From d34354b1c41b37dac7c96f447d0e2df77ae6a936 Mon Sep 17 00:00:00 2001 
From: Bernard Kim Date: Mon, 21 Oct 2024 13:00:55 -0700 Subject: [PATCH] [v16] Support datadog plugin helm chart (#47727) * Support datadog helm chart * Support tbot integration * Reduce doc duplication * Remove default email * Typo: Missing = * Minor fixes * Set version to 16.4.3 --- .../zz_generated.access-datadog.mdx | 417 +++++++++++++++++ docs/pages/reference/helm-reference.mdx | 3 + .../teleport-plugin-datadog.mdx | 15 + examples/chart/Makefile | 2 +- examples/chart/access/datadog/.helmignore | 23 + examples/chart/access/datadog/Chart.yaml | 13 + examples/chart/access/datadog/README.md | 11 + examples/chart/access/datadog/charts/tbot | 1 + .../access/datadog/templates/_helpers.tpl | 82 ++++ .../access/datadog/templates/configmap.yaml | 29 ++ .../access/datadog/templates/deployment.yaml | 87 ++++ .../access/datadog/templates/secret.yaml | 28 ++ .../__snapshot__/configmap_test.yaml.snap | 31 ++ .../__snapshot__/deployment_test.yaml.snap | 71 +++ .../tests/__snapshot__/secret_test.yaml.snap | 17 + .../access/datadog/tests/configmap_test.yaml | 37 ++ .../access/datadog/tests/deployment_test.yaml | 69 +++ .../access/datadog/tests/secret_test.yaml | 38 ++ .../chart/access/datadog/values.schema.json | 429 ++++++++++++++++++ examples/chart/access/datadog/values.yaml | 246 ++++++++++ examples/chart/index.html | 14 + integrations/access/datadog/README.md | 2 +- version.mk | 2 +- 23 files changed, 1664 insertions(+), 3 deletions(-) create mode 100644 docs/pages/includes/helm-reference/zz_generated.access-datadog.mdx create mode 100644 docs/pages/reference/helm-reference/teleport-plugin-datadog.mdx create mode 100644 examples/chart/access/datadog/.helmignore create mode 100644 examples/chart/access/datadog/Chart.yaml create mode 100644 examples/chart/access/datadog/README.md create mode 120000 examples/chart/access/datadog/charts/tbot create mode 100644 examples/chart/access/datadog/templates/_helpers.tpl create mode 100644 
examples/chart/access/datadog/templates/configmap.yaml create mode 100644 examples/chart/access/datadog/templates/deployment.yaml create mode 100644 examples/chart/access/datadog/templates/secret.yaml create mode 100644 examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap create mode 100644 examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap create mode 100644 examples/chart/access/datadog/tests/__snapshot__/secret_test.yaml.snap create mode 100644 examples/chart/access/datadog/tests/configmap_test.yaml create mode 100644 examples/chart/access/datadog/tests/deployment_test.yaml create mode 100644 examples/chart/access/datadog/tests/secret_test.yaml create mode 100644 examples/chart/access/datadog/values.schema.json create mode 100644 examples/chart/access/datadog/values.yaml diff --git a/docs/pages/includes/helm-reference/zz_generated.access-datadog.mdx b/docs/pages/includes/helm-reference/zz_generated.access-datadog.mdx new file mode 100644 index 0000000000000..cc90d24bab68e --- /dev/null +++ b/docs/pages/includes/helm-reference/zz_generated.access-datadog.mdx 
@@ -0,0 +1,417 @@ + +{/* Generated file. Do not edit.*/} +{/* Generate this file by navigating to examples/chart and running make render-chart-ref*/} +## `teleport` + +`teleport` contains the configuration describing how the plugin connects to +your Teleport cluster. + +### `teleport.address` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`teleport.address` is the address of the Teleport cluster the plugin +connects to. The address must contain both the domain name and the port of +the Teleport cluster. It can be either the address of the auth servers or the +proxy servers. + +For example: + - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080` + - joining an Auth: `teleport-auth.example.com:3025` + +When the address is empty, `tbot.teleportProxyAddress` +or `tbot.teleportAuthAddress` will be used if they are set. + +### `teleport.identitySecretName` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`teleport.identitySecretName` is the name of the Kubernetes secret +that contains the credentials for the connection to your Teleport cluster. + +The secret should be in the following format: + +```yaml +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: teleport-plugin-datadog-identity +data: + auth_id: #... +``` + +Check out the [Access Requests with +Datadog Incident Management](../../admin-guides/access-controls/access-request-plugins/datadog-hosted.mdx) guide +for more information about how to acquire these credentials. + +### `teleport.identitySecretPath` + +| Type | Default | +|------|---------| +| `string` | `"auth_id"` | + +`teleport.identitySecretPath` is the key in the Kubernetes secret +specified by `teleport.identitySecretName` that holds the credentials for +the connection to your Teleport cluster. If the secret has the path, +`"auth_id"`, you can omit this field. + +## `datadog` + +`datadog` contains the configuration used by the plugin to authenticate to Datadog. 
+ +You can pass the Datadog keys by setting the chart values or using an existing Kubernetes Secret. + +### `datadog.apiEndpoint` + +| Type | Default | +|------|---------| +| `string` | `"https://api.datadoghq.com"` | + +`datadog.apiEndpoint` specifies which Datadog API site to set API +requests. + +### `datadog.apiKey` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`datadog.apiKey` is the Datadog API key used by the plugin to interact +with Datadog. When set, the Chart creates a Kubernetes Secret for you. + +This value has no effect if `datadog.apiKeyFromSecret` is set. + +### `datadog.apiKeyFromSecret` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`datadog.apiKeyFromSecret` is the name of the Kubernetes Secret +containing the Datadog apiKey. When this value is set, you must create the +Secret before creating the chart release. + +### `datadog.apiKeySecretPath` + +| Type | Default | +|------|---------| +| `string` | `"datadogApiKey"` | + +`datadog.apiKeySecretPath` is the Kubernetes Secret key +containing the Datadog API key. The secret name is set via `datadog.apiKeyFromSecret`. + +### `datadog.applicationKey` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`datadog.applicationKey` is the Datadog Application key used by the plugin to interact +with Datadog. When set, the Chart creates a Kubernetes Secret for you. + +This value has no effect if `datadog.applicationKeyFromSecret` is set. + +### `datadog.applicationKeyFromSecret` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`datadog.applicationKeyFromSecret` is the name of the Kubernetes Secret +containing the Datadog applicationKey. When this value is set, you must create the +Secret before creating the chart release. 
+ +### `datadog.applicationKeySecretPath` + +| Type | Default | +|------|---------| +| `string` | `"datadogApplicationKey"` | + +`datadog.applicationKeySecretPath` is the Kubernetes Secret key +containing the Datadog Application key. The secret name is set via `datadog.applicationKeyFromSecret`. + +### `datadog.fallbackRecipient` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`datadog.fallbackRecipient` specifies the default recipient for +Access Request notifications. The recipient can be a Datadog user email or +a team handle. + +### `datadog.severity` + +| Type | Default | +|------|---------| +| `string` | `"SEV-3"` | + +`datadog.severity` specifies the Datadog incident severity. + +## `log` + +`log` controls the plugin logging. + +### `log.severity` + +| Type | Default | +|------|---------| +| `string` | `"INFO"` | + +`log.severity` is the log level for the Teleport process. +Available log levels are: `DEBUG`, `INFO`, `WARN`, `ERROR`. + +The default is `INFO`, which is recommended in production. +`DEBUG` is useful during first-time setup or to see more detailed logs for debugging. + +### `log.output` + +| Type | Default | +|------|---------| +| `string` | `"stdout"` | + +`log.output` sets the output destination for the Teleport process. +This can be set to any of the built-in values: `stdout`, `stderr`. + +The value can also be set to a file path (such as `/var/log/teleport.log`) +to write logs to a file. Bear in mind that a few service startup messages +will still go to `stderr` for resilience. + +## `tbot` + +`tbot` controls the optional tbot deployment that obtains and renews +credentials for the plugin to connect to Teleport. +Only default and mandatory values are described here, see the tbot chart reference +for the full list of supported values. + +### `tbot.enabled` + +| Type | Default | +|------|---------| +| `bool` | `false` | + +`tbot.enabled` controls if tbot should be deployed with the datadog plugin. 
+ +### `tbot.clusterName` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`tbot.clusterName` is the name of the Teleport cluster tbot and the Datadog plugin will join. +Setting this value is mandatory when tbot is enabled. + +### `tbot.teleportProxyAddress` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`tbot.teleportProxyAddress` is the teleport Proxy Service address the bot will connect to. +This must contain the port number, usually 443 or 3080 for Proxy Service. +Connecting to the Proxy Service is the most common and recommended way to connect to Teleport. +This is mandatory to connect to Teleport Enterprise (Cloud). + +This setting is mutually exclusive with `teleportAuthAddress`. + +For example: +```yaml +tbot: + teleportProxyAddress: "test.teleport.sh:443" +``` + +### `tbot.teleportAuthAddress` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`tbot.teleportAuthAddress` is the teleport Auth Service address the bot will connect to. +This must contain the port number, usually 3025 for Auth Service. Direct Auth Service connection +should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster` +Helm release and have direct access to the Auth Service. +Else, you should prefer connecting via the Proxy Service. + +This setting is mutually exclusive with `teleportProxyAddress`. + +For example: +```yaml +teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025" +``` + +### `tbot.joinMethod` + +| Type | Default | +|------|---------| +| `string` | `"kubernetes"` | + +`tbot.joinMethod` describes how tbot joins the Teleport cluster. +See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations. + +## `annotations` + +`annotations` contains annotations to apply to the different Kubernetes +objects created by the chart. 
See [the Kubernetes annotation +documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/) +for more details. + +### `annotations.config` + +| Type | Default | +|------|---------| +| `object` | `{}` | + +`annotations.config` contains the Kubernetes annotations +put on the `ConfigMap` resource created by the chart. + +### `annotations.deployment` + +| Type | Default | +|------|---------| +| `object` | `{}` | + +`annotations.deployment` contains the Kubernetes annotations +put on the `Deployment` or `StatefulSet` resource created by the chart. + +### `annotations.pod` + +| Type | Default | +|------|---------| +| `object` | `{}` | + +`annotations.pod` contains the Kubernetes annotations +put on the `Pod` resources created by the chart. + +### `annotations.secret` + +| Type | Default | +|------|---------| +| `object` | `{}` | + +`annotations.secret` contains the Kubernetes annotations +put on the `Secret` resource created by the chart. +This has no effect when `joinTokenSecret.create` is `false`. + +## `image` + +`image` sets the container image used for plugin pods created by the chart. + +You can override this to use your own plugin image rather than a Teleport-published image. + +### `image.repository` + +| Type | Default | +|------|---------| +| `string` | `"public.ecr.aws/gravitational/teleport-plugin-datadog"` | + +`image.repository` is the image repository. + +### `image.pullPolicy` + +| Type | Default | +|------|---------| +| `string` | `"IfNotPresent"` | + +`image.pullPolicy` is the [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy). + +### `image.tag` + +| Type | Default | +|------|---------| +| `string` | `""` | + +`image.tag` Overrides the image tag whose default is the chart appVersion. + +Normally, the version of the Teleport plugin matches the +version of the chart. If you install chart version 15.0.0, you'll use +the plugin version 15.0.0. 
Upgrading the plugin is done by upgrading the chart. + + +`image.tag` is intended for development and custom tags. This MUST NOT be +used to control the plugin version in a typical deployment. This +chart is designed to run a specific plugin version. You will face +compatibility issues trying to run a different version with it. + +If you want to run the Teleport plugin version `X.Y.Z`, you should use +`helm install --version X.Y.Z` instead. + + +## `imagePullSecrets` + +| Type | Default | +|------|---------| +| `list` | `[]` | + +`imagePullSecrets` is a list of secrets containing authorization tokens +which can be optionally used to access a private Docker registry. + +See the [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) for more details. + +## `podSecurityContext` + +| Type | Default | +|------|---------| +| `object` | `{}` | + +`podSecurityContext` sets the pod security context for any pods created by the chart. +See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) +for more details. + +To unset the security context, set it to `null` or `~`. + +## `securityContext` + +| Type | Default | +|------|---------| +| `object` | `{}` | + +`securityContext` sets the container security context for any pods created by the chart. +See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) +for more details. + +To unset the security context, set it to `null` or `~`. + +## `resources` + +| Type | Default | +|------|---------| +| `object` | `{}` | + +`resources` sets the resource requests/limits for any pods created by the chart. +See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) +for more details. 
+ +## `nodeSelector` + +| Type | Default | +|------|---------| +| `object` | `{}` | + +`nodeSelector` sets the node selector for any pods created by the chart. +See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) +for more details. + +## `tolerations` + +| Type | Default | +|------|---------| +| `list` | `[]` | + +`tolerations` sets the tolerations for any pods created by the chart. +See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/) +for more details. + +## `affinity` + +| Type | Default | +|------|---------| +| `object` | `{}` | + +`affinity` sets the affinities for any pods created by the chart. +See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity) +for more details. diff --git a/docs/pages/reference/helm-reference.mdx b/docs/pages/reference/helm-reference.mdx index 8a7a939304c7d..daac382c8ba6d 100644 --- a/docs/pages/reference/helm-reference.mdx +++ b/docs/pages/reference/helm-reference.mdx @@ -39,3 +39,6 @@ layout: tocless-doc - [teleport-plugin-slack](./helm-reference/teleport-plugin-slack.mdx): Deploy the Teleport Slack Plugin, which allows notifying Slack users and channels when Access Requests are made. +- [teleport-plugin-datadog](./helm-reference/teleport-plugin-datadog.mdx): Deploy + the Teleport Datadog Incident Management Plugin, which allows Access Requests + to be managed as Datadog incidents. \ No newline at end of file diff --git a/docs/pages/reference/helm-reference/teleport-plugin-datadog.mdx b/docs/pages/reference/helm-reference/teleport-plugin-datadog.mdx new file mode 100644 index 0000000000000..6afc4634da03a --- /dev/null +++ b/docs/pages/reference/helm-reference/teleport-plugin-datadog.mdx 
@@ -0,0 +1,15 @@ +--- +title: teleport-plugin-datadog Chart Reference +description: Values that can be set using the teleport-plugin-datadog Helm chart +--- + +The `teleport-plugin-datadog` Helm chart runs the Datadog Teleport plugin, which +allows users to receive and manage Access Requests as Datadog incidents. + +You can [browse the source on GitHub](https://github.com/gravitational/teleport/tree/v(=teleport.version=)/examples/chart/access/datadog). + +This reference details available values for the `teleport-plugin-datadog` chart. + +(!docs/pages/includes/backup-warning.mdx!) + +(!docs/pages/includes/helm-reference/zz_generated.access-datadog.mdx!) diff --git a/examples/chart/Makefile b/examples/chart/Makefile index e48ee95f70a1c..017864ae573b5 100644 --- a/examples/chart/Makefile +++ b/examples/chart/Makefile @@ -1,7 +1,7 @@ # TODO(hugoShaka): uncomment the additional targets as we start sync-ing # the reference and the values.yaml -access = discord email jira mattermost msteams pagerduty slack +access = discord email jira mattermost msteams pagerduty slack datadog check_access = $(addprefix check-chart-ref-access-,$(access)) render_access = $(addprefix render-chart-ref-access-,$(access)) diff --git a/examples/chart/access/datadog/.helmignore b/examples/chart/access/datadog/.helmignore new file mode 100644 index 0000000000000..0e8a0eb36f4ca --- /dev/null +++ b/examples/chart/access/datadog/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/examples/chart/access/datadog/Chart.yaml b/examples/chart/access/datadog/Chart.yaml new file mode 100644 index 0000000000000..91a197f6e006f --- /dev/null 
+++ b/examples/chart/access/datadog/Chart.yaml @@ -0,0 +1,13 @@ +.version: &version "16.4.3" + +apiVersion: v2 +name: teleport-plugin-datadog +description: A Helm chart for the Teleport Datadog Incident Management Plugin +type: application +version: *version +appVersion: *version + +dependencies: + - name: tbot + version: *version + condition: tbot.enabled diff --git a/examples/chart/access/datadog/README.md b/examples/chart/access/datadog/README.md new file mode 100644 index 0000000000000..5a88a98868994 --- /dev/null +++ b/examples/chart/access/datadog/README.md @@ -0,0 +1,11 @@ +# Teleport Access Request Datadog Incident Management Plugin + +This chart sets up and configures a Deployment for the Access Request Datadog Incident Management plugin. + +## Installation + +See the [Access Requests with Datadog Incident Management guide](https://goteleport.com/docs/access-controls/access-request-plugins/datadog-hosted/). + +## Values + +See [teleport-plugin-datadog Chart Reference](https://goteleport.com/docs/reference/helm-reference/teleport-plugin-datadog/) for available Helm Chart configuration. diff --git a/examples/chart/access/datadog/charts/tbot b/examples/chart/access/datadog/charts/tbot new file mode 120000 index 0000000000000..bc5284c76fa10 --- /dev/null +++ b/examples/chart/access/datadog/charts/tbot @@ -0,0 +1 @@ +../../../tbot \ No newline at end of file diff --git a/examples/chart/access/datadog/templates/_helpers.tpl b/examples/chart/access/datadog/templates/_helpers.tpl new file mode 100644 index 0000000000000..86e3fb5b1f677 --- /dev/null +++ b/examples/chart/access/datadog/templates/_helpers.tpl 
@@ -0,0 +1,82 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "datadog.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "datadog.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "datadog.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "datadog.labels" -}}
+helm.sh/chart: {{ include "datadog.chart" . }}
+{{ include "datadog.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "datadog.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "datadog.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "datadog.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "datadog.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{- define "datadog.identitySecretName" -}} +{{- if .Values.teleport.identitySecretName -}} +{{- .Values.teleport.identitySecretName -}} +{{- else if .Values.tbot.enabled -}} + {{- .Release.Name }}-{{ default .Values.tbot.nameOverride "tbot" }}-out +{{- end }} +{{- end -}} + +{{- define "datadog.identitySecretPath" -}} +{{- if .Values.tbot.enabled -}} +identity +{{- else -}} +{{- .Values.teleport.identitySecretPath -}} +{{- end -}} +{{- end -}} + +{{- define "datadog.teleportAddress" -}} + +{{- end -}} diff --git a/examples/chart/access/datadog/templates/configmap.yaml b/examples/chart/access/datadog/templates/configmap.yaml new file mode 100644 index 0000000000000..418c1db7d4903 --- /dev/null +++ b/examples/chart/access/datadog/templates/configmap.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "datadog.fullname" . }} + {{- with .Values.annotations.config }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "datadog.labels" . | nindent 4 }} +data: + teleport-datadog.toml: | + [teleport] + addr = {{ coalesce .Values.teleport.address .Values.tbot.teleportProxyAddress .Values.tbot.teleportAuthAddress | quote }} + identity = "/var/lib/teleport/plugins/datadog/teleport-identity/{{ include "datadog.identitySecretPath" . }}" + refresh_identity = true + + [datadog] + api_endpoint = "{{ .Values.datadog.apiEndpoint }}" + api_key = "/var/lib/teleport/plugins/datadog/datadog-api-key" + application_key = "/var/lib/teleport/plugins/datadog/datadog-application-key" + severity = "{{ .Values.datadog.severity }}" + + [role_to_recipients] + "*" = ["{{ .Values.datadog.fallbackRecipient }}"] + + [log] + output = "{{ .Values.log.output }}" + severity = "{{ .Values.log.severity }}" 
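Review bot: In `datadog.identitySecretName` the sprig `default` call has its arguments reversed — `default .Values.tbot.nameOverride "tbot"` treats the literal `"tbot"` as the value and the override as the fallback, so the non-empty literal always wins and `tbot.nameOverride` is silently ignored; it should read `{{- .Release.Name }}-{{ default "tbot" .Values.tbot.nameOverride }}-out`. The same helper renders an empty string when neither `teleport.identitySecretName` nor `tbot.enabled` is set, which the deployment snapshot pins as `secretName: ""` and which the API server should reject when the pod is created; wrapping that path in `required "set teleport.identitySecretName or enable tbot" ...` would fail at `helm install` with a clear message instead. `datadog.teleportAddress` is defined with an empty body and `datadog.serviceAccountName` is never referenced by deployment.yaml, so both look like leftovers to either wire up or drop. deployment_test.yaml does not exercise `tbot.enabled` or `tbot.nameOverride`, so neither issue is covered by the tests in this patch.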
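Review bot: Quoting of the templated TOML values is inconsistent: `addr` goes through `| quote`, while `api_endpoint`, `severity`, the `[role_to_recipients]` entry and both `[log]` values are interpolated inside hand-written double quotes, so a value containing `"` or `\` yields a broken or silently altered config with no render-time error. Use `| quote` for every scalar, e.g. `api_endpoint = {{ .Values.datadog.apiEndpoint | quote }}`. With the documented default of `""`, the recipients line renders `"*" = [""]`; if the plugin only rejects an empty recipient at runtime, `required` on `datadog.fallbackRecipient` would surface the misconfiguration at install time instead. The ConfigMap itself carries only file paths for the API and application keys, which correctly keeps the secret material out of this object.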
diff --git a/examples/chart/access/datadog/templates/deployment.yaml b/examples/chart/access/datadog/templates/deployment.yaml
new file mode 100644
index 0000000000000..75550b87b2ca8
--- /dev/null
+++ b/examples/chart/access/datadog/templates/deployment.yaml
@@ -0,0 +1,87 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "datadog.fullname" . }} + {{- with .Values.annotations.deployment }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "datadog.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "datadog.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with coalesce .Values.annotations.pod .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "datadog.labels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - /usr/local/bin/teleport-plugin + - start + - "--config" + - "/etc/teleport-datadog.toml" + env: + - name: "TELEPORT_PLUGIN_FAIL_FAST" + value: "true" + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - name: config + mountPath: /etc/teleport-datadog.toml + subPath: teleport-datadog.toml + - name: teleport-identity + mountPath: /var/lib/teleport/plugins/datadog/teleport-identity + - name: {{ .Values.secretVolumeName }}-api-key + mountPath: /var/lib/teleport/plugins/datadog/datadog-api-key + subPath: {{ .Values.datadog.apiKeySecretPath }} + - name: {{ .Values.secretVolumeName }}-application-key + mountPath: /var/lib/teleport/plugins/datadog/datadog-application-key + subPath: {{ .Values.datadog.applicationKeySecretPath }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ include "datadog.fullname" . }} + defaultMode: 0600 + - name: teleport-identity + secret: + secretName: {{ include "datadog.identitySecretName" . | quote }} + defaultMode: 0600 + - name: {{ .Values.secretVolumeName }}-api-key + secret: + secretName: "{{ coalesce .Values.datadog.apiKeyFromSecret (printf "%s-api-key" (include "datadog.fullname" .)) }}" + defaultMode: 0600 + - name: {{ .Values.secretVolumeName }}-application-key + secret: + secretName: "{{ coalesce .Values.datadog.applicationKeyFromSecret (printf "%s-application-key" (include "datadog.fullname" .)) }}" + defaultMode: 0600 diff --git a/examples/chart/access/datadog/templates/secret.yaml b/examples/chart/access/datadog/templates/secret.yaml new file mode 100644 index 0000000000000..60a50e58d6052 --- /dev/null +++ b/examples/chart/access/datadog/templates/secret.yaml @@ -0,0 +1,28 @@ +{{- if not .Values.datadog.apiKeyFromSecret}} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ include "datadog.fullname" . }}-api-key + {{- with .Values.annotations.secret }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + datadogApiKey: {{ .Values.datadog.apiKey | b64enc }} +{{- end }} + +{{- if not .Values.datadog.applicationKeyFromSecret}} +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ include "datadog.fullname" . }}-application-key + {{- with .Values.annotations.secret }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + datadogApplicationKey: {{ .Values.datadog.applicationKey | b64enc }} +{{- end }} diff --git a/examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap b/examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap new file mode 100644 index 0000000000000..884d6dc81aea1 --- /dev/null 
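Review bot: The pod spec sets neither `serviceAccountName` nor `automountServiceAccountToken`, so the plugin container runs under the namespace's `default` service account with its API token mounted, although nothing in the template or the generated config uses the Kubernetes API; adding `automountServiceAccountToken: false` under `spec.template.spec` removes a credential the process has no visible need for (the `datadog.serviceAccountName` helper exists but is not referenced here). The Datadog API and application keys are mounted with `subPath`, and subPath mounts do not receive Secret updates, so rotating either key requires a pod restart — unlike the identity volume, which has no subPath and pairs with `refresh_identity = true` in the ConfigMap; mounting each Secret as a directory and pointing `api_key`/`application_key` at the file inside it would make rotation live. Per the generated reference, `podSecurityContext` and `securityContext` default to `{}`, so the container runs without `runAsNonRoot`, `readOnlyRootFilesystem` or dropped capabilities unless the operator sets them; hardened defaults in values.yaml would be worth considering since this chart pins a specific plugin image.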
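Review bot: `.Values.datadog.apiKey | b64enc` and `.Values.datadog.applicationKey | b64enc` render an empty Secret value when the key is unset and no `*FromSecret` is given, so a misconfigured release installs cleanly and only fails once the plugin calls Datadog; `datadogApiKey: {{ required "datadog.apiKey is required unless datadog.apiKeyFromSecret is set" .Values.datadog.apiKey | b64enc }}` (and the same for `applicationKey`) fails at render time instead. Both Secret objects also lack the `labels:` block that configmap.yaml and deployment.yaml emit via `datadog.labels`, so they will not be selected by the chart's common labels. secret_test.yaml has no case for a missing key, so the current behaviour is untested.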
+++ b/examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap @@ -0,0 +1,31 @@ +should match the snapshot: + 1: | + apiVersion: v1 + data: + teleport-datadog.toml: | + [teleport] + addr = "teleport.example.com:1234" + identity = "/var/lib/teleport/plugins/datadog/teleport-identity/auth_id" + refresh_identity = true + + [datadog] + api_endpoint = "https://api.datadoghq.com" + api_key = "/var/lib/teleport/plugins/datadog/datadog-api-key" + application_key = "/var/lib/teleport/plugins/datadog/datadog-application-key" + severity = "SEV-3" + + [role_to_recipients] + "*" = ["admin@example.com"] + + [log] + output = "/var/log/teleport-datadog.log" + severity = "DEBUG" + kind: ConfigMap + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: teleport-plugin-datadog + app.kubernetes.io/version: 16.4.3 + helm.sh/chart: teleport-plugin-datadog-16.4.3 + name: RELEASE-NAME-teleport-plugin-datadog diff --git a/examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap new file mode 100644 index 0000000000000..6208e834ed127 --- /dev/null +++ b/examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap 
@@ -0,0 +1,71 @@ +should match the snapshot: + 1: | + apiVersion: apps/v1 + kind: Deployment + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: teleport-plugin-datadog + app.kubernetes.io/version: 16.4.3 + helm.sh/chart: teleport-plugin-datadog-16.4.3 + name: RELEASE-NAME-teleport-plugin-datadog + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/name: teleport-plugin-datadog + template: + metadata: + labels: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: teleport-plugin-datadog + app.kubernetes.io/version: 16.4.3 + helm.sh/chart: teleport-plugin-datadog-16.4.3 + spec: + containers: + - command: + - /usr/local/bin/teleport-plugin + - start + - --config + - /etc/teleport-datadog.toml + env: + - name: TELEPORT_PLUGIN_FAIL_FAST + value: "true" + image: gcr.io/overridden/repository:v98.76.54 + imagePullPolicy: IfNotPresent + name: teleport-plugin-datadog + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /etc/teleport-datadog.toml + name: config + subPath: teleport-datadog.toml + - mountPath: /var/lib/teleport/plugins/datadog/teleport-identity + name: teleport-identity + - mountPath: /var/lib/teleport/plugins/datadog/datadog-api-key + name: password-file-api-key + subPath: datadogApiKey + - mountPath: /var/lib/teleport/plugins/datadog/datadog-application-key + name: password-file-application-key + subPath: datadogApplicationKey + securityContext: {} + volumes: + - configMap: + defaultMode: 384 + name: RELEASE-NAME-teleport-plugin-datadog + name: config + - name: teleport-identity + secret: + defaultMode: 384 + secretName: "" + - name: password-file-api-key + secret: + defaultMode: 384 + secretName: RELEASE-NAME-teleport-plugin-datadog-api-key + - name: password-file-application-key + secret: + defaultMode: 384 + secretName: 
RELEASE-NAME-teleport-plugin-datadog-application-key diff --git a/examples/chart/access/datadog/tests/__snapshot__/secret_test.yaml.snap b/examples/chart/access/datadog/tests/__snapshot__/secret_test.yaml.snap new file mode 100644 index 0000000000000..fc9ff6af65c5e --- /dev/null +++ b/examples/chart/access/datadog/tests/__snapshot__/secret_test.yaml.snap @@ -0,0 +1,17 @@ +should contain the api and application key: + 1: | + apiVersion: v1 + data: + datadogApiKey: ZGF0YWRvZ0FwaUtleQ== + kind: Secret + metadata: + name: RELEASE-NAME-teleport-plugin-datadog-api-key + type: Opaque + 2: | + apiVersion: v1 + data: + datadogApplicationKey: ZGF0YWRvZ0FwcGxpY2F0aW9uS2V5 + kind: Secret + metadata: + name: RELEASE-NAME-teleport-plugin-datadog-application-key + type: Opaque diff --git a/examples/chart/access/datadog/tests/configmap_test.yaml b/examples/chart/access/datadog/tests/configmap_test.yaml new file mode 100644 index 0000000000000..8927111f1a32b --- /dev/null +++ b/examples/chart/access/datadog/tests/configmap_test.yaml @@ -0,0 +1,37 @@ +suite: Test configmap +templates: + - configmap.yaml +tests: + - it: should match the snapshot + set: + teleport: + address: teleport.example.com:1234 + datadog: + apiEndpoint: https://api.datadoghq.com + apiKey: test-api-key + applicationKey: test-application-key + fallbackRecipient: admin@example.com + severity: SEV-3 + log: + output: /var/log/teleport-datadog.log + severity: DEBUG + asserts: + - matchSnapshot: {} + + - it: should not contain annotations when not defined + asserts: + - isNull: + path: metadata.annotations + + - it: should contain annotations when defined + set: + annotations: + config: + keyA: valA + keyB: valB + asserts: + - equal: + path: metadata.annotations + value: + keyA: valA + keyB: valB diff --git a/examples/chart/access/datadog/tests/deployment_test.yaml b/examples/chart/access/datadog/tests/deployment_test.yaml new file mode 100644 index 0000000000000..8f2cde402536e --- /dev/null 
+++ b/examples/chart/access/datadog/tests/deployment_test.yaml @@ -0,0 +1,69 @@ +suite: Test deployment +templates: + - deployment.yaml +tests: + - it: should match the snapshot + set: + image: + repository: gcr.io/overridden/repository + tag: v98.76.54 + asserts: + - matchSnapshot: {} + + - it: should not contain deployment or pod annotations when not defined + asserts: + - isNull: + path: metadata.annotations + - isNull: + path: spec.template.metadata.annotations + + - it: should contain deployment annotations when defined + set: + annotations: + deployment: + keyA: valA + keyB: valB + asserts: + - equal: + path: metadata.annotations + value: + keyA: valA + keyB: valB + - isNull: + path: spec.template.metadata.annotations + + - it: should contain pod annotations when defined + set: + annotations: + pod: + keyA: valA + keyB: valB + asserts: + - equal: + path: spec.template.metadata.annotations + value: + keyA: valA + keyB: valB + - isNull: + path: metadata.annotations + + - it: should contain both annotations when defined + set: + annotations: + deployment: + keyA: valA + keyB: valB + pod: + keyA: valA' + keyC: valC + asserts: + - equal: + path: metadata.annotations + value: + keyA: valA + keyB: valB + - equal: + path: spec.template.metadata.annotations + value: + keyA: valA' + keyC: valC diff --git a/examples/chart/access/datadog/tests/secret_test.yaml b/examples/chart/access/datadog/tests/secret_test.yaml new file mode 100644 index 0000000000000..bef3533b4eee6 --- /dev/null +++ b/examples/chart/access/datadog/tests/secret_test.yaml 
@@ -0,0 +1,38 @@
+suite: Test secret
+templates:
+ - secret.yaml
+tests:
+ - it: should contain the api and application key
+ set:
+ datadog:
+ apiKey: datadogApiKey
+ applicationKey: datadogApplicationKey
+ asserts:
+ - matchSnapshot: {}
+
+ - it: should not exist when using external secret
+ set:
+ datadog:
+ apiKeyFromSecret: datadog-api-key
+ applicationKeyFromSecret: datadog-application-key
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should not contain annotations when not defined
+ asserts:
+ - isNull:
+ path: metadata.annotations
+
+ - it: should contain annotations when defined
+ set:
+ annotations:
+ secret:
+ keyA: valA
+ keyB: valB
+ asserts:
+ - equal:
+ path: metadata.annotations
+ value:
+ keyA: valA
+ keyB: valB
diff --git a/examples/chart/access/datadog/values.schema.json b/examples/chart/access/datadog/values.schema.json
new file mode 100644
index 0000000000000..ac42f66ff445b
--- /dev/null
+++ b/examples/chart/access/datadog/values.schema.json
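Review bot: The secret tests only cover the two all-or-nothing cases — both keys inline (the snapshot) and both keys from external Secrets (`hasDocuments: count: 0`) — so a mixed configuration, for example `datadog.apiKeyFromSecret` set while `datadog.applicationKey` is given inline, is untested even though the snapshot shows the template emits the two Secrets as separate documents. A case asserting that exactly one document is rendered for that mix would pin the behaviour the values documentation promises (an inline key has no effect once its `*FromSecret` counterpart is set); the expected count of 1 is inferred from the snapshot and should be confirmed against the template. Something like the case below, added next to the external-secret case, would do.
```yaml
  - it: should only render the application key secret when the api key comes from an external secret
    set:
      datadog:
        apiKeyFromSecret: datadog-api-key
        applicationKey: datadogApplicationKey
    asserts:
      - hasDocuments:
          count: 1
```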
@@ -0,0 +1,429 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema",
+ "$id": "http://example.com/example.json",
+ "default": {},
+ "required": [
+ "image",
+ "imagePullSecrets",
+ "nameOverride",
+ "fullnameOverride",
+ "podAnnotations",
+ "podSecurityContext",
+ "securityContext",
+ "nodeSelector",
+ "tolerations",
+ "affinity",
+ "teleport",
+ "datadog",
+ "log"
+ ],
+ "properties": {
+ "image": {
+ "$id": "#/properties/image",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "repository": "public.ecr.aws/gravitational/teleport-plugin-datadog",
+ "pullPolicy": "IfNotPresent",
+ "tag": ""
+ }
+ ],
+ "required": [
+ "repository",
+ "pullPolicy",
+ "tag"
+ ],
+ "properties": {
+ "repository": {
+ "$id": "#/properties/image/properties/repository",
+ "type": "string",
+ "default": "public.ecr.aws/gravitational/teleport-plugin-datadog",
+ "examples": [
+ "public.ecr.aws/gravitational/teleport-plugin-datadog"
+ ]
+ },
+ "pullPolicy": {
+ "$id": "#/properties/image/properties/pullPolicy",
+ "type": "string",
+ "default": "IfNotPresent",
+ "examples": [
+ "IfNotPresent"
+ ]
+ },
+ "tag": {
+ "$id": "#/properties/image/properties/tag",
+ "type": "string",
+ "default": ""
+ }
+ },
+ "additionalProperties": true
+ },
+ "imagePullSecrets": {
+ "$id": "#/properties/imagePullSecrets",
+ "type": "array",
+ "default": [],
+ "examples": [
+ [
+ {
+ "name": "image-pull-secrets"
+ }
+ ]
+ ],
+ "additionalItems": true,
+ "items": {
+ "$id": "#/properties/imagePullSecrets/items"
+ }
+ },
+ "nameOverride": {
+ "$id": "#/properties/nameOverride",
+ "type": "string",
+ "default": ""
+ },
+ "fullnameOverride": {
+ "$id": "#/properties/fullnameOverride",
+ "type": "string",
+ "default": ""
+ },
+ "podAnnotations": {
+ "$id": "#/properties/podAnnotations",
+ "type": "object",
+ "additionalProperties": true
+ },
+ "podSecurityContext": {
+ "$id": "#/properties/podSecurityContext",
+ "type": "object",
+ "required": [],
+ "additionalProperties": true
+ },
+ "securityContext":
{
+ "$id": "#/properties/securityContext",
+ "type": "object",
+ "properties": {
+ "capabilities": {
+ "$id": "#/properties/securityContext/properties/capabilities",
+ "type": "object",
+ "additionalProperties": true
+ },
+ "readOnlyRootFilesystem": {
+ "$id": "#/properties/securityContext/properties/readOnlyRootFilesystem",
+ "type": "boolean",
+ "default": false,
+ "examples": [
+ true
+ ]
+ },
+ "runAsNonRoot": {
+ "$id": "#/properties/securityContext/properties/runAsNonRoot",
+ "type": "boolean",
+ "default": false,
+ "examples": [
+ true
+ ]
+ },
+ "runAsUser": {
+ "$id": "#/properties/securityContext/properties/runAsUser",
+ "type": "integer",
+ "default": 0,
+ "examples": [
+ 1000
+ ]
+ }
+ },
+ "additionalProperties": true
+ },
+ "resources": {
+ "$id": "#/properties/resources",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "limits": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ },
+ "requests": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ }
+ }
+ ],
+ "properties": {
+ "limits": {
+ "$id": "#/properties/resources/properties/limits",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "cpu": "100m",
+ "memory": "128Mi"
+ }
+ ],
+ "required": [
+ "cpu",
+ "memory"
+ ],
+ "properties": {
+ "cpu": {
+ "$id": "#/properties/resources/properties/limits/properties/cpu",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "100m"
+ ]
+ },
+ "memory": {
+ "$id": "#/properties/resources/properties/limits/properties/memory",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "128Mi"
+ ]
+ }
+ },
+ "additionalProperties": true
+ },
+ "requests": {
+ "$id": "#/properties/resources/properties/requests",
+ "type": "object",
+ "default": {},
+ "examples": [
+ {
+ "cpu": "100m",
+ "memory": "128Mi"
+ }
+ ],
+ "required": [
+ "cpu",
+ "memory"
+ ],
+ "properties": {
+ "cpu": {
+ "$id": "#/properties/resources/properties/requests/properties/cpu",
+ "type": "string",
+ "default": "",
+ "examples": [
+ "100m"
+ ]
+ },
+ "memory": {
+ "$id":
"#/properties/resources/properties/requests/properties/memory", + "type": "string", + "default": "", + "examples": [ + "128Mi" + ] + } + }, + "additionalProperties": true + } + }, + "additionalProperties": true + }, + "nodeSelector": { + "$id": "#/properties/nodeSelector", + "type": "object", + "default": {}, + "additionalProperties": true + }, + "tolerations": { + "$id": "#/properties/tolerations", + "type": "array", + "default": [], + "additionalItems": true, + "items": { + "$id": "#/properties/tolerations/items" + } + }, + "affinity": { + "$id": "#/properties/affinity", + "type": "object", + "default": {}, + "additionalProperties": true + }, + "teleport": { + "$id": "#/properties/teleport", + "type": "object", + "default": {}, + "examples": [ + { + "address": "auth.example.com:3025", + "identitySecretName": "teleport-plugin-datadog-auth-id", + "identitySecretPath": "auth_id" + } + ], + "required": [ + "address", + "identitySecretName", + "identitySecretPath" + ], + "properties": { + "address": { + "$id": "#/properties/teleport/properties/address", + "type": "string", + "default": "", + "examples": [ + "auth.example.com:3025" + ] + }, + "identitySecretName": { + "$id": "#/properties/teleport/properties/identitySecretName", + "type": "string", + "default": "" + }, + "identitySecretPath": { + "$id": "#/properties/teleport/properties/identitySecretPath", + "type": "string", + "default": "auth_id", + "examples": [ + "auth_id" + ] + } + }, + "additionalProperties": true + }, + "datadog": { + "$id": "#/properties/datadog", + "type": "object", + "default": {}, + "examples": [ + { + "apiEndpoint": "https://api.datadoghq.com", + "apiKey": "example-api-key", + "applicationKey": "example-application-key", + "severity": "SEV-3", + "fallbackRecipient": "admin@example.com" + } + ], + "required": [ + "apiEndpoint", + "apiKey", + "applicationKey", + "fallbackRecipient" + ], + "properties": { + "apiEndpoint": { + "$id": "#/properties/datadog/properties/apiEndpoint", + "type": 
"string", + "default": "https://api.datadoghq.com", + "examples": [ + "https://api.datadoghq.com", + "https://api.us3.datadoghq.com", + "https://api.us5.datadoghq.com", + "https://api.datadoghq.eu", + "https://api.ap1.datadoghq.com" + ] + }, + "apiKey": { + "$id": "#/properties/datadog/properties/apiKey", + "type": "string", + "default": "", + "examples": [ + "example-api-key" + ] + }, + "apiKeyFromSecret": { + "$id": "#/properties/datadog/properties/apiKeyFromSecret", + "type": "string", + "default": "", + "examples": [ + "my-datadog-secret" + ] + }, + "apiKeySecretPath": { + "$id": "#/properties/datadog/properties/apiKeySecretPath", + "type": "string", + "default": "datadogApiKey", + "examples": [ + "apikey" + ] + }, + "applicationKey": { + "$id": "#/properties/datadog/properties/applicationKey", + "type": "string", + "default": "", + "examples": [ + "example-application-key" + ] + }, + "applicationKeyFromSecret": { + "$id": "#/properties/datadog/properties/applicationKeyFromSecret", + "type": "string", + "default": "", + "examples": [ + "my-datadog-secret" + ] + }, + "applicationKeySecretPath": { + "$id": "#/properties/datadog/properties/applicationKeySecretPath", + "type": "string", + "default": "datadogApplicationKey", + "examples": [ + "applicationkey" + ] + }, + "fallbackRecipient": { + "$id": "#/properties/datadog/properties/fallbackRecipient", + "type": "string", + "default": "", + "examples": [ + "admin@example.com", + "datadog-team-handle" + ] + }, + "severity": { + "$id": "#/properties/datadog/properties/severity", + "type": "string", + "default": "SEV-3", + "examples": [ + "SEV-3" + ] + } + }, + "additionalProperties": true + }, + "log": { + "$id": "#/properties/log", + "type": "object", + "default": {}, + "examples": [ + { + "output": "stdout", + "severity": "INFO" + } + ], + "required": [ + "output", + "severity" + ], + "properties": { + "output": { + "$id": "#/properties/log/properties/output", + "type": "string", + "default": "stdout", + 
"examples": [ + "stdout" + ] + }, + "severity": { + "$id": "#/properties/log/properties/severity", + "type": "string", + "default": "INFO", + "examples": [ + "INFO" + ] + } + }, + "additionalProperties": true + }, + "secretVolumeName": { + "$id": "#/properties/secretVolumeName", + "type": "string", + "default": "password-file", + "examples": [ + "my-secret-volume" + ] + } + }, + "additionalProperties": true +} diff --git a/examples/chart/access/datadog/values.yaml b/examples/chart/access/datadog/values.yaml new file mode 100644 index 0000000000000..9c92af3397917 --- /dev/null +++ b/examples/chart/access/datadog/values.yaml 
@@ -0,0 +1,246 @@
+#
+# Plugin specific options
+#
+
+# teleport -- contains the configuration describing how the plugin connects to
+# your Teleport cluster.
+teleport:
+ # teleport.address(string) -- is the address of the Teleport cluster the plugin
+ # connects to. The address must contain both the domain name and the port of
+ # the Teleport cluster. It can be either the address of the auth servers or the
+ # proxy servers.
+ #
+ # For example:
+ # - joining a Proxy: `teleport.example.com:443` or `teleport.example.com:3080`
+ # - joining an Auth: `teleport-auth.example.com:3025`
+ #
+ # When the address is empty, `tbot.teleportProxyAddress`
+ # or `tbot.teleportAuthAddress` will be used if they are set.
+ address: ""
+ # teleport.identitySecretName(string) -- is the name of the Kubernetes secret
+ # that contains the credentials for the connection to your Teleport cluster.
+ #
+ # The secret should be in the following format:
+ #
+ # ```yaml
+ # apiVersion: v1
+ # kind: Secret
+ # type: Opaque
+ # metadata:
+ # name: teleport-plugin-datadog-identity
+ # data:
+ # auth_id: #...
+ # ```
+ #
+ # Check out the [Access Requests with
+ # Datadog Incident Management](../../admin-guides/access-controls/access-request-plugins/datadog-hosted.mdx) guide
+ # for more information about how to acquire these credentials.
+ identitySecretName: ""
+ # teleport.identitySecretPath(string) -- is the key in the Kubernetes secret
+ # specified by `teleport.identitySecretName` that holds the credentials for
+ # the connection to your Teleport cluster. If the secret has the path,
+ # `"auth_id"`, you can omit this field.
+ identitySecretPath: "auth_id"
+
+# datadog -- contains the configuration used by the plugin to authenticate to Datadog.
+#
+# You can pass the Datadog keys by setting the chart values or using an existing Kubernetes Secret.
+datadog:
+ # datadog.apiEndpoint(string) -- specifies which Datadog API site to set API
+ # requests.
+ apiEndpoint: "https://api.datadoghq.com"
+ # datadog.apiKey(string) -- is the Datadog API key used by the plugin to interact
+ # with Datadog. When set, the Chart creates a Kubernetes Secret for you.
+ #
+ # This value has no effect if `datadog.apiKeyFromSecret` is set.
+ apiKey: ""
+ # datadog.apiKeyFromSecret(string) -- is the name of the Kubernetes Secret
+ # containing the Datadog apiKey. When this value is set, you must create the
+ # Secret before creating the chart release.
+ apiKeyFromSecret: ""
+ # datadog.apiKeySecretPath(string) -- is the Kubernetes Secret key
+ # containing the Datadog API key. The secret name is set via `datadog.apiKeyFromSecret`.
+ apiKeySecretPath: "datadogApiKey"
+ # datadog.applicationKey(string) -- is the Datadog Application key used by the plugin to interact
+ # with Datadog. When set, the Chart creates a Kubernetes Secret for you.
+ #
+ # This value has no effect if `datadog.applicationKeyFromSecret` is set.
+ applicationKey: ""
+ # datadog.applicationKeyFromSecret(string) -- is the name of the Kubernetes Secret
+ # containing the Datadog applicationKey. When this value is set, you must create the
+ # Secret before creating the chart release.
+ applicationKeyFromSecret: ""
+ # datadog.applicationKeySecretPath(string) -- is the Kubernetes Secret key
+ # containing the Datadog Application key. The secret name is set via `datadog.applicationKeyFromSecret`.
+ applicationKeySecretPath: "datadogApplicationKey"
+ # datadog.fallbackRecipient(string) -- specifies the default recipient for
+ # Access Request notifications. The recipient can be a Datadog user email or
+ # a team handle.
+ fallbackRecipient: ""
+ # datadog.severity(string) -- specifies the Datadog incident severity.
+ severity: "SEV-3"
+
+# log -- controls the plugin logging.
+log:
+ # log.severity(string) -- is the log level for the Teleport process.
+ # Available log levels are: `DEBUG`, `INFO`, `WARN`, `ERROR`.
+ #
+ # The default is `INFO`, which is recommended in production.
+ # `DEBUG` is useful during first-time setup or to see more detailed logs for debugging.
+ severity: INFO
+ # log.output(string) -- sets the output destination for the Teleport process.
+ # This can be set to any of the built-in values: `stdout`, `stderr`.
+ #
+ # The value can also be set to a file path (such as `/var/log/teleport.log`)
+ # to write logs to a file. Bear in mind that a few service startup messages
+ # will still go to `stderr` for resilience.
+ output: stdout
+
+# tbot -- controls the optional tbot deployment that obtains and renews
+# credentials for the plugin to connect to Teleport.
+# Only default and mandatory values are described here, see the tbot chart reference
+# for the full list of supported values.
+tbot:
+ # tbot.enabled(bool) -- controls if tbot should be deployed with the datadog plugin.
+ enabled: false
+ # tbot.clusterName(string) -- is the name of the Teleport cluster tbot and the Datadog plugin will join.
+ # Setting this value is mandatory when tbot is enabled.
+ clusterName: ""
+ # tbot.teleportProxyAddress(string) -- is the teleport Proxy Service address the bot will connect to.
+ # This must contain the port number, usually 443 or 3080 for Proxy Service.
+ # Connecting to the Proxy Service is the most common and recommended way to connect to Teleport.
+ # This is mandatory to connect to Teleport Enterprise (Cloud).
+ #
+ # This setting is mutually exclusive with `teleportAuthAddress`.
+ #
+ # For example:
+ # ```yaml
+ # tbot:
+ # teleportProxyAddress: "test.teleport.sh:443"
+ # ```
+ teleportProxyAddress: ""
+ # tbot.teleportAuthAddress(string) -- is the teleport Auth Service address the bot will connect to.
+ # This must contain the port number, usually 3025 for Auth Service.
Direct Auth Service connection
+ # should be used when you are deploying the bot in the same Kubernetes cluster than your `teleport-cluster`
+ # Helm release and have direct access to the Auth Service.
+ # Else, you should prefer connecting via the Proxy Service.
+ #
+ # This setting is mutually exclusive with `teleportProxyAddress`.
+ #
+ # For example:
+ # ```yaml
+ # teleportAuthAddress: "teleport-auth.teleport-namespace.svc.cluster.local:3025"
+ # ```
+ teleportAuthAddress: ""
+
+ # tbot.joinMethod(string) -- describes how tbot joins the Teleport cluster.
+ # See [the join method reference](../../reference/join-methods.mdx) for a list fo supported values and detailed explanations.
+ joinMethod: "kubernetes"
+ token: ""
+
+ # Don't touch the tbot values below, this will break the chart.
+ # This ensures that tbot.fullname is not shortened if the release name contains "tbot"
+ nameOverride: tbot
+ defaultOutput:
+ enabled: true
+
+secretVolumeName: "password-file"
+
+# annotations -- contains annotations to apply to the different Kubernetes
+# objects created by the chart. See [the Kubernetes annotation
+# documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
+# for more details.
+annotations:
+ # annotations.config(object) -- contains the Kubernetes annotations
+ # put on the `ConfigMap` resource created by the chart.
+ config: {}
+ # annotations.deployment(object) -- contains the Kubernetes annotations
+ # put on the `Deployment` or `StatefulSet` resource created by the chart.
+ deployment: {}
+ # annotations.pod(object) -- contains the Kubernetes annotations
+ # put on the `Pod` resources created by the chart.
+ pod: {}
+ # annotations.secret(object) -- contains the Kubernetes annotations
+ # put on the `Secret` resource created by the chart.
+ # This has no effect when `joinTokenSecret.create` is `false`.
+ secret: {}
+
+#
+# Deployment
+#
+# image -- sets the container image used for plugin pods created by the chart.
+#
+# You can override this to use your own plugin image rather than a Teleport-published image.
+image:
+ # image.repository(string) -- is the image repository.
+ repository: public.ecr.aws/gravitational/teleport-plugin-datadog
+ # image.pullPolicy(string) -- is the [Kubernetes image pull policy](https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy).
+ pullPolicy: IfNotPresent
+ # image.tag(string) -- Overrides the image tag whose default is the chart appVersion.
+ #
+ # Normally, the version of the Teleport plugin matches the
+ # version of the chart. If you install chart version 15.0.0, you'll use
+ # the plugin version 15.0.0. Upgrading the plugin is done by upgrading the chart.
+ #
+ #
+ # `image.tag` is intended for development and custom tags. This MUST NOT be
+ # used to control the plugin version in a typical deployment. This
+ # chart is designed to run a specific plugin version. You will face
+ # compatibility issues trying to run a different version with it.
+ #
+ # If you want to run the Teleport plugin version `X.Y.Z`, you should use
+ # `helm install --version X.Y.Z` instead.
+ #
+ tag: ""
+
+# imagePullSecrets(list) -- is a list of secrets containing authorization tokens
+# which can be optionally used to access a private Docker registry.
+#
+# See the [Kubernetes reference](https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod) for more details.
+imagePullSecrets: []
+
+nameOverride: ""
+fullnameOverride: ""
+
+# Deprecated way to set pod annotations. `annotations.pod` should be preferred.
+podAnnotations: {}
+
+# podSecurityContext(object) -- sets the pod security context for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod)
+# for more details.
+#
+# To unset the security context, set it to `null` or `~`.
+podSecurityContext: {}
+
+# securityContext(object) -- sets the container security context for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+# for more details.
+#
+# To unset the security context, set it to `null` or `~`.
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+# resources(object) -- sets the resource requests/limits for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/)
+# for more details.
+resources: {}
+
+# nodeSelector(object) -- sets the node selector for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector)
+# for more details.
+nodeSelector: {}
+
+# tolerations(list) -- sets the tolerations for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/)
+# for more details.
+tolerations: []
+
+# affinity(object) -- sets the affinities for any pods created by the chart.
+# See [the Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity)
+# for more details.
+affinity: {}
diff --git a/examples/chart/index.html b/examples/chart/index.html
index 39b8d7b9522c4..8f48ba224c0af 100644
--- a/examples/chart/index.html
+++ b/examples/chart/index.html
@@ -55,6 +55,20 @@
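Review bot: The `annotations.secret` comment says the annotations have no effect when `joinTokenSecret.create` is `false`, but no such value exists in this chart; per secret_test.yaml the chart-managed Secrets are skipped when the keys come from external Secrets, so the line should read something like `# This has no effect on keys supplied via \`datadog.apiKeyFromSecret\` or \`datadog.applicationKeyFromSecret\`.` The `tbot.joinMethod` comment has a typo (`a list fo supported values` → `a list of supported values`), and `tbot.token` and `secretVolumeName` carry no description at all even though every other value follows the `name(type) -- description` format the reference docs are generated from. Finally, the hardened container `securityContext` (dropping all capabilities, read-only root filesystem, non-root user) is left commented out, so a default release runs the plugin container without any of these restrictions unless the deployment template sets its own; either make that block the default or state in the comment why it is opt-in.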

See our
+
teleport-plugin-datadog:
+      # Install the Teleport Datadog Incident Management Plugin to create Datadog incidents on Access Requests.
+      # Click the link above to see the README.
+
+      helm install ${RELEASE_NAME?} teleport/teleport-plugin-datadog \
+        --create-namespace \
+        --namespace ${NAMESPACE?} \
+        --set teleport.address="${TELEPORT_ADDR?}" \
+        --set teleport.identitySecretName="${ID_SECRET}" \
+        --set datadog.apiEndpoint="https://api.datadoghq.com" \
+        --set datadog.apiKey="${DATADOG_API_KEY}" \
+        --set datadog.applicationKey="${DATADOG_APPLICATION_KEY}" \
+        --set datadog.fallbackRecipient="${EMAIL?}"
+
tbot:
       # Install the TBot chart to automatically configure a tbot agent to
       # generate short-lived credentials for consumption by clients.
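Review bot: In the `helm install` example, `${ID_SECRET}`, `${DATADOG_API_KEY}` and `${DATADOG_APPLICATION_KEY}` lack the `?` that the other variables use, so an unset variable silently expands to an empty string and the release is created with an empty identity secret name and empty Datadog keys instead of failing fast; change them to `--set teleport.identitySecretName="${ID_SECRET?}" \`, `--set datadog.apiKey="${DATADOG_API_KEY?}" \` and `--set datadog.applicationKey="${DATADOG_APPLICATION_KEY?}" \`. Passing the keys with `--set` also leaves them in the shell history and in the Helm release record; since the chart offers `datadog.apiKeyFromSecret` and `datadog.applicationKeyFromSecret` for a pre-created Secret, the snippet could mention that option for production installs.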
diff --git a/integrations/access/datadog/README.md b/integrations/access/datadog/README.md
index 568e21df2e65d..466d2456e158f 100644
--- a/integrations/access/datadog/README.md
+++ b/integrations/access/datadog/README.md
@@ -1,6 +1,6 @@
 # Teleport Datadog Incident Management plugin
 
 The Teleport Access API provides a simple Datadog Incident Management plugin that
-creates incidents in Datadog when an access request is created. You can find the
+creates incidents in Datadog when an Access Request is created. You can find the
 Teleport Access API in the main Teleport repository and the Datadog Incident
 Management plugin in `https://github.com/gravitational/teleport/tree/master/integrations/access/datadog`.
diff --git a/version.mk b/version.mk
index 81bf604850810..642813aa0118f 100644
--- a/version.mk
+++ b/version.mk
@@ -28,7 +28,7 @@ setver: validate-semver helm-version tsh-version
 # The weird -i usage is to make the sed commands work the same on both Linux and Mac. Test on both platforms if you change it.
 .PHONY:helm-version
 helm-version:
-	for CHART in teleport-cluster tbot teleport-kube-agent teleport-cluster/charts/teleport-operator event-handler access/discord access/email access/jira access/mattermost access/msteams access/pagerduty access/slack; do \
+	for CHART in teleport-cluster tbot teleport-kube-agent teleport-cluster/charts/teleport-operator event-handler access/discord access/email access/jira access/mattermost access/msteams access/pagerduty access/slack access/datadog; do \
 		sed -i'.bak' -e "s_^\\.version:\ .*_.version: \\&version \"$${VERSION}\"_g" examples/chart/$${CHART}/Chart.yaml || exit 1; \
 		rm -f examples/chart/$${CHART}/Chart.yaml.bak; \
 	done