Teleport server in docker and k8s cluster as agent

[matrixsh1t]

Hi!
I cannot find a comprehensible guide how to set up a teleport and connect k8s agents to it. I need help about that.
What am i missing?

I installed teleport with docker compose to a VM.
docker-compose.yml

services:
teleport:
image: teleport-with-ca
container_name: teleport
hostname: localhost
restart: unless-stopped
ports:
- "3025:3025" # Auth service
- "3080:3080" # Web UI / Proxy
environment:
- TELEPORT_ALLOW_NO_SECOND_FACTOR=true
- SSL_CERT_FILE=/etc/teleport/certs/teleport.crt
- SSL_CERT_DIR=/etc/teleport/certs
volumes:
- /home/user/teleport/config:/etc/teleport
- /home/user/teleport/data:/var/lib/teleport
- /home/user/teleport/certs:/etc/teleport/certs
entrypoint: ["/usr/local/bin/teleport"]
command: ["start", "--config=/etc/teleport/teleport.yaml"]

teleport.yaml
version: v3
teleport:
nodename: teleport-infra.my.kz
data_dir: /var/lib/teleport
join_params:
token_name: ""
method: token
log:
output: stderr
severity: INFO
format:
output: text
ca_pin: ""
diag_addr: ""
auth_service:
enabled: "yes"
listen_addr: 0.0.0.0:3025
proxy_listener_mode: multiplex
ssh_service:
enabled: "no"
proxy_service:
enabled: "yes"
public_addr: teleport-infra.my.kz:3080
web_listen_addr: 0.0.0.0:3080
https_keypairs:
- key_file: /etc/teleport/certs/teleport.key
cert_file: /etc/teleport/certs/teleport.crt
https_keypairs_reload_interval: 0s
acme: {}

Used DNS teleport-infra.my.kz which points to 192.168.176.4 (now, but i tried to use proxy also, more info below)

Created certs signed by corporate CA cert.
Installed CA into an image with teleport.
Dockerfile

FROM debian:bookworm-slim AS builder
COPY ca.crt /usr/local/share/ca-certificates/ca.crt
RUN apt-get update && apt-get install -y ca-certificates && update-ca-certificates

FROM public.ecr.aws/gravitational/teleport-distroless:18.2.4
COPY --from=builder /etc/ssl/certs /etc/ssl/certs

Configured agent in k8s.
agent-cluster-values.yaml

roles: kube,app,discovery
authToken: 2368fb95322a8f846a02e11a106a9925
proxyAddr: 192.168.176.4:3080
kubeClusterName: dev
labels:
teleport.internal/resource-id: 57d305c8-f23b-480d-ba26-e680f7f99f4e

Logs:

