GitHub Proxy part 1: github integration resource#48999

Merged
greedy52 merged 7 commits into master from STeve/48762_integration
Nov 23, 2024

Conversation

@greedy52
Contributor

@greedy52 greedy52 commented Nov 14, 2024

Part of:

Changes:

  • New github integration spec added to integration resource
  • Added WithSecrets to GetIntegration and ListIntegrations
  • Auth to populate per-app CA when creating github integration

Many files were touched but most are one-liner for the interface change.

tctl create example:

kind: integration
sub_kind: github
version: v1
metadata:
  name: github-my-org
spec:
  github:
    organization: my-org
  credentials:
    # oauth id and secret
    id_secret:
      id: "my-id"
      secret: "my-secret"

@greedy52 greedy52 added no-changelog Indicates that a PR does not require a changelog entry backport/branch/v17 labels Nov 14, 2024
@greedy52 greedy52 self-assigned this Nov 14, 2024
@greedy52 greedy52 marked this pull request as ready for review November 18, 2024 18:33
@github-actions github-actions Bot added size/md tctl tctl - Teleport admin tool labels Nov 18, 2024
Comment thread api/types/integration.go Outdated
@rosstimothy
Contributor

This doesn't follow the guidance on storing secrets from RFD 153.

If a resource has associated secrets (password, private key, jwt, mfa device, etc.) they should be defined in a separate resource and stored in a separate key range in the backend. The traditional pattern of defining secrets inline and only returning them if a with_secrets flag is provided causes a variety of problems and introduces opportunity for human error to accidentally include secrets when they should not have been. It would then be the responsibility of the caller to get both the base resource and the corresponding secret resource if required.
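To make the distinction in the review concrete, here is an added example (not code from this PR or from Teleport) that puts the two storage patterns side by side in Go: an `InlineIntegration` that carries its OAuth secret and relies on every caller remembering to strip it, and a separated `Integration` that only references a `StaticCredentials` record kept under its own key range. The `Backend` map, the `integrations` and `plugin_static_credentials` key prefixes, and the `Exposes` helper are all hypothetical constructions for this illustration, not Teleport's real backend layout or API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// InlineIntegration models the pattern the review discourages: the OAuth secret is a
// field on the resource itself, and every read path must blank it unless with_secrets was set.
type InlineIntegration struct {
	Name         string `json:"name"`
	Organization string `json:"organization"`
	ClientSecret string `json:"client_secret,omitempty"`
}

// WithoutSecrets returns a copy that is safe to hand back to callers.
func (i InlineIntegration) WithoutSecrets() InlineIntegration {
	i.ClientSecret = ""
	return i
}

// Integration is the separated form: it only names its credentials resource.
type Integration struct {
	Name           string `json:"name"`
	Organization   string `json:"organization"`
	CredentialsRef string `json:"credentials_ref"`
}

// StaticCredentials is the secret resource, stored under its own key range.
type StaticCredentials struct {
	Name         string `json:"name"`
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
}

// Key-range prefixes are hypothetical for this example, not Teleport's real ones.
const integrationsPrefix, credentialsPrefix = "integrations", "plugin_static_credentials"

// Backend is a toy key/value store; keys have the form "<prefix>/<name>".
type Backend map[string][]byte

func (b Backend) put(prefix, name string, v any) error {
	data, err := json.Marshal(v)
	if err != nil {
		return err
	}
	b[prefix+"/"+name] = data
	return nil
}

func (b Backend) get(prefix, name string, v any) error {
	data, ok := b[prefix+"/"+name]
	if !ok {
		return fmt.Errorf("%s/%s not found", prefix, name)
	}
	return json.Unmarshal(data, v)
}

// Keys scans one range only, so a list over integrationsPrefix cannot return a credentials record.
func (b Backend) Keys(prefix string) []string {
	var keys []string
	for k := range b {
		if strings.HasPrefix(k, prefix+"/") {
			keys = append(keys, k)
		}
	}
	return keys
}

// CreateIntegration writes the secret and the base resource to separate ranges, linked by name.
func CreateIntegration(b Backend, integ Integration, creds StaticCredentials) error {
	if err := b.put(credentialsPrefix, creds.Name, creds); err != nil {
		return err
	}
	integ.CredentialsRef = creds.Name
	return b.put(integrationsPrefix, integ.Name, integ)
}

// GetIntegration never reads the credentials range, so its result is always safe to serialize.
func GetIntegration(b Backend, name string) (Integration, error) {
	var integ Integration
	err := b.get(integrationsPrefix, name, &integ)
	return integ, err
}

// GetIntegrationCredentials is the explicit second call a caller makes when it needs the secret.
func GetIntegrationCredentials(b Backend, integ Integration) (StaticCredentials, error) {
	var creds StaticCredentials
	err := b.get(credentialsPrefix, integ.CredentialsRef, &creds)
	return creds, err
}

// Exposes reports whether serializing v, as an API response would, reveals secret.
func Exposes(v any, secret string) bool {
	data, err := json.Marshal(v)
	return err == nil && strings.Contains(string(data), secret)
}
```

With the inline form, `Exposes` is true the moment one code path forgets `WithoutSecrets`; with the separated form there is no flag to get wrong, because `GetIntegration` and a list over `integrationsPrefix` never touch the range where the secret lives, and a caller that needs it has to ask for it explicitly.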

@greedy52
Contributor Author

> This doesn't follow the guidance on storing secrets from RFD 153.
>
> If a resource has associated secrets (password, private key, jwt, mfa device, etc.) they should be defined in a separate resource and stored in a separate key range in the backend. The traditional pattern of defining secrets inline and only returning them if a with_secrets flag is provided causes a variety of problems and introduces opportunity for human error to accidentally include secrets when they should not have been. It would then be the responsibility of the caller to get both the base resource and the corresponding secret resource if required.

Ah, I see! Thanks for pointing it out.

May I use plugin_static_credentials, which seems to be implemented for this purpose? Some of the existing credential types align nicely with what's needed here.

// NewPluginStaticCredentialsService creates a new PluginStaticCredentialsService.
func NewPluginStaticCredentialsService(b backend.Backend) (*PluginStaticCredentialsService, error) {

Alternatively I can make a more generic static_credentials resource. What are your thoughts?

@r0mant
Collaborator

r0mant commented Nov 19, 2024

@greedy52 Let's use plugin_static_credentials. They are specifically for storing secrets for hosted plugins and integrations.

@greedy52
Contributor Author

> @greedy52 Let's use plugin_static_credentials. They are specifically for storing secrets for hosted plugins and integrations.

Moved to static credentials now. PTAL.

@greedy52 greedy52 force-pushed the STeve/48762_integration branch from e447d53 to 1116e01 Compare November 22, 2024 03:45
@greedy52 greedy52 requested a review from GavinFrazar November 23, 2024 02:35
Comment thread api/proto/teleport/legacy/types/types.proto
Comment thread api/types/integration.go Outdated
Comment thread api/types/integration.go Outdated
Comment thread api/types/integration.go
Comment thread api/types/integration.go Outdated
Comment thread api/types/integration.go
Comment thread lib/auth/integration/integrationv1/credentials.go Outdated
Comment thread lib/auth/integration/integrationv1/credentials.go Outdated
Comment thread lib/auth/integration/integrationv1/credentials.go Outdated
@greedy52
Contributor Author

Thanks for the quick reviews!

@greedy52 greedy52 enabled auto-merge November 23, 2024 18:38
@greedy52 greedy52 force-pushed the STeve/48762_integration branch from 431c09c to 2e63dc7 Compare November 23, 2024 19:04
@greedy52 greedy52 force-pushed the STeve/48762_integration branch from 2e63dc7 to 9a1609e Compare November 23, 2024 19:51
@greedy52 greedy52 added this pull request to the merge queue Nov 23, 2024
Merged via the queue into master with commit 3c6df87 Nov 23, 2024
@greedy52 greedy52 deleted the STeve/48762_integration branch November 23, 2024 20:27
@public-teleport-github-review-bot

@greedy52 See the table below for backport results.

| Branch | Result |
| --- | --- |
| branch/v17 | Failed |

greedy52 added a commit that referenced this pull request Jan 15, 2025
* github integration resource

* fix lib/web

* revert withSecrets

* use static credentials

* address review comments

* fix ut
greedy52 added a commit that referenced this pull request Jan 16, 2025
* github integration resource

* fix lib/web

* revert withSecrets

* use static credentials

* address review comments

* fix ut
github-merge-queue Bot pushed a commit that referenced this pull request Jan 16, 2025
* GitHub Proxy part 1: github integration resource (#48999)

* github integration resource

* fix lib/web

* revert withSecrets

* use static credentials

* address review comments

* fix ut

* GitHub Proxy part 2: git_server resource, service, and RBAC (#49393)

* git_server resource and role.allow.github_permissions

* implicit RO on KindGitServer

* review comments

* fix ut

* make -C integrations/operator crd

* fix ut again

* make crds-up-to-date and make -C integrations/terraform docs

* GitHub proxy part 1.5: integration in web ui (#49561)

* GitHub proxy part 1.5: integration in web ui

* fix lint

* GitHub Proxy part 3.5: caching PluginStaticCredentials (#49472)

* GitHub Proxy part 3.5: caching PluginStaticCredentials

* fix lint

* GitHub proxy part 2.5: git_server cache (#49564)

* GitHub proxy part 2.5: git_server cache

* revert event

* fix getAll

* review comments

* GitHub Proxy part 3: gen github user cert and export CA (#49396)

* GitHub Proxy part 3: gen github user cert and export CA

* address pr comment

* minor refactor

* use cache

* fix build and cache

* GitHub proxy part 4: `tsh git ls` with unified resource (#49596)

* GitHub proxy part 4: tsh git ls

* fix ut

* update username note

* fix

* GitHub proxy part 5: OAuth flow to retrieve GitHub identity (#49849)

* GitHub proxy part 5: OAuth flow to retrieve GitHub identity

* review comments round1

* review comments round 2 and update tsh git list

* make -C integrations/operator crd

* make -C integrations/terraform docs

* fix flaky test

* GitHub proxy part 6.5: tsh git ssh/clone/config (#50044)

* GitHub proxy part 6.5: tsh git ssh/clone/config

* review comments

* fix test

* fix ut for lookpath

* fix logger and update dependency version

* go mod tidy for integrations

* GitHub proxy part 7: audit events (#49923)

* GitHub proxy part 7: audit events

* make Git Command consistent

* fix typo

* GitHub proxy: git command recorder (#50505)

* GitHub proxy: recording git command

* address review

* review comments

* allow flags after repository for git-upload-pack

* GitHub proxy part 6: proxying Git using SSH transport (#49980)

* GitHub proxy part 6: proxying Git using SSH transport

* better command parsing and update suite

* refactor

* revert unnecessary files

* address review comments

* ut fix

* revert localsite_test.go

* change special suffix to teleport-github-org for routing

* fix routing ut

* minor typo edit

* fix ut after sshca change

* add UT to sshutils

* minor review comments

* fix api ut because of special suffix change

* GitServerReadOnlyClient

* downgrade error to warning

* run go mod tidy. not sure why it's needed

* rename mock.go to mock_test.go

* GitHub Proxy: complete audit event flow and add an enterprise guard (#51049)

* fix lint and remove accidentally checked-in binary

* Fix flaky git.TestForwardServer test (#51112)