Teleport Connect: Virtual 2024
Nov 6
Virtual
Register Today
Teleport logoTry For Free
Fork me on GitHub

Teleport

teleport-plugin-slack Chart Reference

The teleport-plugin-slack Helm chart is used to configure the Slack Teleport plugin, which allows users to receive Access Requests via channels or direct messages in Slack.

You can browse the source on GitHub.

This reference details available values for the teleport-plugin-slack chart.

Warning

Backing up production instances, environments, and/or settings before making permanent modifications is encouraged as a best practice. Doing so allows you to roll back to an existing state if needed.

teleport

teleport contains the configuration describing how the plugin connects to your Teleport cluster.

teleport.address

TypeDefault
string""

teleport.address is the address of the Teleport cluster the plugin connects to. The address must contain both the domain name and the port of the Teleport cluster. It can be either the address of the auth servers or the proxy servers.

For example:

  • joining a Proxy: teleport.example.com:443 or teleport.example.com:3080
  • joining an Auth: teleport-auth.example.com:3025

When the address is empty, tbot.teleportProxyAddress or tbot.teleportAuthAddress will be used if they are set.

teleport.identitySecretName

TypeDefault
string""

teleport.identitySecretName is the name of the Kubernetes secret that contains the credentials for the connection to your Teleport cluster.

The secret should be in the following format:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: teleport-plugin-slack-identity
data:
  auth_id: #...

Check out the Access Requests with Slack guide for more information about how to acquire these credentials.

teleport.identitySecretPath

TypeDefault
string"auth_id"

teleport.identitySecretPath is the key in the Kubernetes secret specified by teleport.identitySecretName that holds the credentials for the connection to your Teleport cluster. If the secret has the path, "auth_id", you can omit this field.

slack

slack contains the configuration used by the plugin to authenticate to Slack.

You can pass the Slack token:

  • via the chart Values by setting slack.token
  • via an existing Kubernetes Secret by setting slack.tokenFromSecret

slack.token

TypeDefault
string""

slack.token is the Slack token used by the plugin to interact with Slack. When set, the Chart creates a Kubernetes Secret for you.

This value has no effect if slack.tokenFromSecret is set.

slack.tokenFromSecret

TypeDefault
string""

slack.tokenFromSecret is the name of the Kubernetes Secret containing the Slack token. When this value is set, you must create the Secret before creating the chart release.

slack.tokenSecretPath

TypeDefault
string"slackToken"

slack.tokenSecretPath is the Kubernetes Secret key containing the Slack token. The secret name is set via slack.tokenFromSecret.

roleToRecipients

TypeDefault
object{}

roleToRecipients is mapping the requested role name to a list of recipients the plugin will notify. It must contain a mapping for * in case no matching roles are found.

Example value:

roleToRecipients:
 "*": "admin-slack-channel"
 dev:
   - "dev-slack-channel"
   - "admin-slack-channel"
 dba: "[email protected]"

log

log controls the plugin logging.

log.severity

TypeDefault
string"INFO"

log.severity is the log level for the Teleport process. Available log levels are: DEBUG, INFO, WARN, ERROR.

The default is INFO, which is recommended in production. DEBUG is useful during first-time setup or to see more detailed logs for debugging.

log.output

TypeDefault
string"stdout"

log.output sets the output destination for the Teleport process. This can be set to any of the built-in values: stdout, stderr.

The value can also be set to a file path (such as /var/log/teleport.log) to write logs to a file. Bear in mind that a few service startup messages will still go to stderr for resilience.

tbot

tbot controls the optional tbot deployment that obtains and renews credentials for the plugin to connect to Teleport. Only default and mandatory values are described here, see the tbot chart reference for the full list of supported values.

tbot.enabled

TypeDefault
boolfalse

tbot.enabled controls if tbot should be deployed with the slack plugin.

tbot.clusterName

TypeDefault
string""

tbot.clusterName is the name of the Teleport cluster tbot and the Slack plugin will join. Setting this value is mandatory when tbot is enabled.

tbot.teleportProxyAddress

TypeDefault
string""

tbot.teleportProxyAddress is the teleport Proxy Service address the bot will connect to. This must contain the port number, usually 443 or 3080 for Proxy Service. Connecting to the Proxy Service is the most common and recommended way to connect to Teleport. This is mandatory to connect to Teleport Enterprise (Cloud).

