diff --git a/docs/pages/includes/helm-reference/zz_generated.access-datadog.mdx b/docs/pages/includes/helm-reference/zz_generated.access-datadog.mdx
new file mode 100644
index 0000000000000..cc90d24bab68e
--- /dev/null
+++ b/docs/pages/includes/helm-reference/zz_generated.access-datadog.mdx
@@ -0,0 +1,417 @@
+
+{/* Generated file. Do not edit.*/}
+{/* Generate this file by navigating to examples/chart and running make render-chart-ref*/}
+## `teleport`
+
+`teleport` contains the configuration describing how the plugin connects to
+your Teleport cluster.
+
+### `teleport.address`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`teleport.address` is the address of the Teleport cluster the plugin
+connects to. The address must contain both the domain name and the port of
+the Teleport cluster. It can be either the address of the auth servers or the
+proxy servers.
+
+For example:
+ - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
+ - joining an Auth: `teleport-auth.example.com:3025`
+
+When the address is empty, `tbot.teleportProxyAddress`
+or `tbot.teleportAuthAddress` will be used if they are set.
+
+### `teleport.identitySecretName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`teleport.identitySecretName` is the name of the Kubernetes secret
+that contains the credentials for the connection to your Teleport cluster.
+
+The secret should be in the following format:
+
+```yaml
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: teleport-plugin-datadog-identity
+data:
+ auth_id: #...
+```
+
+Check out the [Access Requests with
+Datadog Incident Management](../../admin-guides/access-controls/access-request-plugins/datadog-hosted.mdx) guide
+for more information about how to acquire these credentials.
+
+### `teleport.identitySecretPath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"auth_id"` |
+
+`teleport.identitySecretPath` is the key in the Kubernetes secret
+specified by `teleport.identitySecretName` that holds the credentials for
+the connection to your Teleport cluster. If the secret has the path,
+`"auth_id"`, you can omit this field.
+
+## `datadog`
+
+`datadog` contains the configuration used by the plugin to authenticate to Datadog.
+
+You can pass the Datadog keys by setting the chart values or using an existing Kubernetes Secret.
+
+### `datadog.apiEndpoint`
+
+| Type | Default |
+|------|---------|
+| `string` | `"https://api.datadoghq.com"` |
+
+`datadog.apiEndpoint` specifies which Datadog API site to set API
+requests.
+
+### `datadog.apiKey`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`datadog.apiKey` is the Datadog API key used by the plugin to interact
+with Datadog. When set, the Chart creates a Kubernetes Secret for you.
+
+This value has no effect if `datadog.apiKeyFromSecret` is set.
+
+### `datadog.apiKeyFromSecret`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`datadog.apiKeyFromSecret` is the name of the Kubernetes Secret
+containing the Datadog apiKey. When this value is set, you must create the
+Secret before creating the chart release.
+
+### `datadog.apiKeySecretPath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"datadogApiKey"` |
+
+`datadog.apiKeySecretPath` is the Kubernetes Secret key
+containing the Datadog API key. The secret name is set via `datadog.apiKeyFromSecret`.
+
+### `datadog.applicationKey`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`datadog.applicationKey` is the Datadog Application key used by the plugin to interact
+with Datadog. When set, the Chart creates a Kubernetes Secret for you.
+
+This value has no effect if `datadog.applicationKeyFromSecret` is set.
+
+### `datadog.applicationKeyFromSecret`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`datadog.applicationKeyFromSecret` is the name of the Kubernetes Secret
+containing the Datadog applicationKey. When this value is set, you must create the
+Secret before creating the chart release.
+
+### `datadog.applicationKeySecretPath`
+
+| Type | Default |
+|------|---------|
+| `string` | `"datadogApplicationKey"` |
+
+`datadog.applicationKeySecretPath` is the Kubernetes Secret key
+containing the Datadog Application key. The secret name is set via `datadog.applicationKeyFromSecret`.
+
+### `datadog.fallbackRecipient`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`datadog.fallbackRecipient` specifies the default recipient for
+Access Request notifications. The recipient can be a Datadog user email or
+a team handle.
+
+### `datadog.severity`
+
+| Type | Default |
+|------|---------|
+| `string` | `"SEV-3"` |
+
+`datadog.severity` specifies the Datadog incident severity.
+
+## `log`
+
+`log` controls the plugin logging.
+
+### `log.severity`
+
+| Type | Default |
+|------|---------|
+| `string` | `"INFO"` |
+
+`log.severity` is the log level for the Teleport process.
+Available log levels are: `DEBUG`, `INFO`, `WARN`, `ERROR`.
+
+The default is `INFO`, which is recommended in production.
+`DEBUG` is useful during first-time setup or to see more detailed logs for debugging.
+
+### `log.output`
+
+| Type | Default |
+|------|---------|
+| `string` | `"stdout"` |
+
+`log.output` sets the output destination for the Teleport process.
+This can be set to any of the built-in values: `stdout`, `stderr`.
+
+The value can also be set to a file path (such as `/var/log/teleport.log`)
+to write logs to a file. Bear in mind that a few service startup messages
+will still go to `stderr` for resilience.
+
+## `tbot`
+
+`tbot` controls the optional tbot deployment that obtains and renews
+credentials for the plugin to connect to Teleport.
+Only default and mandatory values are described here, see the tbot chart reference
+for the full list of supported values.
+
+### `tbot.enabled`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`tbot.enabled` controls if tbot should be deployed with the datadog plugin.
+
+### `tbot.clusterName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.clusterName` is the name of the Teleport cluster tbot and the Datadog plugin will join.
+Setting this value is mandatory when tbot is enabled.
+
+### `tbot.teleportProxyAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportProxyAddress` is the teleport Proxy Service address the bot will connect to.
+This must contain the port number, usually 443 or 3080 for Proxy Service.
+Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+This is mandatory to connect to Teleport Enterprise (Cloud).
+
+This setting is mutually exclusive with `teleportAuthAddress`.
