# teleport-access-graph Chart Reference

The `teleport-access-graph` Helm chart deploys the Access Graph service.

See [Teleport Identity Security with Access Graph on Self-Hosted Clusters with Helm](https://goteleport.com/docs/identity-security/access-graph/self-hosted-helm.md) for more details.

---

VERSION COMPATIBILITY

The chart is versioned with the Access Graph service. No compatibility guarantees are ensured if the service and chart versions differ. It is strongly recommended to always align the chart and service versions by using the `--version` Helm flag.

---

## `tls`

`tls` TLS settings for the main gRPC listener.

### `tls.existingSecretName`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`tls.existingSecretName` is the name of an existing Kubernetes secret containing the certificate and its private key to use for the gRPC listener. The secret must be of type `kubernetes.io/tls`, see [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets) for more details.

Setting this is required, as Access Graph always operates via TLS-protected connections.

## `clusterHostCAs`

| Type    | Default |
| ------- | ------- |
| `array` | `[]`    |

`clusterHostCAs` is a list of strings containing PEM-encoded Host CA certificates of Teleport clusters that are allowed to use this instance of Access Graph. Setting this to a non-empty array is required.

## `service`

| Type     | Default                               |
| -------- | ------------------------------------- |
| `object` | `{"grpcPort":443,"type":"ClusterIP"}` |

`service` contains options for the Access Graph Kubernetes service that the Chart exposes.

### `service.type`

| Type     | Default       |
| -------- | ------------- |
| `string` | `"ClusterIP"` |

`service.type` the type of Kubernetes service to create. The `LoadBalancer` type is only supported when using a Layer 4 (TCP) or lower load balancer. Access Graph expects to terminate its own TLS, as it uses mTLS to authenticate its clients.

### `service.grpcPort`

| Type  | Default |
| ----- | ------- |
| `int` | `443`   |

`service.grpcPort` the port that the gRPC service is exposed on. This is the port that Teleport Auth Service and Proxy Service will need to connect to Access Graph on.

## `replicaCount`

| Type  | Default |
| ----- | ------- |
| `int` | `2`     |

`replicaCount` the number of Access Graph pods that should be deployed.

## `image`

### `image.tag`

| Type     | Default |
| -------- | ------- |
| `string` | `""`    |

`image.tag` sets the version of the Access Graph image used. By default, this is the same as the Helm Chart version, i.e. Access Graph will be upgraded when you upgrade the Helm chart.

## `podAnnotations`

| Type     | Default |
| -------- | ------- |
| `object` | `{}`    |

`podAnnotations` contains the Kubernetes annotations put on the `Pod` resources created by the chart.

## `podLabels`

| Type     | Default |
| -------- | ------- |
| `object` | `{}`    |

`podLabels` contains the Kubernetes labels put on the `Pod` resources created by the chart.

## `podSecurityContext`

| Type     | Default                                                      |
| -------- | ------------------------------------------------------------ |
| `object` | `{"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532}` |

`podSecurityContext` sets the pod security context for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for more details.

The default value supports running under the `restricted` [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/).

## `securityContext`

| Type     | Default                                                                                                         |
| -------- | --------------------------------------------------------------------------------------------------------------- |
| `object` | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"seccompProfile":{"type":"RuntimeDefault"}}` |

`securityContext` sets the container security context for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for more details.

The default value supports running under the `restricted` [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/).

## `volumes`

| Type    | Default |
| ------- | ------- |
| `array` | `[]`    |

`volumes` allows to define additional volumes on the output Deployment definition.

## `nodeSelector`

| Type     | Default |
| -------- | ------- |
| `object` | `{}`    |

`nodeSelector` sets the node selector for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) for more details.

## `tolerations`

| Type   | Default |
| ------ | ------- |
| `list` | `[]`    |

`tolerations` sets the tolerations for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) for more details.

## `affinity`

| Type     | Default |
| -------- | ------- |
| `object` | `{}`    |

`affinity` sets the affinities for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for more details.