feat: add Slack bot integration for kagent

helm/kagent/templates/_helpers.tpl

@@ -106,3 +106,19 @@ Engine labels
 {{ include "kagent.labels" . }}
 app.kubernetes.io/component: engine
 {{- end }}
+
+{{/*
+Slackbot selector labels
+*/}}
+{{- define "kagent.slackbot.selectorLabels" -}}
+{{ include "kagent.selectorLabels" . }}
+app.kubernetes.io/component: slackbot
+{{- end }}
+
+{{/*
+Slackbot labels
+*/}}
+{{- define "kagent.slackbot.labels" -}}
+{{ include "kagent.labels" . }}
+app.kubernetes.io/component: slackbot
+{{- end }}

helm/kagent/templates/slackbot-configmap.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.slackbot.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "kagent.fullname" . }}-slackbot-config
+  namespace: {{ include "kagent.namespace" . }}
+  labels:
+    {{- include "kagent.slackbot.labels" . | nindent 4 }}
+data:
+  permissions.yaml: |
+    # Agent-level permissions configuration
+    # Configure which users/groups can access which agents via Slackbot
+
+    # Example: Restrict k8s-agent to SRE team
+    # agent_permissions:
+    #   kagent/k8s-agent:
+    #     user_groups:
+    #       - S0T8FCWSB  # Replace with your Slack user group ID
+    #     users:
+    #       - [email protected]
+    #     deny_message: "K8s agent requires @sre-team membership"
+
+    # Default: If agent not listed above, it's public (accessible to all)
+    {{- toYaml .Values.slackbot.permissions | nindent 4 }}
+
+    # Global settings
+    settings:
+      user_group_cache_ttl: {{ .Values.slackbot.permissions.settings.user_group_cache_ttl | default 300 }}
+{{- end }}

helm/kagent/templates/slackbot-deployment.yaml

@@ -0,0 +1,119 @@
+{{- if .Values.slackbot.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "kagent.fullname" . }}-slackbot
+  namespace: {{ include "kagent.namespace" . }}
+  labels:
+    {{- include "kagent.slackbot.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.slackbot.autoscaling.enabled }}
+  replicas: {{ .Values.slackbot.replicas }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "kagent.slackbot.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        {{- with .Values.slackbot.podAnnotations | default .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      labels:
+        {{- include "kagent.slackbot.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      serviceAccountName: {{ include "kagent.fullname" . }}-slackbot
+      {{- with .Values.slackbot.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.slackbot.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: slackbot
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.slackbot.image.registry | default .Values.registry }}/{{ .Values.slackbot.image.repository }}:{{ coalesce .Values.tag .Values.slackbot.image.tag .Chart.Version }}"
+          imagePullPolicy: {{ .Values.slackbot.image.pullPolicy | default .Values.imagePullPolicy }}
+          env:
+            # Slack credentials from secret
+            - name: SLACK_BOT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "kagent.fullname" . }}-slackbot-secrets
+                  key: slack-bot-token
+            - name: SLACK_APP_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "kagent.fullname" . }}-slackbot-secrets
+                  key: slack-app-token
+            - name: SLACK_SIGNING_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "kagent.fullname" . }}-slackbot-secrets
+                  key: slack-signing-secret
+            # Kagent configuration
+            - name: KAGENT_BASE_URL
+              value: "http://{{ include "kagent.fullname" . }}-controller.{{ include "kagent.namespace" . }}.svc.cluster.local:{{ .Values.controller.service.ports.port }}"
+            - name: KAGENT_TIMEOUT
+              value: {{ .Values.slackbot.config.kagentTimeout | quote }}
+            # Server configuration
+            - name: SERVER_HOST
+              value: {{ .Values.slackbot.config.serverHost | quote }}
+            - name: SERVER_PORT
+              value: {{ .Values.slackbot.config.serverPort | quote }}
+            # Logging
+            - name: LOG_LEVEL
+              value: {{ .Values.slackbot.config.logLevel | quote }}
+            # Permissions file
+            - name: PERMISSIONS_FILE
+              value: "/app/config/permissions.yaml"
+            {{- with .Values.slackbot.env }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.slackbot.config.serverPort }}
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.slackbot.resources | nindent 12 }}
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 30
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 3
+            failureThreshold: 3
+          volumeMounts:
+            - name: tmp
+              mountPath: /tmp
+            - name: permissions-config
+              mountPath: /app/config
+              readOnly: true
+      volumes:
+        - name: tmp
+          emptyDir: {}
+        - name: permissions-config
+          configMap:
+            name: {{ include "kagent.fullname" . }}-slackbot-config
+            items:
+              - key: permissions.yaml
+                path: permissions.yaml
+{{- end }}