+
+For example:
+```yaml
+tbot:
+ teleportProxyAddress: "test.teleport.sh:443"
+```
+
+### `tbot.teleportAuthAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportAuthAddress` is the teleport Auth Service address the bot will connect to.
+This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+Helm release and have direct access to the Auth Service.
+Else, you should prefer connecting via the Proxy Service.
+
+This setting is mutually exclusive with `teleportProxyAddress`.
+
+For example:
+```yaml
+teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+```
+
+### `tbot.joinMethod`
+
+| Type | Default |
+|------|---------|
+| `string` | `"kubernetes"` |
+
+`tbot.joinMethod` describes how tbot joins the Teleport cluster.
+See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+
+## `annotations`
+
+`annotations` contains annotations to apply to the different Kubernetes
+objects created by the chart. See [the Kubernetes annotation
+documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
+for more details.
+
+### `annotations.config`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`annotations.config` contains the Kubernetes annotations
+put on the `ConfigMap` resource created by the chart.
+
+### `annotations.deployment`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`annotations.deployment` contains the Kubernetes annotations
+put on the `Deployment` or `StatefulSet` resource created by the chart.
+
+### `annotations.pod`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`annotations.pod` contains the Kubernetes annotations
+put on the `Pod` resources created by the chart.
+
+### `annotations.secret`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`annotations.secret` contains the Kubernetes annotations
+put on the `Secret` resource created by the chart.
+This has no effect when `joinTokenSecret.create` is `false`.
+
+## `image`
+
+`image` sets the container image used for plugin pods created by the chart.
+
+You can override this to use your own plugin image rather than a Teleport-published image.
+
+### `image.repository`
+
+| Type | Default |
+|------|---------|
+| `string` | `"public.ecr.aws/gravitational/teleport-plugin-datadog"` |
+
+`image.repository` is the image repository.
+
+### `image.pullPolicy`
+
+| Type | Default |
+|------|---------|
+| `string` | `"IfNotPresent"` |
+
+`image.pullPolicy` is the [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy).
+
+### `image.tag`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`image.tag` Overrides the image tag whose default is the chart appVersion.
+
+Normally, the version of the Teleport plugin matches the
+version of the chart. If you install chart version 15.0.0, you'll use
+the plugin version 15.0.0. Upgrading the plugin is done by upgrading the chart.
+
+
+`image.tag` is intended for development and custom tags. This MUST NOT be
+used to control the plugin version in a typical deployment. This
+chart is designed to run a specific plugin version. You will face
+compatibility issues trying to run a different version with it.
+
+If you want to run the Teleport plugin version `X.Y.Z`, you should use
+`helm install --version X.Y.Z` instead.
+
+
+## `imagePullSecrets`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`imagePullSecrets` is a list of secrets containing authorization tokens
+which can be optionally used to access a private Docker registry.
+
+See the [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) for more details.
+
+## `podSecurityContext`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`podSecurityContext` sets the pod security context for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+for more details.
+
+To unset the security context, set it to `null` or `~`.
+
+## `securityContext`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`securityContext` sets the container security context for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+for more details.
+
+To unset the security context, set it to `null` or `~`.
+
+## `resources`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`resources` sets the resource requests/limits for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
+for more details.
+
+## `nodeSelector`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`nodeSelector` sets the node selector for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+for more details.
+
+## `tolerations`
+
+| Type | Default |
+|------|---------|
+| `list` | `[]` |
+
+`tolerations` sets the tolerations for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
+for more details.
+
+## `affinity`
+
+| Type | Default |
+|------|---------|
+| `object` | `{}` |
+
+`affinity` sets the affinities for any pods created by the chart.
+See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
+for more details.
diff --git a/docs/pages/reference/helm-reference.mdx b/docs/pages/reference/helm-reference.mdx
index 8a7a939304c7d..daac382c8ba6d 100644
--- a/docs/pages/reference/helm-reference.mdx
+++ b/docs/pages/reference/helm-reference.mdx
@@ -39,3 +39,6 @@ layout: tocless-doc
- [teleport-plugin-slack](./helm-reference/teleport-plugin-slack.mdx): Deploy
the Teleport Slack Plugin, which allows notifying Slack users and channels
when Access Requests are made.
+- [teleport-plugin-datadog](./helm-reference/teleport-plugin-datadog.mdx): Deploy
+ the Teleport Datadog Incident Management Plugin, which allows Access Requests
+ to be managed as Datadog incidents.
\ No newline at end of file
diff --git a/docs/pages/reference/helm-reference/teleport-plugin-datadog.mdx b/docs/pages/reference/helm-reference/teleport-plugin-datadog.mdx
new file mode 100644
index 0000000000000..6afc4634da03a
--- /dev/null
+++ b/docs/pages/reference/helm-reference/teleport-plugin-datadog.mdx
@@ -0,0 +1,15 @@
+---
+title: teleport-plugin-datadog Chart Reference
+description: Values that can be set using the teleport-plugin-datadog Helm chart
+---
+
+The `teleport-plugin-datadog` Helm chart runs the Datadog Teleport plugin, which
+allows users to receive and manage Access Requests as Datadog incidents.
+
+You can [browse the source on GitHub](https://github.com/gravitational/teleport/tree/v(=teleport.version=)/examples/chart/access/datadog).
+
+This reference details available values for the `teleport-plugin-datadog` chart.
+
+(!docs/pages/includes/backup-warning.mdx!)
