diff --git a/docs/pages/includes/helm-reference/zz_generated.access-discord.mdx b/docs/pages/includes/helm-reference/zz_generated.access-discord.mdx
index 14bbb297284f8..e45baab170d43 100644
--- a/docs/pages/includes/helm-reference/zz_generated.access-discord.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.access-discord.mdx
@@ -20,6 +20,8 @@ proxy servers.
For example:
- joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
- joining an Auth: `teleport-auth.example.com:3025`
+When the address is empty, `tbot.teleportProxyAddress`
+or `tbot.teleportAuthAddress` will be used if they are set.
### `teleport.identitySecretName`
@@ -145,6 +147,77 @@ The value can also be set to a file path (such as `/var/log/teleport.log`)
to write logs to a file. Bear in mind that a few service startup messages
will still go to `stderr` for resilience.
+## `tbot`
+
+`tbot` controls the optional tbot deployment that obtains and renews
+credentials for the plugin to connect to Teleport.
+Only default and mandatory values are described here, see the tbot chart reference
+for the full list of supported values.
+
+### `tbot.enabled`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`tbot.enabled` controls if tbot should be deployed with the Discord plugin.
+
+### `tbot.clusterName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.clusterName` is the name of the Teleport cluster tbot and the Discord plugin will join.
+Setting this value is mandatory when tbot is enabled.
+
+### `tbot.teleportProxyAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportProxyAddress` is the teleport Proxy Service address the bot will connect to.
+This must contain the port number, usually 443 or 3080 for Proxy Service.
+Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+This is mandatory to connect to Teleport Enterprise (Cloud).
+
+This setting is mutually exclusive with `teleportAuthAddress`.
+
+For example:
+```yaml
+tbot:
+ teleportProxyAddress: "test.teleport.sh:443"
+```
+
+### `tbot.teleportAuthAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportAuthAddress` is the teleport Auth Service address the bot will connect to.
+This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+Helm release and have direct access to the Auth Service.
+Else, you should prefer connecting via the Proxy Service.
+
+This setting is mutually exclusive with `teleportProxyAddress`.
+
+For example:
+```yaml
+teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+```
+
+### `tbot.joinMethod`
+
+| Type | Default |
+|------|---------|
+| `string` | `"kubernetes"` |
+
+`tbot.joinMethod` describes how tbot joins the Teleport cluster.
+See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+
## `annotations`
`annotations` contains annotations to apply to the different Kubernetes
diff --git a/docs/pages/includes/helm-reference/zz_generated.access-email.mdx b/docs/pages/includes/helm-reference/zz_generated.access-email.mdx
index fbc785abe03d2..e4a21a97c5580 100644
--- a/docs/pages/includes/helm-reference/zz_generated.access-email.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.access-email.mdx
@@ -20,6 +20,8 @@ proxy servers.
For example:
- joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
- joining an Auth: `teleport-auth.example.com:3025`
+When the address is empty, `tbot.teleportProxyAddress`
+or `tbot.teleportAuthAddress` will be used if they are set.
### `teleport.identitySecretName`
@@ -265,6 +267,77 @@ The value can also be set to a file path (such as `/var/log/teleport.log`)
to write logs to a file. Bear in mind that a few service startup messages
will still go to `stderr` for resilience.
+## `tbot`
+
+`tbot` controls the optional tbot deployment that obtains and renews
+credentials for the plugin to connect to Teleport.
+Only default and mandatory values are described here, see the tbot chart reference
+for the full list of supported values.
+
+### `tbot.enabled`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`tbot.enabled` controls if tbot should be deployed with the mail plugin.
+
+### `tbot.clusterName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.clusterName` is the name of the Teleport cluster tbot and the mail plugin will join.
+Setting this value is mandatory when tbot is enabled.
+
+### `tbot.teleportProxyAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportProxyAddress` is the teleport Proxy Service address the bot will connect to.
+This must contain the port number, usually 443 or 3080 for Proxy Service.
+Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+This is mandatory to connect to Teleport Enterprise (Cloud).
+
+This setting is mutually exclusive with `teleportAuthAddress`.
+
+For example:
+```yaml
+tbot:
+ teleportProxyAddress: "test.teleport.sh:443"
+```
+
+### `tbot.teleportAuthAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportAuthAddress` is the teleport Auth Service address the bot will connect to.
+This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+Helm release and have direct access to the Auth Service.
+Else, you should prefer connecting via the Proxy Service.
+
+This setting is mutually exclusive with `teleportProxyAddress`.
+
+For example:
+```yaml
+teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+```
+
+### `tbot.joinMethod`
+
+| Type | Default |
+|------|---------|
+| `string` | `"kubernetes"` |
+
+`tbot.joinMethod` describes how tbot joins the Teleport cluster.
+See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+
## `annotations`
`annotations` contains annotations to apply to the different Kubernetes
diff --git a/docs/pages/includes/helm-reference/zz_generated.access-jira.mdx b/docs/pages/includes/helm-reference/zz_generated.access-jira.mdx
index 2228b6544d1b1..6844b155e2f2b 100644
--- a/docs/pages/includes/helm-reference/zz_generated.access-jira.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.access-jira.mdx
@@ -20,6 +20,8 @@ proxy servers.
For example:
- joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
- joining an Auth: `teleport-auth.example.com:3025`
+When the address is empty, `tbot.teleportProxyAddress`
+or `tbot.teleportAuthAddress` will be used if they are set.
### `teleport.identityFromSecret`
@@ -213,6 +215,77 @@ The value can also be set to a file path (such as `/var/log/teleport.log`)
to write logs to a file. Bear in mind that a few service startup messages
will still go to `stderr` for resilience.
+## `tbot`
+
+`tbot` controls the optional tbot deployment that obtains and renews
+credentials for the plugin to connect to Teleport.
+Only default and mandatory values are described here, see the tbot chart reference
+for the full list of supported values.
+
+### `tbot.enabled`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`tbot.enabled` controls if tbot should be deployed with the Jira plugin.
+
+### `tbot.clusterName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.clusterName` is the name of the Teleport cluster tbot and the Jira plugin will join.
+Setting this value is mandatory when tbot is enabled.
+
+### `tbot.teleportProxyAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportProxyAddress` is the teleport Proxy Service address the bot will connect to.
+This must contain the port number, usually 443 or 3080 for Proxy Service.
+Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+This is mandatory to connect to Teleport Enterprise (Cloud).
+
+This setting is mutually exclusive with `teleportAuthAddress`.
+
+For example:
+```yaml
+tbot:
+ teleportProxyAddress: "test.teleport.sh:443"
+```
+
+### `tbot.teleportAuthAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportAuthAddress` is the teleport Auth Service address the bot will connect to.
+This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+Helm release and have direct access to the Auth Service.
+Else, you should prefer connecting via the Proxy Service.
+
+This setting is mutually exclusive with `teleportProxyAddress`.
+
+For example:
+```yaml
+teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+```
+
+### `tbot.joinMethod`
+
+| Type | Default |
+|------|---------|
+| `string` | `"kubernetes"` |
+
+`tbot.joinMethod` describes how tbot joins the Teleport cluster.
+See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+
## `annotations`
`annotations` contains annotations to apply to the different Kubernetes
diff --git a/docs/pages/includes/helm-reference/zz_generated.access-mattermost.mdx b/docs/pages/includes/helm-reference/zz_generated.access-mattermost.mdx
index a9fc389856c52..7eb27d38fdad2 100644
--- a/docs/pages/includes/helm-reference/zz_generated.access-mattermost.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.access-mattermost.mdx
@@ -20,6 +20,8 @@ proxy servers.
For example:
- joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
- joining an Auth: `teleport-auth.example.com:3025`
+When the address is empty, `tbot.teleportProxyAddress`
+or `tbot.teleportAuthAddress` will be used if they are set.
### `teleport.identitySecretName`
@@ -141,6 +143,77 @@ The value can also be set to a file path (such as `/var/log/teleport.log`)
to write logs to a file. Bear in mind that a few service startup messages
will still go to `stderr` for resilience.
+## `tbot`
+
+`tbot` controls the optional tbot deployment that obtains and renews
+credentials for the plugin to connect to Teleport.
+Only default and mandatory values are described here, see the tbot chart reference
+for the full list of supported values.
+
+### `tbot.enabled`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`tbot.enabled` controls if tbot should be deployed with the Mattermost plugin.
+
+### `tbot.clusterName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.clusterName` is the name of the Teleport cluster tbot and the Mattermost plugin will join.
+Setting this value is mandatory when tbot is enabled.
+
+### `tbot.teleportProxyAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportProxyAddress` is the teleport Proxy Service address the bot will connect to.
+This must contain the port number, usually 443 or 3080 for Proxy Service.
+Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+This is mandatory to connect to Teleport Enterprise (Cloud).
+
+This setting is mutually exclusive with `teleportAuthAddress`.
+
+For example:
+```yaml
+tbot:
+ teleportProxyAddress: "test.teleport.sh:443"
+```
+
+### `tbot.teleportAuthAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportAuthAddress` is the teleport Auth Service address the bot will connect to.
+This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+Helm release and have direct access to the Auth Service.
+Else, you should prefer connecting via the Proxy Service.
+
+This setting is mutually exclusive with `teleportProxyAddress`.
+
+For example:
+```yaml
+teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+```
+
+### `tbot.joinMethod`
+
+| Type | Default |
+|------|---------|
+| `string` | `"kubernetes"` |
+
+`tbot.joinMethod` describes how tbot joins the Teleport cluster.
+See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+
## `annotations`
`annotations` contains annotations to apply to the different Kubernetes
diff --git a/docs/pages/includes/helm-reference/zz_generated.access-msteams.mdx b/docs/pages/includes/helm-reference/zz_generated.access-msteams.mdx
index f9bd1e0a62ec1..acb68cb315c59 100644
--- a/docs/pages/includes/helm-reference/zz_generated.access-msteams.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.access-msteams.mdx
@@ -20,6 +20,8 @@ proxy servers.
For example:
- joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
- joining an Auth: `teleport-auth.example.com:3025`
+When the address is empty, `tbot.teleportProxyAddress`
+or `tbot.teleportAuthAddress` will be used if they are set.
### `teleport.identitySecretName`
@@ -177,6 +179,77 @@ The value can also be set to a file path (such as `/var/log/teleport.log`)
to write logs to a file. Bear in mind that a few service startup messages
will still go to `stderr` for resilience.
+## `tbot`
+
+`tbot` controls the optional tbot deployment that obtains and renews
+credentials for the plugin to connect to Teleport.
+Only default and mandatory values are described here, see the tbot chart reference
+for the full list of supported values.
+
+### `tbot.enabled`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`tbot.enabled` controls if tbot should be deployed with the MS Teams plugin.
+
+### `tbot.clusterName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.clusterName` is the name of the Teleport cluster tbot and the MS Teams plugin will join.
+Setting this value is mandatory when tbot is enabled.
+
+### `tbot.teleportProxyAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportProxyAddress` is the teleport Proxy Service address the bot will connect to.
+This must contain the port number, usually 443 or 3080 for Proxy Service.
+Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+This is mandatory to connect to Teleport Enterprise (Cloud).
+
+This setting is mutually exclusive with `teleportAuthAddress`.
+
+For example:
+```yaml
+tbot:
+ teleportProxyAddress: "test.teleport.sh:443"
+```
+
+### `tbot.teleportAuthAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportAuthAddress` is the teleport Auth Service address the bot will connect to.
+This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+Helm release and have direct access to the Auth Service.
+Else, you should prefer connecting via the Proxy Service.
+
+This setting is mutually exclusive with `teleportProxyAddress`.
+
+For example:
+```yaml
+teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+```
+
+### `tbot.joinMethod`
+
+| Type | Default |
+|------|---------|
+| `string` | `"kubernetes"` |
+
+`tbot.joinMethod` describes how tbot joins the Teleport cluster.
+See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+
## `annotations`
`annotations` contains annotations to apply to the different Kubernetes
diff --git a/docs/pages/includes/helm-reference/zz_generated.access-pagerduty.mdx b/docs/pages/includes/helm-reference/zz_generated.access-pagerduty.mdx
index 8118574c25090..0994a0e54860d 100644
--- a/docs/pages/includes/helm-reference/zz_generated.access-pagerduty.mdx
+++ b/docs/pages/includes/helm-reference/zz_generated.access-pagerduty.mdx
@@ -21,6 +21,9 @@ For example:
- joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
- joining an Auth: `teleport-auth.example.com:3025`
+When the address is empty, `tbot.teleportProxyAddress`
+or `tbot.teleportAuthAddress` will be used if they are set.
+
### `teleport.identitySecretName`
| Type | Default |
@@ -132,6 +135,77 @@ The value can also be set to a file path (such as `/var/log/teleport.log`)
to write logs to a file. Bear in mind that a few service startup messages
will still go to `stderr` for resilience.
+## `tbot`
+
+`tbot` controls the optional tbot deployment that obtains and renews
+credentials for the plugin to connect to Teleport.
+Only default and mandatory values are described here, see the tbot chart reference
+for the full list of supported values.
+
+### `tbot.enabled`
+
+| Type | Default |
+|------|---------|
+| `bool` | `false` |
+
+`tbot.enabled` controls if tbot should be deployed with the PagerDuty plugin.
+
+### `tbot.clusterName`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.clusterName` is the name of the Teleport cluster tbot and the PagerDuty plugin will join.
+Setting this value is mandatory when tbot is enabled.
+
+### `tbot.teleportProxyAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportProxyAddress` is the teleport Proxy Service address the bot will connect to.
+This must contain the port number, usually 443 or 3080 for Proxy Service.
+Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+This is mandatory to connect to Teleport Enterprise (Cloud).
+
+This setting is mutually exclusive with `teleportAuthAddress`.
+
+For example:
+```yaml
+tbot:
+ teleportProxyAddress: "test.teleport.sh:443"
+```
+
+### `tbot.teleportAuthAddress`
+
+| Type | Default |
+|------|---------|
+| `string` | `""` |
+
+`tbot.teleportAuthAddress` is the teleport Auth Service address the bot will connect to.
+This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+Helm release and have direct access to the Auth Service.
+Else, you should prefer connecting via the Proxy Service.
+
+This setting is mutually exclusive with `teleportProxyAddress`.
+
+For example:
+```yaml
+teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+```
+
+### `tbot.joinMethod`
+
+| Type | Default |
+|------|---------|
+| `string` | `"kubernetes"` |
+
+`tbot.joinMethod` describes how tbot joins the Teleport cluster.
+See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+
## `annotations`
`annotations` contains annotations to apply to the different Kubernetes
diff --git a/examples/chart/access/datadog/templates/_helpers.tpl b/examples/chart/access/datadog/templates/_helpers.tpl
index 86e3fb5b1f677..096d7f586e950 100644
--- a/examples/chart/access/datadog/templates/_helpers.tpl
+++ b/examples/chart/access/datadog/templates/_helpers.tpl
@@ -61,6 +61,9 @@ Create the name of the service account to use
{{- end }}
{{- end }}
+{{/*
+Use tbot-managed identity secret if tbot is enabled
+*/}}
{{- define "datadog.identitySecretName" -}}
{{- if .Values.teleport.identitySecretName -}}
{{- .Values.teleport.identitySecretName -}}
@@ -76,7 +79,3 @@ identity
{{- .Values.teleport.identitySecretPath -}}
{{- end -}}
{{- end -}}
-
-{{- define "datadog.teleportAddress" -}}
-
-{{- end -}}
diff --git a/examples/chart/access/discord/Chart.yaml b/examples/chart/access/discord/Chart.yaml
index e21e2452a9709..3ea2444dd581d 100644
--- a/examples/chart/access/discord/Chart.yaml
+++ b/examples/chart/access/discord/Chart.yaml
@@ -6,3 +6,8 @@ description: A Helm chart for the Teleport Discord Plugin
type: application
version: *version
appVersion: *version
+
+dependencies:
+ - name: tbot
+ version: *version
+ condition: tbot.enabled
diff --git a/examples/chart/access/discord/README.md b/examples/chart/access/discord/README.md
index e8db8d0bb2996..9f5097f3c8867 100644
--- a/examples/chart/access/discord/README.md
+++ b/examples/chart/access/discord/README.md
@@ -7,95 +7,6 @@ This chart sets up and configures a Deployment for the Access Request Discord pl
See the [Access Requests with Discord guide](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-discord/)
which covers how to create the Discord bot and how to deploy the access plugin.
-## Settings
+## Values
-The following values can be set for the Helm chart:
-
-
-
- | Name |
- Description |
- Type |
- Default |
- Required |
-
-
-
- teleport.address |
- Host/port combination of the teleport auth server |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretName |
- Name of the Kubernetes secret that contains the credentials for the connection |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretPath |
- Key of the field in the secret specified by teleport.identitySecretName |
- string |
- "auth_id" |
- yes |
-
-
-
- discord.token |
- Discord API token |
- string |
- "" |
- yes |
-
-
- discord.tokenFromSecret |
- Kubernetes secret to read the token from instead of discord.token |
- string |
- "" |
- no |
-
-
- discord.tokenSecretPath |
- The path of the token in the secret described by discord.tokenFromSecret |
- string |
- "discordToken" |
- no |
-
-
-
- roleToRecipients |
-
- Mapping of roles to a list of Discord channel IDs.
- Example:
-
-"dev" = ["0987654321", "1234567890"]
-"*" = ["1234567890"]
- |
- map |
- {} |
- yes |
-
-
-
- log.output |
-
- Logger output. Could be "stdout", "stderr" or a file name,
- eg. "/var/lib/teleport/discord.log"
- |
- string |
- "stdout" |
- no |
-
-
- log.severity |
-
- Logger severity. Possible values are "INFO", "ERROR",
- "DEBUG" or "WARN".
- |
- string |
- "INFO" |
- no |
-
-
+See [teleport-plugin-discord Chart Reference](https://goteleport.com/docs/reference/helm-reference/teleport-plugin-discord/) for available Helm Chart configuration.
diff --git a/examples/chart/access/discord/charts/tbot b/examples/chart/access/discord/charts/tbot
new file mode 120000
index 0000000000000..bc5284c76fa10
--- /dev/null
+++ b/examples/chart/access/discord/charts/tbot
@@ -0,0 +1 @@
+../../../tbot
\ No newline at end of file
diff --git a/examples/chart/access/discord/templates/_helpers.tpl b/examples/chart/access/discord/templates/_helpers.tpl
index 7410b7167af27..bbeeb815dc938 100644
--- a/examples/chart/access/discord/templates/_helpers.tpl
+++ b/examples/chart/access/discord/templates/_helpers.tpl
@@ -60,3 +60,22 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
+
+{{/*
+Use tbot-managed identity secret if tbot is enabled
+*/}}
+{{- define "discord.identitySecretName" -}}
+{{- if .Values.teleport.identitySecretName -}}
+{{- .Values.teleport.identitySecretName -}}
+{{- else if .Values.tbot.enabled -}}
+ {{- .Release.Name }}-{{ default .Values.tbot.nameOverride "tbot" }}-out
+{{- end }}
+{{- end -}}
+
+{{- define "discord.identitySecretPath" -}}
+{{- if .Values.tbot.enabled -}}
+identity
+{{- else -}}
+{{- .Values.teleport.identitySecretPath -}}
+{{- end -}}
+{{- end -}}
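Review bot: The `default` call in `{{- .Release.Name }}-{{ default .Values.tbot.nameOverride "tbot" }}-out` has its arguments reversed: sprig's `default` takes the fallback first and the value second, so this expression always evaluates to the literal `tbot` (the string `"tbot"` is never empty) and `.Values.tbot.nameOverride` is never consulted. It only works today because values.yaml pins `nameOverride: tbot`; the intended form is `{{ default "tbot" .Values.tbot.nameOverride }}`, and the same line appears in `email.identitySecretName` in examples/chart/access/email/templates/_helpers.tpl. Whether `<release>-tbot-out` is the secret the tbot subchart actually writes its default output to cannot be confirmed from this diff and is worth a comment on the helper. Separately, the two helpers disagree on precedence: `discord.identitySecretName` prefers a user-supplied `teleport.identitySecretName` over tbot, while `discord.identitySecretPath` returns `identity` whenever `tbot.enabled` is true, so a user-provided secret combined with tbot enabled is mounted under the wrong key; `{{- if and .Values.tbot.enabled (not .Values.teleport.identitySecretName) -}}` in the path helper would keep the two consistent.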
diff --git a/examples/chart/access/discord/templates/configmap.yaml b/examples/chart/access/discord/templates/configmap.yaml
index 4d953c25b6029..9ce7d1d11b4cb 100644
--- a/examples/chart/access/discord/templates/configmap.yaml
+++ b/examples/chart/access/discord/templates/configmap.yaml
@@ -11,8 +11,8 @@ metadata:
data:
teleport-discord.toml: |
[teleport]
- addr = "{{ .Values.teleport.address }}"
- identity = "/var/lib/teleport/plugins/discord/teleport-identity/{{ .Values.teleport.identitySecretPath }}"
+ addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | quote }}
+ identity = "/var/lib/teleport/plugins/discord/teleport-identity/{{ include "discord.identitySecretPath" . }}"
refresh_identity = true
[discord]
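Review bot: The `coalesce` on `addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | quote }}` silently renders `addr = ""` when none of the three values is set, and with three candidate keys a misspelled one is now easy to miss; a template-time guard turns that into a clear install error: `addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | required "one of teleport.address, tbot.teleportProxyAddress or tbot.teleportAuthAddress must be set" | quote }}`. Note also that `coalesce` resolves the documented mutual exclusivity of the two tbot addresses by quietly preferring the proxy address, while the tbot side may reject both being set; a `fail` when both are non-empty would keep the plugin config and tbot in agreement. The email chart's configmap.yaml carries the same line.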
diff --git a/examples/chart/access/discord/templates/deployment.yaml b/examples/chart/access/discord/templates/deployment.yaml
index 674decf24ed43..8f553632c04e0 100644
--- a/examples/chart/access/discord/templates/deployment.yaml
+++ b/examples/chart/access/discord/templates/deployment.yaml
@@ -72,7 +72,7 @@ spec:
defaultMode: 0600
- name: teleport-identity
secret:
- secretName: "{{ .Values.teleport.identitySecretName }}"
+ secretName: {{ include "discord.identitySecretName" . | quote }}
defaultMode: 0600
- name: {{ .Values.secretVolumeName }}
secret:
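Review bot: `secretName: {{ include "discord.identitySecretName" . | quote }}` renders `secretName: ""` when `teleport.identitySecretName` is unset and `tbot.enabled` is false, because the helper has no fallback branch; that likely surfaces as an API-server validation error on the Deployment rather than a message pointing at the missing value. Piping through `required` gives a chart-level message: `secretName: {{ include "discord.identitySecretName" . | required "set teleport.identitySecretName or enable tbot" | quote }}`. The enclosing volumes list starts before the hunk.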
diff --git a/examples/chart/access/discord/templates/secret.yaml b/examples/chart/access/discord/templates/secret.yaml
index 50bcde7851049..eebfa60ecc2bb 100644
--- a/examples/chart/access/discord/templates/secret.yaml
+++ b/examples/chart/access/discord/templates/secret.yaml
@@ -9,5 +9,5 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
- discordToken: {{ .Values.discord.token | b64enc }}
+ discordToken: {{ .Values.discord.token | b64enc }}
{{- end }}
diff --git a/examples/chart/access/discord/values.yaml b/examples/chart/access/discord/values.yaml
index 788705ae1be4e..b1e79d3a81eaf 100644
--- a/examples/chart/access/discord/values.yaml
+++ b/examples/chart/access/discord/values.yaml
@@ -13,6 +13,8 @@ teleport:
# For example:
# - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
# - joining an Auth: `teleport-auth.example.com:3025`
+ # When the address is empty, `tbot.teleportProxyAddress`
+ # or `tbot.teleportAuthAddress` will be used if they are set.
address: ""
# teleport.identitySecretName(string) -- is the name of the Kubernetes secret
# that contains the credentials for the connection to your Teleport cluster.
@@ -90,6 +92,54 @@ log:
# will still go to `stderr` for resilience.
output: stdout
+# tbot -- controls the optional tbot deployment that obtains and renews
+# credentials for the plugin to connect to Teleport.
+# Only default and mandatory values are described here, see the tbot chart reference
+# for the full list of supported values.
+tbot:
+ # tbot.enabled(bool) -- controls if tbot should be deployed with the Discord plugin.
+ enabled: false
+ # tbot.clusterName(string) -- is the name of the Teleport cluster tbot and the Discord plugin will join.
+ # Setting this value is mandatory when tbot is enabled.
+ clusterName: ""
+ # tbot.teleportProxyAddress(string) -- is the teleport Proxy Service address the bot will connect to.
+ # This must contain the port number, usually 443 or 3080 for Proxy Service.
+ # Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+ # This is mandatory to connect to Teleport Enterprise (Cloud).
+ #
+ # This setting is mutually exclusive with `teleportAuthAddress`.
+ #
+ # For example:
+ # ```yaml
+ # tbot:
+ # teleportProxyAddress: "test.teleport.sh:443"
+ # ```
+ teleportProxyAddress: ""
+ # tbot.teleportAuthAddress(string) -- is the teleport Auth Service address the bot will connect to.
+ # This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+ # should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+ # Helm release and have direct access to the Auth Service.
+ # Else, you should prefer connecting via the Proxy Service.
+ #
+ # This setting is mutually exclusive with `teleportProxyAddress`.
+ #
+ # For example:
+ # ```yaml
+ # teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+ # ```
+ teleportAuthAddress: ""
+
+ # tbot.joinMethod(string) -- describes how tbot joins the Teleport cluster.
+ # See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+ joinMethod: "kubernetes"
+ token: ""
+
+ # Don't touch the tbot values below, this will break the chart.
+ # This ensures that tbot.fullname is not shortened if the release name contains "tbot"
+ nameOverride: tbot
+ defaultOutput:
+ enabled: true
+
secretVolumeName: "password-file"
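Review bot: `token: ""` on the line after `joinMethod: "kubernetes"` is the only new key without a `# tbot.token(string) --` description comment, so the generated chart reference (the zz_generated.*.mdx files in this commit) omits it and users cannot tell what it is for or that it carries a credential. A comment to confirm against the tbot chart would be `# tbot.token(string) -- is the join token tbot uses when tbot.joinMethod requires one; prefer referencing an existing secret over committing the value if the tbot chart supports it.` The `joinMethod` comment also carries the typo `a list fo supported values`, which this file is the source of and which is reproduced in all six generated mdx files; fix it here as `a list of supported values`.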
# annotations -- contains annotations to apply to the different Kubernetes
diff --git a/examples/chart/access/email/Chart.yaml b/examples/chart/access/email/Chart.yaml
index dc72ca3c89aa9..d9fcd3f435a2c 100644
--- a/examples/chart/access/email/Chart.yaml
+++ b/examples/chart/access/email/Chart.yaml
@@ -6,3 +6,8 @@ description: A Helm chart for the Teleport Email Plugin
type: application
version: *version
appVersion: *version
+
+dependencies:
+ - name: tbot
+ version: *version
+ condition: tbot.enabled
diff --git a/examples/chart/access/email/README.md b/examples/chart/access/email/README.md
index 5818a9e8b10fc..7c5de4355a9dc 100644
--- a/examples/chart/access/email/README.md
+++ b/examples/chart/access/email/README.md
@@ -8,185 +8,4 @@ See the [Access Requests with Email guide](https://goteleport.com/docs/access-co
## Values
-The following values can be set for the Helm chart:
-
-
-
- | Name |
- Description |
- Type |
- Default |
- Required |
-
-
-
- teleport.address |
- Host/port combination of the teleport auth server |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretName |
- Name of the Kubernetes secret that contains the credentials for the connection |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretPath |
- Key of the field in the secret specified by teleport.identitySecretName |
- string |
- "auth_id" |
- no |
-
-
-
- mailgun.enabled |
-
- Specifies if the Mailgun integration should be enabled. Mutually exclusive with smtp.enabled.
- In the case of both values are set to true, mailgun.enabled will take precedence.
- |
- boolean |
- false |
- no |
-
-
- mailgun.domain |
- Domain name of the Mailgun instance |
- string |
- "" |
- no |
-
-
- mailgun.privateKey |
- Private key for accessing the Mailgun instance |
- string |
- "" |
- no |
-
-
- mailgun.privateKeyFromSecret |
- Kubernetes secret to read the private key from instead of using mailgun.privateKey |
- string |
- "" |
- no |
-
-
- mailgun.privateKeySecretPath |
- The path of the private key in the secret described by mailgun.privateKeyFromSecret |
- string |
- "mailgunPrivateKey" |
- no |
-
-
-
- smtp.enabled |
-
- Specifies if the MailSMTPgun integration should be enabled. Mutually exclusive with mailgun.enabled.
- In the case of both values are set to true, mailgun.enabled will take precedence.
- |
- boolean |
- false |
- no |
-
-
- smtp.host |
- SMTP host. |
- string |
- "" |
- no |
-
-
- smtp.port |
- Port of the SMTP server. |
- integer |
- 587 |
- no |
-
-
- smtp.username |
- Username to be used with the SMTP server. |
- string |
- "" |
- no |
-
-
- smtp.password |
- Password to be used with the SMTP server. Mutually exclusive with smtp.passwordFile. |
- string |
- "" |
- no |
-
-
- smtp.passwordFromSecret |
- Kubernetes secret to read the SMTP password from instead of using smtp.password |
- string |
- "" |
- no |
-
-
- smtp.passwordSecretPath |
- The path of the SMTP password in the secret described by smtp.passwordFromSecret |
- string |
- "smtpPassword" |
- no |
-
-
- smtp.starttlsPolicy |
- Which policy to use for secure communications: mandatory, opportunistic or disabled. |
- string |
- "mandatory" |
- no |
-
-
-
- delivery.sender |
- Email address to be used in the From field of the emails. |
- string |
- "" |
- yes |
-
-
- delivery.recipients |
- Array of the recipients the plugin should send emails. |
- array |
- [] |
- no |
-
-
-
- roleToRecipients |
-
- Mapping of roles to a list of emails.
- Example:
-
-"dev" = ["developers@example.com", "user@example.com"]
-"*" = ["access-requests"]
- |
- map |
- {} |
- yes |
-
-
-
- log.output |
-
- Logger output. Could be "stdout", "stderr" or a file name,
- eg. "/var/lib/teleport/email.log"
- |
- string |
- "stdout" |
- no |
-
-
- log.severity |
-
- Logger severity. Possible values are "INFO", "ERROR",
- "DEBUG" or "WARN".
- |
- string |
- "INFO" |
- no |
-
-
+See [teleport-plugin-email Chart Reference](https://goteleport.com/docs/reference/helm-reference/teleport-plugin-email/) for available Helm Chart configuration.
diff --git a/examples/chart/access/email/charts/tbot b/examples/chart/access/email/charts/tbot
new file mode 120000
index 0000000000000..bc5284c76fa10
--- /dev/null
+++ b/examples/chart/access/email/charts/tbot
@@ -0,0 +1 @@
+../../../tbot
\ No newline at end of file
diff --git a/examples/chart/access/email/templates/_helpers.tpl b/examples/chart/access/email/templates/_helpers.tpl
index 9742d31eb80c8..f3bc4f88bb515 100644
--- a/examples/chart/access/email/templates/_helpers.tpl
+++ b/examples/chart/access/email/templates/_helpers.tpl
@@ -60,3 +60,22 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
+
+{{/*
+Use tbot-managed identity secret if tbot is enabled
+*/}}
+{{- define "email.identitySecretName" -}}
+{{- if .Values.teleport.identitySecretName -}}
+{{- .Values.teleport.identitySecretName -}}
+{{- else if .Values.tbot.enabled -}}
+ {{- .Release.Name }}-{{ default .Values.tbot.nameOverride "tbot" }}-out
+{{- end }}
+{{- end -}}
+
+{{- define "email.identitySecretPath" -}}
+{{- if .Values.tbot.enabled -}}
+identity
+{{- else -}}
+{{- .Values.teleport.identitySecretPath -}}
+{{- end -}}
+{{- end -}}
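Review bot: The argument order of `default` on the `-out` line is reversed: Sprig's `default` takes the fallback first (`default "tbot" .Values.tbot.nameOverride`), so the expression as written always renders `tbot` and a non-default `tbot.nameOverride` is silently ignored, yielding a secret name that no longer matches what the tbot subchart creates. The two helpers also disagree on precedence — `email.identitySecretName` prefers an explicit `teleport.identitySecretName`, while `email.identitySecretPath` returns `identity` whenever `tbot.enabled` is true, so a user with both set mounts their own secret under a key it may not contain; the path helper should branch on the same condition. When neither value is set the first helper renders an empty string and the deployment emits `secretName: ""`, which fails at pod start rather than at render time; a `required`/`fail` branch would surface that earlier. The same pair of helpers is duplicated in the jira, mattermost and msteams `_helpers.tpl` hunks below.
```gotmpl
{{- define "email.identitySecretName" -}}
{{- if .Values.teleport.identitySecretName -}}
{{- .Values.teleport.identitySecretName -}}
{{- else if .Values.tbot.enabled -}}
{{- .Release.Name }}-{{ .Values.tbot.nameOverride | default "tbot" }}-out
{{- end }}
{{- end -}}

{{- define "email.identitySecretPath" -}}
{{- if .Values.teleport.identitySecretName -}}
{{- .Values.teleport.identitySecretPath -}}
{{- else if .Values.tbot.enabled -}}
identity
{{- end -}}
{{- end -}}
```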
diff --git a/examples/chart/access/email/templates/configmap.yaml b/examples/chart/access/email/templates/configmap.yaml
index e62fad3c76731..ce263faa24d12 100644
--- a/examples/chart/access/email/templates/configmap.yaml
+++ b/examples/chart/access/email/templates/configmap.yaml
@@ -11,8 +11,8 @@ metadata:
data:
teleport-email.toml: |
[teleport]
- addr = "{{ .Values.teleport.address }}"
- identity = "/var/lib/teleport/plugins/email/teleport-identity/{{ .Values.teleport.identitySecretPath }}"
+ addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | quote }}
+ identity = "/var/lib/teleport/plugins/email/teleport-identity/{{ include "email.identitySecretPath" . }}"
refresh_identity = true
{{ if .Values.mailgun.enabled -}}
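Review bot: The `coalesce` on the new `addr =` line has no fallback, so when `teleport.address`, `tbot.teleportProxyAddress` and `tbot.teleportAuthAddress` are all empty the ConfigMap renders `addr = ""` and the plugin only fails at runtime, with no hint which value was missed. Wrapping the expression, e.g. `addr = {{ required "set teleport.address, tbot.teleportProxyAddress or tbot.teleportAuthAddress" (coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress) | quote }}`, turns this into an install-time error. Nothing here rejects both tbot addresses being set either, although the values comments call them mutually exclusive; `coalesce` just picks the proxy address. The same line appears in the jira, mattermost and msteams configmap hunks.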
diff --git a/examples/chart/access/email/templates/deployment.yaml b/examples/chart/access/email/templates/deployment.yaml
index 76feb4eab2124..2d224460502a6 100644
--- a/examples/chart/access/email/templates/deployment.yaml
+++ b/examples/chart/access/email/templates/deployment.yaml
@@ -87,7 +87,7 @@ spec:
defaultMode: 0600
- name: teleport-identity
secret:
- secretName: "{{ .Values.teleport.identitySecretName }}"
+ secretName: {{ include "email.identitySecretName" . | quote }}
defaultMode: 0600
{{- if or .Values.smtp.enabled .Values.mailgun.enabled }}
{{- if .Values.smtp.enabled }}
diff --git a/examples/chart/access/email/templates/secret.yaml b/examples/chart/access/email/templates/secret.yaml
index c8c8005e864ab..3bfe9b15a3016 100644
--- a/examples/chart/access/email/templates/secret.yaml
+++ b/examples/chart/access/email/templates/secret.yaml
@@ -1,5 +1,5 @@
{{- if or (and .Values.mailgun.enabled (not .Values.mailgun.privateKeyFromSecret))
- (and .Values.smtp.enabled (not .Values.smtp.passwordFromSecret)) -}}
+ (and .Values.smtp.enabled (not .Values.smtp.passwordFromSecret)) -}}
apiVersion: v1
kind: Secret
type: Opaque
diff --git a/examples/chart/access/email/values.yaml b/examples/chart/access/email/values.yaml
index 41ff64b956bd1..ed89cb086f853 100644
--- a/examples/chart/access/email/values.yaml
+++ b/examples/chart/access/email/values.yaml
@@ -13,6 +13,8 @@ teleport:
# For example:
# - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
# - joining an Auth: `teleport-auth.example.com:3025`
+ # When the address is empty, `tbot.teleportProxyAddress`
+ # or `tbot.teleportAuthAddress` will be used if they are set.
address: ""
# teleport.identitySecretName(string) -- is the name of the Kubernetes secret
# that contains the credentials for the connection to your Teleport cluster.
@@ -136,6 +138,54 @@ log:
# will still go to `stderr` for resilience.
output: stdout
+# tbot -- controls the optional tbot deployment that obtains and renews
+# credentials for the plugin to connect to Teleport.
+# Only default and mandatory values are described here, see the tbot chart reference
+# for the full list of supported values.
+tbot:
+ # tbot.enabled(bool) -- controls if tbot should be deployed with the mail plugin.
+ enabled: false
+ # tbot.clusterName(string) -- is the name of the Teleport cluster tbot and the mail plugin will join.
+ # Setting this value is mandatory when tbot is enabled.
+ clusterName: ""
+ # tbot.teleportProxyAddress(string) -- is the teleport Proxy Service address the bot will connect to.
+ # This must contain the port number, usually 443 or 3080 for Proxy Service.
+ # Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+ # This is mandatory to connect to Teleport Enterprise (Cloud).
+ #
+ # This setting is mutually exclusive with `teleportAuthAddress`.
+ #
+ # For example:
+ # ```yaml
+ # tbot:
+ # teleportProxyAddress: "test.teleport.sh:443"
+ # ```
+ teleportProxyAddress: ""
+ # tbot.teleportAuthAddress(string) -- is the teleport Auth Service address the bot will connect to.
+ # This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+ # should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+ # Helm release and have direct access to the Auth Service.
+ # Else, you should prefer connecting via the Proxy Service.
+ #
+ # This setting is mutually exclusive with `teleportProxyAddress`.
+ #
+ # For example:
+ # ```yaml
+ # teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+ # ```
+ teleportAuthAddress: ""
+
+ # tbot.joinMethod(string) -- describes how tbot joins the Teleport cluster.
+ # See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+ joinMethod: "kubernetes"
+ token: ""
+
+ # Don't touch the tbot values below, this will break the chart.
+ # This ensures that tbot.fullname is not shortened if the release name contains "tbot"
+ nameOverride: tbot
+ defaultOutput:
+ enabled: true
+
secretVolumeName: "password-file"
# annotations -- contains annotations to apply to the different Kubernetes
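Review bot: `token: ""` is the only key in the new `tbot:` block without a `tbot.token(string) --` comment, although its meaning depends on `tbot.joinMethod` and it may hold a credential rather than a resource name; a line such as `# tbot.token(string) -- is the join token tbot presents for tbot.joinMethod; see the join method reference for whether the value is sensitive.` would make that explicit and steer users toward passing sensitive values outside the committed values file. The `tbot.joinMethod` comment has a typo (`list fo supported values`) and points at `../../reference/join-methods.mdx`, a path that only resolves inside the docs tree, not from a chart's `values.yaml`; a full docs URL would work from either place. The same block is repeated verbatim in the jira, mattermost and msteams `values.yaml` hunks.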
diff --git a/examples/chart/access/jira/Chart.yaml b/examples/chart/access/jira/Chart.yaml
index ba76aff596128..baaee50e9cfa1 100644
--- a/examples/chart/access/jira/Chart.yaml
+++ b/examples/chart/access/jira/Chart.yaml
@@ -6,3 +6,8 @@ description: A Helm chart for the Teleport Jira Plugin
type: application
version: *version
appVersion: *version
+
+dependencies:
+ - name: tbot
+ version: *version
+ condition: tbot.enabled
diff --git a/examples/chart/access/jira/README.md b/examples/chart/access/jira/README.md
index 9d3227deae322..ff51aba8f7a66 100644
--- a/examples/chart/access/jira/README.md
+++ b/examples/chart/access/jira/README.md
@@ -8,147 +8,4 @@ See the [Access Requests with JIRA guide](https://goteleport.com/docs/access-con
## Values
-The following values can be set for the Helm chart:
-
-
-
- | Name |
- Description |
- Type |
- Default |
- Required |
-
-
-
- chartMode |
-
- When set to "aws", it'll add the proper annotations to the created service
- to ensure the AWS LoadBalancer is set up properly. Additional annotations can be added
- using serviceAnnotations.
- |
- string |
- "" |
- no |
-
-
-
- teleport.address |
- Host/port combination of the teleport auth server |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretName |
- Name of the Kubernetes secret that contains the credentials for the connection |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretPath |
- Key of the field in the secret specified by teleport.identitySecretName |
- string |
- "auth_id" |
- yes |
-
-
-
- jira.url |
- URL of the Jira server |
- string |
- "" |
- yes |
-
-
- jira.username |
- Username of the bot user in Jira to use for creating issues. |
- string |
- "" |
- yes |
-
-
- jira.apiToken |
- API token of the bot user. |
- string |
- "" |
- yes |
-
-
- jira.project |
- Short code of the project in Jira in which issues will be created |
- string |
- "" |
- yes |
-
-
- jira.issueType |
- Type of the issues to be created on access requests (eg. Bug, Task) |
- string |
- "Task" |
- no |
-
-
-
- http.publicAddress |
- The domain name which will be assigned to the service |
- string |
- "" |
- yes |
-
-
- http.tlsFromSecret |
- Name of the Kubernetes secret where the TLS key and certificate will be mounted |
- string |
- "" |
- yes |
-
-
- http.tlsKeySecretPath |
- Path of the TLS key in the secret specified by http.tlsFromSecret |
- string |
- "" |
- no |
-
-
- http.tlsCertSecretPath |
- Path of the TLS certificate in the secret specified by http.tlsFromSecret |
- string |
- "" |
- no |
-
-
-
- http.basicAuth.username |
- Username for the basic authentication. The plugin will require a matching `Authorization` header in case both the username and the password are specified. |
- string |
- "" |
- no |
-
-
- http.basicAuth.password |
- Password for the basic authentication. The plugin will require a matching `Authorization` header in case both the username and the password are specified. |
- string |
- "" |
- no |
-
-
-
- log.output |
-
- Logger output. Could be "stdout", "stderr" or a file name,
- eg. "/var/lib/teleport/jira.log"
- |
- string |
- "stdout" |
-
-
- log.severity |
-
- Logger severity. Possible values are "INFO", "ERROR",
- "DEBUG" or "WARN".
- |
- string |
- "INFO" |
-
-
+See [teleport-plugin-jira Chart Reference](https://goteleport.com/docs/reference/helm-reference/teleport-plugin-jira/) for available Helm Chart configuration.
diff --git a/examples/chart/access/jira/charts/tbot b/examples/chart/access/jira/charts/tbot
new file mode 120000
index 0000000000000..bc5284c76fa10
--- /dev/null
+++ b/examples/chart/access/jira/charts/tbot
@@ -0,0 +1 @@
+../../../tbot
\ No newline at end of file
diff --git a/examples/chart/access/jira/templates/_helpers.tpl b/examples/chart/access/jira/templates/_helpers.tpl
index 689e783e2c03e..c99317db31d6a 100644
--- a/examples/chart/access/jira/templates/_helpers.tpl
+++ b/examples/chart/access/jira/templates/_helpers.tpl
@@ -60,3 +60,22 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
+
+{{/*
+Use tbot-managed identity secret if tbot is enabled
+*/}}
+{{- define "jira.identitySecretName" -}}
+{{- if .Values.teleport.identitySecretName -}}
+{{- .Values.teleport.identitySecretName -}}
+{{- else if .Values.tbot.enabled -}}
+ {{- .Release.Name }}-{{ default .Values.tbot.nameOverride "tbot" }}-out
+{{- end }}
+{{- end -}}
+
+{{- define "jira.identitySecretPath" -}}
+{{- if .Values.tbot.enabled -}}
+identity
+{{- else -}}
+{{- .Values.teleport.identitySecretPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/examples/chart/access/jira/templates/configmap.yaml b/examples/chart/access/jira/templates/configmap.yaml
index e0b3e91e49d3f..95d1c3d842d36 100644
--- a/examples/chart/access/jira/templates/configmap.yaml
+++ b/examples/chart/access/jira/templates/configmap.yaml
@@ -11,8 +11,8 @@ metadata:
data:
teleport-jira.toml: |
[teleport]
- addr = "{{ .Values.teleport.address }}"
- identity = "/var/lib/teleport/plugins/jira/teleport-identity/{{ .Values.teleport.identitySecretPath }}"
+ addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | quote }}
+ identity = "/var/lib/teleport/plugins/jira/teleport-identity/{{ include "jira.identitySecretPath" . }}"
refresh_identity = true
[jira]
diff --git a/examples/chart/access/jira/templates/deployment.yaml b/examples/chart/access/jira/templates/deployment.yaml
index 1e93b7bb7415a..c728f0f1edf95 100644
--- a/examples/chart/access/jira/templates/deployment.yaml
+++ b/examples/chart/access/jira/templates/deployment.yaml
@@ -85,7 +85,7 @@ spec:
defaultMode: 0600
- name: teleport-identity
secret:
- secretName: "{{ .Values.teleport.identityFromSecret }}"
+ secretName: {{ include "jira.identitySecretName" . | quote }}
defaultMode: 0600
- name: {{ .Values.secretVolumeName }}
secret:
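Review bot: The removed line read `.Values.teleport.identityFromSecret`, and the jira `values.yaml` context in this diff still documents `teleport.identityFromSecret(string)` as the name of the identity secret, yet the new `jira.identitySecretName` helper only checks `.Values.teleport.identitySecretName`. If the jira values key is still `identityFromSecret` (the key itself is outside the visible hunks), existing installs that set it will now render an empty `secretName` whenever tbot is disabled, so either the values key should be renamed with a matching comment and upgrade note, or the helper should read `identityFromSecret` for this chart.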
diff --git a/examples/chart/access/jira/templates/secret.yaml b/examples/chart/access/jira/templates/secret.yaml
index 6535d8f9b5f72..76365c2e58a78 100644
--- a/examples/chart/access/jira/templates/secret.yaml
+++ b/examples/chart/access/jira/templates/secret.yaml
@@ -8,6 +8,6 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
- jiraApiToken: {{ .Values.jira.apiToken | b64enc }}
+ jiraApiToken: {{ .Values.jira.apiToken | b64enc }}
type: Opaque
{{- end }}
diff --git a/examples/chart/access/jira/values.yaml b/examples/chart/access/jira/values.yaml
index 3c2cfe1620372..2cac75525adf0 100644
--- a/examples/chart/access/jira/values.yaml
+++ b/examples/chart/access/jira/values.yaml
@@ -13,6 +13,8 @@ teleport:
# For example:
# - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
# - joining an Auth: `teleport-auth.example.com:3025`
+ # When the address is empty, `tbot.teleportProxyAddress`
+ # or `tbot.teleportAuthAddress` will be used if they are set.
address: ""
# teleport.identityFromSecret(string) -- is the name of the Kubernetes secret
# that contains the credentials for the connection to your Teleport cluster.
@@ -113,6 +115,54 @@ log:
# will still go to `stderr` for resilience.
output: stdout
+# tbot -- controls the optional tbot deployment that obtains and renews
+# credentials for the plugin to connect to Teleport.
+# Only default and mandatory values are described here, see the tbot chart reference
+# for the full list of supported values.
+tbot:
+ # tbot.enabled(bool) -- controls if tbot should be deployed with the Jira plugin.
+ enabled: false
+ # tbot.clusterName(string) -- is the name of the Teleport cluster tbot and the Jira plugin will join.
+ # Setting this value is mandatory when tbot is enabled.
+ clusterName: ""
+ # tbot.teleportProxyAddress(string) -- is the teleport Proxy Service address the bot will connect to.
+ # This must contain the port number, usually 443 or 3080 for Proxy Service.
+ # Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+ # This is mandatory to connect to Teleport Enterprise (Cloud).
+ #
+ # This setting is mutually exclusive with `teleportAuthAddress`.
+ #
+ # For example:
+ # ```yaml
+ # tbot:
+ # teleportProxyAddress: "test.teleport.sh:443"
+ # ```
+ teleportProxyAddress: ""
+ # tbot.teleportAuthAddress(string) -- is the teleport Auth Service address the bot will connect to.
+ # This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+ # should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+ # Helm release and have direct access to the Auth Service.
+ # Else, you should prefer connecting via the Proxy Service.
+ #
+ # This setting is mutually exclusive with `teleportProxyAddress`.
+ #
+ # For example:
+ # ```yaml
+ # teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+ # ```
+ teleportAuthAddress: ""
+
+ # tbot.joinMethod(string) -- describes how tbot joins the Teleport cluster.
+ # See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+ joinMethod: "kubernetes"
+ token: ""
+
+ # Don't touch the tbot values below, this will break the chart.
+ # This ensures that tbot.fullname is not shortened if the release name contains "tbot"
+ nameOverride: tbot
+ defaultOutput:
+ enabled: true
+
secretVolumeName: "password-file"
tlsSecretVolumeName: "tls"
diff --git a/examples/chart/access/mattermost/Chart.yaml b/examples/chart/access/mattermost/Chart.yaml
index 0816ae9315fdd..212d35bcd23dc 100644
--- a/examples/chart/access/mattermost/Chart.yaml
+++ b/examples/chart/access/mattermost/Chart.yaml
@@ -6,3 +6,8 @@ description: A Helm chart for the Teleport Mattermost Plugin
type: application
version: *version
appVersion: *version
+
+dependencies:
+ - name: tbot
+ version: *version
+ condition: tbot.enabled
diff --git a/examples/chart/access/mattermost/README.md b/examples/chart/access/mattermost/README.md
index f18c02893fe19..ea22342b9d4e8 100644
--- a/examples/chart/access/mattermost/README.md
+++ b/examples/chart/access/mattermost/README.md
@@ -6,95 +6,6 @@ This chart sets up and configures a Deployment for the Access Request Mattermost
See the [Access Requests with Mattermost guide](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-mattermost/).
-## Settings
+## Values
-The following values can be set for the Helm chart:
-
-
-
- | Name |
- Description |
- Type |
- Default |
- Required |
-
-
-
- teleport.address |
- Host/port combination of the teleport auth server |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretName |
- Name of the Kubernetes secret that contains the credentials for the connection |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretPath |
- Key of the field in the secret specified by teleport.identitySecretName |
- string |
- "auth_id" |
- yes |
-
-
-
- mattermost.url |
- URL of the Mattermost server |
- string |
- "" |
- yes |
-
-
- mattermost.token |
- Token to be used to authenticate with Mattermost |
- string |
- "" |
- yes |
-
-
- mattermost.tokenFromSecret |
- Kubernetes secret to read the token from instead of mattermost.token |
- string |
- "" |
- no |
-
-
- mattermost.tokenSecretPath |
- The path of the token in the secret described by mattermost.tokenFromSecret |
- string |
- "mattermostToken" |
- no |
-
-
- mattermost.recipients |
- Array of the recipients the plugin should send access requests to. |
- array |
- [] |
- yes |
-
-
-
- log.output |
-
- Logger output. Could be "stdout", "stderr" or a file name,
- eg. "/var/lib/teleport/mattermost.log"
- |
- string |
- "stdout" |
- no |
-
-
- log.severity |
-
- Logger severity. Possible values are "INFO", "ERROR",
- "DEBUG" or "WARN".
- |
- string |
- "INFO" |
- no |
-
-
+See [teleport-plugin-mattermost Chart Reference](https://goteleport.com/docs/reference/helm-reference/teleport-plugin-mattermost/) for available Helm Chart configuration.
diff --git a/examples/chart/access/mattermost/charts/tbot b/examples/chart/access/mattermost/charts/tbot
new file mode 120000
index 0000000000000..bc5284c76fa10
--- /dev/null
+++ b/examples/chart/access/mattermost/charts/tbot
@@ -0,0 +1 @@
+../../../tbot
\ No newline at end of file
diff --git a/examples/chart/access/mattermost/templates/_helpers.tpl b/examples/chart/access/mattermost/templates/_helpers.tpl
index dca7e6f2b2a9a..abfdce0aff71d 100644
--- a/examples/chart/access/mattermost/templates/_helpers.tpl
+++ b/examples/chart/access/mattermost/templates/_helpers.tpl
@@ -60,3 +60,22 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
+
+{{/*
+Use tbot-managed identity secret if tbot is enabled
+*/}}
+{{- define "mattermost.identitySecretName" -}}
+{{- if .Values.teleport.identitySecretName -}}
+{{- .Values.teleport.identitySecretName -}}
+{{- else if .Values.tbot.enabled -}}
+ {{- .Release.Name }}-{{ default .Values.tbot.nameOverride "tbot" }}-out
+{{- end }}
+{{- end -}}
+
+{{- define "mattermost.identitySecretPath" -}}
+{{- if .Values.tbot.enabled -}}
+identity
+{{- else -}}
+{{- .Values.teleport.identitySecretPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/examples/chart/access/mattermost/templates/configmap.yaml b/examples/chart/access/mattermost/templates/configmap.yaml
index b370d2eb0bab9..95ea14e9ad839 100644
--- a/examples/chart/access/mattermost/templates/configmap.yaml
+++ b/examples/chart/access/mattermost/templates/configmap.yaml
@@ -11,8 +11,8 @@ metadata:
data:
teleport-mattermost.toml: |
[teleport]
- addr = "{{ .Values.teleport.address }}"
- identity = "/var/lib/teleport/plugins/mattermost/teleport-identity/{{ .Values.teleport.identitySecretPath }}"
+ addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | quote }}
+ identity = "/var/lib/teleport/plugins/mattermost/teleport-identity/{{ include "mattermost.identitySecretPath" . }}"
refresh_identity = true
[mattermost]
diff --git a/examples/chart/access/mattermost/templates/deployment.yaml b/examples/chart/access/mattermost/templates/deployment.yaml
index edc91c06c333a..6dce2ee92b8ef 100644
--- a/examples/chart/access/mattermost/templates/deployment.yaml
+++ b/examples/chart/access/mattermost/templates/deployment.yaml
@@ -76,7 +76,7 @@ spec:
defaultMode: 0600
- name: teleport-identity
secret:
- secretName: "{{ .Values.teleport.identitySecretName }}"
+ secretName: {{ include "mattermost.identitySecretName" . | quote }}
defaultMode: 0600
- name: {{ .Values.secretVolumeName }}
secret:
diff --git a/examples/chart/access/mattermost/values.schema.json b/examples/chart/access/mattermost/values.schema.json
index 15a8cc8974fdd..3c738e240eac3 100644
--- a/examples/chart/access/mattermost/values.schema.json
+++ b/examples/chart/access/mattermost/values.schema.json
@@ -328,9 +328,9 @@
"tokenSecretPath": {
"$id": "#/properties/mattermost/properties/tokenSecretPath",
"type": "string",
- "default": "pagerdutyApiKey",
+ "default": "mattermostToken",
"examples": [
- "pagerdutyApiKey"
+ "mattermostToken"
]
},
"recipients": {
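Review bot: Only the copy-pasted `pagerdutyApiKey` default is corrected here; the new `tbot` block added in the mattermost `values.yaml` hunk is not declared anywhere in `values.schema.json` in this diff. Helm validates the merged values against this schema on install, so if the root object declares `additionalProperties: false` (not visible in the hunk) every render would now fail, and if it does not, `tbot.enabled` and `tbot.clusterName` are the only user-facing values left untyped. Adding a `tbot` property with at least `enabled` as `boolean` and `clusterName`, `teleportProxyAddress`, `teleportAuthAddress`, `joinMethod` and `token` as `string` keeps the schema authoritative for the whole values file.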
diff --git a/examples/chart/access/mattermost/values.yaml b/examples/chart/access/mattermost/values.yaml
index 288b4a1257f46..dd58ae1ca47e0 100644
--- a/examples/chart/access/mattermost/values.yaml
+++ b/examples/chart/access/mattermost/values.yaml
@@ -13,6 +13,8 @@ teleport:
# For example:
# - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
# - joining an Auth: `teleport-auth.example.com:3025`
+ # When the address is empty, `tbot.teleportProxyAddress`
+ # or `tbot.teleportAuthAddress` will be used if they are set.
address: ""
# teleport.identitySecretName(string) -- is the name of the Kubernetes secret
# that contains the credentials for the connection to your Teleport cluster.
@@ -80,6 +82,54 @@ log:
# will still go to `stderr` for resilience.
output: stdout
+# tbot -- controls the optional tbot deployment that obtains and renews
+# credentials for the plugin to connect to Teleport.
+# Only default and mandatory values are described here, see the tbot chart reference
+# for the full list of supported values.
+tbot:
+ # tbot.enabled(bool) -- controls if tbot should be deployed with the Mattermost plugin.
+ enabled: false
+ # tbot.clusterName(string) -- is the name of the Teleport cluster tbot and the Mattermost plugin will join.
+ # Setting this value is mandatory when tbot is enabled.
+ clusterName: ""
+ # tbot.teleportProxyAddress(string) -- is the teleport Proxy Service address the bot will connect to.
+ # This must contain the port number, usually 443 or 3080 for Proxy Service.
+ # Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+ # This is mandatory to connect to Teleport Enterprise (Cloud).
+ #
+ # This setting is mutually exclusive with `teleportAuthAddress`.
+ #
+ # For example:
+ # ```yaml
+ # tbot:
+ # teleportProxyAddress: "test.teleport.sh:443"
+ # ```
+ teleportProxyAddress: ""
+ # tbot.teleportAuthAddress(string) -- is the teleport Auth Service address the bot will connect to.
+ # This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+ # should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+ # Helm release and have direct access to the Auth Service.
+ # Else, you should prefer connecting via the Proxy Service.
+ #
+ # This setting is mutually exclusive with `teleportProxyAddress`.
+ #
+ # For example:
+ # ```yaml
+ # teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+ # ```
+ teleportAuthAddress: ""
+
+ # tbot.joinMethod(string) -- describes how tbot joins the Teleport cluster.
+ # See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+ joinMethod: "kubernetes"
+ token: ""
+
+ # Don't touch the tbot values below, this will break the chart.
+ # This ensures that tbot.fullname is not shortened if the release name contains "tbot"
+ nameOverride: tbot
+ defaultOutput:
+ enabled: true
+
secretVolumeName: "password-file"
# annotations -- contains annotations to apply to the different Kubernetes
diff --git a/examples/chart/access/msteams/Chart.yaml b/examples/chart/access/msteams/Chart.yaml
index 81b92605f8ec4..e6e8828e046c7 100644
--- a/examples/chart/access/msteams/Chart.yaml
+++ b/examples/chart/access/msteams/Chart.yaml
@@ -6,3 +6,8 @@ description: A Helm chart for the Teleport MsTeams Plugin
type: application
version: *version
appVersion: *version
+
+dependencies:
+ - name: tbot
+ version: *version
+ condition: tbot.enabled
diff --git a/examples/chart/access/msteams/README.md b/examples/chart/access/msteams/README.md
index a427a6fdf5f3d..92ed523298f83 100644
--- a/examples/chart/access/msteams/README.md
+++ b/examples/chart/access/msteams/README.md
@@ -4,4 +4,8 @@ This chart sets up and configures a Deployment for the Access Request MsTeams pl
## Installation
-See the [Access Requests with Microsoft Teams guide](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-msteams/).
\ No newline at end of file
+See the [Access Requests with Microsoft Teams guide](https://goteleport.com/docs/access-controls/access-request-plugins/ssh-approval-msteams/).
+
+## Values
+
+See [teleport-plugin-msteams Chart Reference](https://goteleport.com/docs/reference/helm-reference/teleport-plugin-msteams/) for available Helm Chart configuration.
diff --git a/examples/chart/access/msteams/charts/tbot b/examples/chart/access/msteams/charts/tbot
new file mode 120000
index 0000000000000..bc5284c76fa10
--- /dev/null
+++ b/examples/chart/access/msteams/charts/tbot
@@ -0,0 +1 @@
+../../../tbot
\ No newline at end of file
diff --git a/examples/chart/access/msteams/templates/_helpers.tpl b/examples/chart/access/msteams/templates/_helpers.tpl
index 788a5556d6580..3d4468cb4e49c 100644
--- a/examples/chart/access/msteams/templates/_helpers.tpl
+++ b/examples/chart/access/msteams/templates/_helpers.tpl
@@ -60,3 +60,22 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
+
+{{/*
+Use tbot-managed identity secret if tbot is enabled
+*/}}
+{{- define "msteams.identitySecretName" -}}
+{{- if .Values.teleport.identitySecretName -}}
+{{- .Values.teleport.identitySecretName -}}
+{{- else if .Values.tbot.enabled -}}
+ {{- .Release.Name }}-{{ default .Values.tbot.nameOverride "tbot" }}-out
+{{- end }}
+{{- end -}}
+
+{{- define "msteams.identitySecretPath" -}}
+{{- if .Values.tbot.enabled -}}
+identity
+{{- else -}}
+{{- .Values.teleport.identitySecretPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/examples/chart/access/msteams/templates/configmap.yaml b/examples/chart/access/msteams/templates/configmap.yaml
index 26066caad4ca6..e54bc5e686189 100644
--- a/examples/chart/access/msteams/templates/configmap.yaml
+++ b/examples/chart/access/msteams/templates/configmap.yaml
@@ -13,8 +13,8 @@ data:
preload = true
[teleport]
- addr = "{{ .Values.teleport.address }}"
- identity = "/var/lib/teleport/plugins/msteams/teleport-identity/{{ .Values.teleport.identitySecretPath }}"
+ addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | quote }}
+ identity = "/var/lib/teleport/plugins/msteams/teleport-identity/{{ include "msteams.identitySecretPath" . }}"
refresh_identity = true
[msapi]
diff --git a/examples/chart/access/msteams/templates/deployment.yaml b/examples/chart/access/msteams/templates/deployment.yaml
index bdb302a8a3dae..c1f6bd3d75092 100644
--- a/examples/chart/access/msteams/templates/deployment.yaml
+++ b/examples/chart/access/msteams/templates/deployment.yaml
@@ -72,7 +72,7 @@ spec:
defaultMode: 0600
- name: teleport-identity
secret:
- secretName: "{{ .Values.teleport.identitySecretName }}"
+ secretName: {{ include "msteams.identitySecretName" . | quote }}
defaultMode: 0600
- name: {{ .Values.secretVolumeName }}
secret:
diff --git a/examples/chart/access/msteams/values.yaml b/examples/chart/access/msteams/values.yaml
index 6b7105758bbf9..74a18c07f5bf5 100644
--- a/examples/chart/access/msteams/values.yaml
+++ b/examples/chart/access/msteams/values.yaml
@@ -13,6 +13,8 @@ teleport:
# For example:
# - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
# - joining an Auth: `teleport-auth.example.com:3025`
+ # When the address is empty, `tbot.teleportProxyAddress`
+ # or `tbot.teleportAuthAddress` will be used if they are set.
address: ""
# teleport.identitySecretName(string) -- is the name of the Kubernetes secret
# that contains the credentials for the connection to your Teleport cluster.
@@ -104,6 +106,54 @@ log:
# will still go to `stderr` for resilience.
output: stdout
+# tbot -- controls the optional tbot deployment that obtains and renews
+# credentials for the plugin to connect to Teleport.
+# Only default and mandatory values are described here, see the tbot chart reference
+# for the full list of supported values.
+tbot:
+ # tbot.enabled(bool) -- controls if tbot should be deployed with the MS Teams plugin.
+ enabled: false
+ # tbot.clusterName(string) -- is the name of the Teleport cluster tbot and the MS Teams plugin will join.
+ # Setting this value is mandatory when tbot is enabled.
+ clusterName: ""
+ # tbot.teleportProxyAddress(string) -- is the teleport Proxy Service address the bot will connect to.
+ # This must contain the port number, usually 443 or 3080 for Proxy Service.
+ # Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+ # This is mandatory to connect to Teleport Enterprise (Cloud).
+ #
+ # This setting is mutually exclusive with `teleportAuthAddress`.
+ #
+ # For example:
+ # ```yaml
+ # tbot:
+ # teleportProxyAddress: "test.teleport.sh:443"
+ # ```
+ teleportProxyAddress: ""
+ # tbot.teleportAuthAddress(string) -- is the teleport Auth Service address the bot will connect to.
+ # This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+ # should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+ # Helm release and have direct access to the Auth Service.
+ # Else, you should prefer connecting via the Proxy Service.
+ #
+ # This setting is mutually exclusive with `teleportProxyAddress`.
+ #
+ # For example:
+ # ```yaml
+ # teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+ # ```
+ teleportAuthAddress: ""
+
+ # tbot.joinMethod(string) -- describes how tbot joins the Teleport cluster.
+ # See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+ joinMethod: "kubernetes"
+ token: ""
+
+ # Don't touch the tbot values below, this will break the chart.
+ # This ensures that tbot.fullname is not shortened if the release name contains "tbot"
+ nameOverride: tbot
+ defaultOutput:
+ enabled: true
+
secretVolumeName: "password-file"
# annotations -- contains annotations to apply to the different Kubernetes
diff --git a/examples/chart/access/pagerduty/Chart.yaml b/examples/chart/access/pagerduty/Chart.yaml
index f4bc9bda44fac..cc51e689520d4 100644
--- a/examples/chart/access/pagerduty/Chart.yaml
+++ b/examples/chart/access/pagerduty/Chart.yaml
@@ -6,3 +6,8 @@ description: A Helm chart for the Teleport Pagerduty Plugin
type: application
version: *version
appVersion: *version
+
+dependencies:
+ - name: tbot
+ version: *version
+ condition: tbot.enabled
diff --git a/examples/chart/access/pagerduty/README.md b/examples/chart/access/pagerduty/README.md
index a02ad36e429b2..043a26b29156e 100644
--- a/examples/chart/access/pagerduty/README.md
+++ b/examples/chart/access/pagerduty/README.md
@@ -8,86 +8,4 @@ See the [Access Requests with PagerDuty guide](https://goteleport.com/docs/acces
## Values
-The following values can be set for the Helm chart:
-
-
-
- | Name |
- Description |
- Type |
- Default |
- Required |
-
-
-
- teleport.address |
- Host/port combination of the teleport auth server |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretName |
- Name of the Kubernetes secret that contains the credentials for the connection |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretPath |
- Key of the field in the secret specified by teleport.identitySecretName |
- string |
- "auth_id" |
- yes |
-
-
-
- pagerduty.apiKey |
- PagerDuty API Key |
- string |
- |
- yes |
-
-
- pagerduty.apiKeyFromSecret |
- Kubernetes secret to read the api key from instead of pagerduty.apiKey |
- string |
- "" |
- no |
-
-
- pagerduty.apiKeySecretPath |
- The path of the api key in the secret described by pagerduty.apiKeyFromSecret |
- string |
- "pagerdutyApiKey" |
- no |
-
-
- pagerduty.userEmail |
- PagerDuty bot user email |
- string |
- "" |
- yes |
-
-
-
- log.output |
-
- Logger output. Could be "stdout", "stderr" or a file name,
- eg. "/var/lib/teleport/pagerduty.log"
- |
- string |
- "stdout" |
- no |
-
-
- log.severity |
-
- Logger severity. Possible values are "INFO", "ERROR",
- "DEBUG" or "WARN".
- |
- string |
- "INFO" |
- no |
-
-
+See [teleport-plugin-pagerduty Chart Reference](https://goteleport.com/docs/reference/helm-reference/teleport-plugin-pagerduty/) for available Helm Chart configuration.
diff --git a/examples/chart/access/pagerduty/charts/tbot b/examples/chart/access/pagerduty/charts/tbot
new file mode 120000
index 0000000000000..bc5284c76fa10
--- /dev/null
+++ b/examples/chart/access/pagerduty/charts/tbot
@@ -0,0 +1 @@
+../../../tbot
\ No newline at end of file
diff --git a/examples/chart/access/pagerduty/templates/_helpers.tpl b/examples/chart/access/pagerduty/templates/_helpers.tpl
index ee4d235b04488..51a653e5c9efb 100644
--- a/examples/chart/access/pagerduty/templates/_helpers.tpl
+++ b/examples/chart/access/pagerduty/templates/_helpers.tpl
@@ -60,3 +60,22 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
+
+{{/*
+Use tbot-managed identity secret if tbot is enabled
+*/}}
+{{- define "pagerduty.identitySecretName" -}}
+{{- if .Values.teleport.identitySecretName -}}
+{{- .Values.teleport.identitySecretName -}}
+{{- else if .Values.tbot.enabled -}}
+ {{- .Release.Name }}-{{ default .Values.tbot.nameOverride "tbot" }}-out
+{{- end }}
+{{- end -}}
+
+{{- define "pagerduty.identitySecretPath" -}}
+{{- if .Values.tbot.enabled -}}
+identity
+{{- else -}}
+{{- .Values.teleport.identitySecretPath -}}
+{{- end -}}
+{{- end -}}
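Review bot: `default .Values.tbot.nameOverride "tbot"` on the `else if` branch has its arguments reversed — Sprig's `default` takes the fallback first, so this expression always evaluates to `tbot` and never honours a changed `nameOverride`; it should read `{{- .Release.Name }}-{{ default "tbot" .Values.tbot.nameOverride }}-out`. The two helpers also resolve in opposite directions: `identitySecretName` prefers the user's `teleport.identitySecretName` over tbot, while `identitySecretPath` prefers tbot whenever it is enabled, so a release with both set mounts the user's secret but reads the key `identity` from it; guarding the path helper with `{{- if and .Values.tbot.enabled (not .Values.teleport.identitySecretName) -}}` keeps the precedence consistent. The derived `<release>-<nameOverride>-out` name also presumes the tbot subchart never takes the usual release-name-contains-chart-name fullname shortcut; the values.yaml comment says `nameOverride` prevents that, which is worth confirming against the subchart's helper. The same define pair is duplicated verbatim in event-handler's `_helpers.tpl`.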
diff --git a/examples/chart/access/pagerduty/templates/configmap.yaml b/examples/chart/access/pagerduty/templates/configmap.yaml
index 03139e6e1058d..44d2808ac1334 100644
--- a/examples/chart/access/pagerduty/templates/configmap.yaml
+++ b/examples/chart/access/pagerduty/templates/configmap.yaml
@@ -11,8 +11,8 @@ metadata:
data:
teleport-pagerduty.toml: |
[teleport]
- addr = "{{ .Values.teleport.address }}"
- identity = "/var/lib/teleport/plugins/pagerduty/teleport-identity/{{ .Values.teleport.identitySecretPath }}"
+ addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | quote }}
+ identity = "/var/lib/teleport/plugins/pagerduty/teleport-identity/{{ include "pagerduty.identitySecretPath" . }}"
refresh_identity = true
[pagerduty]
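Review bot: When `teleport.address` is empty and tbot is disabled (or enabled without either tbot address), `coalesce` yields `""` and the rendered TOML contains `addr = ""`, which only fails when the plugin starts rather than at `helm install`. Piping through `required` before `quote` surfaces the misconfiguration at render time: `addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | required "one of teleport.address, tbot.teleportProxyAddress or tbot.teleportAuthAddress must be set" | quote }}`. Note also that `coalesce` silently prefers the proxy address when both tbot addresses are set, even though values.yaml documents them as mutually exclusive; a short comment above the line stating that precedence would avoid surprises. The identical line appears in event-handler's `configmap.yaml`.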
diff --git a/examples/chart/access/pagerduty/templates/deployment.yaml b/examples/chart/access/pagerduty/templates/deployment.yaml
index 6990b9262a7ec..dbe5e2a6820a5 100644
--- a/examples/chart/access/pagerduty/templates/deployment.yaml
+++ b/examples/chart/access/pagerduty/templates/deployment.yaml
@@ -76,7 +76,7 @@ spec:
defaultMode: 0600
- name: teleport-identity
secret:
- secretName: "{{ .Values.teleport.identitySecretName }}"
+ secretName: {{ include "pagerduty.identitySecretName" . | quote }}
defaultMode: 0600
- name: {{ .Values.secretVolumeName }}
secret:
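Review bot: `include "pagerduty.identitySecretName"` renders an empty string when neither `teleport.identitySecretName` nor `tbot.enabled` is set, so the Deployment is created with `secretName: ""` and the problem presumably only shows up when the kubelet fails to mount the volume. Piping the include through `required` names the failure at render time: `secretName: {{ include "pagerduty.identitySecretName" . | required "set teleport.identitySecretName or enable tbot" | quote }}`. Event-handler's `deployment.yaml` carries the same line.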
diff --git a/examples/chart/access/pagerduty/values.yaml b/examples/chart/access/pagerduty/values.yaml
index 3f3d8a5d5cb0d..0cf832dba9941 100644
--- a/examples/chart/access/pagerduty/values.yaml
+++ b/examples/chart/access/pagerduty/values.yaml
@@ -13,6 +13,9 @@ teleport:
# For example:
# - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
# - joining an Auth: `teleport-auth.example.com:3025`
+ #
+ # When the address is empty, `tbot.teleportProxyAddress`
+ # or `tbot.teleportAuthAddress` will be used if they are set.
address: ""
# teleport.identitySecretName(string) -- is the name of the Kubernetes secret
# that contains the credentials for the connection to your Teleport cluster.
@@ -76,6 +79,54 @@ log:
# will still go to `stderr` for resilience.
output: stdout
+# tbot -- controls the optional tbot deployment that obtains and renews
+# credentials for the plugin to connect to Teleport.
+# Only default and mandatory values are described here, see the tbot chart reference
+# for the full list of supported values.
+tbot:
+ # tbot.enabled(bool) -- controls if tbot should be deployed with the PagerDuty plugin.
+ enabled: false
+ # tbot.clusterName(string) -- is the name of the Teleport cluster tbot and the PagerDuty plugin will join.
+ # Setting this value is mandatory when tbot is enabled.
+ clusterName: ""
+ # tbot.teleportProxyAddress(string) -- is the teleport Proxy Service address the bot will connect to.
+ # This must contain the port number, usually 443 or 3080 for Proxy Service.
+ # Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+ # This is mandatory to connect to Teleport Enterprise (Cloud).
+ #
+ # This setting is mutually exclusive with `teleportAuthAddress`.
+ #
+ # For example:
+ # ```yaml
+ # tbot:
+ # teleportProxyAddress: "test.teleport.sh:443"
+ # ```
+ teleportProxyAddress: ""
+ # tbot.teleportAuthAddress(string) -- is the teleport Auth Service address the bot will connect to.
+ # This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+ # should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+ # Helm release and have direct access to the Auth Service.
+ # Else, you should prefer connecting via the Proxy Service.
+ #
+ # This setting is mutually exclusive with `teleportProxyAddress`.
+ #
+ # For example:
+ # ```yaml
+ # teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+ # ```
+ teleportAuthAddress: ""
+
+ # tbot.joinMethod(string) -- describes how tbot joins the Teleport cluster.
+ # See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+ joinMethod: "kubernetes"
+ token: ""
+
+ # Don't touch the tbot values below, this will break the chart.
+ # This ensures that tbot.fullname is not shortened if the release name contains "tbot"
+ nameOverride: tbot
+ defaultOutput:
+ enabled: true
+
secretVolumeName: "password-file"
# annotations -- contains annotations to apply to the different Kubernetes
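Review bot: `token: ""` is the only `tbot` value in this block without a doc comment, so the generated chart reference will not describe it although it is presumably needed for tbot to join at all. A comment in the file's own style would fix that, e.g. `# tbot.token(string) -- is the name of the join token tbot uses to join the Teleport cluster.`, and if the value is mandatory when tbot is enabled the comment should say so as the `clusterName` one does. With the default `kubernetes` join method the value identifies a provision token, but if the `token` join method is used the value is itself a credential and should not live in a committed values file — worth stating in the same comment. The join-method comment also has the typo `fo` for `of`. The same block, with the same gaps, is added to event-handler's `values.yaml`.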
diff --git a/examples/chart/access/slack/README.md b/examples/chart/access/slack/README.md
index 634f3c23d60d4..ffad800e06e6d 100644
--- a/examples/chart/access/slack/README.md
+++ b/examples/chart/access/slack/README.md
@@ -8,130 +8,4 @@ See the [Access Requests with Slack guide](https://goteleport.com/docs/access-co
## Values
-The following values can be set for the Helm chart:
-
-
-
- | Name |
- Description |
- Type |
- Default |
- Required |
-
-
-
- teleport.address |
- Host/port combination of the teleport auth server |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretName |
- Name of the Kubernetes secret that contains the credentials for the connection |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretPath |
- Key of the field in the secret specified by teleport.identitySecretName |
- string |
- "auth_id" |
- yes |
-
-
-
- slack.token |
- Slack API token |
- string |
- "" |
- yes |
-
-
- slack.tokenFromSecret |
- Kubernetes secret to read the token from instead of slack.token |
- string |
- "" |
- no |
-
-
- slack.tokenSecretPath |
- The path of the token in the secret described by slack.tokenFromSecret |
- string |
- "slackToken" |
- no |
-
-
-
- roleToRecipients |
-
- Mapping of roles to a list of channels and Slack emails.
- Example:
-
-"dev" = ["dev-access-requests", "user@example.com"]
-"*" = ["access-requests"]
- |
- map |
- {} |
- yes |
-
-
-
- log.output |
-
- Logger output. Could be "stdout", "stderr" or a file name,
- eg. "/var/lib/teleport/slack.log"
- |
- string |
- "stdout" |
- no |
-
-
- log.severity |
-
- Logger severity. Possible values are "INFO", "ERROR",
- "DEBUG" or "WARN".
- |
- string |
- "INFO" |
- no |
-
-
-
- annotations.config |
-
- Annotations to add to the configmap.
- |
- map |
- {} |
- no |
-
-
- annotations.deployment |
-
- Annotations to add to the deployment.
- |
- map |
- {} |
- no |
-
-
- annotations.pod |
-
- Annotations to add to every pod created by the deployment.
- |
- map |
- {} |
- no |
-
-
- annotations.secret |
-
- Annotations to add to the secret.
- |
- map |
- {} |
- no |
-
-
+See [teleport-plugin-slack Chart Reference](https://goteleport.com/docs/reference/helm-reference/teleport-plugin-slack/) for available Helm Chart configuration.
diff --git a/examples/chart/access/slack/templates/_helpers.tpl b/examples/chart/access/slack/templates/_helpers.tpl
index b592fb8a4c466..0b152b53b92a5 100644
--- a/examples/chart/access/slack/templates/_helpers.tpl
+++ b/examples/chart/access/slack/templates/_helpers.tpl
@@ -61,6 +61,9 @@ Create the name of the service account to use
{{- end }}
{{- end }}
+{{/*
+Use tbot-managed identity secret if tbot is enabled
+*/}}
{{- define "slack.identitySecretName" -}}
{{- if .Values.teleport.identitySecretName -}}
{{- .Values.teleport.identitySecretName -}}
@@ -76,7 +79,3 @@ identity
{{- .Values.teleport.identitySecretPath -}}
{{- end -}}
{{- end -}}
-
-{{- define "slack.teleportAddress" -}}
-
-{{- end -}}
diff --git a/examples/chart/access/slack/templates/secret.yaml b/examples/chart/access/slack/templates/secret.yaml
index c21021a0e40ce..72402da0c3fda 100644
--- a/examples/chart/access/slack/templates/secret.yaml
+++ b/examples/chart/access/slack/templates/secret.yaml
@@ -9,5 +9,5 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
- slackToken: {{ .Values.slack.token | b64enc }}
+ slackToken: {{ .Values.slack.token | b64enc }}
{{- end }}
diff --git a/examples/chart/event-handler/Chart.yaml b/examples/chart/event-handler/Chart.yaml
index b5d0082f60589..142d66cc5355a 100644
--- a/examples/chart/event-handler/Chart.yaml
+++ b/examples/chart/event-handler/Chart.yaml
@@ -6,3 +6,8 @@ description: A Helm chart for Teleport Event Handler Plugin
type: application
version: *version
appVersion: *version
+
+dependencies:
+ - name: tbot
+ version: *version
+ condition: tbot.enabled
diff --git a/examples/chart/event-handler/README.md b/examples/chart/event-handler/README.md
index 07a6d885197f8..53c97163d9767 100644
--- a/examples/chart/event-handler/README.md
+++ b/examples/chart/event-handler/README.md
@@ -6,147 +6,6 @@ This chart sets up and configures a Deployment for the Event Handler plugin.
See the [Export Events with FluentD Guide](https://goteleport.com/docs/management/export-audit-events/fluentd/).
-## Settings
+## Values
-The following values can be set for the Helm chart:
-
-
-
- | Name |
- Description |
- Type |
- Default |
- Required |
-
-
-
- teleport.address |
- hostname and HTTPS port of your Teleport Proxy Service
-or Teleport Enterprise Cloud account (e.g., `teleport.example.com:443` or
-`mytenant.teleport.sh:443`) |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretName |
- Name of the Kubernetes secret that contains the credentials for the connection |
- string |
- "" |
- yes |
-
-
- teleport.identitySecretPath |
- Key of the field in the secret specified by teleport.identitySecretName |
- string |
- "auth_id" |
- no |
-
-
-
- eventHandler.storagePath |
- Path to the directory where event-handler's state is stored |
- string |
- "/var/lib/teleport/plugins/event-handler/storage" |
- no |
-
-
- eventHandler.timeout |
- Maximum time to wait for incoming events before sending them to fluentd. |
- string |
- "10s" |
- no |
-
-
- eventHandler.batch |
- Maximum number of events fetched from Teleport in one request |
- string |
- 20 |
- no |
-
-
-
- fluentd.url |
- URL of fluentd where the event logs will be sent to. |
- string |
- "" |
- yes |
-
-
- fluentd.sessionUrl |
- URL of fluentd where the session logs will be sent to. |
- string |
- "" |
- yes |
-
-
- fluentd.secretName |
-
- Name of the secret where credentials for the connection is stored.
- It must contain the client's private key, certificate and fluentd's
- CA certificate. See the default paths below.
- |
- string |
- "" |
- yes |
-
-
- fluentd.caPath |
- Path of the CA certificate in the secret described by fluentd.secretName. |
- string |
- "ca.crt" |
-
-
- fluentd.certPath |
- Path of the client's certificate in the secret described by fluentd.secretName. |
- string |
- "client.crt" |
- no |
-
-
- fluentd.keyPath |
- Path of the client private key in the secret described by fluentd.secretName. |
- string |
- "client.key" |
- no |
-
-
-
- persistentVolumeClaim.enabled |
-
- Instructs the Helm chart to include a PersistentVolumeClaim for the storage. This storage
- will be mounted to the path specified by eventHandler.storagePath.
- |
- boolean |
- false |
- no |
-
-
- persistentVolumeClaim.size |
- Sets the size of the created PersistentVolumeClaim. Don't forget to append the proper suffix! |
- string |
- "1Gi" |
- no |
-
-
- persistentVolumeClaim.storageClassName |
-
- Sets the storage class name of the created PersistentVolumeClaim. Kubernetes will use the default
- one when omitted.
- |
- string |
- "" |
- no |
-
-
- persistentVolumeClaim.existingClaim |
-
- Specifies an already existing PersistentVolumeClaim which should be mounted to the path specified
- by eventHandler.storagePath. persistentVolumeClaim.enabled must be set to false for this
- option to take precedence. Ignored when persistentVolumeClaim.enabled is true.
- |
- string |
- "" |
- no |
-
-
+See [teleport-plugin-event-handler Chart Reference](https://goteleport.com/docs/reference/helm-reference/teleport-plugin-event-handler/) for available Helm Chart configuration.
diff --git a/examples/chart/event-handler/charts/tbot b/examples/chart/event-handler/charts/tbot
new file mode 120000
index 0000000000000..fe8e1716bedfb
--- /dev/null
+++ b/examples/chart/event-handler/charts/tbot
@@ -0,0 +1 @@
+../../tbot
\ No newline at end of file
diff --git a/examples/chart/event-handler/templates/_helpers.tpl b/examples/chart/event-handler/templates/_helpers.tpl
index 450f1572d9973..7574e35903823 100644
--- a/examples/chart/event-handler/templates/_helpers.tpl
+++ b/examples/chart/event-handler/templates/_helpers.tpl
@@ -60,3 +60,22 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
+
+{{/*
+Use tbot-managed identity secret if tbot is enabled
+*/}}
+{{- define "event-handler.identitySecretName" -}}
+{{- if .Values.teleport.identitySecretName -}}
+{{- .Values.teleport.identitySecretName -}}
+{{- else if .Values.tbot.enabled -}}
+ {{- .Release.Name }}-{{ default .Values.tbot.nameOverride "tbot" }}-out
+{{- end }}
+{{- end -}}
+
+{{- define "event-handler.identitySecretPath" -}}
+{{- if .Values.tbot.enabled -}}
+identity
+{{- else -}}
+{{- .Values.teleport.identitySecretPath -}}
+{{- end -}}
+{{- end -}}
diff --git a/examples/chart/event-handler/templates/configmap.yaml b/examples/chart/event-handler/templates/configmap.yaml
index 4729c749b7e29..f2602c579eeaa 100644
--- a/examples/chart/event-handler/templates/configmap.yaml
+++ b/examples/chart/event-handler/templates/configmap.yaml
@@ -22,8 +22,8 @@ data:
{{- end }}
[teleport]
- addr = "{{ .Values.teleport.address }}"
- identity = "/var/lib/teleport/plugins/event-handler/teleport-identity/{{ .Values.teleport.identitySecretPath }}"
+ addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | quote }}
+ identity = "/var/lib/teleport/plugins/event-handler/teleport-identity/{{ include "event-handler.identitySecretPath" . }}"
refresh.enabled = true
[forward.fluentd]
diff --git a/examples/chart/event-handler/templates/deployment.yaml b/examples/chart/event-handler/templates/deployment.yaml
index 368b0015ab7a1..4707d17cfd1f1 100644
--- a/examples/chart/event-handler/templates/deployment.yaml
+++ b/examples/chart/event-handler/templates/deployment.yaml
@@ -67,11 +67,11 @@ spec:
- name: certificate
mountPath: /var/lib/teleport/plugins/event-handler/client.key
subPath: {{ .Values.fluentd.certificate.keyPath }}
- {{- if .Values.tls.existingCASecretName }}
+ {{- if .Values.tls.existingCASecretName }}
- mountPath: /etc/teleport-tls-ca
name: "teleport-tls-ca"
readOnly: true
- {{- end }}
+ {{- end }}
{{- if or .Values.persistentVolumeClaim.enabled .Values.persistentVolumeClaim.existingClaim }}
- name: "{{ .Values.persistentVolumeClaim.volumeName }}"
mountPath: "{{ .Values.eventHandler.storagePath }}"
@@ -98,7 +98,7 @@ spec:
defaultMode: 0600
- name: teleport-identity
secret:
- secretName: "{{ .Values.teleport.identitySecretName }}"
+ secretName: {{ include "event-handler.identitySecretName" . | quote }}
defaultMode: 0600
- name: certificate
secret:
diff --git a/examples/chart/event-handler/values.yaml b/examples/chart/event-handler/values.yaml
index ac5a7dc0586c0..a5d5f0e0f1266 100644
--- a/examples/chart/event-handler/values.yaml
+++ b/examples/chart/event-handler/values.yaml
@@ -6,8 +6,43 @@
# Plugin specific options
#
teleport:
+ # When the address is empty, `tbot.teleportProxyAddress`
+ # or `tbot.teleportAuthAddress` will be used if they are set.
+ # teleport.address(string) -- is the address of the Teleport cluster the plugin
+ # connects to. The address must contain both the domain name and the port of
+ # the Teleport cluster. It can be either the address of the auth servers or the
+ # proxy servers.
+ #
+ # For example:
+ # - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
+ # - joining an Auth: `teleport-auth.example.com:3025`
+ #
+ # When the address is empty, `tbot.teleportProxyAddress`
+ # or `tbot.teleportAuthAddress` will be used if they are set.
address: ""
+ # teleport.identitySecretName(string) -- is the name of the Kubernetes secret
+ # that contains the credentials for the connection to your Teleport cluster.
+ #
+ # The secret should be in the following format:
+ #
+ # ```yaml
+ # apiVersion: v1
+ # kind: Secret
+ # type: Opaque
+ # metadata:
+ # name: teleport-plugin-event-handeler-identity
+ # data:
+ # auth_id: #...
+ # ```
+ #
+ # Check out the [Export Events with Fluentd]
+ # (../../zero-trust-access/export-audit-events/fluentd.mdx) guide
+ # for more information about how to acquire these credentials.
identitySecretName: ""
+ # teleport.identitySecretPath(string) -- is the key in the Kubernetes secret
+ # specified by `teleport.identitySecretName` that holds the credentials for
+ # the connection to your Teleport cluster. If the secret has the path,
+ # `"auth_id"`, you can omit this field.
identitySecretPath: "auth_id"
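Review bot: The two lines `# When the address is empty, …` at the top of the `teleport:` block duplicate the sentence that already closes the `teleport.address` comment a few lines below, and because they sit above the `teleport.address(string) --` marker they are likely to be attached to the wrong entry (or dropped) by the docs generator; the first copy should be deleted. The Markdown link in the `identitySecretName` comment is split between `]` and `(`, which CommonMark does not allow, so it will render as literal text — join `[Export Events with Fluentd](../../zero-trust-access/export-audit-events/fluentd.mdx)` on one line. The example secret name `teleport-plugin-event-handeler-identity` also has a typo in `handeler`.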
eventHandler:
@@ -29,8 +64,6 @@ eventHandler:
# Optional setting for session types to skip
# skipSessionTypes: ["TYPE1"]
-
-
fluentd:
url: ""
sessionUrl: ""
@@ -40,6 +73,54 @@ fluentd:
certPath: "client.crt"
keyPath: "client.key"
+# tbot -- controls the optional tbot deployment that obtains and renews
+# credentials for the plugin to connect to Teleport.
+# Only default and mandatory values are described here, see the tbot chart reference
+# for the full list of supported values.
+tbot:
+ # tbot.enabled(bool) -- controls if tbot should be deployed with the event handler plugin.
+ enabled: false
+ # tbot.clusterName(string) -- is the name of the Teleport cluster tbot and the event handler plugin will join.
+ # Setting this value is mandatory when tbot is enabled.
+ clusterName: ""
+ # tbot.teleportProxyAddress(string) -- is the teleport Proxy Service address the bot will connect to.
+ # This must contain the port number, usually 443 or 3080 for Proxy Service.
+ # Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+ # This is mandatory to connect to Teleport Enterprise (Cloud).
+ #
+ # This setting is mutually exclusive with `teleportAuthAddress`.
+ #
+ # For example:
+ # ```yaml
+ # tbot:
+ # teleportProxyAddress: "test.teleport.sh:443"
+ # ```
+ teleportProxyAddress: ""
+ # tbot.teleportAuthAddress(string) -- is the teleport Auth Service address the bot will connect to.
+ # This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection
+ # should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+ # Helm release and have direct access to the Auth Service.
+ # Else, you should prefer connecting via the Proxy Service.
+ #
+ # This setting is mutually exclusive with `teleportProxyAddress`.
+ #
+ # For example:
+ # ```yaml
+ # teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+ # ```
+ teleportAuthAddress: ""
+
+ # tbot.joinMethod(string) -- describes how tbot joins the Teleport cluster.
+ # See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+ joinMethod: "kubernetes"
+ token: ""
+
+ # Don't touch the tbot values below, this will break the chart.
+ # This ensures that tbot.fullname is not shortened if the release name contains "tbot"
+ nameOverride: tbot
+ defaultOutput:
+ enabled: true
+
persistentVolumeClaim:
enabled: false
size: 1Gi