Commit graph

159 commits

Author SHA1 Message Date
dependabot[bot] 5edbc7bdf5
Bump the go group in /integrations/kube-agent-updater with 1 update (#35301)
Bumps the go group in /integrations/kube-agent-updater with 1 update: [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry).

- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.16.1...v0.17.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-12-04 14:23:41 +00:00
rosstimothy 85c29d1cf4
Implement and use UpsertOIDCConnectorV2 (#35144)
While the api client already had support for the new upsert method
it was unimplemented server side and would always fall back to the
legacy UpsertOIDCConnector RPC. This implements the RPC handler
and updates the signature of UpsertOIDCConnector to return the
upserted connector in the same manner that Create and Update do.
2023-12-01 19:22:41 +00:00
fheinecke b178b8b732
Updated Teleport codebase to AGPL3 license (#35259)
Signed-off-by: Fred Heinecke <fred.heinecke@goteleport.com>
2023-12-01 17:48:14 +00:00
rosstimothy 88bb9cfd96
Implement and use UpsertSAMLConnectorV2 (#35208)
While the api client already had support for the new upsert method
it was unimplemented server side and would always fall back to the
legacy UpsertSAMLConnector RPC. This implements the RPC handler
and updates the signature of UpsertSAMLConnector to return the
upserted connector in the same manner that Create and Update do.
2023-11-30 19:09:44 +00:00
rosstimothy b2bc325703
Implement and use UpsertGithubConnectorV2 (#35132)
While the api client already had support for the new upsert method
it was unimplemented server side and would always fall back to the
legacy UpsertGithubConnector RPC. This implements the RPC handler
and updates the signature of UpsertGithubConnector to return the
upserted connector in the same manner that Create and Update do.
2023-11-30 15:01:40 +00:00
Edward Dowling 722e82ccdd
Make Opsgenie plugin update statussink on healthcheck (#35047)
* Make Opsgenie plugin update statussink on healthcheck

* Update integrations/access/opsgenie/client.go

Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>

* Simplify logger use in opsgenie client

---------

Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>
2023-11-30 13:32:40 +00:00
Cam Hutchison b7a951bea4
operator: Fix GHA Dockerfile with new/old paths (#35187)
Fix the operator `Dockerfile.gha` to copy the correct paths from the
context for the build. These paths changed pretty much at the same time
as `Dockerfile.gha` was added - just an overlap in development - in
commit f31a90d4a4, which modified the
original `Dockerfile` on which `Dockerfile.gha` is based.
2023-11-30 09:37:17 +00:00
Noah Stride 634de05c42
Remove Dialer(client.Config) from Credential interface (#34833)
* Remove `Dialer(client.Config)` from Credential interface

* Re-add support for address-less configuration

* Only use profile address if none are explicitly provided

* Try all methods with credential provided address

* Fall back to address from credential

* Remove log message

* Adjust log message

* Spell explicitly correctly

* Formalize CredentialsWithDefaultAddrs interface

* GetDefaultAddrs -> DefaultAddrs
2023-11-29 08:43:07 +00:00
Bernard Kim 717e5969e3
Return one of result or err (#35024) 2023-11-28 17:50:35 +00:00
Lisa Kim 6ade117e9a
Adds IGS related fields to feature, module, and license objects (#34868)
* Revert "Deprecate field AdvancedAccessWorkflows to AccessRequest.Enabled (#34792)"

This reverts commit 79d1a5d16e.

* Add IGS related fields to features and modules

* Boiler plate for enabling access monitoring through modules

* Add IGS related license fields

* Use access monitoring feature flag instead

* Fix test

* Add backwards comp without deprecating field

* Address CR

* Address CR
2023-11-27 18:22:49 +00:00
Edward Dowling 44b868ffbb
Retry jira getIssue status if result mismatches webhook payload (#34622)
* Retry jira getIssue status if result mismatches webhook payload

* Fix formatting

* Move initial getIssue call to retry loop

* Update tests for jira plugin to include status in webhook response
2023-11-24 15:22:14 +00:00
Hugo Shaka f31a90d4a4
integrations/operator: Standalone operator with reusable client (#34482)
* Standalone operator using tbot

* Update integrations/operator/embeddedtbot/bot.go

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>

* make teleportClient private

* lint

---------

Co-authored-by: Tiago Silva <tiago.silva@goteleport.com>
2023-11-23 17:23:18 +00:00
Noah Stride 37dc6b4cb9
Machine ID: Docker image for Spacelift environments (#34877)
* Working docker image for building tbot with buildbox

* Build from centos builder and chmod binary

* Pin gcompat version

* Add README

* Switch to GHA based build

* Minor style adjustments

* Run dronegen
2023-11-23 13:59:13 +00:00
Cam Hutchison 18ddc39019
operator: Add Dockerfile for use with GitHub Actions (#34875)
Add a new `Dockerfile.gha` alongside the existing `Dockerfile` that can
build the operator container image without any build args. The build
args it had could be determined from inside the Dockerfile, so doing
this removes the need to pass them in. This in turn makes it simpler to
call from CI and to build locally.

In particular, `GOLANG_VERSION` and `PROTOC_VERSION` are taken from
`build.assets/versions.mk`, and `COMPILER_NAME` is determined from the
predefined `$TARGETARCH` arg.

Once Drone no longer builds the operator on any branch, this
`Dockerfile` will replace the previous one, with the `Makefile` updated
to remove the build args. It is done this way as previous changes to the
build of the operator were not backported to v12 and v13, complicating
backporting changes to existing files.
2023-11-23 00:46:17 +00:00
Noah Stride 22584cbdf0
Machine ID: Add experimental ClientCredentialOutput for Operator's use (#34442)
* Start writing out rough plan

* More progress

* Refactor tbot/identity.Identity

* Fix TBot main test

* Add real Insecure rather than using tls.InsecureSkipVerify

* Fix Imports

* Restore integrations/operator

* Remove unused field

* Unnecessary sprintf

* Use facade in integration/operator

* Don't forget License!

* Another license file

* Correctly set Insecure for authclient.Connect

* Fix Insecure status with `tsh` profile

* Add GoDocs for DestinationNop

* GoDoc UnstableClientCredentialOutput
2023-11-22 19:20:44 +00:00
Hugo Shaka f67478dd9d
integrations/operator: split mutator interface in two (#34728)
- MutateExisting for resource update
- Mutate for resource creation
2023-11-22 18:38:05 +00:00
Lisa Kim 79d1a5d16e
Deprecate field AdvancedAccessWorkflows to AccessRequest.Enabled (#34792)
* Deprecate AdvancedAccessWorkflows proto field

* Remove AdvancedAccessWorkflows feature module field

* Rename fields

* Rename fields for all plugins

* Test ping proto response

* Address CR
2023-11-21 18:59:02 +00:00
dependabot[bot] 004bbd19c5
Bump the go group in /integrations/kube-agent-updater with 1 update (#34748)
Bumps the go group in /integrations/kube-agent-updater with 1 update: [k8s.io/api](https://github.com/kubernetes/api).

- [Commits](https://github.com/kubernetes/api/compare/v0.28.3...v0.28.4)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-11-20 14:10:55 +00:00
Noah Stride 885f411934
Machine ID: Spacelift delegated joining (#34292)
* Spacelift joining

* Add token structure for spacelift

* Add JoinAuditattributes for spacelift idtoken

* Add Spacelift token validator

* Add ProvisionToken fields for Spacelift

* Validation for Spacelift ProvisionToken fields

* Add join handling for spacelift method

* Reorganise spacelift package

* Setup default spacelift validator on auth bootstrap

* Add Spacelift token sourcing to Register

* Add tests for `spacelift` package

* Regenerate operator CRDs

* Add test for join code within auth package

* Add tests for ProvisionToken CheckAndSetDefaults

* Add godocs
2023-11-20 12:28:55 +00:00
fheinecke 83b6062220
Fixed additional license format issues (#34726) 2023-11-17 21:14:08 +00:00
Michael Wilson 2dbb2b4d4b
Access list app in plugin ceases to run when endpoints not implemented. (#34669)
When access list endpoints are not implemented, the access list app in the
access plugins will cease to run. This could happen if the integration is
being run against an open source server.
2023-11-16 20:39:31 +00:00
Michael Wilson f1c3fae146
Add Slack access list reminders. (#34461)
* Add Slack access list reminders.

Access list review reminders will now be sent to owners via Slack every week
until the access list is reviewed. Some small modifications were made to the
access list application to support partial success. Additionally, some changes
were made to the way access applications are instantiated to maintain
compatibility with enterprise.

* Tweak error returns, debug statements.

* Notify once per day after the next audit date has passed, remove access list name from slack notifications.

* Fix for day notifications.
2023-11-16 15:34:45 +00:00
Edward Dowling fa5c373f6c
Add auto approval flow for servicenow plugin (#33885)
* Add initial servicenow auto approval

* Stop servicenow healthcheck exiting early

* Update servicenow plugin tests to handle auto approval flow

* Add comment clarifying choice of identifier for servicenow plugin

* Fix healthcheck error handling in servicenow plugin

* Fix formatting errors

* Add more context to logs

* Fix logging in servicenow plugin

* Update integrations/access/servicenow/config.go

Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>

* Remove superfluous reqId in log

* Remove unused sentinel error

* Fix imports

* Remove unused field

* Fix formatting

* Change servicenow plugin to always post review updates

* Refactor servicenow plugin auto approval flow

* Update integrations/access/servicenow/app.go

Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>

* Add mock for healthcheck endpoint

* Add missing check to skip test in OSS version

---------

Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>
Co-authored-by: Hugo Shaka <hugo.hervieux@goteleport.com>
2023-11-11 01:08:43 +00:00
dependabot[bot] eca1d01746
Bump github.com/sigstore/cosign/v2 from 2.2.0 to 2.2.1 in /integrations/kube-agent-updater (#34428)
* Bump github.com/sigstore/cosign/v2 in /integrations/kube-agent-updater

Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.2.0 to 2.2.1.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/cosign/compare/v2.2.0...v2.2.1)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign/v2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* Run `go mod tidy` which bumps go version

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Mike Jensen <mike.jensen@goteleport.com>
2023-11-10 19:08:08 +00:00
Michael Wilson 30490419f7
Introduce scaffolding for access list Slack notification. (#33415)
* Introduce scaffolding for access list Slack notification.

The initial scaffolding for notification of the need for reviews for access
lists has been introduced. This is not expected to do anything just yet, but
will do so in a follow on PR.

This has additionally separated the plugin data from the dynamic access core,
as it no longer is tightly coupled to access requests. No effort was made to
refactor the existing plugin data backend logic.

* Ensure that the context is cancelled on process termination.

* Remove debug hour addition.

* Correct notification date calcs, add test for notifications.

* Expire the access list after two weeks, use a single map instead of multiple plugin data keys.

* Run GCI.

* Tune tests, retry period is now a duration.

* Get rid of gocron, use intervals, test using intervals.

* GCI.

* Renames, test tweaks.

* Refactor access plugins.

* GCI.

* Adjust tests, remove generics, plugin data uses JSON marshal instead of custom marshaling.

* Move recipient back to common.

* Missed a few recipients imports.

* Tweaks to logic, auto registration of apps, commenting and cleanup.
2023-11-09 17:14:20 +00:00
Noah Stride f2f864f9c0
Machine ID: More rules to gitlab joining and add globby matching to some fields (#34290)
* Add fields for to-be-supported token claims

* Modify validation to include new field

* Add comparisons for new fields to joining logic

* Add support for globby matching for sub, ref, namespace_path and project_path

* Document which fields support globby matching

* Add tests for join rule engine changes

* Regenerate operator CRDs

* Add docs for new fields

* Correct punctuation in error message

Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>

* Correctly use GoDoc-esque comments

* Address docs comments

* Reuse glob matching code

* Correct type of RunnerID field

---------

Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>
2023-11-09 16:52:04 +00:00
Hugo Shaka df257bed9c
integrations/operator: re-use the teleport client instead of creating a new one (#34050)
* integrations/operator: re-use the teleport client instead of creating a new one

* fix race condition

* address feedback + add godocs
2023-11-07 22:05:42 +00:00
Hugo Shaka 0a51fa01b9
integrations/operator: remove require checks from Eventually funcs (#34270)
* use eventuallyWithT

* integrations/operator: remove require checks from Eventually funcs

* fixup! integrations/operator: remove require checks from Eventually funcs
2023-11-07 20:40:02 +00:00
Hugo Shaka 3a8a07f158
integrations/operator: propagate revision + fix tests (#34265)
* operator: propagate revision info + fix tests

* fixup! operator: propagate revision info + fix tests
2023-11-07 17:48:20 +00:00
dependabot[bot] 7ce3d7a102
Bump the go group in /integrations/kube-agent-updater with 1 update (#34229)
Bumps the go group in /integrations/kube-agent-updater with 1 update: [golang.org/x/mod](https://github.com/golang/mod).

- [Commits](https://github.com/golang/mod/compare/v0.13.0...v0.14.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: rosstimothy <39066650+rosstimothy@users.noreply.github.com>
2023-11-06 22:38:58 +00:00
rosstimothy d5a796c056
Enable testify lint (#34222)
Updates our golangci-lint configuration to enable testifylint and
fixes all issues found.

Bump e ref to include gravitational/teleport.e#2567
2023-11-06 20:38:38 +00:00
Tiago Silva 9750a455e5
Fix Teleport update reconciliation on status updates (#34063)
* Fix Teleport update reconciliation on `status` updates

This pull request addresses the issue where the Teleport operator reconciliation runs every time the operator updates the `status` subresource.
This continuous reconciliation has led to an infinite loop, causing millions of reconciliations per minute.
When an error occurs, such as having invalid role properties, the Operator updates the status and returns an error, which should trigger a rescheduled reconciliation with exponential backoff. The problem arises because the operator failed to enforce a resource generation change, resulting in an immediate trigger of a new reconciliation when the `status` field is updated.

This pull request modifies the operator to avoid updating subresources and only trigger updates when there is a change in resource generation.

Special thanks to @strideynet for confirming my hypothesis and giving
the solution!

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>

* return proper status conditions on failures

* enforce condition update on silentUpdateStatus

---------

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
2023-11-02 22:27:23 +00:00
Noah Stride 516e15db56
Access Plugins: Support dynamic credential reloading (#32974)
* Refactor client creation in access plugins

* Remove unnecessary client creation

* Remove unused constant

* Fix imports

* Add dynamic watcher mode

* Export NewIdentityFileWatcher

* Add godoc for exported func

* Americanize Speling

* Change username used by dynamic ssh credentials
2023-11-01 16:53:36 +00:00
dependabot[bot] a9ca4d0a58
Bump github.com/docker/docker in /integrations/kube-agent-updater (#34033)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 24.0.0+incompatible to 24.0.7+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v24.0.0...v24.0.7)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-30 16:06:32 +00:00
Mike Jensen ce5075eb08
Fix missed gRPC 1.58.3 updates (#33981)
`examples/go-client` and `integrations/kube-agent-updater` appear to be the only usage of gRPC using a version older than 1.58.3
examples/go-client is primarily addressed through updating the `api` module.
2023-10-30 15:06:40 +00:00
dependabot[bot] 393d506d76
Bump the go group in /integrations/kube-agent-updater with 1 update (#34016)
Bumps the go group in /integrations/kube-agent-updater with 1 update: [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore).

- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.7.4...v1.7.5)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-30 14:02:08 +00:00
dependabot[bot] 121d013796
Bump the go group in /integrations/kube-agent-updater with 1 update (#33804)
Bumps the go group in /integrations/kube-agent-updater with 1 update: [k8s.io/api](https://github.com/kubernetes/api).

- [Commits](https://github.com/kubernetes/api/compare/v0.28.2...v0.28.3)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-23 22:38:36 +00:00
Edward Dowling 439e5dcdca
Add suggested reviewers as assignee to servicenow incidents (#33704)
* Add suggested reviewers as assignee to servicenow incidents

* Fix suggested reviewers encoding

* Update comment for servicenow assigned_to field
2023-10-23 16:37:52 +00:00
rosstimothy 2087a2fda8
Implement Create/UpdateRole on the auth server (#33491)
In addition to adding server and backend handling for create and
update roles, the services.Access interface was updated to return
a role from the existing Create/UpsertRole methods. Bumps the e
ref to incorporate the associated changes needed there to prevent
breaking the build.
2023-10-18 17:06:50 +00:00
Edward Dowling 5c44cbac8e
Fix issue with ServiceNow incidents not including link to access request (#33565)
* Fix issue with ServiceNow incidents not including link to access request

* Add cluster to incident description and include user as caller

* Add status sink to servicenow client

* Fix formatting

* Undefer status updating in servicenow plugin

* Add log of plugin status

* Update integrations/access/servicenow/client.go

Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>

* Fix bug caused by caller_id field being a different type on response

* Change format for description for resource requests

* Fix mock servicenow to use separate incident response type

* Update integrations/access/servicenow/client_test.go

Co-authored-by: Roman Tkachenko <roman@goteleport.com>

* Fix formatting

* Update tests

---------

Co-authored-by: Roman Tkachenko <roman@goteleport.com>
Co-authored-by: Marco André Dinis <marco.dinis@goteleport.com>
2023-10-17 17:25:43 +00:00
dependabot[bot] 07eafb5bcd
Bump the go group in /integrations/kube-agent-updater with 1 update (#33504)
Bumps the go group in /integrations/kube-agent-updater with 1 update: [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore).

- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.7.3...v1.7.4)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-16 18:51:37 +00:00
Gabriel Corado 9582262a82
Add PostgreSQL auto-user deletion (#32792)
* feat: add auto-user deletion postgres

* refactor: change to IsEnabled func to check auto-user

* test: fix linting and test

* refactor(db): code review suggestions

* refactor: rename option to best effort drop

* refactor(api): rename create database user mode property

* refactor(services): review suggestions

* feat(postgres): add log for user deletion result

* refactor(integrations): regenerate crd manifests

* feat(examples): update operator role spec

* refactor(db): use common sql state codes
2023-10-16 17:03:45 +00:00
Mike Jensen cd34f3b5f8
Update remaining google.golang.org/grpc to v1.57.1 (#33486)
These are primarily examples, but we still want to update to ensure coverage against CVE-2023-44487.
2023-10-16 15:08:48 +00:00
Marek Smoliński f3545eba3f
Security Reports (#30853) 2023-10-16 10:11:54 +00:00
dependabot[bot] ca146072cd
Bump golang.org/x/net in /integrations/kube-agent-updater (#33338)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.14.0 to 0.17.0.
- [Commits](https://github.com/golang/net/compare/v0.14.0...v0.17.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-10-12 12:55:30 +00:00
Andrew Burke c4b2861f70
Show resources in Slack notification for access requests (#32887)
This change updates Slack notifications for resource-based access
requests to include the resources being requested.
2023-10-10 21:01:32 +00:00
rosstimothy b60ea81d54
Update users interface (#32987)
services.UsersService now takes a context and returns the user
from write operations as shown in the diff below. The bulk of the
changes are from modifying code to account for the additional
parameter and/or return value. Functional changes to better make
use of the new API will come in follow up PRs.

```diff
// UserGetter is responsible for getting users
type UserGetter interface {
	// GetUser returns a user by name
-	GetUser(user string, withSecrets bool) (types.User, error)
+	GetUser(ctx context.Context, user string, withSecrets bool) (types.User, error)
}

// UsersService is responsible for basic user management
type UsersService interface {
	UserGetter
	// CreateUser creates user, only if the user entry does not exist
-	CreateUser(user types.User) error
+	CreateUser(ctx context.Context, user types.User) (types.User, error)
	// UpdateUser updates an existing user.
-	UpdateUser(ctx context.Context, user types.User) error
+	UpdateUser(ctx context.Context, user types.User) (types.User, error)
	// UpdateAndSwapUser reads an existing user, runs `fn` against it and writes
	// the result to storage. Return `false` from `fn` to avoid storage changes.
	// Roughly equivalent to [GetUser] followed by [CompareAndSwapUser].
	// Returns the storage user.
	UpdateAndSwapUser(ctx context.Context, user string, withSecrets bool, fn func(types.User) (changed bool, err error)) (types.User, error)
	// UpsertUser updates parameters about user
-	UpsertUser(user types.User) error
+	UpsertUser(ctx context.Context, user types.User) (types.User, error)
	// CompareAndSwapUser updates an existing user, but fails if the user does
	// not match an expected backend value.
	CompareAndSwapUser(ctx context.Context, new, existing types.User) error
	// DeleteUser deletes a user with all the keys from the backend
	DeleteUser(ctx context.Context, user string) error
	// GetUsers returns a list of users registered with the local auth server
-	GetUsers(withSecrets bool) ([]types.User, error)
+	GetUsers(ctx context.Context, withSecrets bool) ([]types.User, error)
	// DeleteAllUsers deletes all users
-	DeleteAllUsers() error
+	DeleteAllUsers(ctx context.Context) error
}
```
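
Review bot: the doc comments on the changed UsersService methods were not updated for the new return value. "CreateUser creates user, only if the user entry does not exist" and "UpsertUser updates parameters about user" do not say which types.User comes back, whereas UpdateAndSwapUser states "Returns the storage user." Suggest adding the same kind of sentence to CreateUser, UpdateUser and UpsertUser, including what the returned value is when err is non-nil. CompareAndSwapUser is left returning only error, so it is now the one write method whose caller cannot see the stored user without a follow-up GetUser; worth a comment saying whether that is intentional.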

Depends on gravitational/teleport.e#2346
Implements step 3 of #32949
2023-10-10 14:07:46 +00:00
dependabot[bot] 446f6688f2
Bump the go group in /integrations/kube-agent-updater with 2 updates (#33118)
* Bump the go group in /integrations/kube-agent-updater with 2 updates

Bumps the go group in /integrations/kube-agent-updater with 2 updates: [github.com/docker/distribution](https://github.com/docker/distribution) and [golang.org/x/mod](https://github.com/golang/mod).


Updates `github.com/docker/distribution` from 2.8.2+incompatible to 2.8.3+incompatible
- [Release notes](https://github.com/docker/distribution/releases)
- [Commits](https://github.com/docker/distribution/compare/v2.8.2...v2.8.3)

Updates `golang.org/x/mod` from 0.12.0 to 0.13.0
- [Commits](https://github.com/golang/mod/compare/v0.12.0...v0.13.0)

---
updated-dependencies:
- dependency-name: github.com/docker/distribution
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: golang.org/x/mod
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>

* Replaced deprecated import

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alan Parra <alan.parra@goteleport.com>
2023-10-09 16:49:52 +00:00
Jakub Nyckowski e13137016c
Add 'promoted' access request state (#31346)
* This change introduces a new 'promoted' access request state. The state represents that an access request has been promoted to an access list.

Affected code was modified to adjust to the new promoted state and ensure correct system's behavior.

Added a new 'GetAccessRequest' method for internal use to retrieve access request info.
Disallowed direct promotion of access requests. Introduced 'SubmitAccessReviewAllowPromotion' for promotions.
Added 'PromoteAccessRequest' method and updated its usage to restrict direct promotions.
Refactored code for better readability and testing. Renamed some functions, simplified logic, added test helpers.
Introduced 'promoted' state for access requests to handle promotion workflow.
Added 'PromotedAccessListTitle' in 'AccessReview' to track promotion state.

* Refactor function and message names for better clarity

The function and message names related to the promotion of an access request to an access list were restructured for better readability and consistency. Names like 'PromoteAccessReqResponse'  have been replaced with more descriptive names such as 'PromoteAccessRequestResponse'. This increases clarity and consistency across the project.

* Remove the hacky GRPC server implementation

* Change method names to be more descriptive

Renamed all instances of 'PromoteAccessRequest' to 'AccessRequestPromote' in multiple files. The new method name provides a more descriptive and clear understanding of the method's function, which improves code readability and maintenance. This change applies to method definitions, comments, and error messages.

* Refine error message and introduce IsPromoted method

Refined the error message in 'access_request.go' to better indicate that only promoted requests can set the promoted access list title, not just have one. This enhances clarity of error message. Additionally, introduced 'IsPromoted' method in 'access_request.go' file. This method will be useful for quickly checking if a request is in the PROMOTED state.

* Rename variable in SubmitAccessReview method

Renamed the variable "params" to "submission" in the 'SubmitAccessReview' function, in 'auth_with_roles.go' file. The name "submission" provides clearer indication of its role in submitting access review. This enhances code readability and understandability. No logic changes were made during this update.
2023-09-26 18:46:50 +00:00
Tiago Silva 9a556d8ab1
Add support for Protobuf Enums into Operator CRDs (#32469)
* Add support for Protobuf Enums into Operator CRDs

This PR marks the Teleport enum fields as integer or string values. The
integer option is to ensure we are backwards compatible with
previously installed CRDs.

Users can now represent their roles in Kubernetes custom resources and
refer to enum fields as strings while their protobuf wire type is int32.

Fixes #29686

* add tests

* fix unit test
2023-09-26 13:43:50 +00:00