+
+(!docs/pages/includes/helm-reference/zz_generated.access-datadog.mdx!)
diff --git a/examples/chart/Makefile b/examples/chart/Makefile
index e48ee95f70a1c..017864ae573b5 100644
--- a/examples/chart/Makefile
+++ b/examples/chart/Makefile
@@ -1,7 +1,7 @@
# TODO(hugoShaka): uncomment the additional targets as we start sync-ing
# the reference and the values.yaml
-access = discord email jira mattermost msteams pagerduty slack
+access = discord email jira mattermost msteams pagerduty slack datadog
check_access = $(addprefix check-chart-ref-access-,$(access))
render_access = $(addprefix render-chart-ref-access-,$(access))
diff --git a/examples/chart/access/datadog/.helmignore b/examples/chart/access/datadog/.helmignore
new file mode 100644
index 0000000000000..0e8a0eb36f4ca
--- /dev/null
+++ b/examples/chart/access/datadog/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/examples/chart/access/datadog/Chart.yaml b/examples/chart/access/datadog/Chart.yaml
new file mode 100644
index 0000000000000..cd2ee76d02052
--- /dev/null
+++ b/examples/chart/access/datadog/Chart.yaml
@@ -0,0 +1,13 @@
+.version: &version "17.0.0-dev"
+
+apiVersion: v2
+name: teleport-plugin-datadog
+description: A Helm chart for the Teleport Datadog Incident Management Plugin
+type: application
+version: *version
+appVersion: *version
+
+dependencies:
+ - name: tbot
+ version: *version
+ condition: tbot.enabled
diff --git a/examples/chart/access/datadog/README.md b/examples/chart/access/datadog/README.md
new file mode 100644
index 0000000000000..5a88a98868994
--- /dev/null
+++ b/examples/chart/access/datadog/README.md
@@ -0,0 +1,11 @@
+# Teleport Access Request Datadog Incident Management Plugin
+
+This chart sets up and configures a Deployment for the Access Request Datadog Incident Management plugin.
+
+## Installation
+
+See the [Access Requests with Datadog Incident Management guide](https://goteleport.com/docs/access-controls/access-request-plugins/datadog-hosted/).
+
+## Values
+
+See [teleport-plugin-datadog Chart Reference](https://goteleport.com/docs/reference/helm-reference/teleport-plugin-datadog/) for available Helm Chart configuration.
diff --git a/examples/chart/access/datadog/charts/tbot b/examples/chart/access/datadog/charts/tbot
new file mode 120000
index 0000000000000..bc5284c76fa10
--- /dev/null
+++ b/examples/chart/access/datadog/charts/tbot
@@ -0,0 +1 @@
+../../../tbot
\ No newline at end of file
diff --git a/examples/chart/access/datadog/templates/_helpers.tpl b/examples/chart/access/datadog/templates/_helpers.tpl
new file mode 100644
index 0000000000000..86e3fb5b1f677
--- /dev/null
+++ b/examples/chart/access/datadog/templates/_helpers.tpl
@@ -0,0 +1,82 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "datadog.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "datadog.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "datadog.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "datadog.labels" -}}
+helm.sh/chart: {{ include "datadog.chart" . }}
+{{ include "datadog.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "datadog.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "datadog.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "datadog.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "datadog.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "datadog.identitySecretName" -}}
+{{- if .Values.teleport.identitySecretName -}}
+{{- .Values.teleport.identitySecretName -}}
+{{- else if .Values.tbot.enabled -}}
+ {{- .Release.Name }}-{{ default .Values.tbot.nameOverride "tbot" }}-out
+{{- end }}
+{{- end -}}
+
+{{- define "datadog.identitySecretPath" -}}
+{{- if .Values.tbot.enabled -}}
+identity
+{{- else -}}
+{{- .Values.teleport.identitySecretPath -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "datadog.teleportAddress" -}}
+
+{{- end -}}
diff --git a/examples/chart/access/datadog/templates/configmap.yaml b/examples/chart/access/datadog/templates/configmap.yaml
new file mode 100644
index 0000000000000..418c1db7d4903
--- /dev/null
+++ b/examples/chart/access/datadog/templates/configmap.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "datadog.fullname" . }}
+ {{- with .Values.annotations.config }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "datadog.labels" . | nindent 4 }}
+data:
+ teleport-datadog.toml: |
+ [teleport]
+ addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | quote }}
+ identity = "/var/lib/teleport/plugins/datadog/teleport-identity/{{ include "datadog.identitySecretPath" . }}"
+ refresh_identity = true
+
+ [datadog]
+ api_endpoint = "{{ .Values.datadog.apiEndpoint }}"
+ api_key = "/var/lib/teleport/plugins/datadog/datadog-api-key"
+ application_key = "/var/lib/teleport/plugins/datadog/datadog-application-key"
+ severity = "{{ .Values.datadog.severity }}"
+
+ [role_to_recipients]
+ "*" = ["{{ .Values.datadog.fallbackRecipient }}"]
+
+ [log]
+ output = "{{ .Values.log.output }}"
+ severity = "{{ .Values.log.severity }}"
diff --git a/examples/chart/access/datadog/templates/deployment.yaml b/examples/chart/access/datadog/templates/deployment.yaml
new file mode 100644
index 0000000000000..75550b87b2ca8
--- /dev/null
+++ b/examples/chart/access/datadog/templates/deployment.yaml
@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "datadog.fullname" . }}
+ {{- with .Values.annotations.deployment }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ {{- include "datadog.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ {{- include "datadog.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with coalesce .Values.annotations.pod .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "datadog.labels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ command:
