[v16] Make the Slack chart embed tbot

Makefile

@@ -795,20 +795,20 @@ helmunit/installed:
 .PHONY: test-helm
 test-helm: helmunit/installed
 	helm unittest -3 --with-subchart=false examples/chart/teleport-cluster
-	helm unittest -3 examples/chart/teleport-kube-agent
-	helm unittest -3 examples/chart/teleport-cluster/charts/teleport-operator
-	helm unittest -3 examples/chart/access/*
-	helm unittest -3 examples/chart/event-handler
-	helm unittest -3 examples/chart/tbot
+	helm unittest -3 --with-subchart=false examples/chart/teleport-kube-agent
+	helm unittest -3 --with-subchart=false examples/chart/teleport-cluster/charts/teleport-operator
+	helm unittest -3 --with-subchart=false examples/chart/access/*
+	helm unittest -3 --with-subchart=false examples/chart/event-handler
+	helm unittest -3 --with-subchart=false examples/chart/tbot
 
 .PHONY: test-helm-update-snapshots
 test-helm-update-snapshots: helmunit/installed
 	helm unittest -3 -u --with-subchart=false examples/chart/teleport-cluster
-	helm unittest -3 -u examples/chart/teleport-kube-agent
-	helm unittest -3 -u examples/chart/teleport-cluster/charts/teleport-operator
-	helm unittest -3 -u examples/chart/access/*
-	helm unittest -3 -u examples/chart/event-handler
-	helm unittest -3 -u examples/chart/tbot
+	helm unittest -3 -u --with-subchart=false examples/chart/teleport-kube-agent
+	helm unittest -3 -u --with-subchart=false examples/chart/teleport-cluster/charts/teleport-operator
+	helm unittest -3 -u --with-subchart=false examples/chart/access/*
+	helm unittest -3 -u --with-subchart=false examples/chart/event-handler
+	helm unittest -3 -u --with-subchart=false examples/chart/tbot
 
 #
 # Runs all Go tests except integration, called by CI/CD.

docs/pages/includes/helm-reference/zz_generated.access-slack.mdx

@@ -21,6 +21,9 @@ For example:
   - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
   - joining an Auth: `teleport-auth.example.com:3025`
 
+When the address is empty, `tbot.teleportProxyAddress`
+or `tbot.teleportAuthAddress` will be used if they are set.
+
 ### `teleport.identitySecretName`
 
 | Type | Default |
@@ -144,6 +147,77 @@ The value can also be set to a file path (such as `/var/log/teleport.log`)
 to write logs to a file. Bear in mind that a few service startup messages
 will still go to `stderr` for resilience.
 
+## `tbot`
+
+`tbot` controls the optional tbot deployment that obtains and renews
+credentials for the plugin to connect to Teleport.
+Only default and mandatory values are described here, see the tbot chart reference
+for the full list of supported values.
+
+### `tbot.enabled`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`tbot.enabled` controls if tbot should be deployed with the slack plugin.
+
+### `tbot.clusterName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.clusterName` is the name of the Teleport cluster tbot and the Slack plugin will join.
+Setting this value is mandatory when tbot is enabled.
+
+### `tbot.teleportProxyAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportProxyAddress` is the teleport Proxy Service address the bot will connect to.
+This must contain the port number, usually 443 or 3080 for Proxy Service.
+Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+This is mandatory to connect to Teleport Enterprise (Cloud).
+
+This setting is mutually exclusive with `teleportAuthAddress`.
+
+For example:
+```yaml
+tbot:
+  teleportProxyAddress: "test.teleport.sh:443"
+```
+
+### `tbot.teleportAuthAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportAuthAddress` is the teleport Auth Service address the bot will connect to.
+This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+Helm release and have direct access to the Auth Service.
+Else, you should prefer connecting via the Proxy Service.
+
+This setting is mutually exclusive with `teleportProxyAddress`.
+
+For example:
+```yaml
+teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+```
+
+### `tbot.joinMethod`
+
+| Type | Default |
+|------|---------|
+| `string` | `"kubernetes"` |
+
+`tbot.joinMethod` describes how tbot joins the Teleport cluster.
+See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+
 ## `annotations`
 
