Advanced Configuration

Advanced configuration options for power users and enterprise deployments.

Custom Domains

Use your own domain for environment endpoints.

Setup

  1. Go to Settings → Domains
  2. Add your custom domain (e.g., labs.yourcompany.com)
  3. Add the DNS records shown
  4. Verify domain ownership

DNS Configuration

Add the records shown in Settings → Domains. The values below are a sample; the TXT verification token shown to you will differ:

Type    Name                    Value
CNAME   labs                    env.teabar.dev
TXT     _teabar.labs            verify=abc123xyz

A CNAME applies only to the name it is set on, not to names beneath it, so environment hostnames such as gitlab.my-training.labs.yourcompany.com resolve only if the records you add cover them (for example a wildcard *.labs entry, if the Domains page lists one). Use exactly the records the Domains page shows rather than this sample.

Using Custom Domains

Once verified, environments use your domain:

# Default
https://gitlab.my-training.env.teabar.dev

# Custom domain
https://gitlab.my-training.labs.yourcompany.com

Network Configuration

Default Network Settings

By default, environments use:

  • CIDR: 10.0.0.0/16
  • Public IPs enabled
  • Firewall rules for common ports

Custom Network CIDR

Override in your blueprint:

spec:
  network:
    cidr: 172.16.0.0/16
    public: true

Private Networking

For environments without public IPs:

spec:
  network:
    public: false
    vpn:
      enabled: true
      type: wireguard

Access via VPN:

# Download VPN config
teactl env vpn my-env --output wireguard.conf

# Connect with WireGuard
wg-quick up ./wireguard.conf

The downloaded file contains the tunnel's private key: keep it at mode 0600 and out of version control, and tear the tunnel down with wg-quick down when the session ends.

Firewall Rules

Custom firewall rules (sources are lists of CIDRs; 0.0.0.0/0 means any IPv4 address):

spec:
  network:
    firewall:
      ingress:
        - port: 443
          protocol: tcp
          sources: ['0.0.0.0/0']
        - port: 22
          protocol: tcp
          sources: ['10.0.0.0/8'] # Internal only

The 10.0.0.0/8 source covers the default 10.0.0.0/16 environment CIDR. If you override the CIDR (for example to 172.16.0.0/16), change internal-only sources to match; otherwise hosts inside the environment are locked out while the rule still looks restrictive. Keep management ports such as 22 off 0.0.0.0/0.
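A small lint for a firewall spec like the one above, added here as example code rather than a Teabar feature: it flags management ports exposed to 0.0.0.0/0 and rules whose sources do not contain the environment's own CIDR. The spec is embedded as an already-parsed dict (constructed, with the CIDR overridden to 172.16.0.0/16 and a database port added), and the MANAGEMENT_PORTS list is this example's assumption.

```python
import ipaddress

# Constructed sample: the network section of a blueprint as the YAML above
# would look once parsed (embedded as a dict so this runs offline). The
# CIDR is the custom 172.16.0.0/16 and a database port was added.
SAMPLE_SPEC = {
    "network": {
        "cidr": "172.16.0.0/16",
        "public": True,
        "firewall": {
            "ingress": [
                {"port": 443, "protocol": "tcp", "sources": ["0.0.0.0/0"]},
                {"port": 22, "protocol": "tcp", "sources": ["10.0.0.0/8"]},   # meant as "internal only"
                {"port": 5432, "protocol": "tcp", "sources": ["0.0.0.0/0"]},  # database open to the world
            ]
        },
    }
}

# Ports that should never be reachable from anywhere. The list is this
# example's assumption; extend it for the components a blueprint deploys.
MANAGEMENT_PORTS = {22, 3389, 3306, 5432, 6379}
ANY = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
DEFAULT_CIDR = "10.0.0.0/16"  # the page's default environment CIDR


def covers(source, env_cidr):
    """True if every address of env_cidr falls inside source (same IP family)."""
    return source.version == env_cidr.version and env_cidr.subnet_of(source)


def lint_firewall(spec):
    """Return human-readable findings for the ingress rules in a blueprint spec.

    Check 1: a management port must not be open to 0.0.0.0/0 (or ::/0).
    Check 2: a rule's sources must include the environment's own CIDR;
             otherwise hosts inside the environment are locked out while
             the rule still looks "restrictive".
    """
    net = spec["network"]
    env_cidr = ipaddress.ip_network(net.get("cidr", DEFAULT_CIDR))
    findings = []
    for rule in net.get("firewall", {}).get("ingress", []):
        label = f"port {rule['port']}/{rule.get('protocol', 'tcp')}"
        sources = [ipaddress.ip_network(s) for s in rule.get("sources", [])]
        if rule["port"] in MANAGEMENT_PORTS and any(s in ANY for s in sources):
            findings.append(f"{label} is exposed to the whole internet")
        if sources and not any(covers(s, env_cidr) for s in sources):
            findings.append(
                f"{label} sources {rule['sources']} do not include the environment CIDR {env_cidr}"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_firewall(SAMPLE_SPEC):
        print("WARN:", finding)
```

Run against the sample it reports two findings: the port 22 rule no longer admits the environment's own hosts, and the database port is world-reachable. With the default 10.0.0.0/16 CIDR the port 22 rule passes.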

Webhooks

Receive notifications about environment events.

Setup

  1. Go to Settings → Webhooks
  2. Add a webhook URL
  3. Select events to receive
  4. Save and test

Events

Event                  Description
env.created            Environment created
env.ready              Environment ready for use
env.destroyed          Environment destroyed
env.error              Environment error
participant.joined     Participant joined
participant.activity   Participant activity

Payload Format

{
	"event": "env.ready",
	"timestamp": "2024-01-15T10:30:00Z",
	"organization": "my-org",
	"environment": {
		"name": "march-training",
		"blueprint": "cicd-training",
		"status": "running"
	},
	"metadata": {
		"components": ["gitlab", "runners"],
		"participants": 20
	}
}

Webhook Security

Verify the signature on every delivery before parsing or acting on the body:

import hmac
import hashlib

def verify_signature(payload: bytes, signature: str, secret: str) -> bool:
    # MAC the raw request body exactly as received: re-serialising the
    # parsed JSON can change whitespace or key order and break the check.
    expected = hmac.new(
        secret.encode(),
        payload,
        hashlib.sha256
    ).hexdigest()
    # Constant-time comparison; the header carries "sha256=<hex digest>".
    return hmac.compare_digest(f"sha256={expected}", signature)

The signature is sent in the X-Teabar-Signature header as sha256= followed by the hex HMAC-SHA256 of the raw request body, keyed with the webhook's secret. Reject deliveries whose header is missing or malformed, and serve the endpoint over HTTPS only. The timestamp field is covered by the signature, so it can also be used to drop stale or replayed deliveries.
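A complete receiver-side check, added here as example code rather than anything Teabar ships: it parses the header, MACs the raw body, parses the JSON only after the MAC is confirmed, and uses the signed timestamp to reject replays. The five-minute window, the DEMO_SECRET value and the constructed delivery are this example's assumptions; sign() plays the sender so the exchange runs offline.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# How old a signed event may be before it is treated as a replay. Teabar does
# not document a window; five minutes is this example's assumption.
MAX_SKEW = timedelta(minutes=5)


class WebhookError(Exception):
    """Raised for any delivery that must be dropped."""


def sign(secret: str, body: bytes) -> str:
    """Sender side: header value is sha256=<hex HMAC-SHA256 over the raw body>."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()


def handle_webhook(headers: dict, body: bytes, secret: str, now: datetime) -> dict:
    """Receiver side: authenticate a delivery and return the parsed event.

    The MAC is computed over the raw bytes as received; re-serialising the
    parsed JSON could change whitespace or key order and break verification.
    The body is parsed only after the MAC checks out, and the signed
    timestamp is then compared with `now` to reject stale or replayed events.
    """
    header = headers.get("X-Teabar-Signature", "")
    scheme, _, digest = header.partition("=")
    if scheme != "sha256" or len(digest) != 64:
        raise WebhookError("missing or malformed X-Teabar-Signature header")
    if not hmac.compare_digest(sign(secret, body), header):
        raise WebhookError("signature mismatch")
    event = json.loads(body)
    sent_at = datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))
    if abs(now - sent_at) > MAX_SKEW:
        raise WebhookError(f"timestamp {event['timestamp']} outside the replay window")
    return event


# Constructed delivery for demonstration; the secret is a placeholder value.
DEMO_SECRET = "whsec-example-do-not-use"
DEMO_BODY = json.dumps({
    "event": "env.ready",
    "timestamp": "2024-01-15T10:30:00Z",
    "organization": "my-org",
    "environment": {"name": "march-training", "blueprint": "cicd-training", "status": "running"},
    "metadata": {"components": ["gitlab", "runners"], "participants": 20},
}).encode()
DEMO_HEADERS = {"X-Teabar-Signature": sign(DEMO_SECRET, DEMO_BODY)}
DEMO_NOW = datetime(2024, 1, 15, 10, 31, tzinfo=timezone.utc)   # one minute after sending
DEMO_LATE = DEMO_NOW + timedelta(hours=2)                         # a replayed delivery

if __name__ == "__main__":
    print(handle_webhook(DEMO_HEADERS, DEMO_BODY, DEMO_SECRET, DEMO_NOW)["event"])
```

In a real handler, pass the request's raw body bytes and the server's current UTC time; any WebhookError should produce a 4xx response without logging the body as trusted data.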


Cost Limits

Set spending limits to prevent unexpected charges.

Organization Limits

teactl org set-limit --monthly 500 --alert-at 400

Per-Environment Limits

In blueprint:

spec:
  limits:
    cost: 50 # Max $50 per session
    duration: 12h # Max 12 hours

Alerts

Configure alerts in Settings → Billing → Alerts:

  • Email when 80% of limit reached
  • Slack notification at 90%
  • Auto-destroy at 100%

Proxy Configuration

For environments behind corporate proxies.

CLI Proxy

export HTTP_PROXY="http://proxy.company.com:8080"
export HTTPS_PROXY="http://proxy.company.com:8080"
export NO_PROXY="localhost,127.0.0.1,.company.com"

teactl env create ...

Blueprint Proxy

For environments that need proxy access:

spec:
  proxy:
    http: http://proxy.company.com:8080
    https: http://proxy.company.com:8080
    no_proxy:
      - localhost
      - .internal

Secrets Management

Teabar integrates with OpenBao (an open-source fork of HashiCorp Vault) for secret management.

Secret Types

Type          Description                     Example
Generated     Auto-generated credentials      Database passwords
External      Fetched from secret provider    API keys from Vault
Environment   Injected into workloads         DATABASE_URL

Generated Secrets

Teabar generates secrets with crypto/rand, a cryptographically secure random source, so generated values are never derived from predictable state:

# In blueprint
spec:
  resources:
    secrets:
      - name: db-password
        type: generated
        spec:
          length: 24             # Minimum 24 characters
          charset: alphanumeric  # 62 symbols; 24 of them give about 143 bits of entropy

The 128+ bits of entropy promised for generated secrets depends on both values: a smaller charset such as lowercase-only letters needs about 28 characters to reach the same floor.
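To make the entropy arithmetic explicit, here is an added example (not Teabar's generator) that computes the entropy of a charset/length pair, refuses specs below 128 bits, and draws the secret with Python's secrets module as a stand-in for crypto/rand. The charset names other than alphanumeric and the 128-bit floor are this example's assumptions.

```python
import math
import secrets
import string

# Character sets a generated-secret spec can name. "alphanumeric" matches the
# blueprint above; the other names are this example's additions.
CHARSETS = {
    "alphanumeric": string.ascii_letters + string.digits,   # 62 symbols
    "lowercase": string.ascii_lowercase,                    # 26 symbols
    "hex": string.hexdigits[:16],                           # 16 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,
}

MIN_ENTROPY_BITS = 128.0  # the floor assumed for generated secrets


def entropy_bits(charset: str, length: int) -> float:
    """Bits of entropy for `length` independent uniform draws from `charset`."""
    return length * math.log2(len(CHARSETS[charset]))


def min_length_for(charset: str, bits: float = MIN_ENTROPY_BITS) -> int:
    """Shortest length that reaches `bits` of entropy with `charset`."""
    return math.ceil(bits / math.log2(len(CHARSETS[charset])))


def generate(spec: dict) -> str:
    """Generate a secret for a blueprint `spec` mapping, refusing weak specs.

    Uses `secrets.choice` (OS CSPRNG) as a stand-in for crypto/rand; it
    samples the alphabet uniformly, so no modulo bias is introduced.
    """
    charset, length = spec["charset"], int(spec["length"])
    bits = entropy_bits(charset, length)
    if bits < MIN_ENTROPY_BITS:
        raise ValueError(
            f"{charset} x {length} gives {bits:.1f} bits; need length >= "
            f"{min_length_for(charset)} for {MIN_ENTROPY_BITS:.0f} bits"
        )
    alphabet = CHARSETS[charset]
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(generate({"length": 24, "charset": "alphanumeric"}))
```

The same 24-character length yields about 143 bits for the alphanumeric set but only about 113 bits for lowercase letters, which the generator rejects; hex needs 32 characters to reach the floor.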

External Secret Providers

Connect to external secret stores:

# Organization settings
secrets:
  providers:
    - name: vault
      type: hashicorp-vault
      config:
        address: https://vault.internal:8200
        auth:
          method: kubernetes
          role: teabar
          
    - name: aws
      type: aws-secrets-manager
      config:
        region: us-east-1

Using External Secrets

Reference external secrets in blueprints:

spec:
  resources:
    secrets:
      - name: api-key
        type: external
        spec:
          provider: vault
          path: secret/data/api-keys/stripe
          key: api_key

Key Rotation

Automatic rotation for generated secrets:

secrets:
  rotation:
    enabled: true
    interval: 30d
    notifyBefore: 7d

Audit Logging

Teabar maintains tamper-evident audit logs with cryptographic signing for compliance and security.

Enable Audit Logs

  1. Go to Settings → Security → Audit
  2. Enable audit logging
  3. Configure retention period

Log Format

{
	"id": "01HQ8ABCDEF123456789",
	"timestamp": "2024-01-15T10:30:00Z",
	"actor": {
		"type": "user",
		"id": "user-123",
		"email": "[email protected]",
		"ip_address": "203.0.113.1"
	},
	"action": {
		"type": "environment.create",
		"category": "resource_management",
		"result": "success"
	},
	"resource": {
		"type": "environment",
		"id": "env_abc123",
		"name": "march-training"
	},
	"signature": {
		"algorithm": "Ed25519",
		"key_id": "audit-key-2024-03",
		"valid": true
	}
}

Tamper-Evidence

Audit logs use a hash chain structure:

  • Each entry includes the hash of the previous entry, so the log forms an ordered chain from the first record
  • Each entry is cryptographically signed (Ed25519, under the key named by key_id)
  • Editing, deleting or reordering an entry breaks the chain at that point, and the break is detectable
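An added illustration of the chain check, not Teabar's implementation: the canonical form (sorted-key JSON with derived fields removed), the field names prev_hash/hash and the all-zero genesis value are this example's assumptions, since the page does not document them. The entries are constructed from the log format above. Signatures are not checked here because that needs the audit public key; teactl audit verify covers that step.

```python
import hashlib
import json

# Fields computed from the entry, excluded when hashing its content.
DERIVED_FIELDS = ("hash", "prev_hash", "signature")
GENESIS = "0" * 64  # prev_hash of the first entry (assumption)


def canonical(entry: dict) -> bytes:
    """Deterministic serialisation of the hashed content: sorted keys, no
    insignificant whitespace, derived fields removed (this example's form)."""
    content = {k: v for k, v in entry.items() if k not in DERIVED_FIELDS}
    return json.dumps(content, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict, prev_hash: str) -> str:
    """hash = SHA-256(prev_hash || canonical(entry)), linking the entry to its predecessor."""
    return hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()


def build_chain(events: list) -> list:
    """What the log writer does: append prev_hash and hash to each event in order."""
    chain, prev = [], GENESIS
    for ev in events:
        entry = dict(ev, prev_hash=prev)
        entry["hash"] = entry_hash(entry, prev)
        chain.append(entry)
        prev = entry["hash"]
    return chain


def verify_chain(chain: list):
    """Return (True, None) if every link holds, else (False, index of first break).

    Per entry: the stored hash must match a recomputation over its content,
    and prev_hash must equal the hash of the entry before it. Editing,
    deleting or reordering an entry breaks one of these at or after the
    affected position.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("prev_hash") != prev or entry.get("hash") != entry_hash(entry, prev):
            return False, i
        prev = entry["hash"]
    return True, None


# Constructed entries modelled on the log format above (actor/resource trimmed).
SAMPLE_EVENTS = [
    {"id": "01HQ8A", "timestamp": "2024-01-15T10:30:00Z", "actor": {"id": "user-123"},
     "action": {"type": "environment.create", "result": "success"}},
    {"id": "01HQ8B", "timestamp": "2024-01-15T10:31:00Z", "actor": {"id": "user-123"},
     "action": {"type": "secret.read", "result": "success"}},
    {"id": "01HQ8C", "timestamp": "2024-01-15T10:32:00Z", "actor": {"id": "user-456"},
     "action": {"type": "environment.destroy", "result": "denied"}},
]


def tampered_chain() -> list:
    """The sample chain with the middle entry's result altered after the fact."""
    chain = build_chain(SAMPLE_EVENTS)
    chain[1] = dict(chain[1], action={"type": "secret.read", "result": "denied"})
    return chain


if __name__ == "__main__":
    print(verify_chain(build_chain(SAMPLE_EVENTS)))  # (True, None)
    print(verify_chain(tampered_chain()))            # (False, 1)
```

Deleting an entry or swapping two neighbours is caught the same way, because the surviving prev_hash values no longer line up; the index returned is where an investigator starts looking.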

Verify Log Integrity

# Verify audit log chain
teactl audit verify --since 30d

# Output shows verification status
# Chain integrity: ✓ Valid
# Signatures: ✓ All valid

Export Logs

# Export with signed manifest
teactl audit export --start 2024-01-01 --end 2024-01-31 --output audit.json --include-manifest

# Export for SIEM integration
teactl audit export --format cef --since 24h  # Common Event Format

Self-Hosted Deployments

For on-premises or air-gapped deployments, see our self-hosting guide.

Requirements

  • Kubernetes 1.25+
  • PostgreSQL 14+
  • Redis 7+
  • 4+ CPU cores, 8GB+ RAM

Quick Start

helm repo add teabar https://charts.teabar.dev
helm install teabar teabar/teabar \
  --namespace teabar \
  --create-namespace \
  --values values.yaml