# teleport-plugin-jira Chart Reference The `teleport-plugin-jira` Helm chart runs the Jira Teleport plugin, which allows users to receive and manage Access Requests as tasks in a Jira project. You can [browse the source on GitHub](https://github.com/gravitational/teleport/tree/v18.7.3/examples/chart/access/jira). This reference details available values for the `teleport-plugin-jira` chart. --- WARNING Backing up production instances, environments, and/or settings before making permanent modifications is encouraged as a best practice. Doing so allows you to roll back to an existing state if needed. --- ## `teleport` `teleport` contains the configuration describing how the plugin connects to your Teleport cluster. ### `teleport.address` | Type | Default | | -------- | ------- | | `string` | `""` | `teleport.address` is the address of the Teleport cluster the plugin connects to. The address must contain both the domain name and the port of the Teleport cluster. It can be either the address of the auth servers or the proxy servers. For example: - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080` - joining an Auth: `teleport-auth.example.com:3025` When the address is empty, `tbot.teleportProxyAddress` or `tbot.teleportAuthAddress` will be used if they are set. ### `teleport.identityFromSecret` | Type | Default | | -------- | ------- | | `string` | `""` | `teleport.identityFromSecret` is the name of the Kubernetes secret that contains the credentials for the connection to your Teleport cluster. The secret should be in the following format: ``` apiVersion: v1 kind: Secret type: Opaque metadata: name: teleport-plugin-identity data: auth_id: #... ``` Check out the [Access Requests with Jira](https://goteleport.com/docs/identity-governance/access-requests/plugins/jira.md) guide for more information about how to acquire these credentials. ### `teleport.identitySecretPath` | Type | Default | | -------- | ----------- | | `string` | `"auth_id"` | `teleport.identitySecretPath` is the key in the Kubernetes secret specified by `teleport.identitySecretName` that holds the credentials for the connection to your Teleport cluster. If the secret has the path, `"auth_id"`, you can omit this field. ## `jira` `jira` contains the configuration used by the plugin to authenticate to Jira and open issues. You can pass the Jira apiToken: - via the chart Values by setting `jira.apiToken` - via an existing Kubernetes Secret by setting `jira.apiTokenFromSecret` ### `jira.url` | Type | Default | | -------- | ------- | | `string` | `""` | `jira.url` is the Jira URL. For example: - a self-hosted Jira instance URL would be `https://jira.example.com/`. - a Jira Cloud URL would be `https://[your-jira].atlassian.net`. ### `jira.url` | Type | Default | | -------- | ------- | | `string` | `""` | `jira.url` is the Jira username or email address associated with the API token. ### `jira.apiToken` | Type | Default | | -------- | ------- | | `string` | `""` | `jira.apiToken` is the Jira apiToken used by the plugin to interact with Jira. When set, the Chart creates a Kubernetes Secret for you. This value has no effect if `jira.apiTokenFromSecret` is set. ### `jira.apiTokenFromSecret` | Type | Default | | -------- | ------- | | `string` | `""` | `jira.apiTokenFromSecret` is the name of the Kubernetes Secret containing the Jira apiToken. When this value is set, you must create the Secret before creating the chart release. ### `jira.apiTokenSecretPath` | Type | Default | | -------- | ---------------- | | `string` | `"jiraApiToken"` | `jira.apiTokenSecretPath` is the Kubernetes Secret key containing the Jira apiToken. The secret name is set via `jira.apiTokenFromSecret`. ### `jira.project` | Type | Default | | -------- | ------- | | `string` | `""` | `jira.project` is the Jira project in which the issues are opened. This value is mandatory. ### `jira.issueType` | Type | Default | | -------- | -------- | | `string` | `"Task"` | `jira.issueType` is the issue type used when opening Jira issues. ## `http` `http` contains the webhook configuration. When an issue is updated in Jira (approved or denied), Jira contacts the plugin via webhook to trigger the Teleport Access Request approval. ### `http.publicAddress` | Type | Default | | -------- | ------- | | `string` | `""` | `http.publicAddress` is the URL on which the callback server is accessible externally, e.g. `[https://]teleport-proxy.example.com`. ### `http.tlsFromSecret` | Type | Default | | -------- | ------- | | `string` | `""` | `http.tlsFromSecret` is the name of the Kubernetes Secret containing the TLS private key and certificate used by the webhook server. ### `http.tlsKeySecretPath` | Type | Default | | -------- | ----------- | | `string` | `"tls.key"` | `http.tlsKeySecretPath` is the field of the Kubernetes Secret containing the TLS private key used by the webhook server. ### `http.tlsCertSecretPath` | Type | Default | | -------- | ----------- | | `string` | `"tls.crt"` | `http.tlsCertSecretPath` is the field of the Kubernetes Secret containing the TLS certificate used by the webhook server. ## `chartMode` | Type | Default | | -------- | ------- | | `string` | `""` | `chartMode` enables cloud-specific helpers. `aws` is the only supported value. When `chartMode` is `aws`, the created service wears the in-tree AWS LB controller annotations. ## `log` `log` controls the plugin logging. ### `log.severity` | Type | Default | | -------- | -------- | | `string` | `"INFO"` | `log.severity` is the log level for the Teleport process. Available log levels are: `DEBUG`, `INFO`, `WARN`, `ERROR`. The default is `INFO`, which is recommended in production. `DEBUG` is useful during first-time setup or to see more detailed logs for debugging. ### `log.output` | Type | Default | | -------- | ---------- | | `string` | `"stdout"` | `log.output` sets the output destination for the Teleport process. This can be set to any of the built-in values: `stdout`, `stderr`. The value can also be set to a file path (such as `/var/log/teleport.log`) to write logs to a file. Bear in mind that a few service startup messages will still go to `stderr` for resilience. ## `tbot` `tbot` controls the optional tbot deployment that obtains and renews credentials for the plugin to connect to Teleport. Only default and mandatory values are described here, see the tbot chart reference for the full list of supported values. ### `tbot.enabled` | Type | Default | | ------ | ------- | | `bool` | `false` | `tbot.enabled` controls if tbot should be deployed with the Jira plugin. ### `tbot.clusterName` | Type | Default | | -------- | ------- | | `string` | `""` | `tbot.clusterName` is the name of the Teleport cluster tbot and the Jira plugin will join. Setting this value is mandatory when tbot is enabled. ### `tbot.teleportProxyAddress` | Type | Default | | -------- | ------- | | `string` | `""` | `tbot.teleportProxyAddress` is the teleport Proxy Service address the bot will connect to. This must contain the port number, usually 443 or 3080 for Proxy Service. Connecting to the Proxy Service is the most common and recommended way to connect to Teleport. This is mandatory to connect to Teleport Enterprise (Cloud). This setting is mutually exclusive with `teleportAuthAddress`. For example: ``` tbot: teleportProxyAddress: "test.teleport.sh:443" ``` ### `tbot.teleportAuthAddress` | Type | Default | | -------- | ------- | | `string` | `""` | `tbot.teleportAuthAddress` is the teleport Auth Service address the bot will connect to. This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster` Helm release and have direct access to the Auth Service. Else, you should prefer connecting via the Proxy Service. This setting is mutually exclusive with `teleportProxyAddress`. For example: ``` teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025" ``` ### `tbot.joinMethod` | Type | Default | | -------- | -------------- | | `string` | `"kubernetes"` | `tbot.joinMethod` describes how tbot joins the Teleport cluster. See [the join method reference](https://goteleport.com/docs/reference/deployment/join-methods.md) for a list of supported values and detailed explanations. ## `annotations` `annotations` contains annotations to apply to the different Kubernetes objects created by the chart. See [the Kubernetes annotation documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) for more details. ### `annotations.config` | Type | Default | | -------- | ------- | | `object` | `{}` | `annotations.config` contains the Kubernetes annotations put on the `ConfigMap` resource created by the chart. ### `annotations.deployment` | Type | Default | | -------- | ------- | | `object` | `{}` | `annotations.deployment` contains the Kubernetes annotations put on the `Deployment` or `StatefulSet` resource created by the chart. ### `annotations.pod` | Type | Default | | -------- | ------- | | `object` | `{}` | `annotations.pod` contains the Kubernetes annotations put on the `Pod` resources created by the chart. ### `annotations.secret` | Type | Default | | -------- | ------- | | `object` | `{}` | `annotations.secret` contains the Kubernetes annotations put on the `Secret` resource created by the chart. This has no effect when `joinTokenSecret.create` is `false`. ### `annotations.service` | Type | Default | | -------- | ------- | | `object` | `{}` | `annotations.service` contains the Kubernetes annotations put on the `Service` resource created by the chart. ## `image` `image` sets the container image used for plugin pods created by the chart. You can override this to use your own plugin image rather than a Teleport-published image. ### `image.repository` | Type | Default | | -------- | ----------------------------------------------------- | | `string` | `"public.ecr.aws/gravitational/teleport-plugin-jira"` | `image.repository` is the image repository. ### `image.pullPolicy` | Type | Default | | -------- | ---------------- | | `string` | `"IfNotPresent"` | `image.pullPolicy` is the [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy). ### `image.tag` | Type | Default | | -------- | ------- | | `string` | `""` | `image.tag` Overrides the image tag whose default is the chart appVersion. Normally, the version of the Teleport plugin matches the version of the chart. If you install chart version 15.0.0, you'll use the plugin version 15.0.0. Upgrading the plugin is done by upgrading the chart. --- WARNING `image.tag` is intended for development and custom tags. This MUST NOT be used to control the plugin version in a typical deployment. This chart is designed to run a specific plugin version. You will face compatibility issues trying to run a different version with it. If you want to run the Teleport plugin version `X.Y.Z`, you should use `helm install --version X.Y.Z` instead. --- ## `imagePullSecrets` | Type | Default | | ------ | ------- | | `list` | `[]` | `imagePullSecrets` is a list of secrets containing authorization tokens which can be optionally used to access a private Docker registry. See the [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) for more details. ## `podSecurityContext` | Type | Default | | -------- | ------- | | `object` | `{}` | `podSecurityContext` sets the pod security context for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) for more details. To unset the security context, set it to `null` or `~`. ## `securityContext` | Type | Default | | -------- | ------- | | `object` | `{}` | `securityContext` sets the container security context for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) for more details. To unset the security context, set it to `null` or `~`. ## `resources` | Type | Default | | -------- | ------- | | `object` | `{}` | `resources` sets the resource requests/limits for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for more details. ## `nodeSelector` | Type | Default | | -------- | ------- | | `object` | `{}` | `nodeSelector` sets the node selector for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) for more details. ## `tolerations` | Type | Default | | ------ | ------- | | `list` | `[]` | `tolerations` sets the tolerations for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) for more details. ## `affinity` | Type | Default | | -------- | ------- | | `object` | `{}` | `affinity` sets the affinities for any pods created by the chart. See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) for more details. ## `serviceType` | Type | Default | | -------- | ---------------- | | `string` | `"LoadBalancer"` | `serviceType` sets the service type of the Kubernetes `Service` resource created by the chart.