+ - /usr/local/bin/teleport-plugin
+ - start
+ - "--config"
+ - "/etc/teleport-datadog.toml"
+ env:
+ - name: "TELEPORT_PLUGIN_FAIL_FAST"
+ value: "true"
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ - name: config
+ mountPath: /etc/teleport-datadog.toml
+ subPath: teleport-datadog.toml
+ - name: teleport-identity
+ mountPath: /var/lib/teleport/plugins/datadog/teleport-identity
+ - name: {{ .Values.secretVolumeName }}-api-key
+ mountPath: /var/lib/teleport/plugins/datadog/datadog-api-key
+ subPath: {{ .Values.datadog.apiKeySecretPath }}
+ - name: {{ .Values.secretVolumeName }}-application-key
+ mountPath: /var/lib/teleport/plugins/datadog/datadog-application-key
+ subPath: {{ .Values.datadog.applicationKeySecretPath }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: config
+ configMap:
+ name: {{ include "datadog.fullname" . }}
+ defaultMode: 0600
+ - name: teleport-identity
+ secret:
+ secretName: {{ include "datadog.identitySecretName" . | quote }}
+ defaultMode: 0600
+ - name: {{ .Values.secretVolumeName }}-api-key
+ secret:
+ secretName: "{{ coalesce .Values.datadog.apiKeyFromSecret (printf "%s-api-key" (include "datadog.fullname" .)) }}"
+ defaultMode: 0600
+ - name: {{ .Values.secretVolumeName }}-application-key
+ secret:
+ secretName: "{{ coalesce .Values.datadog.applicationKeyFromSecret (printf "%s-application-key" (include "datadog.fullname" .)) }}"
+ defaultMode: 0600
diff --git a/examples/chart/access/datadog/templates/secret.yaml b/examples/chart/access/datadog/templates/secret.yaml
new file mode 100644
index 0000000000000..60a50e58d6052
--- /dev/null
+++ b/examples/chart/access/datadog/templates/secret.yaml
@@ -0,0 +1,28 @@
+{{- if not .Values.datadog.apiKeyFromSecret}}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ include "datadog.fullname" . }}-api-key
+ {{- with .Values.annotations.secret }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+data:
+ datadogApiKey: {{ .Values.datadog.apiKey | b64enc }}
+{{- end }}
+
+{{- if not .Values.datadog.applicationKeyFromSecret}}
+---
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+ name: {{ include "datadog.fullname" . }}-application-key
+ {{- with .Values.annotations.secret }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+data:
+ datadogApplicationKey: {{ .Values.datadog.applicationKey | b64enc }}
+{{- end }}
diff --git a/examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap b/examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap
new file mode 100644
index 0000000000000..501c844054d76
--- /dev/null
+++ b/examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap
@@ -0,0 +1,31 @@
+should match the snapshot:
+ 1: |
+ apiVersion: v1
+ data:
+ teleport-datadog.toml: |
+ [teleport]
+ addr = "teleport.example.com:1234"
+ identity = "/var/lib/teleport/plugins/datadog/teleport-identity/auth_id"
+ refresh_identity = true
+
+ [datadog]
+ api_endpoint = "https://api.datadoghq.com"
+ api_key = "/var/lib/teleport/plugins/datadog/datadog-api-key"
+ application_key = "/var/lib/teleport/plugins/datadog/datadog-application-key"
+ severity = "SEV-3"
+
+ [role_to_recipients]
+ "*" = ["admin@example.com"]
+
+ [log]
+ output = "/var/log/teleport-datadog.log"
+ severity = "DEBUG"
+ kind: ConfigMap
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: teleport-plugin-datadog
+ app.kubernetes.io/version: 17.0.0-dev
+ helm.sh/chart: teleport-plugin-datadog-17.0.0-dev
+ name: RELEASE-NAME-teleport-plugin-datadog
diff --git a/examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap
new file mode 100644
index 0000000000000..2059ce41c0b04
--- /dev/null
+++ b/examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap
@@ -0,0 +1,71 @@
+should match the snapshot:
+ 1: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: teleport-plugin-datadog
+ app.kubernetes.io/version: 17.0.0-dev
+ helm.sh/chart: teleport-plugin-datadog-17.0.0-dev
+ name: RELEASE-NAME-teleport-plugin-datadog
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: teleport-plugin-datadog
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: teleport-plugin-datadog
+ app.kubernetes.io/version: 17.0.0-dev
+ helm.sh/chart: teleport-plugin-datadog-17.0.0-dev
+ spec:
+ containers:
+ - command:
+ - /usr/local/bin/teleport-plugin
+ - start
+ - --config
+ - /etc/teleport-datadog.toml
+ env:
+ - name: TELEPORT_PLUGIN_FAIL_FAST
+ value: "true"
+ image: gcr.io/overridden/repository:v98.76.54
+ imagePullPolicy: IfNotPresent
+ name: teleport-plugin-datadog
+ resources: {}
+ securityContext: {}
+ volumeMounts:
+ - mountPath: /etc/teleport-datadog.toml
+ name: config
+ subPath: teleport-datadog.toml
+ - mountPath: /var/lib/teleport/plugins/datadog/teleport-identity
+ name: teleport-identity
+ - mountPath: /var/lib/teleport/plugins/datadog/datadog-api-key
+ name: password-file-api-key
+ subPath: datadogApiKey
+ - mountPath: /var/lib/teleport/plugins/datadog/datadog-application-key
+ name: password-file-application-key
+ subPath: datadogApplicationKey
+ securityContext: {}
+ volumes:
+ - configMap:
+ defaultMode: 384
+ name: RELEASE-NAME-teleport-plugin-datadog
+ name: config
+ - name: teleport-identity
+ secret:
+ defaultMode: 384
+ secretName: ""
+ - name: password-file-api-key
+ secret:
+ defaultMode: 384
+ secretName: RELEASE-NAME-teleport-plugin-datadog-api-key
+ - name: password-file-application-key
+ secret:
+ defaultMode: 384
