GitHub Proxy part 2: git_server resource, service, and RBAC #49393
Conversation
greedy52
changed the title
…/48762_git_server
greedy52
force-pushed
the
STeve/48762_git_server
branch
from
227c801 to
177eeec
Compare
greedy52
added
the
no-changelog
| case types.KindGitServer: | ||
| var servers []types.Server | ||
|
|
||
| // TODO(greedy52) use unified resource request once available. |
| if serverV2, err := toServerV2(server); err != nil { | ||
| return nil, trace.Wrap(err) |
There was a problem hiding this comment.
it shouldn't. just safety check
| // CreateGitServerRequest is a request to create a Git server. | ||
| message CreateGitServerRequest { | ||
| // Server is the Git server to create. | ||
| types.ServerV2 server = 1; |
There was a problem hiding this comment.
Theoretical question :-)
If there any possible way to not mix gogole proto with legacy deprecated gogo proto ?
There was a problem hiding this comment.
it's probably doable, i haven't tried. But i will have to do conversions back AND force in a LOT of places as git_server will rely on existing SSH transport. I prefer use the old type and keep backend consistent as the other server resources.
There was a problem hiding this comment.
Is types.ServerV2 leveraged for literally anything here? Is it planned to work for arbitrary git servers reached directly from the server?
There was a problem hiding this comment.
Is it planned to work for arbitrary git servers reached directly from the server?
What do you mean?
Do you mean directly from the proxy server? there will be git agents eventually for private/self-hosted git services.
There was a problem hiding this comment.
Well, the entire point of ServerV2 is that it has a bunch of fields that make sense for servers - so far, a git_server with subkind github is literally only using metadata and one field that was added to ServerSpecV2 that only makes sense in that exact scenario, so I was wondering if in the future we're planning to make use of ServerV2.
There was a problem hiding this comment.
i was thinking yes. For example, a git_server for self-hosted gitlab is basically a non-agentless SSH server that uses its own CA to sign.
I am open to switching git_server to its own type. What worries me more is whether I have to convert this type to satisfy the types.Server interface and/or refactor the SSH transport along the way.
What do you think?
public-teleport-github-review-bot
bot
removed the request for review
from rudream
|
🤖 Vercel preview here: https://docs-2kv7muz8t-goteleport.vercel.app/docs |
|
🤖 Vercel preview here: https://docs-dk4vp5vo8-goteleport.vercel.app/docs |
|
@greedy52 - this PR will require admin approval to merge due to its size. Consider breaking it up into a series smaller changes. |
|
🤖 Vercel preview here: https://docs-65k658emc-goteleport.vercel.app/docs |
greedy52
force-pushed
the
STeve/48762_git_server
branch
from
2989a83 to
84c1e6e
Compare
|
🤖 Vercel preview here: https://docs-ng3o76b5d-goteleport.vercel.app/docs |
* git_server resource and role.allow.github_permissions * implicit RO on KindGitServer * review comments * fix ut * make -C integrations/operator crd * fix ut again * make crds-up-to-date and make -C integrations/terraform docs
* git_server resource and role.allow.github_permissions * implicit RO on KindGitServer * review comments * fix ut * make -C integrations/operator crd * fix ut again * make crds-up-to-date and make -C integrations/terraform docs
* GitHub Proxy part 1: github integration resource (#48999) * github integration resource * fix lib/web * revert withSecrets * use static credentials * address review comments * fix ut * GitHub Proxy part 2: git_server resource, service, and RBAC (#49393) * git_server resource and role.allow.github_permissions * implicit RO on KindGitServer * review comments * fix ut * make -C integrations/operator crd * fix ut again * make crds-up-to-date and make -C integrations/terraform docs * GitHub proxy part 1.5: integration in web ui (#49561) * GitHub proxy part 1.5: integration in web ui * fix lint * GitHub Proxy part 3.5: caching PluginStaticCredentials (#49472) * GitHub Proxy part 3.5: caching PluginStaticCredentials * fix lint * GitHub proxy part 2.5: git_server cache (#49564) * GitHub proxy part 2.5: git_server cache * revert event * fix getAll * review comments * GitHub Proxy part 3: gen github user cert and export CA (#49396) * GitHub Proxy part 3: gen github user cert and export CA * address pr comment * minor refactor * use cache * fix build and cache * GitHub proxy part 4: `tsh git ls` with unified resource (#49596) * GitHub proxy part 4: tsh git ls * fix ut * update username note * fix * GitHub proxy part 5: OAuth flow to retrieve GitHub identity (#49849) * GitHub proxy part 5: OAuth flow to retrieve GitHub identity * review comments round1 * review comments round 2 and update tsh git list * make -C integrations/operator crd * make -C integrations/terraform docs * fix flaky test * GitHub proxy part 6.5: tsh git ssh/clone/config (#50044) * GitHub proxy part 6.5: tsh git ssh/clone/config * review comments * fix test * fix ut for lookpath * fix logger and update dependency version * go mod tidy for integrations * GitHub proxy part 7: audit events (#49923) * GitHub proxy part 7: audit events * make Git Command consistent * fix typo * GitHub proxy: git command recorder (#50505) * GitHub proxy: recording git command * address review * review comments * allow flags after repository for git-upload-pack * GitHub proxy part 6: proxing Git using SSH transport (#49980) * GitHub proxy part 6: proxing Git using SSH transport * better command parsing and update suite * refactor * revert unnecearrty files * address review comments * ut fix * revert localsite_test.go * change special suffix to teleport-github-org for routing * fix routing ut * minor typo edit * fix ut after sshca change * add UT to sshutils * minor review comments * fix api ut because of special suffix change * GitServerReadOnlyClient * downgrade error to warning * run go mod tidy. not sure why it's needed * rename mock.go to mock_test.go * GitHub Proxy: complete audit event flow and add an enterprise guard (#51049) * fix lint and remove accidently checked-in binary * Fix flaky git.TestForwardServer test (#51112)
part of:
Sorry for the bit list of files. Mostly just boiler plate code for a new resource.
Resource yaml
Then: