event-handler -output ../../docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
+
.PHONY: check-chart-ref
-check-chart-ref: check-chart-ref-example check-chart-ref-teleport-operator check-chart-ref-teleport-kube-agent check-chart-ref-tbot $(check_access) #check-chart-ref-teleport-cluster
+check-chart-ref: check-chart-ref-example check-chart-ref-teleport-operator check-chart-ref-teleport-kube-agent check-chart-ref-tbot $(check_access) check-chart-ref-event-handler #check-chart-ref-teleport-cluster
.PHONY: check-chart-ref-example
check-chart-ref-example:
@@ -84,3 +89,10 @@ check-chart-ref-access-%:
@ cd ../../build.assets/tooling && \
go run ./cmd/render-helm-ref -chart ../../examples/chart/access/$* -output - | diff ../../docs/pages/includes/helm-reference/zz_generated.access-$*.mdx - || \
( echo "Chart values.yaml and reference differ, please run 'make -C examples/chart render-chart-ref'" && exit 1 )
+
+.PHONY: check-chart-ref-event-handler
+check-chart-ref-event-handler:
+ @echo "Checking event-handler reference"
+ @ cd ../../build.assets/tooling && \
+ go run ./cmd/render-helm-ref -chart ../../examples/chart/event-handler -output - | diff ../../docs/pages/includes/helm-reference/zz_generated.event-handler.mdx - || \
+ ( echo "Chart values.yaml and reference differ, please run 'make -C examples/chart render-chart-ref'" && exit 1 )
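Review bot: In `check-chart-ref-event-handler`, the recipe pipes `go run ./cmd/render-helm-ref … -output -` straight into `diff`, so the pipeline's status is `diff`'s alone. If the renderer fails to build or run, the failure surfaces as "Chart values.yaml and reference differ", which sends the reader to re-render instead of to the tooling error. The existing `check-chart-ref-access-%` rule has the same shape. Consider rendering to a temporary file first and running `diff` on it only if `go run` succeeded, so the drift check fails for the right reason; the Makefile's `SHELL` setting is not visible here, so `pipefail` may not be an option.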
diff --git a/examples/chart/event-handler/values.yaml b/examples/chart/event-handler/values.yaml
index 8d108647bef9b..6aaf6a9fe9cfd 100644
--- a/examples/chart/event-handler/values.yaml
+++ b/examples/chart/event-handler/values.yaml
@@ -6,8 +6,6 @@
# Plugin specific options
#
teleport:
- # When the address is empty, `tbot.teleportProxyAddress`
- # or `tbot.teleportAuthAddress` will be used if they are set.
# teleport.address(string) -- is the address of the Teleport cluster the plugin
# connects to. The address must contain both the domain name and the port of
# the Teleport cluster. It can be either the address of the auth servers or the
@@ -30,7 +28,7 @@ teleport:
# kind: Secret
# type: Opaque
# metadata:
- # name: teleport-plugin-event-handeler-identity
+ # name: teleport-plugin-event-handler-identity
# data:
# auth_id: #...
# ```
@@ -45,32 +43,49 @@ teleport:
# `"auth_id"`, you can omit this field.
identitySecretPath: "auth_id"
+# eventHandler -- contains the configuration used by the plugin to forward Teleport events.
eventHandler:
+ # eventHandler.storagePath(string) -- is the storage directory for the event handler.
storagePath: "/var/lib/teleport/plugins/event-handler/storage"
+ # eventHandler.timeout(string) -- is the polling timeout.
timeout: "10s"
+ # eventHandler.batch(int) -- is the fetch batch size.
batch: 20
- # The window size configures the duration of the time window for the event handler
+ # eventHandler.windowSize(string) -- configures the duration of the time window for the event handler
# to request events from Teleport. By default, this is set to 24 hours.
# Reduce the window size if the events backend cannot manage the event volume
# for the default window size.
# The window size should be specified as a duration string, parsed by Go's time.ParseDuration.
windowSize: "24h"
- # Optional setting to enable debug logging
- # debug: true
- # Optional setting for event types to forward
- # types: ["TYPE1", "TYPE2"]
- # Optional setting for audit event types to skip
- # skipEventTypes: ["TYPE1"]
- # Optional setting for session recording event types to skip
- # skipSessionTypes: ["TYPE1"]
+ # eventHandler.debug(bool) -- enables debug logging.
+ debug: false
+ # eventHandler.types(list) -- is the list of event types to forward.
+ # When unset, the event handler forwards all events.
+ types: []
+ # eventHandler.skipEventTypes(list) -- is the list of audit event types to skip.
+ skipEventTypes: []
+ # eventHandler.skipSessionTypes(list) -- is the list of session recording event types to skip.
+ # When unset, the event handler skips noisy and binary events.
+ #
+ # See the [Teleport-event-handler README](https://github.com/gravitational/teleport/blob/1d2bd5eb8fc3500deb7d7108f6835efde98b7b24/integrations/event-handler/README.md)
+ # for a list of default skipped events.
+ skipSessionTypes: []
+# fluentd -- contains the configuration for the fluentd forwarder.
fluentd:
+ # fluentd.url(string) -- is the Fluentd URL where the events will be sent.
url: ""
+ # fluentd.sessionUrl(string) -- is the Fluentd URL where the session logs will be sent.
sessionUrl: ""
certificate:
+ # fluentd.certificate.secretName(string) -- is the secret containing the credentials to connect to Fluentd.
+ # It must contain the CA certificate, the client key and the client certificate.
secretName: ""
+ # fluentd.certificate.caPath(string) -- is the name of the key which contains the CA certificate inside the secret.
caPath: "ca.crt"
+ # fluentd.certificate.certPath(string) -- is the name of the key which contains the client's certificate inside the secret.
certPath: "client.crt"
+ # fluentd.certificate.keyPath(string) -- is the name of the key which contains the client's private key inside the secret.
keyPath: "client.key"
# tbot -- controls the optional tbot deployment that obtains and renews
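Review bot: `types`, `skipEventTypes` and `skipSessionTypes` go from commented-out keys to explicit `[]` defaults, yet the new comment on `skipSessionTypes` still says "When unset, the event handler skips noisy and binary events". Whether an empty list is treated as unset depends on how the chart template renders these keys into the plugin configuration, which is outside this diff. If the template emits the key whenever it is defined, the built-in skip list could be replaced by an empty one, and the noisy and binary session events would be forwarded to the Fluentd backend. Please confirm the template only renders these keys for a non-empty list, and reword the comments to `# When empty, the event handler skips noisy and binary events.` and `# When empty, the event handler forwards all events.` so the reference describes the shipped default.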
@@ -131,24 +146,67 @@ persistentVolumeClaim:
#
# Deployment
#
+# image -- sets the container image used for plugin pods created by the chart.
+#
+# You can override this to use your own plugin image rather than a Teleport-published image.
image:
+ # image.repository(string) -- is the image repository.
repository: public.ecr.aws/gravitational/teleport-plugin-event-handler
+ # image.pullPolicy(string) -- is the [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy).
pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
+ # image.tag(string) -- Overrides the image tag whose default is the chart appVersion.
+ #
+ # Normally, the version of the Teleport plugin matches the
+ # version of the chart. If you install chart version 15.0.0, you'll use
+ # the plugin version 15.0.0. Upgrading the plugin is done by upgrading the chart.
+ #
+ #
+ # `image.tag` is intended for development and custom tags. This MUST NOT be
+ # used to control the plugin version in a typical deployment. This
+ # chart is designed to run a specific plugin version. You will face
+ # compatibility issues trying to run a different version with it.
+ #
+ # If you want to run the Teleport plugin version `X.Y.Z`, you should use
+ # `helm install --version X.Y.Z` instead.
+ #
tag: ""
+# imagePullSecrets(list) -- is a list of secrets containing authorization tokens
+# which can be optionally used to access a private Docker registry.
+#
+# See the [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) for more details.
imagePullSecrets: []
+
+# nameOverride(string) -- optionally overrides the name of the chart, used
+# together with the release name when giving a name to resources.
nameOverride: ""
+# fullnameOverride(string) -- optionally overrides the full name of resources.
fullnameOverride: ""
podAnnotations: {}
+# podSecurityContext(object) -- sets the pod security context for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+# for more details.
+#
+# To unset the security context, set it to `null` or `~`.
podSecurityContext: {}
+# securityContext(object) -- sets the container security context for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+# for more details.
+#
+# To unset the security context, set it to `null` or `~`.
securityContext: {}
+# resources(object) -- sets the resource requests/limits for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
+# for more details.
resources: {}
+# nodeSelector(object) -- sets the node selector for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+# for more details.
nodeSelector: {}
# tls -- contains settings for mounting your own TLS material in the event-handler pod.
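Review bot: `podAnnotations: {}` is the only key in this hunk left without a `# name(type) -- …` comment, so it is missing from the generated `zz_generated.event-handler.mdx`, which jumps from `fullnameOverride` to `podSecurityContext`. Adding something like `# podAnnotations(object) -- sets extra annotations on the pods created by the chart.` would bring it into the reference; the wording is presumed from the key name and should be checked against the deployment template. The top-level `teleport:` key in the first values.yaml hunk has the same gap, which is why the generated page opens at `### teleport.address` with no `## teleport` heading, unlike `eventHandler`, `fluentd` and `tbot`.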
@@ -166,15 +224,37 @@ tls:
# The key containing the root CA in the secret must be `ca.pem`.
existingCASecretName: ""
+# tolerations(list) -- sets the tolerations for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
+# for more details.
tolerations: []
+# affinity(object) -- sets the affinities for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
+# for more details.
affinity: {}
+# volumes(list) -- sets the volumes mounted into the main event-handler pod.
+# See [the Kubernetes volume
+# documentation](https://kubernetes.io/docs/concepts/storage/volumes/) for more
+# details.
+#
+# For example:
+# ```yaml
+# - name: storage
+# persistentVolumeClaim:
+# claimName: teleport-plugin-event-handler
+# ```
volumes: []
- # - name: storage
- # persistentVolumeClaim:
- # claimName: teleport-plugin-event-handler
+# volumeMounts(list) -- sets the volume mounts for the main event-handler container.
+# See [the Kubernetes volume
+# documentation](https://kubernetes.io/docs/concepts/storage/volumes/) for more
+# details.
+#
+# For example:
+# ```yaml
+# - name: storage
+# mountPath: "/var/lib/teleport/plugins/event-handler/storage"
+# ```
volumeMounts: []
- # - name: storage
- # mountPath: "/var/lib/teleport/plugins/event-handler/storage"