+ secretName: RELEASE-NAME-teleport-plugin-datadog-application-key
diff --git a/examples/chart/access/datadog/tests/__snapshot__/secret_test.yaml.snap b/examples/chart/access/datadog/tests/__snapshot__/secret_test.yaml.snap
new file mode 100644
index 0000000000000..fc9ff6af65c5e
--- /dev/null
+++ b/examples/chart/access/datadog/tests/__snapshot__/secret_test.yaml.snap
@@ -0,0 +1,17 @@
+should contain the api and application key:
+ 1: |
+ apiVersion: v1
+ data:
+ datadogApiKey: ZGF0YWRvZ0FwaUtleQ==
+ kind: Secret
+ metadata:
+ name: RELEASE-NAME-teleport-plugin-datadog-api-key
+ type: Opaque
+ 2: |
+ apiVersion: v1
+ data:
+ datadogApplicationKey: ZGF0YWRvZ0FwcGxpY2F0aW9uS2V5
+ kind: Secret
+ metadata:
+ name: RELEASE-NAME-teleport-plugin-datadog-application-key
+ type: Opaque
diff --git a/examples/chart/access/datadog/tests/configmap_test.yaml b/examples/chart/access/datadog/tests/configmap_test.yaml
new file mode 100644
index 0000000000000..8927111f1a32b
--- /dev/null
+++ b/examples/chart/access/datadog/tests/configmap_test.yaml
@@ -0,0 +1,37 @@
+suite: Test configmap
+templates:
+ - configmap.yaml
+tests:
+ - it: should match the snapshot
+ set:
+ teleport:
+ address: teleport.example.com:1234
+ datadog:
+ apiEndpoint: https://api.datadoghq.com
+ apiKey: test-api-key
+ applicationKey: test-application-key
+ fallbackRecipient: admin@example.com
+ severity: SEV-3
+ log:
+ output: /var/log/teleport-datadog.log
+ severity: DEBUG
+ asserts:
+ - matchSnapshot: {}
+
+ - it: should not contain annotations when not defined
+ asserts:
+ - isNull:
+ path: metadata.annotations
+
+ - it: should contain annotations when defined
+ set:
+ annotations:
+ config:
+ keyA: valA
+ keyB: valB
+ asserts:
+ - equal:
+ path: metadata.annotations
+ value:
+ keyA: valA
+ keyB: valB
diff --git a/examples/chart/access/datadog/tests/deployment_test.yaml b/examples/chart/access/datadog/tests/deployment_test.yaml
new file mode 100644
index 0000000000000..8f2cde402536e
--- /dev/null
+++ b/examples/chart/access/datadog/tests/deployment_test.yaml
@@ -0,0 +1,69 @@
+suite: Test deployment
+templates:
+ - deployment.yaml
+tests:
+ - it: should match the snapshot
+ set:
+ image:
+ repository: gcr.io/overridden/repository
+ tag: v98.76.54
+ asserts:
+ - matchSnapshot: {}
+
+ - it: should not contain deployment or pod annotations when not defined
+ asserts:
+ - isNull:
+ path: metadata.annotations
+ - isNull:
+ path: spec.template.metadata.annotations
+
+ - it: should contain deployment annotations when defined
+ set:
+ annotations:
+ deployment:
+ keyA: valA
+ keyB: valB
+ asserts:
+ - equal:
+ path: metadata.annotations
+ value:
+ keyA: valA
+ keyB: valB
+ - isNull:
+ path: spec.template.metadata.annotations
+
+ - it: should contain pod annotations when defined
+ set:
+ annotations:
+ pod:
+ keyA: valA
+ keyB: valB
+ asserts:
+ - equal:
+ path: spec.template.metadata.annotations
+ value:
+ keyA: valA
+ keyB: valB
+ - isNull:
+ path: metadata.annotations
+
+ - it: should contain both annotations when defined
+ set:
+ annotations:
+ deployment:
+ keyA: valA
+ keyB: valB
+ pod:
+ keyA: valA'
+ keyC: valC
+ asserts:
+ - equal:
+ path: metadata.annotations
+ value:
+ keyA: valA
+ keyB: valB
+ - equal:
+ path: spec.template.metadata.annotations
+ value:
+ keyA: valA'
+ keyC: valC
diff --git a/examples/chart/access/datadog/tests/secret_test.yaml b/examples/chart/access/datadog/tests/secret_test.yaml
new file mode 100644
index 0000000000000..bef3533b4eee6
--- /dev/null
+++ b/examples/chart/access/datadog/tests/secret_test.yaml
@@ -0,0 +1,38 @@
+suite: Test secret
+templates:
+ - secret.yaml
+tests:
+ - it: should contain the api and application key
+ set:
+ datadog:
+ apiKey: datadogApiKey
+ applicationKey: datadogApplicationKey
+ asserts:
+ - matchSnapshot: {}
+
+ - it: should not exist when using external secret
+ set:
+ datadog:
+ apiKeyFromSecret: datadog-api-key
+ applicationKeyFromSecret: datadog-application-key
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not contain annotations when not defined
+ asserts:
+ - isNull:
+ path: metadata.annotations
+
+ - it: should contain annotations when defined
+ set:
+ annotations:
+ secret:
+ keyA: valA
+ keyB: valB
+ asserts:
+ - equal:
+ path: metadata.annotations
+ value:
+ keyA: valA
+ keyB: valB
diff --git a/examples/chart/access/datadog/values.schema.json b/examples/chart/access/datadog/values.schema.json
new file mode 100644
index 0000000000000..ac42f66ff445b
--- /dev/null
+++ b/examples/chart/access/datadog/values.schema.json
@@ -0,0 +1,429 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema",
+ "$id": "http://example.com/example.json",
+ "default": {},
+ "required": [
+ "image",
+ "imagePullSecrets",
+ "nameOverride",
+ "fullnameOverride",
+ "podAnnotations",
+ "podSecurityContext",
+ "securityContext",
+ "nodeSelector",
+ "tolerations",
+ "affinity",
+ "teleport",
+ "datadog",
+ "log"
+ ],
+ "properties": {
+ "image": {
+ "$id": "#/properties/image",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "repository": "public.ecr.aws/gravitational/teleport-plugin-datadog",
+ "pullPolicy": "IfNotPresent",
+ "tag": ""
+ }
+ ],
+ "required": [
+ "repository",
+ "pullPolicy",
+ "tag"
+ ],
+ "properties": {
+ "repository": {
+ "$id": "#/properties/image/properties/repository",
+ "type": "string",
+ "default": "public.ecr.aws/gravitational/teleport-plugin-datadog",
+ "examples": [
+ "public.ecr.aws/gravitational/teleport-plugin-datadog"
+ ]
+ },
+ "pullPolicy": {
+ "$id": "#/properties/image/properties/pullPolicy",
+ "type": "string",
