Access Graph (TAG) Setup in Self-Hosted Kubernetes with TLS

[pnrao1983]

Run Teleport Identity Security with Access Graph on Self-Hosted Clusters with Helm

✅ Successfully deployed Access Graph (TAG) using a self-hosted Postgres backend, TLS-secured endpoints, and Teleport integration via Helm.

Here is the official public doc: https://goteleport.com/docs/identity-security/access-graph/self-hosted-helm/

---

📦 Directory Layout

access_graphs/
├── cert_gen.sh
├── certs/
│   ├── ca.crt
│   ├── ca.key
│   ├── cert.crt
│   ├── cert.key
├── postgres.yaml
├── tag-values.yaml

---

🛠️ Certificate Generation (cert_gen.sh)

#!/usr/bin/env bash
set -e
mkdir -p ./certs

cd ./certs
Create Root CA
openssl genrsa -aes256 -out ca.key 4096

openssl req -x509 -new -key ca.key -sha256 -days 3652 -out ca.crt -subj '/CN=root'
Create Server Certificate
openssl req -new -out cert.csr -newkey rsa:4096 -nodes -keyout cert.key -subj '/CN=Access Graph'

openssl x509 -req -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cert.crt -days 3652 -sha256 

-extfile <(printf 'extendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = DNS:teleport-access-graph.teleport-access-graph.svc.cluster.local')
echo "Certificates issued successfully"

Here is the postgres.yaml and tag.yaml files

cat postgres.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pgdata
  namespace: teleport-access-graph
spec:
  storageClassName: gp2
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres
  namespace: teleport-access-graph
spec:
  replicas: 1
  selector:
    matchLabels:
      app: accessgraph-postgres
  template:
    metadata:
      labels:
        app: accessgraph-postgres
    spec:
      nodeSelector:
        topology.kubernetes.io/zone: us-west-1a   # restrict to us-west-1a
      containers:
        - name: postgres
          image: postgres:15.0
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_USER
              value: postgres
            - name: POSTGRES_PASSWORD
              value: my_password
            - name: PGDATA
              value: /var/lib/postgresql/data/pgdata
          volumeMounts:
            - name: pgdata
              mountPath: /var/lib/postgresql/data
              subPath: pgdata
            - name: init-sql
              mountPath: /docker-entrypoint-initdb.d/init.sql
              subPath: init.sql
      volumes:
        - name: pgdata
          persistentVolumeClaim:
            claimName: pgdata
        - name: init-sql
          configMap:
            name: accessgraph-init
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: accessgraph-init
  namespace: teleport-access-graph
data:
  init.sql: |
    CREATE USER access_graph_user WITH PASSWORD 'my_password';
    CREATE DATABASE access_graph_db OWNER access_graph_user;
---
apiVersion: v1
kind: Service
metadata:
  name: accessgraph-postgres
  namespace: teleport-access-graph
spec:
  selector:
    app: accessgraph-postgres
  ports:
    - port: 5432
      targetPort: 5432

---

📋 Postgres Deployment (postgres.yaml)

Includes:

• PersistentVolumeClaim with gp2

• Postgres Deployment with init.sql from ConfigMap

• Internal ClusterIP Service

Ensure:

• EKS Node IAM role has ec2:CreateVolume

• Use subPath: pgdata in volumeMounts to avoid initdb directory conflict

---

🔐 Kubernetes Secrets

# Postgres URI Secret
kubectl -n teleport-access-graph create secret generic teleport-access-graph-postgres \
  --from-literal uri="postgres://access_graph_user:my_password@accessgraph-postgres.teleport-access-graph.svc.cluster.local:5432/access_graph_db?sslmode=require"
TLS Cert Secret
kubectl -n teleport-access-graph create secret tls teleport-access-graph-tls 

--cert=./certs/cert.crt --key=./certs/cert.key

---

🧩 tag-values.yaml for Access Graph

postgres:
  secretName: "teleport-access-graph-postgres"
tls:

existingSecretName: "teleport-access-graph-tls"
clusterHostCAs:

|

-----BEGIN CERTIFICATE-----

MIIC...your-host-CA-cert...==

-----END CERTIFICATE-----

---

🚀 Deploy Access Graph

helm upgrade --install teleport-access-graph teleport/access-graph \
  -n teleport-access-graph -f tag-values.yaml