helm/kagent/templates/slackbot-hpa.yaml

@@ -0,0 +1,37 @@
+{{- if and .Values.slackbot.enabled .Values.slackbot.autoscaling.enabled -}}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "kagent.fullname" . }}-slackbot
+  namespace: {{ include "kagent.namespace" . }}
+  labels:
+    {{- include "kagent.slackbot.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "kagent.fullname" . }}-slackbot
+  minReplicas: {{ .Values.slackbot.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.slackbot.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.slackbot.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.slackbot.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.slackbot.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.slackbot.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+  {{- with .Values.slackbot.autoscaling.behavior }}
+  behavior:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

helm/kagent/templates/slackbot-pdb.yaml

@@ -0,0 +1,19 @@
+{{- if and .Values.slackbot.enabled .Values.slackbot.podDisruptionBudget.enabled -}}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "kagent.fullname" . }}-slackbot
+  namespace: {{ include "kagent.namespace" . }}
+  labels:
+    {{- include "kagent.slackbot.labels" . | nindent 4 }}
+spec:
+  {{- if .Values.slackbot.podDisruptionBudget.minAvailable }}
+  minAvailable: {{ .Values.slackbot.podDisruptionBudget.minAvailable }}
+  {{- end }}
+  {{- if .Values.slackbot.podDisruptionBudget.maxUnavailable }}
+  maxUnavailable: {{ .Values.slackbot.podDisruptionBudget.maxUnavailable }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "kagent.slackbot.selectorLabels" . | nindent 6 }}
+{{- end }}

helm/kagent/templates/slackbot-role.yaml

@@ -0,0 +1,15 @@
+{{- if and .Values.slackbot.enabled .Values.slackbot.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "kagent.fullname" . }}-slackbot
+  namespace: {{ include "kagent.namespace" . }}
+  labels:
+    {{- include "kagent.slackbot.labels" . | nindent 4 }}
+rules:
+  # Slackbot doesn't need K8s API access - it only talks to Slack and kagent HTTP API
+  # These minimal permissions are for potential future features (e.g., checking pod status)
+  {{- with .Values.slackbot.rbac.rules }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}

helm/kagent/templates/slackbot-rolebinding.yaml

@@ -0,0 +1,17 @@
+{{- if and .Values.slackbot.enabled .Values.slackbot.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "kagent.fullname" . }}-slackbot
+  namespace: {{ include "kagent.namespace" . }}
+  labels:
+    {{- include "kagent.slackbot.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "kagent.fullname" . }}-slackbot
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "kagent.fullname" . }}-slackbot
+    namespace: {{ include "kagent.namespace" . }}
+{{- end }}

helm/kagent/templates/slackbot-secret.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.slackbot.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "kagent.fullname" . }}-slackbot-secrets
+  namespace: {{ include "kagent.namespace" . }}
+  labels:
+    {{- include "kagent.slackbot.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  {{- if .Values.slackbot.secrets.slackBotToken }}
+  slack-bot-token: {{ .Values.slackbot.secrets.slackBotToken | quote }}
+  {{- else }}
+  # IMPORTANT: Replace with your actual Slack Bot Token (xoxb-...)
+  # Or set via: --set slackbot.secrets.slackBotToken=xoxb-...
+  slack-bot-token: ""
+  {{- end }}
+  {{- if .Values.slackbot.secrets.slackAppToken }}
+  slack-app-token: {{ .Values.slackbot.secrets.slackAppToken | quote }}
+  {{- else }}
+  # IMPORTANT: Replace with your actual Slack App Token (xapp-...)
+  # Or set via: --set slackbot.secrets.slackAppToken=xapp-...
+  slack-app-token: ""
+  {{- end }}
+  {{- if .Values.slackbot.secrets.slackSigningSecret }}
+  slack-signing-secret: {{ .Values.slackbot.secrets.slackSigningSecret | quote }}
+  {{- else }}
+  # IMPORTANT: Replace with your actual Slack Signing Secret
+  # Or set via: --set slackbot.secrets.slackSigningSecret=...
+  slack-signing-secret: ""
+  {{- end }}
+{{- end }}

helm/kagent/templates/slackbot-service.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.slackbot.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "kagent.fullname" . }}-slackbot
+  namespace: {{ include "kagent.namespace" . }}
+  labels:
+    {{- include "kagent.slackbot.labels" . | nindent 4 }}
+  {{- with .Values.slackbot.service.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.slackbot.service.type }}
+  ports:
+    - port: {{ .Values.slackbot.service.ports.port }}
+      targetPort: {{ .Values.slackbot.service.ports.targetPort }}
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "kagent.slackbot.selectorLabels" . | nindent 4 }}
+{{- end }}

helm/kagent/templates/slackbot-serviceaccount.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.slackbot.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "kagent.fullname" . }}-slackbot
+  namespace: {{ include "kagent.namespace" . }}
+  labels:
+    {{- include "kagent.slackbot.labels" . | nindent 4 }}
+{{- end }}