This setting is mutually exclusive with teleportAuthAddress.

For example:

tbot:
  teleportProxyAddress: "test.teleport.sh:443"

tbot.teleportAuthAddress

TypeDefault
string""

tbot.teleportAuthAddress is the teleport Auth Service address the bot will connect to. This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection should be used when you are deploying the bot in the same Kubernetes cluster than your teleport-cluster Helm release and have direct access to the Auth Service. Else, you should prefer connecting via the Proxy Service.

This setting is mutually exclusive with teleportProxyAddress.

For example:

teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"

tbot.joinMethod

TypeDefault
string"kubernetes"

tbot.joinMethod describes how tbot joins the Teleport cluster. See the join method reference for a list fo supported values and detailed explanations.

annotations

annotations contains annotations to apply to the different Kubernetes objects created by the chart. See the Kubernetes annotation documentation for more details.

annotations.config

TypeDefault
object{}

annotations.config contains the Kubernetes annotations put on the ConfigMap resource created by the chart.

annotations.deployment

TypeDefault
object{}

annotations.deployment contains the Kubernetes annotations put on the Deployment or StatefulSet resource created by the chart.

annotations.pod

TypeDefault
object{}

annotations.pod contains the Kubernetes annotations put on the Pod resources created by the chart.

annotations.secret

TypeDefault
object{}

annotations.secret contains the Kubernetes annotations put on the Secret resource created by the chart. This has no effect when joinTokenSecret.create is false.

image

image sets the container image used for plugin pods created by the chart.

You can override this to use your own plugin image rather than a Teleport-published image.

image.repository

TypeDefault
string"public.ecr.aws/gravitational/teleport-plugin-slack"

image.repository is the image repository.

image.pullPolicy

TypeDefault
string"IfNotPresent"

image.pullPolicy is the Kubernetes image pull policy.

image.tag

TypeDefault
string""

image.tag Overrides the image tag whose default is the chart appVersion.

Normally, the version of the Teleport plugin matches the version of the chart. If you install chart version 15.0.0, you'll use the plugin version 15.0.0. Upgrading the plugin is done by upgrading the chart.

Warning

image.tag is intended for development and custom tags. This MUST NOT be used to control the plugin version in a typical deployment. This chart is designed to run a specific plugin version. You will face compatibility issues trying to run a different version with it.

If you want to run the Teleport plugin version X.Y.Z, you should use helm install --version X.Y.Z instead.

imagePullSecrets

TypeDefault
list[]

imagePullSecrets is a list of secrets containing authorization tokens which can be optionally used to access a private Docker registry.

See the Kubernetes reference for more details.

podSecurityContext

TypeDefault
object{}

podSecurityContext sets the pod security context for any pods created by the chart. See the Kubernetes documentation for more details.

To unset the security context, set it to null or ~.

securityContext

TypeDefault
object{}

securityContext sets the container security context for any pods created by the chart. See the Kubernetes documentation for more details.

To unset the security context, set it to null or ~.

resources

TypeDefault
object{}

resources sets the resource requests/limits for any pods created by the chart. See the Kubernetes documentation for more details.

nodeSelector

TypeDefault
object{}

nodeSelector sets the node selector for any pods created by the chart. See the Kubernetes documentation for more details.

tolerations

TypeDefault
list[]

tolerations sets the tolerations for any pods created by the chart. See the Kubernetes documentation for more details.

affinity

TypeDefault
object{}

affinity sets the affinities for any pods created by the chart. See the Kubernetes documentation for more details.