
tbot helm chart does not create role and rolebinding #51181

Open
maximumG opened this issue Jan 17, 2025 · 0 comments

Comments

@maximumG

Expected behavior:

We are deploying a tbot agent using the official helm chart with the following values to avoid the serviceAccount creation.

  clusterName: "teleport.example.com"
  teleportProxyAddress: "teleport.example.com:443"
  joinMethod: gcp
  token: teleport.example.com
  serviceAccount:
    create: false # the SA is already created by some other chart that enables GCP workloadIdentity
    name: "teleport.example.com"

Even if the serviceAccount.create is set to false we would expect that the Role and RoleBinding objects are still created by the chart. I believe the SA creation switch should not be linked to the Role and RoleBinding creation.

Current behavior:

If we set serviceAccount.create: false in the tbot chart, the Role and RoleBinding are not created. Thus the SA cannot update Kubernetes Secrets.

Bug details:

Teleport version:

16.4.3

Recreation steps

Use the following helm values in a file named myvalues.yaml

  clusterName: "teleport.example.com"
  teleportProxyAddress: "teleport.example.com:443"
  joinMethod: gcp
  token: teleport.example.com
  serviceAccount:
    create: false # the SA is already created by some other chart that enables GCP workloadIdentity
    name: "teleport-bot"

Install the helm chart using the following command

helm install tbot teleport/tbot --version 16.4.3 --values myvalues.yaml

If the GCP authentication against Teleport is successful, tbot will complain that it is missing permission to update the K8S secret.

Debug logs

ERROR: secrets "teleport-example-tbot" is forbidden: User "system:serviceaccount:teleport-example:teleport-bot" cannot get resource "secrets" in API group "" in the namespace "teleport-example
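A pre-install check for the situation described in this report, added here as an example and not part of the tbot chart: it reads the manifests rendered by `helm template` from stdin and fails unless they contain a Role that grants access to `secrets` and a RoleBinding whose subjects include the named ServiceAccount. The function name `check_tbot_rbac` is hypothetical, and the line-based matching assumes block-style YAML as rendered by the chart.

```shell
#!/bin/sh
# Added example, not part of the tbot chart. Coarse line-based check of rendered
# manifests for the RBAC objects tbot needs to write Kubernetes Secrets.
# Usage:
#   helm template tbot teleport/tbot --values myvalues.yaml | check_tbot_rbac teleport-bot

# Returns 0 if stdin holds a Role mentioning the secrets resource and a
# RoleBinding listing ServiceAccount $1 under subjects; reports what is missing.
check_tbot_rbac() {
  sa="$1"
  manifests=$(cat)
  rc=0
  # Role document (between --- separators) whose rules list "- secrets".
  if ! printf '%s\n' "$manifests" | awk '
      /^---/            { k = 0; s = 0 }
      /^kind: Role$/    { k = 1 }
      /^ *- *secrets$/  { s = 1 }
      k && s            { f = 1 }
      END               { exit !f }'; then
    echo "missing: Role granting access to secrets" >&2
    rc=1
  fi
  # RoleBinding document whose subjects: block names the ServiceAccount.
  if ! printf '%s\n' "$manifests" | awk -v sa="$sa" '
      /^---/                       { k = 0; j = 0; s = 0 }
      /^kind: RoleBinding$/        { k = 1 }
      /^subjects:/                 { j = 1 }
      j && $0 ~ "name: " sa "$"    { s = 1 }
      k && s                       { f = 1 }
      END                          { exit !f }'; then
    echo "missing: RoleBinding for ServiceAccount $sa" >&2
    rc=1
  fi
  return $rc
}
```

After installation the same gap shows up with `kubectl auth can-i get secrets -n <namespace> --as=system:serviceaccount:<namespace>:teleport-bot`, which answers `no` when the binding is absent.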
maximumG added the bug label Jan 17, 2025
maximumG added a commit to maximumG/teleport that referenced this issue Jan 27, 2025
Fixes gravitational#51181.

K8S `Role` & `RoleBinding` are created by default. Their creation does not depend on the `ServiceAccount` creation anymore.