Here is the output for PostGres DB pod and tag service for access-graph:

kubectl get all -n teleport-access-graph
NAME                                         READY   STATUS    RESTARTS   AGE
pod/postgres-858c485fd8-d4hj9                1/1     Running   0          37m
pod/teleport-access-graph-55f5bb8587-2rb87   1/1     Running   0          27m
pod/teleport-access-graph-55f5bb8587-6tjdb   1/1     Running   0          27m

NAME                            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/accessgraph-postgres    ClusterIP   1X2.20.1X3.58   <none>        5432/TCP   51m
service/teleport-access-graph   ClusterIP   1X2.20.1X2.27   <none>        443/TCP    27m

NAME                                    READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/postgres                1/1     1            1           51m
deployment.apps/teleport-access-graph   2/2     2            2           27m

NAME                                               DESIRED   CURRENT   READY   AGE
replicaset.apps/postgres-5f95f7565                 0         0         0       51m
replicaset.apps/postgres-858c485fd8                1         1         1       37m
replicaset.apps/teleport-access-graph-55f5bb8587   2         2         2       27m

---

🔧 Teleport Cluster Integration (aws-values.yaml)

chartMode: aws
clusterName: teleport.example.com
proxyListenerMode: multiplex
aws:
  region: "us-west-1"
  backendTable: "teleport-backend"
  auditLogTable: "teleport-audit"
  sessionRecordingBucket: "s3-teleport"
authentication:
  type: local
service:
  type: ClusterIP
serviceAccount:
  create: true
  name: "teleport-role"
highAvailability:
  replicaCount: 2  # This controls auth pod replicas
proxy:
  highAvailability:
    replicaCount: 2  # This controls proxy pod replicas
enterprise: true
ingress:
  enabled: true
  spec:
    ingressClassName: alb
annotations:
  ingress:
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=120
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
    alb.ingress.kubernetes.io/success-codes: 200,301,302
    alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:us-west-1:123456789:certificate/f986d2b4-a5be-4fcf-a3fc-95d04e124d0c"
podSecurityPolicy:
  enabled: false
auth:
  teleportConfig:
    teleport:
      diag_addr: 0.0.0.0:3000
    auth_service:
      enabled: true
    kubernetes_service:  #I have set this to false to not show as duplicate in the `tsh kube ls` output
      enabled: false
    # Add a section for configuring the Access Graph connection.
    access_graph:
      enabled: true
      endpoint: teleport-access-graph.teleport-access-graph.svc.cluster.local:443
      # Omit the `ca` key if your Teleport cluster already trusts the issuing CA.
      ca: /var/run/access-graph/ca.pem
# Provide the Access Graph CA to the Teleport Auth Service as a volume.
# Omit all of the below if your Teleport cluster already trusts the issuing CA.
extraVolumes:
  - name: tag-ca
    configMap:
      name: teleport-access-graph-ca
extraVolumeMounts:
  - name: tag-ca
    mountPath: /var/run/access-graph

Add teleport-access-graph-ca ConfigMap with contents of ca.crt

---

✅ Final Teleport Helm Upgrade

helm upgrade -n teleport -f aws-values.yaml nara-kluster teleport/teleport-cluster --version 17.5.2

---

🖼️ Screenshots of successful db connection, access Graph started log from the auth pod, and we can see the identity Security Icon in the WebUI

---

🧪 Troubleshooting

Error	Fix
ec2:CreateVolume Unauthorized	Add IAM permission to Node role
initdb: directory exists	Use subPath in volumeMounts
no deployed releases	Double-check Helm release name
WaitForFirstConsumer	Ensure Pod is scheduled to use the PVC

---

🏁 Conclusion

With these steps, Access Graph is securely deployed, integrated with Teleport, and TLS protected with IAM-backed persistent storage.

Let us know if you'd like a README.md copy or to publish this to GitHub Discussions!