Commit graph

65 commits

Author SHA1 Message Date
Nic Klaassen 8ed3e892ca
feat: add Login Rule CRD for k8s operator (#23415)
This PR adds a k8s Custom Resource Definition for Login Rules, which
will be used in a following PR to enable configuration of Teleport Login
Rules via kubectl.

This CRD, similar to the currently existing CRDs, is generated from the
protobuf spec. The difference is that login rules are defined in their
own package, do not use gogo syntax in the proto file, and the login
rule type does not contain an explicit "spec" field. Some workarounds in
crdgen/main.go and crdgen/schemagen.go cover over these differences to
make login rules appear like any other resource.
2023-03-24 18:13:12 +00:00
Nic Klaassen 9c2422b83d
chore: update k8s operator CRDs (#23414)
This commit updates copied and generated code under
integrations/operator.

First of all, this commit includes the result of running make manifests in
integrations/operator to update the CRDs used by the k8s operator. These
are generated from the .proto files in the API package and are only
updated when someone runs make manifests.

Second, this commit updates the unit tests in
integrations/operator/crdgen. A static copy of the .proto files is kept
there so that every teleport PR updating the protobufs does not have to
break the CRD tests. Previously only types.proto and wrappers.proto were
kept there, with some hacks to make the imports work. Now that our
import structure is a little more complicated, I am copying all of the
api .proto files in. Only types explicitly listed in crdgen/main.go
actually generate CRDs. The test snapshots are necessarily updated here.
2023-03-24 16:52:01 +00:00
Hugo Shaka b64398ffe2
kube-updater: Add StatefulSet controller (#23074)
Reconciling StatefulSets requires more work than reconciling deployments
because they are really conservative about rollouts and can end up stuck
really fast. The StatefulSet controller does exactly what the Deployment
controller does except that it also tries to delete unhealthy pods
belonging to older revisions of the StatefulSet. This approach allows
unblocking the StatefulSet (deleted pods will be replaced by pods using the
latest PodSpec) while not reducing availability (if the StatefulSet is
broken but some old pod is still working we don't touch it).
2023-03-24 12:49:49 +00:00
Justinas Stankevičius 6af6e7f566
Vendor slack plugin and supporting libraries (#23045)
* Vendor slack plugin and supporting libraries

* Fix up plugin integration tests (wip)

* Run GCI on vendored code

* Use newtype instead of type alias

golangci-lint currently panics on this,
"skip-files" et al don't help, as it is a linter panic, not an error

See d717045480

* Remove long-running plugins tests from difftest

* Move access plugin tests to unit-tests-integrations
2023-03-22 19:39:07 +00:00
Hugo Shaka 5040fbda56
kube-updater: add Dockerfile & GHA pipelines (#22983) 2023-03-22 13:05:02 +00:00
Hugo Shaka cc4fdd95f9
kube-updater: implement the maintenance window trigger (#23267) 2023-03-20 22:03:14 +00:00
Hugo Shaka c1ff4d4dc9
kube-updater: HTTP version getters and maintenance triggers (#22150)
This PR adds the following version getters:
- basic HTTP (getting version from an s3 bucket)

Also the following maintenance triggers:
- basic HTTP (getting maintenance from an s3 bucket)

It also adds the following changes:
- add a common `cache` package to cache the lookups involving network
  requests to ensure we don't issue too many calls to external resources
- add a common `basichttp` package providing a test HTTP server and a
  simple HTTP client

Part of https://github.com/gravitational/teleport/issues/22450
2023-03-17 14:33:49 +00:00
Hugo Shaka 22a3a22f47
kube-updater: Add cosign image validator (#22516)
This commit implements the cosign image signature validation in the updater.

Cosign does all the heavy lifting, so this is a 90% tests / 10% actual code PR.

Testing the validator against various valid and invalid signed images
was tricky, and I had to craft custom fixtures. As fixture creation is
complex, I put all the logic into a dedicated tool generating test
layers and manifests we can reproducibly test against. In retrospect,

Part of https://github.com/gravitational/teleport/issues/22450
2023-03-17 14:19:31 +00:00
Noah Stride acb255cd88
GitLab Delegated Joining (#22705)
* Add type for GitLab ProvisionToken

* Add default behaviour for domain

* Add IDTokenClaims for GitLab

* Add gitlab token source and token validator

* Thread GitLab support through auth and tbot packages

* Adjust cluster name fetching in token validator

* Initialize GitLab token validator in auth

* Improve comment on `sub`

* Working GitLab CI delegated joining

* Add additional token rule fields

* Add checking for new configuration fields

* add additional test cases for validation of gitlab config struct

* Add TestAuth_RegisterUsingToken_GitLab

* Add tests for IDTokenSource

* Fix imports

* Add tests for GitLab Token Validator

* Fix some comments that were incomplete

* Add license headers
2023-03-16 16:19:11 +00:00
Hugo Shaka b2d5ea586c
kube-updater: Implement UnhealthyWorkloadTrigger (#22737)
This trigger allows a maintenance to start if the teleport-kube-agent is
unhealthy. A workload is unhealthy if at least one of its managed pods
is unhealthy. A pod is unhealthy if it has not been ready for 10 minutes
or more.
2023-03-16 02:09:26 +00:00
Zac Bergquist 2ae9d770fc
Refactor tctl's dependencies (#22693)
* Move configuration from lib/service to lib/service/servicecfg

The new servicecfg package will hold only configuration for services.
This will allow other packages (like tctl and tsh) to depend on
servicecfg without pulling in all of lib/service (which has a number
of platform-specific details).

This is the first step towards being able to build tctl for Windows.

* Move PAM and BPF config into servicecfg

This breaks a compile-time dependency on BPF/PAM for tctl.
2023-03-09 17:48:36 +00:00
dependabot[bot] c0fbd62698
Bump golang.org/x/net in /integrations/kube-agent-updater (#22673)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.3.1-0.20221206200815-1e63c2f08a10 to 0.7.0.
- [Release notes](https://github.com/golang/net/releases)
- [Commits](https://github.com/golang/net/commits/v0.7.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-07 18:17:44 +00:00
Hugo Shaka 0d6f7a422a
Fix flaky test detection for updater (#22690)
* Fix flaky test detection for updater

* fixup! Fix flaky test detection for updater
2023-03-07 04:49:01 +00:00
Hugo Shaka 3a9c96d37a
kube-updater: initial commit (#22067)
This PR implements the core of the kube-agent-updater, which is part of
https://github.com/gravitational/teleport/issues/21516#issue-1576935859

In order to have a fully working updater we still need to:
- implement the interfaces for version retrieval, image validation and maintenance trigger
- add statefulset support (and deal with the potential deadlocks)
- implement the CI and release pipeline (Dockerfile, README, Makefile, github action, drone)
- integrate in the `teleport-kube-agent` helm chart

Those changes will happen in subsequent PRs.
2023-03-06 18:40:28 +00:00
Hugo Shaka 9e1f53d33a
Move operator into integrations/ (#22618)
* Move operator into `integrations/`

* fixup! Move operator into `integrations/`

* fixup! fixup! Move operator into `integrations/`

* fixup! fixup! fixup! Move operator into `integrations/`

* fixup! fixup! fixup! fixup! Move operator into `integrations/`
2023-03-06 17:59:02 +00:00