+ "default": "IfNotPresent",
+ "examples": [
+ "IfNotPresent"
+ ]
+ },
+ "tag": {
+ "$id": "#/properties/image/properties/tag",
+ "type": "string",
+ "default": ""
+ }
+ },
+ "additionalProperties": true
+ },
+ "imagePullSecrets": {
+ "$id": "#/properties/imagePullSecrets",
+ "type": "array",
+ "default": [],
+ "examples": [
+ [
+ {
+ "name": "image-pull-secrets"
+ }
+ ]
+ ],
+ "additionalItems": true,
+ "items": {
+ "$id": "#/properties/imagePullSecrets/items"
+ }
+ },
+ "nameOverride": {
+ "$id": "#/properties/nameOverride",
+ "type": "string",
+ "default": ""
+ },
+ "fullnameOverride": {
+ "$id": "#/properties/fullnameOverride",
+ "type": "string",
+ "default": ""
+ },
+ "podAnnotations": {
+ "$id": "#/properties/podAnnotations",
+ "type": "object",
+ "additionalProperties": true
+ },
+ "podSecurityContext": {
+ "$id": "#/properties/podSecurityContext",
+ "type": "object",
+ "required": [],
+ "additionalProperties": true
+ },
+ "securityContext": {
+ "$id": "#/properties/securityContext",
+ "type": "object",
+ "properties": {
+ "capabilities": {
+ "$id": "#/properties/securityContext/properties/capabilities",
+ "type": "object",
+ "additionalProperties": true
+ },
+ "readOnlyRootFilesystem": {
+ "$id": "#/properties/securityContext/properties/readOnlyRootFilesystem",
+ "type": "boolean",
+ "default": false,
+ "examples": [
+ true
+ ]
+ },
+ "runAsNonRoot": {
+ "$id": "#/properties/securityContext/properties/runAsNonRoot",
+ "type": "boolean",
+ "default": false,
+ "examples": [
+ true
+ ]
+ },
+ "runAsUser": {
+ "$id": "#/properties/securityContext/properties/runAsUser",
+ "type": "integer",
+ "default": 0,
+ "examples": [
+ 1000
+ ]
+ }
+ },
+ "additionalProperties": true
+ },
+ "resources": {
+ "$id": "#/properties/resources",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "limits": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ },
+ "requests": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ }
+ }
+ ],
+ "properties": {
+ "limits": {
+ "$id": "#/properties/resources/properties/limits",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "cpu": "100m",
+ "memory": "128Mi"
+ }
+ ],
+ "required": [
+ "cpu",
+ "memory"
+ ],
+ "properties": {
+ "cpu": {
+ "$id": "#/properties/resources/properties/limits/properties/cpu",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "100m"
+ ]
+ },
+ "memory": {
+ "$id": "#/properties/resources/properties/limits/properties/memory",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "128Mi"
+ ]
+ }
+ },
+ "additionalProperties": true
+ },
+ "requests": {
+ "$id": "#/properties/resources/properties/requests",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "cpu": "100m",
+ "memory": "128Mi"
+ }
+ ],
+ "required": [
+ "cpu",
+ "memory"
+ ],
+ "properties": {
+ "cpu": {
+ "$id": "#/properties/resources/properties/requests/properties/cpu",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "100m"
+ ]
+ },
+ "memory": {
+ "$id": "#/properties/resources/properties/requests/properties/memory",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "128Mi"
+ ]
+ }
+ },
+ "additionalProperties": true
+ }
+ },
+ "additionalProperties": true
+ },
+ "nodeSelector": {
+ "$id": "#/properties/nodeSelector",
+ "type": "object",
+ "default": {},
+ "additionalProperties": true
+ },
+ "tolerations": {
+ "$id": "#/properties/tolerations",
+ "type": "array",
+ "default": [],
+ "additionalItems": true,
+ "items": {
+ "$id": "#/properties/tolerations/items"
+ }
+ },
+ "affinity": {
+ "$id": "#/properties/affinity",
+ "type": "object",
+ "default": {},
+ "additionalProperties": true
+ },
+ "teleport": {
+ "$id": "#/properties/teleport",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "address": "auth.example.com:3025",
+ "identitySecretName": "teleport-plugin-datadog-auth-id",
+ "identitySecretPath": "auth_id"
+ }
+ ],
+ "required": [
+ "address",
+ "identitySecretName",
+ "identitySecretPath"
+ ],
+ "properties": {
+ "address": {
+ "$id": "#/properties/teleport/properties/address",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "auth.example.com:3025"
+ ]
+ },
+ "identitySecretName": {
+ "$id": "#/properties/teleport/properties/identitySecretName",
+ "type": "string",
+ "default": ""
+ },
+ "identitySecretPath": {
+ "$id": "#/properties/teleport/properties/identitySecretPath",
+ "type": "string",
+ "default": "auth_id",
+ "examples": [
+ "auth_id"
+ ]
+ }
+ },
+ "additionalProperties": true
+ },
+ "datadog": {
+ "$id": "#/properties/datadog",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "apiEndpoint": "https://api.datadoghq.com",
+ "apiKey": "example-api-key",
+ "applicationKey": "example-application-key",
+ "severity": "SEV-3",
+ "fallbackRecipient": "admin@example.com"
+ }
+ ],
+ "required": [
+ "apiEndpoint",
+ "apiKey",
+ "applicationKey",
+ "fallbackRecipient"
+ ],
+ "properties": {
+ "apiEndpoint": {
+ "$id": "#/properties/datadog/properties/apiEndpoint",
+ "type": "string",
+ "default": "https://api.datadoghq.com",
+ "examples": [
+ "https://api.datadoghq.com",
+ "https://api.us3.datadoghq.com",
+ "https://api.us5.datadoghq.com",
+ "https://api.datadoghq.eu",
+ "https://api.ap1.datadoghq.com"
+ ]
+ },
+ "apiKey": {
+ "$id": "#/properties/datadog/properties/apiKey",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "example-api-key"
+ ]
+ },
+ "apiKeyFromSecret": {
+ "$id": "#/properties/datadog/properties/apiKeyFromSecret",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "my-datadog-secret"
+ ]
+ },
+ "apiKeySecretPath": {
+ "$id": "#/properties/datadog/properties/apiKeySecretPath",
