tbot env variable configurations

[taraspos]

Summary

Add following env variable configurations for the tbot cli:

• TBOT_DEBUG - enable debug mode
• TBOT_CONFIG_PATH - provide location to the tbot config via env variable
• TBOT_CONFIG - (hidden) provide base64 encoded tbot config, similarly like teleport does

  • teleport/tool/teleport/common/teleport.go

    Lines 153 to 155 in 39a5fa3

    	start.Flag("config-string",
    	"Base64 encoded configuration string").Hidden().Envar(defaults.ConfigEnvar).
    	StringVar(&ccf.ConfigString)

• Add start as default CMD in tbot-distroless image

As result tbot tunnels can be created by running like:

docker run -it --rm -e TBOT_CONFIG=<base64 encoded> public.ecr.aws/gravitational/teleport-distroless:17

Context

This will allow us to use tbot-distroless docker image as Bitbucket Pipeline Service Container/Gitlab Services to start local tunnels as background process and use it in CI/CD steps.

• Provide GHA Service Container-compatible tbot proxy image #52231

---

changelog: Allow to provide tbot configurations via environment variables. Update tbot-distroless image to run start command by default.

[taraspos]

After reading documentation and taking a closer look, it seems like we don't really need proxy command.

Having TBOT_CONFIG=<value> tbot start is enough.

Seems like all we need is to provide default CMD start here and then it would be possible to use tbot-distroless image as it is:

• teleport/build.assets/charts/Dockerfile-tbot-distroless

  Line 21 in 3d50f12

  ENTRYPOINT ["/usr/local/bin/tbot"]

[taraspos]

This is not a breaking change as specifying CMD here just sets the default command.
Which will be overwritten by customers who use it in kubernetes, etc:

• https://goteleport.com/docs/enroll-resources/machine-id/deployment/kubernetes/#step-45-create-a-tbot-deployment

     containers:
        - name: tbot
          image: public.ecr.aws/gravitational/tbot-distroless:17.2.7
          args:
            - start
            - -c
            - /config/tbot.yaml

[taraspos]

Same with the helm chart:

• teleport/examples/chart/tbot/templates/deployment.yaml

  Lines 50 to 57 in 3d50f12

  	containers:
  	- name: tbot
  	image: {{ .Values.image }}:{{ template "tbot.version" . }}
  	imagePullPolicy: {{ .Values.imagePullPolicy }}
  	args:
  	- start
  	- -c
  	- /config/tbot.yaml

[timothyb89]

Even if it is a breaking change I'm in favor of making it anyway to unblock this - it's been annoying for a while. It may still interfere with some default behavior expectations so many it's worth mentioning in the changelog note? Heh, looks like you already did!

[timothyb89]

I was going to ask if the new tbot start <service> was insufficient but I guess GHA services can't accept CLI args at all, yikes 🤯

[timothyb89]

Even if it is a breaking change I'm in favor of making it anyway to unblock this - it's been annoying for a while. It may still interfere with some default behavior expectations so many it's worth mentioning in the changelog note? Heh, looks like you already did!

[strideynet]

Thank you!

[github-actions]

Amplify deployment status

Branch	Commit	Job ID	Status	Preview	Updated (UTC)
taras/tbot-env-configurations	0f88e4c	3	✅SUCCEED	taras-tbot-env-configurations	2025-02-20 12:43:00

[public-teleport-github-review-bot]

@taraspos See the table below for backport results.

Branch	Result
branch/v17	Create PR