@sclevine sclevine commented Oct 22, 2025

This PR builds on #55499 and #60477 to add support for tbot Managed Updates to teleport-update, following the same pattern as for teleport. This means that teleport-update will:

  1. Create a systemd service for tbot
  2. Restart tbot after updates
  3. Monitor tbot for various failures that might occur during the update process
  4. Revert tbot when failures are detected

Notably, the new functionality does not interfere with any existing tbot services or deployments.

Similar to teleport/teleport.yaml, configuration defaults such as the proxy address may be pulled from tbot.yaml so that tbot-only installations can be converted to Managed Updates with minimal setup.

Avoiding interference with existing services:

If no tbot.service is present on the system already, teleport-update will create one that is unstarted and disabled. Users are prompted to configure tbot and then enable and start the service if tbot functionality is desired.

If tbot.service exists, teleport-update will only update or otherwise manage it if it contains the # teleport-update (version) header.

The --overwrite flag may be used to overwrite any existing binaries or services, including tbot.service.

Install suffix:

As with teleport, multiple independently updated installations (containing teleport, tbot, and other binaries) may be created by passing --install-suffix.

Systemd configuration overrides:

Systemd service fields such as User and Group can be set persistently using systemd drop-ins, which are created automatically by the systemctl edit command.

Bot tracking:

Unlike Teleport agents, bots do not have persistent connections and cannot be tracked during upgrades. The design in this PR works around this implementation in several ways:

  1. Bot-only installations are always updated when their group is scheduled to upgrade, with no backpressure or tracking. This behavior is identical to other agentless installations that do not provide a tracking UUID to auth.
  2. If a bot is installed alongside a running Teleport agent, and the bot fails /readyz checks, both the agent and bot are reverted, and backpressure / canary functionality applies as expected.

Note that a failed /readyz check will revert the bot back to the previously installed version in all cases.

Note that tbot does not support soft reloads, so Managed Updates will cause tbot to restart while dropping connections. This is mitigated by Managed Updates scheduling, which allows users to control exactly when tbot installations are updated (separately from agents, if desired).

(apologies for typo in branch name -- GitHub does not allow changing source branch names)

changelog: add support for tbot to teleport-update

RFD: #47126
Goal (internal): https://github.com/gravitational/cloud/issues/14225
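
Added example, not part of the PR or of teleport-update's own code: a Go sketch of the ownership rule described above for an existing tbot.service, useful for auditing which units an updater would touch. The marker spelling, the requirement that the header appear before the first directive, and the names `hasMarker` and `decide` are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed spelling of the ownership header ("# teleport-update (version)" in the PR text).
const markerPrefix = "# teleport-update"

// hasMarker reports whether the unit's leading comment block carries the header.
// Only comments before the first directive count (an assumption of this sketch).
func hasMarker(unit string) bool {
	for _, line := range strings.Split(unit, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if !strings.HasPrefix(line, "#") {
			return false // first directive reached without seeing the header
		}
		if line == markerPrefix || strings.HasPrefix(line, markerPrefix+" ") {
			return true
		}
	}
	return false
}

// decide maps the cases from the description onto an action for tbot.service.
func decide(exists bool, unit string, overwrite bool) string {
	switch {
	case !exists:
		return "create-disabled" // new unit, left unstarted and disabled
	case hasMarker(unit):
		return "manage" // unit carries the header, so it may be updated
	case overwrite:
		return "overwrite" // operator passed --overwrite
	}
	return "skip" // pre-existing unit without the header is left alone
}

func main() {
	// Constructed sample units, not taken from the project.
	managed := "# teleport-update 0.0.0-example\n[Service]\nExecStart=/usr/local/bin/tbot start\n"
	custom := "[Unit]\nDescription=site tbot\n# teleport-update 0.0.0-example\n"
	fmt.Println(decide(false, "", false), decide(true, managed, false), decide(true, custom, false), decide(true, custom, true))
}
```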

@sclevine sclevine force-pushed the sclevine/autoupdates-tbot-readyz branch from 0213852 to 0c78ed2 Compare October 28, 2025 17:54
Base automatically changed from sclevine/autoupdates-tbot-readyz to master October 28, 2025 23:20
@sclevine sclevine force-pushed the sclevine/clevine/autoupdates-tbot-tu branch from 9e536cf to a927c43 Compare October 28, 2025 23:55
@sclevine sclevine marked this pull request as ready for review October 29, 2025 00:36
@github-actions github-actions bot requested review from rana and ryanclark October 29, 2025 00:36
@sclevine

@strideynet let me know if I should adjust reviewers

@strideynet strideynet left a comment

Looks good from the MWI side - I haven't looked too deeply into the nuts and bolts of the autoupdate agent itself.

@boxofrad boxofrad left a comment

Great job!

remove teleport-update changes

Revert "remove teleport-update changes"

This reverts commit ee1bf09.
@sclevine sclevine force-pushed the sclevine/clevine/autoupdates-tbot-tu branch from 16293f0 to bcfac25 Compare November 3, 2025 19:08