+ "type": "string",
+ "default": "datadogApiKey",
+ "examples": [
+ "apikey"
+ ]
+ },
+ "applicationKey": {
+ "$id": "#/properties/datadog/properties/applicationKey",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "example-application-key"
+ ]
+ },
+ "applicationKeyFromSecret": {
+ "$id": "#/properties/datadog/properties/applicationKeyFromSecret",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "my-datadog-secret"
+ ]
+ },
+ "applicationKeySecretPath": {
+ "$id": "#/properties/datadog/properties/applicationKeySecretPath",
+ "type": "string",
+ "default": "datadogApplicationKey",
+ "examples": [
+ "applicationkey"
+ ]
+ },
+ "fallbackRecipient": {
+ "$id": "#/properties/datadog/properties/fallbackRecipient",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "admin@example.com",
+ "datadog-team-handle"
+ ]
+ },
+ "severity": {
+ "$id": "#/properties/datadog/properties/severity",
+ "type": "string",
+ "default": "SEV-3",
+ "examples": [
+ "SEV-3"
+ ]
+ }
+ },
+ "additionalProperties": true
+ },
+ "log": {
+ "$id": "#/properties/log",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "output": "stdout",
+ "severity": "INFO"
+ }
+ ],
+ "required": [
+ "output",
+ "severity"
+ ],
+ "properties": {
+ "output": {
+ "$id": "#/properties/log/properties/output",
+ "type": "string",
+ "default": "stdout",
+ "examples": [
+ "stdout"
+ ]
+ },
+ "severity": {
+ "$id": "#/properties/log/properties/severity",
+ "type": "string",
+ "default": "INFO",
+ "examples": [
+ "INFO"
+ ]
+ }
+ },
+ "additionalProperties": true
+ },
+ "secretVolumeName": {
+ "$id": "#/properties/secretVolumeName",
+ "type": "string",
+ "default": "password-file",
+ "examples": [
+ "my-secret-volume"
+ ]
+ }
+ },
+ "additionalProperties": true
+}
diff --git a/examples/chart/access/datadog/values.yaml b/examples/chart/access/datadog/values.yaml
new file mode 100644
index 0000000000000..9c92af3397917
--- /dev/null
+++ b/examples/chart/access/datadog/values.yaml
@@ -0,0 +1,246 @@
+#
+# Plugin specific options
+#
+
+# teleport -- contains the configuration describing how the plugin connects to
+# your Teleport cluster.
+teleport:
+ # teleport.address(string) -- is the address of the Teleport cluster the plugin
+ # connects to. The address must contain both the domain name and the port of
+ # the Teleport cluster. It can be either the address of the auth servers or the
+ # proxy servers.
+ #
+ # For example:
+ # - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
+ # - joining an Auth: `teleport-auth.example.com:3025`
+ #
+ # When the address is empty, `tbot.teleportProxyAddress`
+ # or `tbot.teleportAuthAddress` will be used if they are set.
+ address: ""
+ # teleport.identitySecretName(string) -- is the name of the Kubernetes secret
+ # that contains the credentials for the connection to your Teleport cluster.
+ #
+ # The secret should be in the following format:
+ #
+ # ```yaml
+ # apiVersion: v1
+ # kind: Secret
+ # type: Opaque
+ # metadata:
+ # name: teleport-plugin-datadog-identity
+ # data:
+ # auth_id: #...
+ # ```
+ #
+ # Check out the [Access Requests with
+ # Datadog Incident Management](../../admin-guides/access-controls/access-request-plugins/datadog-hosted.mdx) guide
+ # for more information about how to acquire these credentials.
+ identitySecretName: ""
+ # teleport.identitySecretPath(string) -- is the key in the Kubernetes secret
+ # specified by `teleport.identitySecretName` that holds the credentials for
+ # the connection to your Teleport cluster. If the secret has the path,
+ # `"auth_id"`, you can omit this field.
+ identitySecretPath: "auth_id"
+
+# datadog -- contains the configuration used by the plugin to authenticate to Datadog.
+#
+# You can pass the Datadog keys by setting the chart values or using an existing Kubernetes Secret.
+datadog:
+ # datadog.apiEndpoint(string) -- specifies which Datadog API site to set API
+ # requests.
+ apiEndpoint: "https://api.datadoghq.com"
+ # datadog.apiKey(string) -- is the Datadog API key used by the plugin to interact
+ # with Datadog. When set, the Chart creates a Kubernetes Secret for you.
+ #
+ # This value has no effect if `datadog.apiKeyFromSecret` is set.
+ apiKey: ""
+ # datadog.apiKeyFromSecret(string) -- is the name of the Kubernetes Secret
+ # containing the Datadog apiKey. When this value is set, you must create the
+ # Secret before creating the chart release.
+ apiKeyFromSecret: ""
+ # datadog.apiKeySecretPath(string) -- is the Kubernetes Secret key
+ # containing the Datadog API key. The secret name is set via `datadog.apiKeyFromSecret`.
+ apiKeySecretPath: "datadogApiKey"
+ # datadog.applicationKey(string) -- is the Datadog Application key used by the plugin to interact
+ # with Datadog. When set, the Chart creates a Kubernetes Secret for you.
+ #
+ # This value has no effect if `datadog.applicationKeyFromSecret` is set.
+ applicationKey: ""
+ # datadog.applicationKeyFromSecret(string) -- is the name of the Kubernetes Secret
+ # containing the Datadog applicationKey. When this value is set, you must create the
+ # Secret before creating the chart release.
+ applicationKeyFromSecret: ""
+ # datadog.applicationKeySecretPath(string) -- is the Kubernetes Secret key
+ # containing the Datadog Application key. The secret name is set via `datadog.applicationKeyFromSecret`.
+ applicationKeySecretPath: "datadogApplicationKey"
+ # datadog.fallbackRecipient(string) -- specifies the default recipient for
+ # Access Request notifications. The recipient can be a Datadog user email or
+ # a team handle.
