Commit graph

22 commits

Author SHA1 Message Date
Tiago Silva 32d8d5f489
Restore Kubernetes Integration tests (#25624)
* Restore Kubernetes Integration tests

This PR re-enables the Kubernetes integration tests using a KinD
(Kubernetes in Docker) cluster.

New steps have been introduced to GitHub's Integrations (Non-Root)
Action that configure the KinD cluster using
[`helm/kind-action`](https://github.com/helm/kind-action) and do some
network configurations allowing the container where tests run to connect
to the KinD control plane.

This PR also fixes some of the tests and fixes a bug that affected
joining operations when the target service was a legacy kubernetes
proxy. Some improvements will be introduced in future patches to improve
the logic and reduce the time required for the tests to run.

Fixes #25539

* fix data race in spdystream dep

* address feedback

* remove docker installation

* fix test
2023-05-12 16:38:16 +00:00
Isaiah Becker-Mayer cab45d7712
deletes unused parsing code for defunct trusted_clusters (#20109) 2023-01-14 00:28:30 +00:00
Brian Joerger 488af75797
Client store generalization (#19420)
- Add a generalized client store made up of a key, profile, and trusted certs store. Each sub store can support different backends (~/.tsh, identity_file, in-memory). 
- Replace custom identity file handling with in-memory client store.
- Fix issues with trusted certs handling.
2023-01-06 01:34:04 +00:00
Marek Smoliński fbd5a2aafd
Fix tsh tctl do not load all CAS (#9357) 2022-01-31 13:35:15 +01:00
Gus Luxton ee70d8a940
integration: Add teletest namespace and instructions for Kubernetes tests (#7447) 2021-07-09 15:09:23 -07:00
Alexey Kontsevoy eca06ae669
Fix unit-tests by updating certificates in fixtures (#6012) 2021-03-16 07:57:38 -07:00
Gus Luxton 822470580a Switch role/rolebinding namespace from kube-system to teletest 2020-10-08 20:59:00 +00:00
Andrew Lytvynov c0335d4f6f Reduce the necessary k8s permissions for integration tests
Previously, we needed:
- create on namespaces
- impersonate on all users/groups/service accounts
- list pods in kube-system namespace (via teleport-ci-test-group)
- exec/portforward on kube-dns pod in kube-system namespace (via teleport-ci-test-group)

Now, we need:
- create on namespaces
- create on pods in namespace teletest
- impersonate on all users/groups
- get/exec/portforward on pod test-pod in namespace teletest (via teleport-ci-test-group)

Unfortunately, `resourceNames` in RBAC doesn't work with `create` verbs,
so we can't scope down impersonation to just the right users/groups.
2020-10-08 20:59:00 +00:00
Gus Luxton 4edf2355ef
Run k8s integration tests in Drone (#4437) 2020-10-07 18:01:33 -03:00
Forrest Marshall cda5a39d28 Add TLS certs to user identity files
- Updates the identity files exported by `tctl auth sign` to include the
user's TLS certificate, as well as the set of available TLS root CA
certs.

- Adds a new GRPC-based auth server method, `GenerateUserCerts`, which
exports both SSH and TLS based certs.
2019-07-03 12:54:03 -07:00
Russell Jones 0222c0f06c Process ENV_PATH and ENV_SUPATH from login.defs. 2017-06-14 10:34:45 -07:00
Ev Kontsevoy d046eaee20 Merge branch 'master' into ev/i 2017-06-11 21:54:41 -07:00
Ev Kontsevoy 37319d6b41 Implemented identity loading
First part of addressing #1033 is ability to load credentials from the
credentials file(s).

This commit adds -i flag processing, i.e. a certificate can be fed via a
cert.file and used to login.
2017-06-11 13:37:42 -07:00
Ev Kontsevoy eee8bac224 Added filesystem backend configuration parsing
+initialization
2017-01-15 16:28:18 -08:00
Ev Kontsevoy d29a88f524 Web assets are packed into teleport binary
Functionality:

`teleport` binary now serves web assets from its own binary file.
Unless `DEBUG` environment variable is set to "1" or "true", in
this case it will look for ../web/dist (as located in github repo)
which can be used for development.

Design:

To avoid accumulating 3rd party dependencies with a ton of extra
features and licenses, this implementation uses minimalistic
implementation of http.FileSystem interface on top of the embedded ZIP
archive.

1. The assets are zipped into assets.zip during build process
2. assets.zip gets appended to the end of `teleport` binary
3. The resulting file is converted into a self-extracting ZIP
4. Teleport opens itself using the built-in zip unarchiver, and loads
   the assets on demand.

Notes:

1. LOC is tiny (dozens)
2. RAM consumption is CONSTANT regardless of the ZIP size, about 500Kb
   increase vs load-from-file, and most of it is linking zip archive
   code from the standard library. Tested with a 20MB ZIP archive.
2016-10-30 20:40:46 -07:00
Ev Kontsevoy cde3086f0d Fixes #494
This commit is re-applying a fix from August 8:
bedc5d59fd723e50675bb2eaefc0494079e66ea0

Somehow it got lost and did not ever get merged into master.
2016-09-14 14:26:59 -07:00
Ev Kontsevoy 18021f5366 Fixed tests 2016-06-12 15:11:56 -07:00
Ev Kontsevoy 196400fb18 New format for "trusted_clusters" configuration 2016-06-10 23:02:42 -07:00
Ev Kontsevoy 6deab48ab6 Cluster certificate import/export work...
1. tctl auth export now dumps both user&host keys if --type key is missing
2. created fixtures for testing key imports: they're in
   fixtures/trusted_clusters
3. configuration parser reads "trusted_clusters" files expecting the
   output of tctl auth export
2016-06-07 18:57:54 -07:00
Ev Kontsevoy cddaf6e5c8 Some minor improvements
- `tctl auth ls` lists all CAs by default
- Documented `authorize_ip` better
2016-05-31 18:59:07 -07:00
klizhentas 091ccb9894 add TLS client authentication for ETCD 2016-03-16 18:30:00 -07:00
Alexander Klizhentas 0c425d32d5 Initial working prototype 2015-03-14 14:35:43 -07:00