
Introduce tbot-distroless image #38259

Merged: 3 commits from strideynet/tbot-docker-image-remastered into master, Feb 28, 2024

Conversation

strideynet

@strideynet strideynet commented Feb 15, 2024

Closes #21280

Paired with https://github.com/gravitational/teleport.e/pull/3465

changelog: tbot-distroless image is now published. This contains just the tbot binary and therefore has a smaller image size.

Successful build: https://drone.platform.teleport.sh/gravitational/teleport/34023
Image: public.ecr.aws/gravitational/tbot-distroless:16.0.0-dev.noah.tbr.1

Working docker run:

docker run public.ecr.aws/gravitational/tbot-distroless:16.0.0-dev.noah.tbr.1                                                                   
Unable to find image 'public.ecr.aws/gravitational/tbot-distroless:16.0.0-dev.noah.tbr.1' locally
16.0.0-dev.noah.tbr.1: Pulling from gravitational/tbot-distroless
8398841c8311: Pull complete 
2b776ada0341: Pull complete 
2a977872b36c: Pull complete 
fcb6f6d2c998: Pull complete 
e8c73c638ae9: Pull complete 
1e3d9b7d1452: Pull complete 
4aa0ea1413d3: Pull complete 
2fa82a9c76b2: Pull complete 
672354a91bfa: Pull complete 
acd581f1e199: Pull complete 
972a9f56458f: Pull complete 
810b5cc4682a: Pull complete 
45c2519a3853: Pull complete 
2b9c28259b9a: Pull complete 
0d7c3f6d6dc4: Pull complete 
Digest: sha256:1d2d377a93cbff0c66953670c19eef2e793d3c630f361758fec802fe0565078a
Status: Downloaded newer image for public.ecr.aws/gravitational/tbot-distroless:16.0.0-dev.noah.tbr.1
Usage: tbot [<flags>] <command> [<args> ...]

Teleport Machine ID

Machine ID issues and renews short-lived certificates so your machines can
access Teleport protected resources in the same way your engineers do!

Find out more at https://goteleport.com/docs/machine-id/introduction/

Flags:
  -d, --[no-]debug  Verbose logging to stdout.
  -c, --config      Path to a configuration file.
      --[no-]fips   Runs tbot in FIPS compliance mode. This requires the FIPS
                    binary is in use.

Commands:
  help         Show help.
  version      Print the version of your tbot binary.
  start        Starts the renewal bot, writing certificates to the data dir at a set interval.
  init         Initialize a certificate destination directory for writes from a separate bot user.
  configure    Creates a config file based on flags provided, and writes it to stdout or a file (-c <path>).
  migrate      Migrates a config file from an older version to the newest version. Outputs to stdout by default.
  db           Execute database commands through tsh.
  proxy        Start a local TLS proxy via tsh to connect to Teleport in single-port mode.

Try 'tbot help [command]' to get help for a given command.
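As an added illustration, not the PR's own Dockerfile-tbot-distroless (which this page does not show), here is a minimal multi-stage build of the shape the description and the later "deb extraction" comment suggest: extract only the tbot binary from a Teleport .deb and copy it onto a distroless base, so the image carries no shell or package manager. The deb filename, the install path /usr/local/bin/tbot and the gcr.io/distroless/base-debian12:nonroot base are assumptions.

```dockerfile
# Stage 1: extract just the tbot binary from a Teleport .deb package.
# ASSUMPTION: the package is in the build context as teleport.deb and
# installs tbot at /usr/local/bin/tbot (adjust if your package differs).
FROM debian:12-slim AS extract
WORKDIR /extract
COPY teleport.deb /tmp/teleport.deb
# dpkg-deb -x unpacks the filesystem tree without running maintainer scripts.
RUN dpkg-deb -x /tmp/teleport.deb /extract \
    && test -x /extract/usr/local/bin/tbot

# Stage 2: copy only that binary onto a distroless base.
# base-debian12 ships glibc and CA certificates (needed for TLS to the proxy)
# but no shell; the :nonroot tag runs as uid 65532, so destination and data
# directories mounted into the container must be writable by that uid.
# In production, pin the base by digest (@sha256:<placeholder>) rather than tag.
FROM gcr.io/distroless/base-debian12:nonroot
COPY --from=extract /extract/usr/local/bin/tbot /usr/local/bin/tbot
ENTRYPOINT ["/usr/local/bin/tbot"]
```

Because the image has no shell, `docker exec` into a running tbot container will not work; debug with `tbot --debug` logs or a sidecar instead.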

@strideynet

I'll rebase out the "Release" commit once this is all approved ;)

@strideynet strideynet marked this pull request as ready for review February 15, 2024 18:59

@marcoandredinis marcoandredinis left a comment


This looks good to me, but I would rather have someone from Tooling review this as well

Review thread on build.assets/charts/Dockerfile-tbot-distroless (outdated, resolved)

@camscale camscale left a comment


How quickly do you need to get this in? I'd very much prefer to avoid adding to Drone right now, as I am currently moving everything off it. It's a slow and painful process but I hope to have it complete by the end of the week. If you can hold off a little, I'll work with you to get this into the GHA build/publish workflows instead.

Review threads (outdated, resolved) on:
- build.assets/charts/Dockerfile-tbot-distroless
- dronegen/promote.go
- dronegen/tag.go
@strideynet

> How quickly do you need to get this in? I'd very much prefer to avoid adding to Drone right now, as I am currently moving everything off it. It's a slow and painful process but I hope to have it complete by the end of the week. If you can hold off a little, I'll work with you to get this into the GHA build/publish workflows instead.

More than happy to hold off - especially if it means this can go straight into GHA instead of drone. I'll regroup with you next week on this - thank you Cam.

@strideynet

strideynet commented Feb 26, 2024

Successful build in the pure GHA environment: https://github.com/gravitational/teleport.e/actions/runs/8055743348

Successful publish in a pure GHA environment: https://github.com/gravitational/teleport.e/actions/runs/8056429084

➜  teleport git:(strideynet/tbot-docker-image-remastered) ✗ docker run public.ecr.aws/gravitational/tbot-distroless:16.0.0-dev.noah.tbr.5
Unable to find image 'public.ecr.aws/gravitational/tbot-distroless:16.0.0-dev.noah.tbr.5' locally
16.0.0-dev.noah.tbr.5: Pulling from gravitational/tbot-distroless
8398841c8311: Already exists 
2b776ada0341: Already exists 
2a977872b36c: Already exists 
fcb6f6d2c998: Already exists 
e8c73c638ae9: Already exists 
1e3d9b7d1452: Already exists 
4aa0ea1413d3: Already exists 
2fa82a9c76b2: Already exists 
672354a91bfa: Already exists 
acd581f1e199: Already exists 
972a9f56458f: Already exists 
810b5cc4682a: Already exists 
45c2519a3853: Already exists 
2b9c28259b9a: Already exists 
ed49bf97d7a7: Pull complete 
Digest: sha256:9914a8a4d82ac4dbfa131dcf421f2bf10c46736d5b8f2483c0c2a196feb8bbef
Status: Downloaded newer image for public.ecr.aws/gravitational/tbot-distroless:16.0.0-dev.noah.tbr.5
Usage: tbot [<flags>] <command> [<args> ...]

Teleport Machine ID

Machine ID issues and renews short-lived certificates so your machines can
access Teleport protected resources in the same way your engineers do!

Find out more at https://goteleport.com/docs/machine-id/introduction/

Flags:
  -d, --[no-]debug  Verbose logging to stdout.
  -c, --config      Path to a configuration file.
      --[no-]fips   Runs tbot in FIPS compliance mode. This requires the FIPS
                    binary is in use.

Commands:
  help         Show help.
  version      Print the version of your tbot binary.
  start        Starts the renewal bot, writing certificates to the data dir at a set interval.
  init         Initialize a certificate destination directory for writes from a separate bot user.
  configure    Creates a config file based on flags provided, and writes it to stdout or a file (-c <path>).
  migrate      Migrates a config file from an older version to the newest version. Outputs to stdout by default.
  db           Execute database commands through tsh.
  proxy        Start a local TLS proxy via tsh to connect to Teleport in single-port mode.

Try 'tbot help [command]' to get help for a given command.

@strideynet

Running v16.0.0-dev.noah.tbr.6 build to test b326428

@strideynet

Once I've got approval on both sides, I'll drop the release commits from this branch.

@strideynet strideynet requested a review from camscale February 26, 2024 22:34

@camscale camscale left a comment


This has still got drone stuff in it that should be dropped. All this PR needs is the Dockerfile-tbot-distroless file.

To keep the version stuff from a dev tag build getting on the PR, what I often do is create a test branch on top of the PR branch (strideynet/test/tbot-docker-image-remastered in this case) and run make update-version; make update-tag on that. The test branch does not even need to be pushed, since the tag is pushed. Then I throw away the branch when I'm done.

I don't like to approve PRs that have the version changes in it in case some accidentally gets merged - I think it's cleaner and easier to leave it off the PR.

Two review threads on build.assets/charts/Dockerfile-tbot-distroless (outdated, resolved)
@strideynet strideynet force-pushed the strideynet/tbot-docker-image-remastered branch from fa2a8f3 to 0326745 Compare February 27, 2024 09:23
@strideynet

strideynet commented Feb 27, 2024

Running https://github.com/gravitational/teleport.e/actions/runs/8062741799 to validate deb extraction changes and changes on e to use version action.

Failed due to incorrect config

Fixed config and rerunning https://github.com/gravitational/teleport.e/actions/runs/8064136416

@strideynet

➜  teleport git:(strideynet/migrate-remote-cluster-rpcs-to-grpc) ✗ docker run public.ecr.aws/gravitational/tbot-distroless:16.0.0-dev.noah.tbr.8
Unable to find image 'public.ecr.aws/gravitational/tbot-distroless:16.0.0-dev.noah.tbr.8' locally
16.0.0-dev.noah.tbr.8: Pulling from gravitational/tbot-distroless
8398841c8311: Pull complete 
2b776ada0341: Pull complete 
2a977872b36c: Pull complete 
fcb6f6d2c998: Pull complete 
e8c73c638ae9: Pull complete 
1e3d9b7d1452: Pull complete 
4aa0ea1413d3: Pull complete 
2fa82a9c76b2: Pull complete 
672354a91bfa: Pull complete 
acd581f1e199: Pull complete 
972a9f56458f: Pull complete 
810b5cc4682a: Pull complete 
45c2519a3853: Pull complete 
2b9c28259b9a: Pull complete 
0be80286843c: Pull complete 
Digest: sha256:15008c9ada589182e39aea6914dc53d0bc409ab46cb8e0eea5b9b284b9b2f32b
Status: Downloaded newer image for public.ecr.aws/gravitational/tbot-distroless:16.0.0-dev.noah.tbr.8
Usage: tbot [<flags>] <command> [<args> ...]

Teleport Machine ID

Machine ID issues and renews short-lived certificates so your machines can
access Teleport protected resources in the same way your engineers do!

Find out more at https://goteleport.com/docs/machine-id/introduction/

Flags:
  -d, --[no-]debug  Verbose logging to stdout.
  -c, --config      Path to a configuration file.
      --[no-]fips   Runs tbot in FIPS compliance mode. This requires the FIPS
                    binary is in use.

Commands:
  help         Show help.
  version      Print the version of your tbot binary.
  start        Starts the renewal bot, writing certificates to the data dir at a set interval.
  init         Initialize a certificate destination directory for writes from a separate bot user.
  configure    Creates a config file based on flags provided, and writes it to stdout or a file (-c <path>).
  migrate      Migrates a config file from an older version to the newest version. Outputs to stdout by default.
  db           Execute database commands through tsh.
  proxy        Start a local TLS proxy via tsh to connect to Teleport in single-port mode.

Try 'tbot help [command]' to get help for a given command.

Successful build, publish and run based on the last commit!

@strideynet strideynet requested a review from camscale February 27, 2024 16:25

@camscale camscale left a comment


Looks really good now. I'm pleased with how simple it's ended up.

@strideynet strideynet added this pull request to the merge queue Feb 28, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 28, 2024
@strideynet strideynet added this pull request to the merge queue Feb 28, 2024
Merged via the queue into master with commit 3d8d39f Feb 28, 2024
34 checks passed
@strideynet strideynet deleted the strideynet/tbot-docker-image-remastered branch February 28, 2024 09:26
@public-teleport-github-review-bot

@strideynet See the table below for backport results.

| Branch | Result |
|---|---|
| branch/v13 | Create PR |
| branch/v14 | Create PR |
| branch/v15 | Create PR |

Successfully merging this pull request may close these issues.

Standalone tbot docker image