+ fallbackRecipient: ""
+ # datadog.severity(string) -- specifies the Datadog incident severity.
+ severity: "SEV-3"
+
+# log -- controls the plugin logging.
+log:
+ # log.severity(string) -- is the log level for the Teleport process.
+ # Available log levels are: `DEBUG`, `INFO`, `WARN`, `ERROR`.
+ #
+ # The default is `INFO`, which is recommended in production.
+ # `DEBUG` is useful during first-time setup or to see more detailed logs for debugging.
+ severity: INFO
+ # log.output(string) -- sets the output destination for the Teleport process.
+ # This can be set to any of the built-in values: `stdout`, `stderr`.
+ #
+ # The value can also be set to a file path (such as `/var/log/teleport.log`)
+ # to write logs to a file. Bear in mind that a few service startup messages
+ # will still go to `stderr` for resilience.
+ output: stdout
+
+# tbot -- controls the optional tbot deployment that obtains and renews
+# credentials for the plugin to connect to Teleport.
+# Only default and mandatory values are described here, see the tbot chart reference
+# for the full list of supported values.
+tbot:
+ # tbot.enabled(bool) -- controls if tbot should be deployed with the datadog plugin.
+ enabled: false
+ # tbot.clusterName(string) -- is the name of the Teleport cluster tbot and the Datadog plugin will join.
+ # Setting this value is mandatory when tbot is enabled.
+ clusterName: ""
+ # tbot.teleportProxyAddress(string) -- is the teleport Proxy Service address the bot will connect to.
+ # This must contain the port number, usually 443 or 3080 for Proxy Service.
+ # Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+ # This is mandatory to connect to Teleport Enterprise (Cloud).
+ #
+ # This setting is mutually exclusive with `teleportAuthAddress`.
+ #
+ # For example:
+ # ```yaml
+ # tbot:
+ # teleportProxyAddress: "test.teleport.sh:443"
+ # ```
+ teleportProxyAddress: ""
+ # tbot.teleportAuthAddress(string) -- is the teleport Auth Service address the bot will connect to.
+ # This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+ # should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+ # Helm release and have direct access to the Auth Service.
+ # Else, you should prefer connecting via the Proxy Service.
+ #
+ # This setting is mutually exclusive with `teleportProxyAddress`.
+ #
+ # For example:
+ # ```yaml
+ # teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+ # ```
+ teleportAuthAddress: ""
+
+ # tbot.joinMethod(string) -- describes how tbot joins the Teleport cluster.
+ # See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+ joinMethod: "kubernetes"
+ token: ""
+
+ # Don't touch the tbot values below, this will break the chart.
+ # This ensures that tbot.fullname is not shortened if the release name contains "tbot"
+ nameOverride: tbot
+ defaultOutput:
+ enabled: true
+
+secretVolumeName: "password-file"
+
+# annotations -- contains annotations to apply to the different Kubernetes
+# objects created by the chart. See [the Kubernetes annotation
+# documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
+# for more details.
+annotations:
+ # annotations.config(object) -- contains the Kubernetes annotations
+ # put on the `ConfigMap` resource created by the chart.
+ config: {}
+ # annotations.deployment(object) -- contains the Kubernetes annotations
+ # put on the `Deployment` or `StatefulSet` resource created by the chart.
+ deployment: {}
+ # annotations.pod(object) -- contains the Kubernetes annotations
+ # put on the `Pod` resources created by the chart.
+ pod: {}
+ # annotations.secret(object) -- contains the Kubernetes annotations
+ # put on the `Secret` resource created by the chart.
+ # This has no effect when `joinTokenSecret.create` is `false`.
+ secret: {}
+
+#
+# Deployment
+#
+# image -- sets the container image used for plugin pods created by the chart.
+#
+# You can override this to use your own plugin image rather than a Teleport-published image.
+image:
+ # image.repository(string) -- is the image repository.
+ repository: public.ecr.aws/gravitational/teleport-plugin-datadog
+ # image.pullPolicy(string) -- is the [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy).
+ pullPolicy: IfNotPresent
+ # image.tag(string) -- Overrides the image tag whose default is the chart appVersion.
+ #
+ # Normally, the version of the Teleport plugin matches the
+ # version of the chart. If you install chart version 15.0.0, you'll use
+ # the plugin version 15.0.0. Upgrading the plugin is done by upgrading the chart.
+ #
+ #
+ # `image.tag` is intended for development and custom tags. This MUST NOT be
+ # used to control the plugin version in a typical deployment. This
+ # chart is designed to run a specific plugin version. You will face
+ # compatibility issues trying to run a different version with it.
+ #
+ # If you want to run the Teleport plugin version `X.Y.Z`, you should use
+ # `helm install --version X.Y.Z` instead.
+ #
+ tag: ""
+
+# imagePullSecrets(list) -- is a list of secrets containing authorization tokens
+# which can be optionally used to access a private Docker registry.
+#
+# See the [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) for more details.
+imagePullSecrets: []
+
+nameOverride: ""
+fullnameOverride: ""
+
+# Deprecated way to set pod annotations. `annotations.pod` should be preferred.
+podAnnotations: {}
+
+# podSecurityContext(object) -- sets the pod security context for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+# for more details.
+#
+# To unset the security context, set it to `null` or `~`.
+podSecurityContext: {}
+
+# securityContext(object) -- sets the container security context for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+# for more details.
+#
+# To unset the security context, set it to `null` or `~`.
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+# resources(object) -- sets the resource requests/limits for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
+# for more details.
+resources: {}
+
+# nodeSelector(object) -- sets the node selector for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+# for more details.
+nodeSelector: {}
+
+# tolerations(list) -- sets the tolerations for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
+# for more details.
+tolerations: []
+
+# affinity(object) -- sets the affinities for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
+# for more details.
+affinity: {}
diff --git a/examples/chart/index.html b/examples/chart/index.html
index 39b8d7b9522c4..8f48ba224c0af 100644
--- a/examples/chart/index.html
+++ b/examples/chart/index.html
@@ -55,6 +55,20 @@