
Teleport Kubernetes Operator supports Bot resource #34285

Open · Tracked by #34299
tuladhar opened this issue Nov 7, 2023 · 8 comments
Labels
c-cv Internal Customer Reference c-cwv Internal Customer Reference c-ip Internal Customer Reference c-lo Internal Customer Reference c-upg Internal Customer Reference feature-request Used for new features in Teleport, improvements to current should be #enhancements kube-operator Issues related to Kube Operator machine-id

Comments

@tuladhar (Contributor) commented Nov 7, 2023

What would you like Teleport to do?

Ability to add a Bot resource using the Teleport Kubernetes Operator; currently it is only available via tctl:

tctl bots add my-bot --token my-bot-token --roles my-bot-role

What problem does this solve?

  • Automates adding bots through the Teleport Kubernetes Operator.

If a workaround exists, please include it.

tctl bots add my-bot --token my-bot-token --roles my-bot-role
@tuladhar tuladhar added the feature-request Used for new features in Teleport, improvements to current should be #enhancements label Nov 7, 2023
@tuladhar tuladhar changed the title Teleport Kubernetes Operator supports for Bot Teleport Kubernetes Operator supports adding Bot Nov 7, 2023
@tuladhar tuladhar changed the title Teleport Kubernetes Operator supports adding Bot Teleport Kubernetes Operator supports Bot resource Nov 7, 2023
@strideynet strideynet added machine-id kube-operator Issues related to Kube Operator labels Nov 7, 2023
@strideynet (Contributor)

Likely dependent on #33808

@webvictim webvictim added the c-ip Internal Customer Reference label Jan 29, 2024
@TeleLos TeleLos added the c-cv Internal Customer Reference label Feb 22, 2024
@TeleLos (Contributor) commented Feb 22, 2024

Zendesk 9890 c-cv expressed that they try to manage all their Teleport roles via the Kubernetes operator. Adding this feature would be beneficial to their workflow.

@yair-segal

We would also like to use this feature. Currently this is done manually with the tctl command, post Teleport k8s/helm deployment.

@MattiasAng

Any update on this one? Having to work around this with tctl commands is quite cumbersome in terms of scaling.

@milos-teleport milos-teleport added the c-lo Internal Customer Reference label Sep 5, 2024
@zmb3 zmb3 added the c-upg Internal Customer Reference label Sep 27, 2024
@bfeuillet commented Nov 26, 2024

Hey there,
On my side I'm using FluxCD to automate the deployment of Kubernetes resources (Helm & co) on my k8s clusters.
I recently deployed the teleport-operator to have roles, users, tokens and co as code (YAML).

But like the other users in this thread, I'm obliged to use a one-shot manual tctl command to create the bot. Would it be possible to create a Teleport CRD for bots so the teleport-operator handles the deployment automatically (in a GitOps way)?

Thanks!

@strideynet (Contributor)

Just an update - this ticket still remains blocked on a problem with an upstream dependency we use to build the Teleport Kubernetes Operator - kubernetes/kubernetes#124154

@kachi-app commented Nov 27, 2024

I tried concatenating the YAML, and it failed:

# tbot-operator.yaml
kind: bot
version: v1
metadata:
  # name is a unique identifier for the bot in the cluster.
  name: tbot-operator
spec:
  # roles is a list of roles that the bot should be able to generate credentials
  # for.
  roles:
    - editor
    - mongodb-admin
    - operator

# Kustomize 
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: common

configMapGenerator:
  - name: tbot-operator-cm
    options:
      disableNameSuffixHash: true
    files:
      - tbot-operator.yaml=tbot-operator.yaml


# Teleport Cluster YAML
    ## Add tbot-operator to auto-generate the role
    extraVolumes:
      # Generated from ./configs/bots/kustomization.yaml
      - name: "tbot-operator-cm"
        configMap:
          name: "tbot-operator-cm"
      - name: "apply-on-startup"
        emptyDir: {}

    extraVolumeMounts:
      - name: tbot-operator-cm
        mountPath: /tbot
      - name: apply-on-startup
        mountPath: /opt/teleport

    initContainers:
      - name: "combine-tbot-operator"
        image: "alpine"
        command: [ "/bin/sh", "-c" ]
        args:
          - |
            echo "========================"
            echo "Show tbot-operator.yaml"
            echo "========================"
            cat /tbot/tbot-operator.yaml
            echo "========================"
            echo "Show apply-on-startup.yaml"
            echo "========================"
            cat /etc/teleport/apply-on-startup.yaml
            echo "================================================================================================"
            echo "Concat /tbot/tbot-operator.yaml to /etc/teleport/apply-on-startup.yaml"
            echo "================================================================================================"
            cat /tbot/tbot-operator.yaml /etc/teleport/apply-on-startup.yaml > /opt/teleport/apply-on-startup.yaml
            echo "========================"
            echo "After Merge"
            echo "========================"
            cat /opt/teleport/apply-on-startup.yaml
    extraArgs:
      - "--apply-on-startup=/opt/teleport/apply-on-startup.yaml"

@kachi-app

Updated workaround

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: teleport-cluster
spec:
  releaseName: teleport-cluster
  chart:
    spec:
      chart: teleport-cluster
      sourceRef:
        kind: HelmRepository
        name: teleport
      version: "17.0.2"
  interval: 10m
# Patch the ClusterRole to allow patching the configmaps
  postRenderers:
    - kustomize:
        patches:
          - target:
              version: v1
              kind: ClusterRole
              name: teleport-cluster
            patch: |
              - op: add
                path: /rules/0
                value: { "apiGroups": [""], "resources": ["configmaps"], "resourceNames": ["teleport-cluster-auth"], "verbs": ["patch", "get", "update"] }

  values:
    ## Add tbot-operator to auto-generate the role
    extraVolumes:
      # Generated from ./configs/bots/kustomization.yaml
      - name: "tbot-operator-cm"
        configMap:
          name: "tbot-operator-cm"
      - name: "apply-on-startup"
        emptyDir: {}

    extraVolumeMounts:
      - name: tbot-operator-cm
        mountPath: /tbot
      - name: apply-on-startup
        mountPath: /opt/teleport

    initContainers:
      - name: "patch-tbot-operator"
        image: "bitnami/kubectl:latest"
        # Root and allowPrivilegeEscalation are needed only for the apt-get
        # install of yamllint below; kubectl itself runs fine unprivileged.
        securityContext:
          runAsUser: 0 # Root user
          runAsGroup: 0
          allowPrivilegeEscalation: true
        env:
          # The pod name, used to run the patch only from an auth pod (these
          # values are rendered into the proxy pods too).
          - name: TELEPORT_APP_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
        command: [ "/bin/sh", "-c" ]
        args:
          - |
            # Deployment pods carry a ReplicaSet hash suffix, so match the prefix
            # rather than the exact Deployment name.
            case "$TELEPORT_APP_NAME" in
              teleport-cluster-auth*) ;;
              *)
                echo "TELEPORT_APP_NAME ($TELEPORT_APP_NAME) is not an auth pod. Exiting with status 0."
                exit 0
                ;;
            esac
            echo "========================"
            echo "Show tbot-operator.yaml"
            echo "========================"
            cat /tbot/tbot-operator.yaml
            echo "========================"
            echo "Show apply-on-startup.yaml"
            echo "========================"
            cat /etc/teleport/apply-on-startup.yaml
            echo "========================"
            echo "Concat and Generate YAML"
            echo "========================"
            # Strategic-merge patch body for the auth ConfigMap: the chart's own
            # apply-on-startup.yaml first, then a "---" separator and the bot
            # document, all indented four spaces to sit inside the block scalar.
            cat <<EOF > /opt/teleport/output.yaml
            data:
              apply-on-startup.yaml: |
            $(sed 's/^/    /' /etc/teleport/apply-on-startup.yaml)
                ---
            $(sed 's/^/    /' /tbot/tbot-operator.yaml)
            EOF

            # Optional lint of the generated patch. Needs root and network egress
            # to the apt mirrors; kubectl rejects malformed YAML anyway.
            apt-get update -y
            apt-get install -y yamllint

            cat <<EOF > /opt/teleport/.yamllint
            extends: default
            rules:
              document-start: disable  # Disable warnings for missing '---'
              line-length:
                max: 120               # Increase the maximum line length to 120 characters
                level: warning         # Change level to warning
            EOF

            yamllint --version
            cat /opt/teleport/.yamllint
            yamllint -c /opt/teleport/.yamllint /opt/teleport/output.yaml
            cat /opt/teleport/output.yaml

            cat /etc/os-release
            # The patch verb on this single ConfigMap is granted by the ClusterRole
            # patch in postRenderers above; no broader RBAC is needed.
            kubectl patch configmap teleport-cluster-auth -p "$(cat /opt/teleport/output.yaml)" --type=strategic -o yaml

Results: the teleport-cluster-auth configmap after the patch (screenshot omitted):

    ---
    kind: token
    version: v2
    metadata:
      name: "teleport-operator"
    spec:
      roles: [Bot]
      join_method: kubernetes
      bot_name: operator
      kubernetes:
        allow:
          - service_account: "teleport:teleport-cluster-operator"
    ---
    kind: bot
    version: v1
    metadata:
      # name is a unique identifier for the bot in the cluster.
      name: tbot-operator
    spec:
      # roles is a list of roles that the bot should be able to generate credentials
      # for.
      roles:
        - editor
        - mongodb-admin
        - operator

Notes:

  • After a few minutes, the configmap rolls back to its previous state without tbot-operator. However, the bot is still there.
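The merge step is where both workarounds above are fragile: a plain `cat a.yaml b.yaml` runs two documents together, and the second version fixes that with a heredoc plus an apt-get-installed linter running as root. The following is an added example, not code from this thread or from Teleport: a POSIX sh helper that builds the same multi-document stream and ConfigMap patch body without root, network access or yamllint, and refuses inputs that do not declare a resource `kind`. The function names, the `apply-on-startup.yaml` ConfigMap key and the one-resource-per-file layout are assumptions taken from the thread, not Teleport conventions.

```shell
#!/bin/sh
# Added example, not code from this thread or from Teleport: a root-free
# replacement for the "concat and generate YAML" step of the workaround above.
# Assumptions (hypothetical, matching the thread): the auth ConfigMap stores the
# startup resources under the key "apply-on-startup.yaml", and every input file
# holds exactly one Teleport resource document (kind: bot, token, role, ...).
set -eu

# merge_teleport_docs FILE... : print the files as one multi-document YAML
# stream. Each input becomes its own document separated by "---", so a token,
# a bot and the chart-generated document can never run together into a single
# invalid document (the failure mode of a plain `cat a.yaml b.yaml`).
merge_teleport_docs() {
  first=1
  for f in "$@"; do
    [ -s "$f" ] || { echo "merge_teleport_docs: $f is missing or empty" >&2; return 1; }
    # Refuse anything that does not declare a resource kind: a stray file
    # would otherwise be applied to the cluster on every auth restart.
    grep -Eq '^kind:[[:space:]]*[A-Za-z_]+' "$f" || { echo "merge_teleport_docs: no kind: in $f" >&2; return 1; }
    if [ "$first" -eq 1 ]; then first=0; else echo '---'; fi
    # Drop a leading "---" from the input so no empty document is emitted.
    awk 'NR == 1 && /^---[[:space:]]*$/ { next } { print }' "$f"
  done
}

# configmap_patch KEY FILE... : wrap the merged stream as the body of a
# strategic-merge patch (data.KEY as a block scalar), ready for
#   kubectl patch configmap <name> --type=strategic -p "$(configmap_patch ...)"
configmap_patch() {
  key=$1
  shift
  merged=$(merge_teleport_docs "$@") || return 1
  printf 'data:\n  %s: |\n' "$key"
  # Indent by four spaces so every line (including "---") sits inside the scalar.
  printf '%s\n' "$merged" | sed 's/^/    /'
}

# count_docs FILE : number of YAML documents in a stream (separators + 1).
count_docs() {
  n=$(grep -c '^---[[:space:]]*$' "$1" || true)
  echo $((n + 1))
}
```

Input order is preserved, so the caller decides whether the token or the bot document comes first. Because the patch only touches the one ConfigMap key, the Role granted to the init container can stay limited to `patch` on that single `resourceNames` entry, as in the posted ClusterRole patch.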