2025-12-17T07:07:58.306Z INFO Starting Teleport with a config file version:18.2.4 config_file:/etc/teleport/teleport.yaml common/teleport.go:879
2025-12-17T07:07:58.870Z INFO [PROC:1] Service is creating new listener. pid:7.1 type:diag address:0.0.0.0:3000 service/signals.go:242
2025-12-17T07:07:58.871Z INFO [DIAG:1] Starting diagnostic service. pid:7.1 listen_address:0.0.0.0:3000 service/service.go:3875
2025-12-17T07:07:58.871Z INFO [PROC:1] Service is creating new listener. pid:7.1 type:debug address:/var/lib/teleport/debug.sock service/signals.go:242
2025-12-17T07:07:58.933Z INFO [PROC:1] Joining the cluster with a secure token. pid:7.1 service/connect.go:532
2025-12-17T07:07:58.934Z INFO Attempting registration. method:via proxy server join/join.go:388
2025-12-17T07:07:58.956Z ERRO [PROC:1] Failed to establish connection to cluster. pid:7.1 identity:Instance error:[
ERROR REPORT:
Original Error: trace.aggregate pinging proxy to determine signature algorithm suite
Get "https://192.168.176.4:3080/webapi/find": tls: failed to verify certificate: x509: certificate signed by unknown authority
Stack Trace:
github.com/gravitational/teleport/lib/auth/join/join.go:398 github.com/gravitational/teleport/lib/auth/join.Register
github.com/gravitational/teleport/lib/service/connect.go:578 github.com/gravitational/teleport/lib/service.(*TeleportProcess).joinWithHostUUID
github.com/gravitational/teleport/lib/service/connect.go:524 github.com/gravitational/teleport/lib/service.(*TeleportProcess).join
github.com/gravitational/teleport/lib/service/connect.go:466 github.com/gravitational/teleport/lib/service.(*TeleportProcess).firstTimeConnectIdentityRemote
github.com/gravitational/teleport/lib/service/connect.go:437 github.com/gravitational/teleport/lib/service.(*TeleportProcess).firstTimeConnectIdentity
github.com/gravitational/teleport/lib/service/connect.go:378 github.com/gravitational/teleport/lib/service.(*TeleportProcess).firstTimeConnect
github.com/gravitational/teleport/lib/service/connect.go:220 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connect
github.com/gravitational/teleport/lib/service/connect.go:193 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connectToAuthService
github.com/gravitational/teleport/lib/service/connect.go:87 github.com/gravitational/teleport/lib/service.(*TeleportProcess).reconnectToAuthService
github.com/gravitational/teleport/lib/service/service.go:3515 github.com/gravitational/teleport/lib/service.(*TeleportProcess).RegisterWithAuthServer.func1
github.com/gravitational/teleport/lib/service/supervisor.go:605 github.com/gravitational/teleport/lib/service.(*LocalService).Serve
github.com/gravitational/teleport/lib/service/supervisor.go:328 github.com/gravitational/teleport/lib/service.(*LocalSupervisor).serve.func1
runtime/asm_amd64.s:1700 runtime.goexit
User Message: pinging proxy to determine signature algorithm suite
Get "https://192.168.176.4:3080/webapi/find": tls: failed to verify certificate: x509: certificate signed by unknown authority] service/connect.go:102
2025-12-17T07:08:05.728Z INFO [PROC:1] Joining the cluster with a secure token. pid:7.1 service/connect.go:532
2025-12-17T07:08:05.728Z INFO Attempting registration. method:via proxy server join/join.go:388
2025-12-17T07:08:05.736Z ERRO [PROC:1] Failed to establish connection to cluster. pid:7.1 identity:Instance error:[
ERROR REPORT:
Original Error: trace.aggregate pinging proxy to determine signature algorithm suite
Get "https://192.168.176.4:3080/webapi/find": tls: failed to verify certificate: x509: certificate signed by unknown authority
Stack Trace:
github.com/gravitational/teleport/lib/auth/join/join.go:398 github.com/gravitational/teleport/lib/auth/join.Register
github.com/gravitational/teleport/lib/service/connect.go:578 github.com/gravitational/teleport/lib/service.(*TeleportProcess).joinWithHostUUID
github.com/gravitational/teleport/lib/service/connect.go:524 github.com/gravitational/teleport/lib/service.(*TeleportProcess).join
github.com/gravitational/teleport/lib/service/connect.go:466 github.com/gravitational/teleport/lib/service.(*TeleportProcess).firstTimeConnectIdentityRemote
github.com/gravitational/teleport/lib/service/connect.go:437 github.com/gravitational/teleport/lib/service.(*TeleportProcess).firstTimeConnectIdentity
github.com/gravitational/teleport/lib/service/connect.go:378 github.com/gravitational/teleport/lib/service.(*TeleportProcess).firstTimeConnect
github.com/gravitational/teleport/lib/service/connect.go:220 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connect
github.com/gravitational/teleport/lib/service/connect.go:193 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connectToAuthService
github.com/gravitational/teleport/lib/service/connect.go:87 github.com/gravitational/teleport/lib/service.(*TeleportProcess).reconnectToAuthService
github.com/gravitational/teleport/lib/service/service.go:3515 github.com/gravitational/teleport/lib/service.(*TeleportProcess).RegisterWithAuthServer.func1
github.com/gravitational/teleport/lib/service/supervisor.go:605 github.com/gravitational/teleport/lib/service.(*LocalService).Serve
github.com/gravitational/teleport/lib/service/supervisor.go:328 github.com/gravitational/teleport/lib/service.(*LocalSupervisor).serve.func1
runtime/asm_amd64.s:1700 runtime.goexit
User Message: pinging proxy to determine signature algorithm suite
Get "https://192.168.176.4:3080/webapi/find": tls: failed to verify certificate: x509: certificate signed by unknown authority] service/connect.go:102
2025-12-17T07:27:28.873Z WARN [UPLOAD:1] The Instance connector is still not available, process-wide services will not function pid:7.1 service/service.go:3549
2025-12-17T07:27:28.882Z WARN [PROC:1] The Instance connector is still not available, process-wide services will not function pid:7.1 service/service.go:3549
2025-12-17T07:27:28.940Z WARN [PROC:1] The Instance connector is still not available, process-wide services will not function pid:7.1 service/service.go:3549
2025-12-17T07:27:28.947Z WARN [PROC:1] The Instance connector is still not available, process-wide services will not function pid:7.1 service/service.go:3549
2025-12-17T07:27:58.874Z WARN [UPLOAD:1] The Instance connector is still not available, process-wide services will not function pid:7.1 service/service.go:3549
2025-12-17T07:27:58.881Z WARN [PROC:1] The Instance connector is still not available, process-wide services will not function pid:7.1 service/service.go:3549
2025-12-17T07:27:58.940Z WARN [PROC:1] The Instance connector is still not available, process-wide services will not function pid:7.1 service/service.go:3549
2025-12-17T07:27:58.948Z WARN [PROC:1] The Instance connector is still not available, process-wide services will not function pid:7.1 service/service.go:3549
2025-12-17T07:28:13.948Z INFO [PROC:1] Joining the cluster with a secure token. pid:7.1 service/connect.go:532

I also tried to use insecure_skip_verify: yes to proxy_service section of teleport.yaml. It did not work either.