 `annotations` contains annotations to apply to the different Kubernetes

examples/chart/.gitignore

@@ -0,0 +1 @@
+**.tgz

examples/chart/access/slack/Chart.yaml

@@ -6,3 +6,8 @@ description: A Helm chart for the Teleport Slack Plugin
 type: application
 version: *version
 appVersion: *version
+
+dependencies:
+  - name: tbot
+    version: *version
+    condition: tbot.enabled

examples/chart/access/slack/charts/tbot

@@ -0,0 +1 @@
+../../../tbot/

examples/chart/access/slack/templates/_helpers.tpl

@@ -60,3 +60,23 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{- define "slack.identitySecretName" -}}
+{{- if .Values.teleport.identitySecretName -}}
+{{- .Values.teleport.identitySecretName -}}
+{{- else if .Values.tbot.enabled -}}
+  {{- .Release.Name }}-{{ default .Values.tbot.nameOverride "tbot" }}-out
+{{- end }}
+{{- end -}}
+
+{{- define "slack.identitySecretPath" -}}
+{{- if .Values.tbot.enabled -}}
+identity
+{{- else -}}
+{{- .Values.teleport.identitySecretPath -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "slack.teleportAddress" -}}
+
+{{- end -}}

examples/chart/access/slack/templates/configmap.yaml

@@ -11,8 +11,8 @@ metadata:
 data:
   teleport-slack.toml: |
     [teleport]
-    addr = "{{ .Values.teleport.address }}"
-    identity = "/var/lib/teleport/plugins/slack/teleport-identity/{{ .Values.teleport.identitySecretPath }}"
+    addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | quote }}
+    identity = "/var/lib/teleport/plugins/slack/teleport-identity/{{ include "slack.identitySecretPath" . }}"
     refresh_identity = true
 
     [slack]

examples/chart/access/slack/templates/deployment.yaml

@@ -72,7 +72,7 @@ spec:
             defaultMode: 0600
         - name: teleport-identity
           secret:
-            secretName: "{{ .Values.teleport.identitySecretName }}"
+            secretName: {{ include "slack.identitySecretName" . | quote }}
             defaultMode: 0600
         - name: {{ .Values.secretVolumeName }}
           secret:

examples/chart/access/slack/values.yaml

@@ -13,6 +13,9 @@ teleport:
   # For example:
   #   - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
   #   - joining an Auth: `teleport-auth.example.com:3025`
+  #
+  # When the address is empty, `tbot.teleportProxyAddress`
+  # or `tbot.teleportAuthAddress` will be used if they are set.
   address: ""
   # teleport.identitySecretName(string) -- is the name of the Kubernetes secret
   # that contains the credentials for the connection to your Teleport cluster.
@@ -89,6 +92,54 @@ log:
   # will still go to `stderr` for resilience.
   output: stdout
 
+# tbot -- controls the optional tbot deployment that obtains and renews
+# credentials for the plugin to connect to Teleport.
+# Only default and mandatory values are described here, see the tbot chart reference
+# for the full list of supported values.
+tbot:
+  # tbot.enabled(bool) -- controls if tbot should be deployed with the slack plugin.
+  enabled: false
+  # tbot.clusterName(string) -- is the name of the Teleport cluster tbot and the Slack plugin will join.
+  # Setting this value is mandatory when tbot is enabled.
+  clusterName: ""
+  # tbot.teleportProxyAddress(string) -- is the teleport Proxy Service address the bot will connect to.
+  # This must contain the port number, usually 443 or 3080 for Proxy Service.
+  # Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+  # This is mandatory to connect to Teleport Enterprise (Cloud).
+  #
+  # This setting is mutually exclusive with `teleportAuthAddress`.
+  #
+  # For example:
+  # ```yaml
+  # tbot:
+  #   teleportProxyAddress: "test.teleport.sh:443"
+  # ```
+  teleportProxyAddress: ""
+  # tbot.teleportAuthAddress(string) -- is the teleport Auth Service address the bot will connect to.
+  # This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+  # should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+  # Helm release and have direct access to the Auth Service.
+  # Else, you should prefer connecting via the Proxy Service.
+  #
+  # This setting is mutually exclusive with `teleportProxyAddress`.
+  #
+  # For example:
+  # ```yaml
+  # teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+  # ```
+  teleportAuthAddress: ""
+
+  # tbot.joinMethod(string) -- describes how tbot joins the Teleport cluster.
+  # See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+  joinMethod: "kubernetes"
+  token: ""
+
+  # Don't touch the tbot values below, this will break the chart.
+  # This ensures that tbot.fullname is not shortened if the release name contains "tbot"
+  nameOverride: tbot
+  defaultOutput:
+    enabled: true
+
 secretVolumeName: "password-file"
 
 # annotations -- contains annotations to apply to the different Kubernetes