From b4e203c64b2b1f985621e98d9fb1c2acefd431bd Mon Sep 17 00:00:00 2001
From: Kevin <76608931+kshi36@users.noreply.github.com>
Date: Tue, 16 Dec 2025 09:36:37 -0800
Subject: [PATCH 1/3] docs: Render Event Handler helm chart reference with
`render-helm-ref` (#62282)
* docs: Render Event Handler helm chart reference with `render-helm-ref`
* Add rendered doc
* Fix typos
* Fix spellings, change spammy to noisy
---
.../zz_generated.event-handler.mdx | 609 ++++++++++++++++++
.../plugins/finish-event-handler-config.mdx | 2 -
.../teleport-plugin-event-handler.mdx | 177 +----
examples/chart/Makefile | 16 +-
examples/chart/event-handler/values.yaml | 116 +++-
5 files changed, 722 insertions(+), 198 deletions(-)
create mode 100644 docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
diff --git a/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx b/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
new file mode 100644
index 0000000000000..4d4e66ec96e73
--- /dev/null
+++ b/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
@@ -0,0 +1,609 @@
+
+{/* Generated file. Do not edit.*/}
+{/* Generate this file by navigating to examples/chart and running make render-chart-ref*/}
+## `teleport`
+
+`teleport` contains the configuration describing how the plugin connects to
+your Teleport cluster.
+
+### `teleport.address`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`teleport.address` is the address of the Teleport cluster the plugin
+connects to. The address must contain both the domain name and the port of
+the Teleport cluster. It can be either the address of the auth servers or the
+proxy servers.
+
+For example:
+ - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
+ - joining an Auth: `teleport-auth.example.com:3025`
+
+When the address is empty, `tbot.teleportProxyAddress`
+or `tbot.teleportAuthAddress` will be used if they are set.
+
+### `teleport.identitySecretName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`teleport.identitySecretName` is the name of the Kubernetes secret
+that contains the credentials for the connection to your Teleport cluster.
+
+The secret should be in the following format:
+
+```yaml
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: teleport-plugin-event-handler-identity
+data:
+ auth_id: #...
+```
+
+Check out the [Export Events with Fluentd]
+(../../zero-trust-access/export-audit-events/fluentd.mdx) guide
+for more information about how to acquire these credentials.
+
+### `teleport.identitySecretPath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"auth_id"` |
+
+`teleport.identitySecretPath` is the key in the Kubernetes secret
+specified by `teleport.identitySecretName` that holds the credentials for
+the connection to your Teleport cluster. If the secret has the path,
+`"auth_id"`, you can omit this field.
+
+## `eventHandler`
+
+`eventHandler` contains the configuration used by the plugin to forward Teleport events.
+
+### `eventHandler.storagePath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"/var/lib/teleport/plugins/event-handler/storage"` |
+
+`eventHandler.storagePath` is the storage directory for the event handler.
+
+### `eventHandler.timeout`
+
+| Type | Default |
+|------|---------|
+| `string` | `"10s"` |
+
+`eventHandler.timeout` is the polling timeout.
+
+### `eventHandler.batch`
+
+| Type | Default |
+|------|---------|
+| `int` | `20` |
+
+`eventHandler.batch` is the fetch batch size.
+
+### `eventHandler.windowSize`
+
+| Type | Default |
+|------|---------|
+| `string` | `"24h"` |
+
+`eventHandler.windowSize` configures the duration of the time window for the event handler
+to request events from Teleport. By default, this is set to 24 hours.
+Reduce the window size if the events backend cannot manage the event volume
+for the default window size.
+The window size should be specified as a duration string, parsed by Go's time.ParseDuration.
+
+### `eventHandler.debug`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`eventHandler.debug` enables debug logging.
+
+### `eventHandler.types`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`eventHandler.types` is the list of event types to forward.
+When unset, the event handler forwards all events.
+
+### `eventHandler.skipEventTypes`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`eventHandler.skipEventTypes` is the list of audit event types to skip.
+
+### `eventHandler.skipSessionTypes`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`eventHandler.skipSessionTypes` is the list of session recording event types to skip.
+When unset, the event handler skips noisy and binary events.
+
+See the [Teleport-event-handler README](https://github.com/gravitational/teleport/blob/1d2bd5eb8fc3500deb7d7108f6835efde98b7b24/integrations/event-handler/README.md)
+for a list of default skipped events.
+
+### `eventHandler.startTime`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`eventHandler.startTime` is the start time to start ingestion from (RFC3339 format).
+
+### `eventHandler.dryRun`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`eventHandler.dryRun` enables dry run without sending events to fluentd.
+
+### `eventHandler.concurrency`
+
+| Type | Default |
+|------|---------|
+| `int` | `5` |
+
+`eventHandler.concurrency` is the number of concurrent sessions to process. By default, this is set to 5.
+
+#### `eventHandler.lock.enabled`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`eventHandler.lock.enabled` controls whether user auto-locking is enabled.
+
+#### `eventHandler.lock.failedAttemptsCount`
+
+| Type | Default |
+|------|---------|
+| `int` | `3` |
+
+`eventHandler.lock.failedAttemptsCount` is the number of failed attempts in the `lockPeriod` which
+triggers locking. By default, this is set to 3.
+
+#### `eventHandler.lock.period`
+
+| Type | Default |
+|------|---------|
+| `string` | `"1m"` |
+
+`eventHandler.lock.period` is the time period where `lock-failed-attempts-count` failed attempts
+will trigger locking. By default, this is set to 1 minute.
+
+#### `eventHandler.lock.for`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`eventHandler.lock.for` is the time period for which user gets lock.
+
+## `fluentd`
+
+`fluentd` contains the configuration for the fluentd forwarder.
+
+### `fluentd.url`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`fluentd.url` is the Fluentd URL where the events will be sent.
+
+### `fluentd.sessionUrl`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`fluentd.sessionUrl` is the Fluentd URL where the session logs will be sent.
+
+#### `fluentd.certificate.secretName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`fluentd.certificate.secretName` is the secret containing the credentials to connect to Fluentd.
+It must contain the CA certificate, the client key and the client certificate.
+
+#### `fluentd.certificate.caPath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"ca.crt"` |
+
+`fluentd.certificate.caPath` is the name of the key which contains the CA certificate inside the secret.
+
+#### `fluentd.certificate.certPath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"client.crt"` |
+
+`fluentd.certificate.certPath` is the name of the key which contains the client's certificate inside the secret.
+
+#### `fluentd.certificate.keyPath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"client.key"` |
+
+`fluentd.certificate.keyPath` is the name of the key which contains the client's private key inside the secret.
+
+### `fluentd.maxConnections`
+
+| Type | Default |
+|------|---------|
+| `int` | `0` |
+
+`fluentd.maxConnections` is the maximum number of connections to Fluentd. By default, or when set to 0,
+this becomes `eventHandler.concurrency` * 2.
+
+## `tbot`
+
+`tbot` controls the optional tbot deployment that obtains and renews
+credentials for the plugin to connect to Teleport.
+Only default and mandatory values are described here, see the tbot chart reference
+for the full list of supported values.
+
+### `tbot.enabled`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`tbot.enabled` controls if tbot should be deployed with the event handler plugin.
+
+### `tbot.clusterName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.clusterName` is the name of the Teleport cluster tbot and the event handler plugin will join.
+Setting this value is mandatory when tbot is enabled.
+
+### `tbot.teleportProxyAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportProxyAddress` is the teleport Proxy Service address the bot will connect to.
+This must contain the port number, usually 443 or 3080 for Proxy Service.
+Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+This is mandatory to connect to Teleport Enterprise (Cloud).
+
+This setting is mutually exclusive with `teleportAuthAddress`.
+
+For example:
+```yaml
+tbot:
+ teleportProxyAddress: "test.teleport.sh:443"
+```
+
+### `tbot.teleportAuthAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportAuthAddress` is the teleport Auth Service address the bot will connect to.
+This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+Helm release and have direct access to the Auth Service.
+Else, you should prefer connecting via the Proxy Service.
+
+This setting is mutually exclusive with `teleportProxyAddress`.
+
+For example:
+```yaml
+teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+```
+
+### `tbot.joinMethod`
+
+| Type | Default |
+|------|---------|
+| `string` | `"kubernetes"` |
+
+`tbot.joinMethod` describes how tbot joins the Teleport cluster.
+See [the join method reference](../../reference/deployment/join-methods.mdx) for a list of supported values and detailed explanations.
+
+## `annotations`
+
+`annotations` contains annotations to apply to the different Kubernetes
+objects created by the chart. See [the Kubernetes annotation
+documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
+for more details.
+
+### `annotations.config`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`annotations.config` are annotations to set on the ConfigMap.
+
+### `annotations.deployment`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`annotations.deployment` are annotations to set on the Deployment.
+
+### `annotations.pod`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`annotations.pod` are annotations to set on the Pods.
+
+## `extraLabels`
+
+`extraLabels` contains additional Kubernetes labels to apply on the resources
+created by the chart. See [the Kubernetes label documentation
+](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
+for more information.
+
+### `extraLabels.config`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`extraLabels.config` are labels to set on the ConfigMap.
+
+### `extraLabels.deployment`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`extraLabels.deployment` are labels to set on the Deployment.
+
+### `extraLabels.pod`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`extraLabels.pod` are labels to set on the Pods.
+
+## `image`
+
+`image` sets the container image used for plugin pods created by the chart.
+
+You can override this to use your own plugin image rather than a Teleport-published image.
+
+### `image.repository`
+
+| Type | Default |
+|------|---------|
+| `string` | `"public.ecr.aws/gravitational/teleport-plugin-event-handler"` |
+
+`image.repository` is the image repository.
+
+### `image.pullPolicy`
+
+| Type | Default |
+|------|---------|
+| `string` | `"IfNotPresent"` |
+
+`image.pullPolicy` is the [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy).
+
+### `image.tag`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`image.tag` Overrides the image tag whose default is the chart appVersion.
+
+Normally, the version of the Teleport plugin matches the
+version of the chart. If you install chart version 15.0.0, you'll use
+the plugin version 15.0.0. Upgrading the plugin is done by upgrading the chart.
+
+
+`image.tag` is intended for development and custom tags. This MUST NOT be
+used to control the plugin version in a typical deployment. This
+chart is designed to run a specific plugin version. You will face
+compatibility issues trying to run a different version with it.
+
+If you want to run the Teleport plugin version `X.Y.Z`, you should use
+`helm install --version X.Y.Z` instead.
+
+
+## `imagePullSecrets`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`imagePullSecrets` is a list of secrets containing authorization tokens
+which can be optionally used to access a private Docker registry.
+
+See the [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) for more details.
+
+## `nameOverride`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`nameOverride` optionally overrides the name of the chart, used
+together with the release name when giving a name to resources.
+
+## `fullnameOverride`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`fullnameOverride` optionally overrides the full name of resources.
+
+## `podSecurityContext`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`podSecurityContext` sets the pod security context for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+for more details.
+
+To unset the security context, set it to `null` or `~`.
+
+## `securityContext`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`securityContext` sets the container security context for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+for more details.
+
+To unset the security context, set it to `null` or `~`.
+
+## `resources`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`resources` sets the resource requests/limits for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
+for more details.
+
+## `nodeSelector`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`nodeSelector` sets the node selector for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+for more details.
+
+## `tls`
+
+`tls` contains settings for mounting your own TLS material in the event-handler pod.
+The event-handler does not expose a TLS server, so this is only used to trust CAs.
+
+### `tls.existingCASecretName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tls.existingCASecretName` sets the `SSL_CERT_FILE` environment
+variable to load a trusted CA or bundle in PEM format into Teleport pods.
+The injected CA will be used to validate TLS communications with the Proxy
+Service.
+
+You must create a secret containing the CA certs in the same namespace as Teleport using a command like:
+
+$ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem
+
+ The key containing the root CA in the secret must be `ca.pem`.
+
+## `tolerations`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`tolerations` sets the tolerations for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
+for more details.
+
+## `affinity`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`affinity` sets the affinities for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
+for more details.
+
+## `volumes`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`volumes` sets the volumes mounted into the main event-handler pod.
+See [the Kubernetes volume
+documentation](https://kubernetes.io/docs/concepts/storage/volumes/) for more
+details.
+
+For example:
+```yaml
+- name: storage
+ persistentVolumeClaim:
+ claimName: teleport-plugin-event-handler
+```
+
+## `volumeMounts`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`volumeMounts` sets the volume mounts for the main event-handler container.
+See [the Kubernetes volume
+documentation](https://kubernetes.io/docs/concepts/storage/volumes/) for more
+details.
+
+For example:
+```yaml
+- name: storage
+ mountPath: "/var/lib/teleport/plugins/event-handler/storage"
+```
+
+## `extraArgs`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`extraArgs` contains extra arguments to pass to `teleport-plugin start` for
+the main event-handler container.
+
+## `extraEnv`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`extraEnv` contains extra environment variables to set in the main
+event-handler container.
+
+For example:
+```yaml
+extraEnv:
+ - name: HTTPS_PROXY
+ value: "http://username:password@my.proxy.host:3128"
+```
diff --git a/docs/pages/includes/plugins/finish-event-handler-config.mdx b/docs/pages/includes/plugins/finish-event-handler-config.mdx
index cc66d961d3385..be6edf5dc1e5f 100644
--- a/docs/pages/includes/plugins/finish-event-handler-config.mdx
+++ b/docs/pages/includes/plugins/finish-event-handler-config.mdx
@@ -8,7 +8,6 @@ the Fluentd event handler. This file includes setting similar to the following:
storage = "./storage"
timeout = "10s"
batch = 20
-namespace = "default"
# The window size configures the duration of the time window for the event handler
# to request events from Teleport. By default, this is set to 24 hours.
# Reduce the window size if the events backend cannot manage the event volume
@@ -56,7 +55,6 @@ eventHandler:
storagePath: "./storage"
timeout: "10s"
batch: 20
- namespace: "default"
# The window size configures the duration of the time window for the event handler
# to request events from Teleport. By default, this is set to 24 hours.
# Reduce the window size if the events backend cannot manage the event volume
diff --git a/docs/pages/reference/helm-reference/teleport-plugin-event-handler.mdx b/docs/pages/reference/helm-reference/teleport-plugin-event-handler.mdx
index c0cfbde0ab1fa..1c95e85fa20ac 100644
--- a/docs/pages/reference/helm-reference/teleport-plugin-event-handler.mdx
+++ b/docs/pages/reference/helm-reference/teleport-plugin-event-handler.mdx
@@ -14,179 +14,4 @@ This reference details available values for the `teleport-plugin-event-handler`
(!docs/pages/includes/backup-warning.mdx!)
-## `teleport.address`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `""` | Yes |
-
-This parameter contains the host/port combination of the Teleport Auth Service.
-
-`values.yaml` example:
-
- ```yaml
- teleport:
- address: "teleport.example.com:3025"
- ```
-
-## `teleport.identitySecretName`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `""` | Yes |
-
-Name of the Kubernetes secret that contains the credentials for the connection.
-
-The secret should be in the following format:
-
-```yaml
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
- name: teleport-plugin-event-handler-identity
-data:
- auth_id: ...
-```
-
-`values.yaml` example:
-
- ```yaml
- teleport:
- identitySecretName: "teleport-plugin-event-handler-identity"
- ```
-
-## `teleport.identitySecretPath`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `"auth_id"` | No |
-
-Name of the key in the Kubernetes secret that holds the credentials for the connection. If the secret follows the format above, it can be omitted.
-
-`values.yaml` example:
-
- ```yaml
- teleport:
- identitySecretPath: "auth_id"
- ```
-
-## `fluentd.url`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `""` | Yes |
-
-Fluentd URL where the events will be sent.
-
-`values.yaml` example:
-
- ```yaml
- fluentd:
- url: "https://fluentd:24224/events.log"
- ```
-
-## `fluentd.sessionUrl`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `""` | Yes |
-
-Fluentd URL where the session logs will be sent.
-
-`values.yaml` example:
-
- ```yaml
- fluentd:
- sessionUrl: "https://fluentd:24224/session.log"
- ```
-
-## `fluentd.certificate.secretName`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `""` | Yes |
-
-Secret containing the credentials to connect to Fluentd. It must to contain the CA certificate, the client key and the client certificate.
-
-`values.yaml` example:
-
- ```yaml
- fluentd:
- secretName: "teleport-plugin-event-handler-fluentd"
- ```
-
-## `fluentd.certificate.caPath`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `"ca.crt"` | No |
-
-Name of the key which contains the CA certificate inside the secret.
-
-`values.yaml` example:
-
- ```yaml
- fluentd:
- caPath: "ca.crt"
- ```
-
-## `fluentd.certificate.keyPath`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `"client.key"` | No |
-
-Name of the key which contains the client's private key inside the secret.
-
-`values.yaml` example:
-
- ```yaml
- fluentd:
- keyPath: "client.key"
- ```
-
-## `fluentd.certificate.certPath`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `"client.crt"` | No |
-
-Name of the key which contains the client's certificate inside the secret.
-
-`values.yaml` example:
-
- ```yaml
- fluentd:
- certPath: "client.crt"
- ```
-
-## `log.output`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `stdout` | No |
-
-Logger output. Can be `stdout`, `stderr` or a file name, eg. `/var/log/teleport/fluentd.log`.
-
-`values.yaml` example:
-
- ```yaml
- log:
- output: /var/log/teleport/fluentd.log
- ```
-
-## `log.severity`
-
-| Type | Default value | Required? |
-| - | - | - |
-| `string` | `stdout` | No |
-
-Logger severity. Possible values are `INFO`, `ERROR`, `DEBUG` or `WARN`.
-
-`values.yaml` example:
-
- ```yaml
- log:
- severity: DEBUG
- ```
+(!docs/pages/includes/helm-reference/zz_generated.event-handler.mdx!)
diff --git a/examples/chart/Makefile b/examples/chart/Makefile
index 017864ae573b5..c0510bd8d13d2 100644
--- a/examples/chart/Makefile
+++ b/examples/chart/Makefile
@@ -7,7 +7,7 @@ check_access = $(addprefix check-chart-ref-access-,$(access))
render_access = $(addprefix render-chart-ref-access-,$(access))
.PHONY: render-chart-ref
-render-chart-ref: render-chart-ref-example render-chart-ref-teleport-operator render-chart-ref-teleport-kube-agent render-chart-ref-tbot $(render_access) # render-chart-ref-teleport-cluster
+render-chart-ref: render-chart-ref-example render-chart-ref-teleport-operator render-chart-ref-teleport-kube-agent render-chart-ref-tbot $(render_access) render-chart-ref-event-handler # render-chart-ref-teleport-cluster
.PHONY: render-chart-ref-example
render-chart-ref-example:
@@ -40,8 +40,13 @@ render-chart-ref-access-%:
cd ../../build.assets/tooling && \
go run ./cmd/render-helm-ref -chart ../../examples/chart/access/$* -output ../../docs/pages/includes/helm-reference/zz_generated.access-$*.mdx
+.PHONY: render-chart-ref-event-handler
+render-chart-ref-event-handler:
+ cd ../../build.assets/tooling && \
+ go run ./cmd/render-helm-ref -chart ../../examples/chart/event-handler -output ../../docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
+
.PHONY: check-chart-ref
-check-chart-ref: check-chart-ref-example check-chart-ref-teleport-operator check-chart-ref-teleport-kube-agent check-chart-ref-tbot $(check_access) #check-chart-ref-teleport-cluster
+check-chart-ref: check-chart-ref-example check-chart-ref-teleport-operator check-chart-ref-teleport-kube-agent check-chart-ref-tbot $(check_access) check-chart-ref-event-handler #check-chart-ref-teleport-cluster
.PHONY: check-chart-ref-example
check-chart-ref-example:
@@ -84,3 +89,10 @@ check-chart-ref-access-%:
@ cd ../../build.assets/tooling && \
go run ./cmd/render-helm-ref -chart ../../examples/chart/access/$* -output - | diff ../../docs/pages/includes/helm-reference/zz_generated.access-$*.mdx - || \
( echo "Chart values.yaml and reference differ, please run 'make -C examples/chart render-chart-ref'" && exit 1 )
+
+.PHONY: check-chart-ref-event-handler
+check-chart-ref-event-handler:
+ @echo "Checking event-handler reference"
+ @ cd ../../build.assets/tooling && \
+ go run ./cmd/render-helm-ref -chart ../../examples/chart/event-handler -output - | diff ../../docs/pages/includes/helm-reference/zz_generated.event-handler.mdx - || \
+ ( echo "Chart values.yaml and reference differ, please run 'make -C examples/chart render-chart-ref'" && exit 1 )
diff --git a/examples/chart/event-handler/values.yaml b/examples/chart/event-handler/values.yaml
index 8d108647bef9b..9c48caf06c284 100644
--- a/examples/chart/event-handler/values.yaml
+++ b/examples/chart/event-handler/values.yaml
@@ -6,8 +6,6 @@
# Plugin specific options
#
teleport:
- # When the address is empty, `tbot.teleportProxyAddress`
- # or `tbot.teleportAuthAddress` will be used if they are set.
# teleport.address(string) -- is the address of the Teleport cluster the plugin
# connects to. The address must contain both the domain name and the port of
# the Teleport cluster. It can be either the address of the auth servers or the
@@ -30,7 +28,7 @@ teleport:
# kind: Secret
# type: Opaque
# metadata:
- # name: teleport-plugin-event-handeler-identity
+ # name: teleport-plugin-event-handler-identity
# data:
# auth_id: #...
# ```
@@ -45,32 +43,49 @@ teleport:
# `"auth_id"`, you can omit this field.
identitySecretPath: "auth_id"
+# eventHandler -- contains the configuration used by the plugin to forward Teleport events.
eventHandler:
+ # eventHandler.storagePath(string) -- is the storage directory for the event handler.
storagePath: "/var/lib/teleport/plugins/event-handler/storage"
+ # eventHandler.timeout(string) -- is the polling timeout.
timeout: "10s"
+ # eventHandler.batch(int) -- is the fetch batch size.
batch: 20
- # The window size configures the duration of the time window for the event handler
+ # eventHandler.windowSize(string) -- configures the duration of the time window for the event handler
# to request events from Teleport. By default, this is set to 24 hours.
# Reduce the window size if the events backend cannot manage the event volume
# for the default window size.
# The window size should be specified as a duration string, parsed by Go's time.ParseDuration.
windowSize: "24h"
- # Optional setting to enable debug logging
- # debug: true
- # Optional setting for event types to forward
- # types: ["TYPE1", "TYPE2"]
- # Optional setting for audit event types to skip
- # skipEventTypes: ["TYPE1"]
- # Optional setting for session recording event types to skip
- # skipSessionTypes: ["TYPE1"]
+ # eventHandler.debug(bool) -- enables debug logging.
+ # debug: false
+ # eventHandler.types(list) -- is the list of event types to forward.
+ # When unset, the event handler forwards all events.
+ # types: []
+ # eventHandler.skipEventTypes(list) -- is the list of audit event types to skip.
+ # skipEventTypes: []
+ # eventHandler.skipSessionTypes(list) -- is the list of session recording event types to skip.
+ # When unset, the event handler skips noisy and binary events.
+ #
+ # See the [Teleport-event-handler README](https://github.com/gravitational/teleport/blob/1d2bd5eb8fc3500deb7d7108f6835efde98b7b24/integrations/event-handler/README.md)
+ # for a list of default skipped events.
+ # skipSessionTypes: []
+# fluentd -- contains the configuration for the fluentd forwarder.
fluentd:
+ # fluentd.url(string) -- is the Fluentd URL where the events will be sent.
url: ""
+ # fluentd.sessionUrl(string) -- is the Fluentd URL where the session logs will be sent.
sessionUrl: ""
certificate:
+ # fluentd.certificate.secretName(string) -- is the secret containing the credentials to connect to Fluentd.
+ # It must contain the CA certificate, the client key and the client certificate.
secretName: ""
+ # fluentd.certificate.caPath(string) -- is the name of the key which contains the CA certificate inside the secret.
caPath: "ca.crt"
+ # fluentd.certificate.certPath(string) -- is the name of the key which contains the client's certificate inside the secret.
certPath: "client.crt"
+ # fluentd.certificate.keyPath(string) -- is the name of the key which contains the client's private key inside the secret.
keyPath: "client.key"
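Review bot: The new `fluentd.certificate.secretName` comment says the secret must contain the CA certificate, the client key and the client certificate, but does not say that those items have to live under the secret keys named by `fluentd.certificate.caPath`, `certPath` and `keyPath`, which is presumably what the chart mounts; a line such as `# The secret keys are those named by fluentd.certificate.caPath, certPath and keyPath.` would make the contract explicit in the rendered reference. The `fluentd.url` and `fluentd.sessionUrl` comments also lose the `https://fluentd:24224/events.log` style example that the hand-written reference removed in this commit carried, so the rendered page no longer shows what a valid value looks like; a `# For example: "https://fluentd:24224/events.log"` line would restore it. Relatedly, `eventHandler.timeout` is documented only as "the polling timeout" while `eventHandler.windowSize` spells out that it is a duration string parsed by Go's time.ParseDuration; if the same format applies to `timeout`, it is worth stating there too.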
# tbot -- controls the optional tbot deployment that obtains and renews
@@ -131,24 +146,67 @@ persistentVolumeClaim:
#
# Deployment
#
+# image -- sets the container image used for plugin pods created by the chart.
+#
+# You can override this to use your own plugin image rather than a Teleport-published image.
image:
+ # image.repository(string) -- is the image repository.
repository: public.ecr.aws/gravitational/teleport-plugin-event-handler
+ # image.pullPolicy(string) -- is the [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy).
pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
+ # image.tag(string) -- Overrides the image tag whose default is the chart appVersion.
+ #
+ # Normally, the version of the Teleport plugin matches the
+ # version of the chart. If you install chart version 15.0.0, you'll use
+ # the plugin version 15.0.0. Upgrading the plugin is done by upgrading the chart.
+ #
+ #
+ # `image.tag` is intended for development and custom tags. This MUST NOT be
+ # used to control the plugin version in a typical deployment. This
+ # chart is designed to run a specific plugin version. You will face
+ # compatibility issues trying to run a different version with it.
+ #
+ # If you want to run the Teleport plugin version `X.Y.Z`, you should use
+ # `helm install --version X.Y.Z` instead.
+ #
tag: ""
+# imagePullSecrets(list) -- is a list of secrets containing authorization tokens
+# which can be optionally used to access a private Docker registry.
+#
+# See the [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) for more details.
imagePullSecrets: []
+
+# nameOverride(string) -- optionally overrides the name of the chart, used
+# together with the release name when giving a name to resources.
nameOverride: ""
+# fullnameOverride(string) -- optionally overrides the full name of resources.
fullnameOverride: ""
podAnnotations: {}
+# podSecurityContext(object) -- sets the pod security context for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+# for more details.
+#
+# To unset the security context, set it to `null` or `~`.
podSecurityContext: {}
+# securityContext(object) -- sets the container security context for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+# for more details.
+#
+# To unset the security context, set it to `null` or `~`.
securityContext: {}
+# resources(object) -- sets the resource requests/limits for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
+# for more details.
resources: {}
+# nodeSelector(object) -- sets the node selector for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+# for more details.
nodeSelector: {}
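Review bot: `podAnnotations: {}` is the one key in this hunk left without a `name(type) --` comment, so it will not appear in the rendered reference even though every neighbouring key now does; if the templates still consume it, it should get a comment like `# podAnnotations(object) -- are annotations to set on the Pods.`, and if it has been superseded by `annotations.pod` the comment should say so, otherwise users are left with two ways to set the same thing, one of them undocumented. The new `podSecurityContext` and `securityContext` comments explain how to unset the context but not what the empty default means: with `{}` the chart presumably renders no security context at all, so the pod and container run with whatever the cluster or admission defaults are. A sentence such as `# The default is empty; hardening fields such as runAsNonRoot are left to the operator.` would make that visible to people reading the reference rather than the templates.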
# tls -- contains settings for mounting your own TLS material in the event-handler pod.
@@ -166,15 +224,37 @@ tls:
# The key containing the root CA in the secret must be `ca.pem`.
existingCASecretName: ""
+# tolerations(list) -- sets the tolerations for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
+# for more details.
tolerations: []
+# affinity(object) -- sets the affinities for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
+# for more details.
affinity: {}
+# volumes(list) -- sets the volumes mounted into the main event-handler pod.
+# See [the Kubernetes volume
+# documentation](https://kubernetes.io/docs/concepts/storage/volumes/) for more
+# details.
+#
+# For example:
+# ```yaml
+# - name: storage
+# persistentVolumeClaim:
+# claimName: teleport-plugin-event-handler
+# ```
volumes: []
- # - name: storage
- # persistentVolumeClaim:
- # claimName: teleport-plugin-event-handler
+# volumeMounts(list) -- sets the volume mounts for the main event-handler container.
+# See [the Kubernetes volume
+# documentation](https://kubernetes.io/docs/concepts/storage/volumes/) for more
+# details.
+#
+# For example:
+# ```yaml
+# - name: storage
+# mountPath: "/var/lib/teleport/plugins/event-handler/storage"
+# ```
volumeMounts: []
- # - name: storage
- # mountPath: "/var/lib/teleport/plugins/event-handler/storage"
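Review bot: The Kubernetes links added for `tolerations` and `affinity` use the old `concepts/configuration/` path, while the `nodeSelector` comment earlier in this same file points at the current `concepts/scheduling-eviction/` location, so the rendered reference will mix two URL schemes for sibling settings. Since these comments are now the source of the generated docs page, it is worth making them consistent before they are rendered: `# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)` for tolerations and `# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity)` for affinity. The old paths presumably still redirect, so this is a documentation hygiene point rather than a broken link.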
From 14717bec94dfb8c518590cc313ca7a760200608b Mon Sep 17 00:00:00 2001
From: Kevin Shi
Date: Tue, 16 Dec 2025 13:43:20 -0800
Subject: [PATCH 2/3] Re-render docs
---
.../zz_generated.event-handler.mdx | 190 +-----------------
examples/chart/event-handler/values.yaml | 8 +-
2 files changed, 9 insertions(+), 189 deletions(-)
diff --git a/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx b/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
index 4d4e66ec96e73..33c18c20a229f 100644
--- a/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
@@ -1,11 +1,6 @@
{/* Generated file. Do not edit.*/}
{/* Generate this file by navigating to examples/chart and running make render-chart-ref*/}
-## `teleport`
-
-`teleport` contains the configuration describing how the plugin connects to
-your Teleport cluster.
-
### `teleport.address`
| Type | Default |
@@ -104,97 +99,18 @@ The window size should be specified as a duration string, parsed by Go's time.Pa
| Type | Default |
|------|---------|
-| `bool` | `false` |
+| `bool` | `[]` |
`eventHandler.debug` enables debug logging.
-
-### `eventHandler.types`
-
-| Type | Default |
-|------|---------|
-| `list` | `[]` |
-
-`eventHandler.types` is the list of event types to forward.
+eventHandler.types(list) -- is the list of event types to forward.
When unset, the event handler forwards all events.
-
-### `eventHandler.skipEventTypes`
-
-| Type | Default |
-|------|---------|
-| `list` | `[]` |
-
-`eventHandler.skipEventTypes` is the list of audit event types to skip.
-
-### `eventHandler.skipSessionTypes`
-
-| Type | Default |
-|------|---------|
-| `list` | `[]` |
-
-`eventHandler.skipSessionTypes` is the list of session recording event types to skip.
+eventHandler.skipEventTypes(list) -- is the list of audit event types to skip.
+eventHandler.skipSessionTypes(list) -- is the list of session recording event types to skip.
When unset, the event handler skips noisy and binary events.
See the [Teleport-event-handler README](https://github.com/gravitational/teleport/blob/1d2bd5eb8fc3500deb7d7108f6835efde98b7b24/integrations/event-handler/README.md)
for a list of default skipped events.
-### `eventHandler.startTime`
-
-| Type | Default |
-|------|---------|
-| `string` | `""` |
-
-`eventHandler.startTime` is the start time to start ingestion from (RFC3339 format).
-
-### `eventHandler.dryRun`
-
-| Type | Default |
-|------|---------|
-| `bool` | `false` |
-
-`eventHandler.dryRun` enables dry run without sending events to fluentd.
-
-### `eventHandler.concurrency`
-
-| Type | Default |
-|------|---------|
-| `int` | `5` |
-
-`eventHandler.concurrency` is the number of concurrent sessions to process. By default, this is set to 5.
-
-#### `eventHandler.lock.enabled`
-
-| Type | Default |
-|------|---------|
-| `bool` | `false` |
-
-`eventHandler.lock.enabled` controls whether user auto-locking is enabled.
-
-#### `eventHandler.lock.failedAttemptsCount`
-
-| Type | Default |
-|------|---------|
-| `int` | `3` |
-
-`eventHandler.lock.failedAttemptsCount` is the number of failed attempts in the `lockPeriod` which
-triggers locking. By default, this is set to 3.
-
-#### `eventHandler.lock.period`
-
-| Type | Default |
-|------|---------|
-| `string` | `"1m"` |
-
-`eventHandler.lock.period` is the time period where `lock-failed-attempts-count` failed attempts
-will trigger locking. By default, this is set to 1 minute.
-
-#### `eventHandler.lock.for`
-
-| Type | Default |
-|------|---------|
-| `string` | `""` |
-
-`eventHandler.lock.for` is the time period for which user gets lock.
-
## `fluentd`
`fluentd` contains the configuration for the fluentd forwarder.
@@ -248,15 +164,6 @@ It must contain the CA certificate, the client key and the client certificate.
`fluentd.certificate.keyPath` is the name of the key which contains the client's private key inside the secret.
-### `fluentd.maxConnections`
-
-| Type | Default |
-|------|---------|
-| `int` | `0` |
-
-`fluentd.maxConnections` is the maximum number of connections to Fluentd. By default, or when set to 0,
-this becomes `eventHandler.concurrency` * 2.
-
## `tbot`
`tbot` controls the optional tbot deployment that obtains and renews
@@ -326,69 +233,7 @@ teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
| `string` | `"kubernetes"` |
`tbot.joinMethod` describes how tbot joins the Teleport cluster.
-See [the join method reference](../../reference/deployment/join-methods.mdx) for a list of supported values and detailed explanations.
-
-## `annotations`
-
-`annotations` contains annotations to apply to the different Kubernetes
-objects created by the chart. See [the Kubernetes annotation
-documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
-for more details.
-
-### `annotations.config`
-
-| Type | Default |
-|------|---------|
-| `object` | `{}` |
-
-`annotations.config` are annotations to set on the ConfigMap.
-
-### `annotations.deployment`
-
-| Type | Default |
-|------|---------|
-| `object` | `{}` |
-
-`annotations.deployment` are annotations to set on the Deployment.
-
-### `annotations.pod`
-
-| Type | Default |
-|------|---------|
-| `object` | `{}` |
-
-`annotations.pod` are annotations to set on the Pods.
-
-## `extraLabels`
-
-`extraLabels` contains additional Kubernetes labels to apply on the resources
-created by the chart. See [the Kubernetes label documentation
-](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/)
-for more information.
-
-### `extraLabels.config`
-
-| Type | Default |
-|------|---------|
-| `object` | `{}` |
-
-`extraLabels.config` are labels to set on the ConfigMap.
-
-### `extraLabels.deployment`
-
-| Type | Default |
-|------|---------|
-| `object` | `{}` |
-
-`extraLabels.deployment` are labels to set on the Deployment.
-
-### `extraLabels.pod`
-
-| Type | Default |
-|------|---------|
-| `object` | `{}` |
-
-`extraLabels.pod` are labels to set on the Pods.
+See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
## `image`
@@ -582,28 +427,3 @@ For example:
- name: storage
mountPath: "/var/lib/teleport/plugins/event-handler/storage"
```
-
-## `extraArgs`
-
-| Type | Default |
-|------|---------|
-| `list` | `[]` |
-
-`extraArgs` contains extra arguments to pass to `teleport-plugin start` for
-the main event-handler container.
-
-## `extraEnv`
-
-| Type | Default |
-|------|---------|
-| `list` | `[]` |
-
-`extraEnv` contains extra environment variables to set in the main
-event-handler container.
-
-For example:
-```yaml
-extraEnv:
- - name: HTTPS_PROXY
- value: "http://username:password@my.proxy.host:3128"
-```
diff --git a/examples/chart/event-handler/values.yaml b/examples/chart/event-handler/values.yaml
index 9c48caf06c284..0d50d1d6312fb 100644
--- a/examples/chart/event-handler/values.yaml
+++ b/examples/chart/event-handler/values.yaml
@@ -58,18 +58,18 @@ eventHandler:
# The window size should be specified as a duration string, parsed by Go's time.ParseDuration.
windowSize: "24h"
# eventHandler.debug(bool) -- enables debug logging.
- # debug: false
+ # @default -- false
# eventHandler.types(list) -- is the list of event types to forward.
# When unset, the event handler forwards all events.
- # types: []
+ # @default -- []
# eventHandler.skipEventTypes(list) -- is the list of audit event types to skip.
- # skipEventTypes: []
+ # @default -- []
# eventHandler.skipSessionTypes(list) -- is the list of session recording event types to skip.
# When unset, the event handler skips noisy and binary events.
#
# See the [Teleport-event-handler README](https://github.com/gravitational/teleport/blob/1d2bd5eb8fc3500deb7d7108f6835efde98b7b24/integrations/event-handler/README.md)
# for a list of default skipped events.
- # skipSessionTypes: []
+ # @default -- []
# fluentd -- contains the configuration for the fluentd forwarder.
fluentd:
From 3e0ee0ed809c2fd925e34d24ebfab5773314ba8d Mon Sep 17 00:00:00 2001
From: Kevin Shi
Date: Wed, 17 Dec 2025 10:17:20 -0800
Subject: [PATCH 3/3] Add default yaml nodes to values.yaml
---
.../zz_generated.event-handler.mdx | 29 ++++++++++++++++---
examples/chart/event-handler/values.yaml | 8 ++---
2 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx b/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
index 33c18c20a229f..51b6996268f2a 100644
--- a/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.event-handler.mdx
@@ -99,13 +99,34 @@ The window size should be specified as a duration string, parsed by Go's time.Pa
| Type | Default |
|------|---------|
-| `bool` | `[]` |
+| `bool` | `false` |
`eventHandler.debug` enables debug logging.
-eventHandler.types(list) -- is the list of event types to forward.
+
+### `eventHandler.types`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`eventHandler.types` is the list of event types to forward.
When unset, the event handler forwards all events.
-eventHandler.skipEventTypes(list) -- is the list of audit event types to skip.
-eventHandler.skipSessionTypes(list) -- is the list of session recording event types to skip.
+
+### `eventHandler.skipEventTypes`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`eventHandler.skipEventTypes` is the list of audit event types to skip.
+
+### `eventHandler.skipSessionTypes`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`eventHandler.skipSessionTypes` is the list of session recording event types to skip.
When unset, the event handler skips noisy and binary events.
See the [Teleport-event-handler README](https://github.com/gravitational/teleport/blob/1d2bd5eb8fc3500deb7d7108f6835efde98b7b24/integrations/event-handler/README.md)
diff --git a/examples/chart/event-handler/values.yaml b/examples/chart/event-handler/values.yaml
index 0d50d1d6312fb..6aaf6a9fe9cfd 100644
--- a/examples/chart/event-handler/values.yaml
+++ b/examples/chart/event-handler/values.yaml
@@ -58,18 +58,18 @@ eventHandler:
# The window size should be specified as a duration string, parsed by Go's time.ParseDuration.
windowSize: "24h"
# eventHandler.debug(bool) -- enables debug logging.
- # @default -- false
+ debug: false
# eventHandler.types(list) -- is the list of event types to forward.
# When unset, the event handler forwards all events.
- # @default -- []
+ types: []
# eventHandler.skipEventTypes(list) -- is the list of audit event types to skip.
- # @default -- []
+ skipEventTypes: []
# eventHandler.skipSessionTypes(list) -- is the list of session recording event types to skip.
# When unset, the event handler skips noisy and binary events.
#
# See the [Teleport-event-handler README](https://github.com/gravitational/teleport/blob/1d2bd5eb8fc3500deb7d7108f6835efde98b7b24/integrations/event-handler/README.md)
# for a list of default skipped events.
- # @default -- []
+ skipSessionTypes: []
# fluentd -- contains the configuration for the fluentd forwarder.
fluentd:
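Review bot: Restoring `types: []`, `skipEventTypes: []` and `skipSessionTypes: []` as explicit defaults only matches the documented behaviour if the chart template treats an empty list the same as an unset value; the comments above each key say "When unset, the event handler forwards all events" and "When unset, the event handler skips noisy and binary events", and the generated reference in this series now prints `[]` as the default, so a reader cannot tell from values.yaml whether a default install applies the built-in skip list or skips nothing. I could not see the template from this hunk, so please confirm it guards these with a truthiness check rather than rendering the empty list into the plugin config. If that is the case, state it where the reader will look: `# An empty list is treated as unset, so the defaults above apply.` under each of the three keys, so the security-relevant default (which audit events are dropped) is unambiguous.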