Tried to set VM with teleport behind reverse proxy (Nginx), but found out that agent connection cannot break thru a regular Nginx (config for https).
Scheme:
DNS:http://teleport-infra.my.kz -> nginx -> https://192.168.176.4:3080

Do i need a separate proxy for teleport in this case?

[stevenGravy]

Is there a specific reason you are setting to the IP instead of the DNS in the k8s agent? The dns would be expected to be used.

[webvictim]

Agent connections can work behind layer 7 proxies like nginx - there's a guide here on the config you'd need for that: #26445

If your certificate for the proxy is internally signed (and not publicly trusted) then you'd want to provide the public key of the CA via the tls.existingCASecretName Helm value, so that the agent knows to trust it.

To use an IP address rather than a DNS name for connection, you'd also require that the TLS certificate you generate and provide to your Teleport proxy has the correct IP SAN added to it.

[matrixsh1t]

I managed to connect my k8s cluster agent to teleport finally. Thank you guys for the advises.

Used corporate CA cert to create certs for teleport. Added this CA to teleport docker image.
Used DNS: teleport-infra.my.kz pointing to 192.168.176.4 (VM with teleport in docker)

Now the config is like that:
docker-compose.yml
services:
teleport:
image: teleport-with-ca
container_name: teleport
hostname: teleport-infra.my.kz
restart: unless-stopped
ports:
- "3025:3025" # Auth service
- "3080:3080" # Proxy / Web UI
environment:
- TELEPORT_ALLOW_NO_SECOND_FACTOR=true
- SSL_CERT_FILE=/etc/teleport/certs/ca.crt
volumes:
- /home/user/teleport/config:/etc/teleport
- /home/user/teleport/data:/var/lib/teleport
- /home/user/teleport/certs:/etc/teleport/certs
entrypoint: ["/usr/local/bin/teleport"]
command: ["start", "--config=/etc/teleport/teleport.yaml"]

teleport.yaml
version: v3
teleport:
nodename: teleport-infra.my.kz
data_dir: /var/lib/teleport
log:
output: stderr
severity: INFO
format:
output: text
diag_addr: ""
auth_service:
enabled: "yes"
listen_addr: 0.0.0.0:3025
proxy_listener_mode: multiplex
cluster_name: teleport-infra.my.kz
ssh_service:
enabled: "no"
proxy_service:
enabled: "yes"
public_addr: teleport-infra.my.kz:3080
web_listen_addr: 0.0.0.0:3080
https_keypairs:
- key_file: /etc/teleport/certs/teleport.key
cert_file: /etc/teleport/certs/teleport.crt
acme: {}

agent.yaml
roles: kube,app,discovery
authToken: e26d6c83b6ae061hfhfs89a106f8697ad27
proxyAddr: teleport-infra.my.kz:3080
kubeClusterName: dev
labels:
teleport.internal/resource-id: 54d68ddb-a0bf-4c4f-966b-126b9be5f0b9
tls:
existingCASecretName: teleport-proxy-ca

and created secret with CA cert
kubectl -n teleport create secret generic teleport-proxy-ca --from-file=ca.crt=ca.pem

The cluster is connected now. So I added role and a user to teleport.
kind: role
version: v7
metadata:
name: kube-readonly
spec:
allow:
kubernetes_labels:
"": ""
kubernetes_groups:
- view
kubernetes_users:
- teleport-readonly

docker exec -i teleport tctl create -f - < kube-readonly.yaml
docker exec -i teleport tctl users add dev1 --roles=kube-readonly
User "dev1" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
https://teleport-infra.my.kz:3080/web/invite/cc05e9519f8bed253d7513ff67cfea92
Then I went to GUI and created a password for the user (from mac).

When i try to login from my mac (client) I get this:
tsh login --proxy=teleport-infra.my.kz:3080 --auth=local --user=dev1 teleport-infra.my.kz
ERROR: Get "https://teleport-infra.my.kz:3080/webapi/ping/local": tls: failed to verify certificate: x509: “teleport-infra.my.kz” certificate is not standards compliant

tsh login --proxy=teleport-infra.my.kz:3080 --user=dev1 teleport-my.my.kz
ERROR: Get "https://teleport-infra.my.kz:3080/webapi/ping": tls: failed to verify certificate: x509: “teleport-infra.my.kz” certificate is not standards compliant

tsh login --proxy=teleport-infra.my.kz:3080 --auth=local --user=dev1 teleport-infra.my.kz --insecure works, but I think this is not production variant.

Where do i need to set the cert for tsh?

[webvictim]

Usually the certificate is not standards compliant error can mean one or more of the things on this list:

• its validity period is too long (more than 825 days on older versions of MacOS, or 398 days on newer versions)
• it doesn't have a DNS SAN (Subject Alternative Name) set which matches your proxy's URL
• it uses a weak hash/key algorithm like SHA-1 or RSA 1024
• it has incorrect EKU (Extended Key Usage) values - Server Authentication should be all that's needed