Teleport
Teleport is Lumie's operator access plane. The repo manages it as two ArgoCD applications in the same namespace: the teleport cluster itself and teleport-agent, which registers browser apps behind the Teleport proxy.
Responsibility
- Terminate operator access at `lumie-infra.com` and the wildcard subdomains backed by the same certificate.
- Store Teleport cluster state in PostgreSQL instead of local disk.
- Publish browser apps such as Coder, Headlamp, OpenClaw, Umami, Vault, and Grafana.
- Expose Kubernetes and app access roles through Teleport custom resources.
Source paths
| Path | Role |
|---|---|
| `lumie-infra/security/teleport/argocd.yaml` | Two ArgoCD Application objects: `teleport` and `teleport-agent` |
| `lumie-infra/security/teleport/helm-values.yaml` | Teleport cluster settings, auth storage, TLS, and HA proxy settings |
| `lumie-infra/security/teleport/kustomization.yaml` | Helm chart entry plus NodePort patch |
| `lumie-infra/security/teleport/agent/helm-values.yaml` | App registrations and rewrite rules |
| `lumie-infra/security/teleport/agent/kustomization.yaml` | Init-container patch that substitutes secret-backed rewrite headers |
| `lumie-infra/security/teleport/manifests/certificate.yaml` | Wildcard certificate request for `lumie-infra.com` |
| `lumie-infra/security/teleport/manifests/provision-token.yaml` | Kubernetes join token for the app agent |
| `lumie-infra/security/teleport/manifests/role-admin.yaml` | Teleport role `kube-admin` with full Kubernetes and app labels |
| `lumie-infra/security/teleport/manifests/vault-static-secret.yaml` | Vault secret for Teleport's PostgreSQL credentials |
| `lumie-infra/security/teleport/manifests/teleport-agent-credentials-vss.yaml` | Vault secret for Zot basic auth rewrite |
Ownership boundaries
- `security/teleport/**` owns the Teleport cluster and app agent only.
- Audit-event export is a separate application under `applications/teleport-event-handler/**`; it is not part of the Teleport cluster overlay even though it shares the `teleport` namespace.
- App workloads such as Coder and OpenClaw do not define their own public ingress; Teleport owns that access contract from the security slice.
Public surface and contracts
| Surface | Contract |
|---|---|
| Cluster name | lumie-infra.com |
| Public addresses | lumie-infra.com:443 and teleport.teleport.svc.cluster.local:443 |
| Service type | NodePort patched to 30443 on port 443 |
| TLS | teleport-tls secret from cert-manager, covering apex and wildcard names |
| Storage backend | PostgreSQL database teleport on shared infra-db |
| Join method | Kubernetes in_cluster via provision token teleport-agent |
The kube agent connects to `teleport.teleport.svc.cluster.local:443` with `insecureSkipProxyTLSVerify: true`, because it joins through the internal service rather than the public certificate name.
Runtime flow
App access contract
The app agent registers internal services as Teleport apps, including:
- `coder` at `coder.lumie-infra.com`
- `openclaw`
- `headlamp`
- `umami`
- `vault`
- `grafana`
- `argocd`
- `keycloak`
- `rabbitmq`
- `gitea`
- `tilt`
- `code`
Some apps require request rewriting. Two important examples are checked in explicitly:
- `coder` rewrites the `Host` header to `coder.lumie-infra.com` so same-origin and WebSocket checks pass.
- `openclaw` injects the gateway bearer token and rewrites `Origin`.
Because Teleport does not expand environment variables in `rewrite.headers`, the agent overlay patches the StatefulSet with an init container that pre-processes the config before startup.
Failure behavior and operational risks
- Wildcard certificate failure breaks the whole access plane, not just a single app.
- A bad `infra-db-credentials` secret prevents auth-state reads and writes, which affects login and certificate-backed session flow.
- If the agent's init-container substitution fails, Zot and OpenClaw can register but still be unusable because the required auth headers were never rendered.
- The repo defines the `kube-admin` role, but role assignment to users is outside the checked-in contract here.
- The NodePort `30443` is part of the desired state; any load balancer or DNS layer in front of it must stay aligned with that patch.
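The init-container pre-processing described under the app access contract, and the failure mode listed above (apps registering with headers that were never rendered), as an added example. This is not the lumie-infra repo's own init-container script: the template layout and the `OPENCLAW_GATEWAY_TOKEN` variable name are assumptions for illustration, standing in for whatever the overlay mounts from its Vault-backed secret. The point of the example is that the render step fails closed, so a missing secret key stops the agent before it can register an app with an unrendered auth header.

```bash
#!/bin/sh
# Added example (not the lumie-infra repo's own init-container script) of the
# pre-processing step: Teleport does not expand environment variables inside
# rewrite.headers, so ${NAME} placeholders in the agent config must be rendered
# before the agent starts. OPENCLAW_GATEWAY_TOKEN and the template fields are
# assumptions for illustration; the real overlay mounts its values from a secret.
# The function fails closed: if any placeholder has no value, no config is
# written, so the agent never registers an app with an unrendered header.
set -eu

# render_teleport_config TEMPLATE_FILE OUTPUT_FILE
# Returns 0 and writes OUTPUT_FILE on success; returns 1 and writes nothing if
# a placeholder in the template is unset or empty in the environment.
render_teleport_config() {
  template="$1"
  output="$2"
  work=$(mktemp)
  cp "$template" "$work"
  # Distinct ${NAME} placeholders present in the template (empty if none).
  names=$(grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$template" | tr -d '${}' | sort -u || true)
  for name in $names; do
    # Indirect variable lookup that works in plain POSIX sh (no bash ${!name}).
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "render_teleport_config: \${$name} has no value in the environment" >&2
      rm -f "$work"
      return 1
    fi
    # Literal (non-regex) replacement, so '/', '&' or '.' in a token never need
    # escaping. awk -v does interpret backslash escapes, which bearer tokens and
    # basic-auth values in practice do not contain.
    awk -v key="\${$name}" -v val="$value" '
      {
        line = $0; out = ""
        while ((i = index(line, key)) > 0) {
          out = out substr(line, 1, i - 1) val
          line = substr(line, i + length(key))
        }
        print out line
      }' "$work" > "$work.next"
    mv "$work.next" "$work"
  done
  mv "$work" "$output"
}
```

Run it as `render_teleport_config /config/template.yaml /rendered/teleport.yaml` in the init container with the secret projected into its environment; because a failed render returns non-zero and writes nothing, the pod stays in init rather than starting an agent that would register OpenClaw or Zot without their auth headers.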
Observability
- `kubectl logs` on the Teleport cluster and agent workloads are the primary operational signal.
- The separate `teleport-event-handler` application exports audit events; if audit-event forwarding is broken, debug it there rather than in this overlay.
- Service readiness, certificate status, and ArgoCD app health cover the standing control-plane contract.
Verification
```bash
kubectl get applications.argoproj.io -n argocd teleport teleport-agent
kubectl get deploy -n teleport -l app.kubernetes.io/instance=teleport
kubectl get statefulset teleport-agent -n teleport
kubectl get svc teleport -n teleport
kubectl get secret,certificate teleport-tls -n teleport
kubectl get teleportprovisiontokens.resources.teleport.dev teleport-agent -n teleport
kubectl get teleportrolev7.resources.teleport.dev kube-admin -n teleport
kubectl logs -n teleport -l app.kubernetes.io/instance=teleport --all-containers --tail=200
kubectl logs -n teleport statefulset/teleport-agent --all-containers --tail=200
```
Success signals:
- Both Argo CD applications, `teleport` and `teleport-agent`, are `Healthy` and `Synced`.
- The `teleport` service is `NodePort` with node port `30443`, matching the Kustomize patch and Terraform NLB contract.
- Certificate `teleport-tls` is ready, and the backing secret exists.
- TeleportProvisionToken `teleport-agent` and TeleportRoleV7 `kube-admin` are present in namespace `teleport`.
- The Teleport cluster logs do not show PostgreSQL storage connection failures, and the `teleport-agent` StatefulSet logs do not show config-substitution or app-registration errors.
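The success signals above, turned into a pass/fail check, as an added example that is not part of the lumie-infra repo. `gather_signals` runs the `kubectl` queries against the live cluster using the standard Argo CD Application, Service and cert-manager Certificate status fields; `evaluate_signals` compares a report of `key=value` lines against the checked-in contract (node port `30443`, `NodePort` service type, `Healthy`/`Synced` applications, a `Ready` certificate with its TLS secret). The report key names are an assumption of this example.

```bash
#!/bin/sh
# Added example, not part of the lumie-infra repo: encodes the overlay's success
# signals as a check. gather_signals queries the cluster and prints one
# key=value line per signal; evaluate_signals reads such a report and returns
# non-zero, printing each mismatch, when any signal drifts from the contract.
# Splitting the two lets the evaluation run offline against a saved report.
set -eu

# gather_signals: print the live values of each signal (needs cluster access).
gather_signals() {
  for app in teleport teleport-agent; do
    printf 'argocd.%s=%s\n' "$app" "$(kubectl get applications.argoproj.io -n argocd "$app" \
      -o jsonpath='{.status.health.status}/{.status.sync.status}')"
  done
  printf 'svc.type=%s\n' "$(kubectl get svc teleport -n teleport -o jsonpath='{.spec.type}')"
  printf 'svc.nodeport=%s\n' "$(kubectl get svc teleport -n teleport \
    -o jsonpath='{.spec.ports[?(@.port==443)].nodePort}')"
  printf 'cert.ready=%s\n' "$(kubectl get certificate teleport-tls -n teleport \
    -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')"
  printf 'secret.tls=%s\n' "$(kubectl get secret teleport-tls -n teleport -o jsonpath='{.type}')"
}

# evaluate_signals REPORT_FILE: exit 0 when every signal matches the contract,
# otherwise print each mismatch to stderr and exit 1.
evaluate_signals() {
  failures=0
  while IFS='=' read -r key value; do
    case "$key" in
      argocd.*)     expected="Healthy/Synced" ;;
      svc.type)     expected="NodePort" ;;
      svc.nodeport) expected="30443" ;;
      cert.ready)   expected="True" ;;
      secret.tls)   expected="kubernetes.io/tls" ;;
      *)            continue ;;
    esac
    if [ "$value" != "$expected" ]; then
      echo "FAIL $key: got '$value', want '$expected'" >&2
      failures=$((failures + 1))
    fi
  done < "$1"
  [ "$failures" -eq 0 ]
}
```

Typical use is `gather_signals > /tmp/teleport-signals.txt && evaluate_signals /tmp/teleport-signals.txt`; the saved report also makes a useful attachment when escalating, since it records exactly which part of the contract drifted. Log-based signals (PostgreSQL connection failures, config-substitution errors) are deliberately left to the `kubectl logs` commands above.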