gitlab: Rewrite plugin to use new API client.

- Use new teleport/api client. - Add comments to the issue when new access review is submitted. - Automatically change issue status once request is approved/denied. - Manage plugin data state safely using compare-and-swap. - Migrate tests to testify. - Also update slack, mattermost and pagerduty plugins with a new `addr` config setting instead of deprecated `auth_server`. Closes #188. Closes #209.
gravitational · Sep 2, 2021 · 299867c · 299867c
1 parent cd51a9c
commit 299867c
Show file tree

Hide file tree

Showing 31 changed files with 2,490 additions and 1,135 deletions.
diff --git a/access/gitlab/README.md b/access/gitlab/README.md
@@ -1,31 +1,89 @@
-# Teleport / Gitlab plugin
+# Teleport GitLab Plugin
 
 The plugin allows teams to setup permissions workflow over their existing or new
-Gitlab projects. When someone requests new permissions, an issue will be opened,
+GitLab projects. When someone requests new roles in Teleport, an issue will be opened,
 and the team members can assign approval or denied label to the issue to approve
 or deny the request.
 
-## Quick setup
+## Setup
 
-To get things up & running quickly:
+### Install the plugin
 
-1. On Gitlab, go "User Settings" -> "Access Tokens". Create a token with api
+Get the plugin distribution.
+
+```bash
+$ curl -L https://get.gravitational.com/teleport-access-gitlab-v7.0.2-linux-amd64-bin.tar.gz
+$ tar -xzf teleport-access-gitlab-v7.0.2-linux-amd64-bin.tar.gz
+$ cd teleport-access-gitlab
+$ ./install
+```
+
+### Set up GitLab project & API token
+
+1. On GitLab, go "User Settings" -> "Access Tokens". Create a token with api
    scope, remember the token.
 2. Create a project, get its numeric "Project ID" from "Project Overview" ->
    "Details" page.
 3. You might want to create the Board with lists: `Teleport: Pending`,
    `Teleport: Approved`, and `Teleport: Denied`. The plugin will work if you
    just change labels on issues, but with a Board you can just drag the issue
    into a status-column you want.
-4. Create an /etc/teleport-gitlab.yml
+
+### Teleport User and Role
+
+Using Web UI or `tctl` CLI utility, create the role `access-gitlab` and the user `access-gitlab` belonging to the role `access-gitlab`. You may use the following YAML declarations.
+
+#### Role
+
+```yaml
+kind: role
+metadata:
+  name: access-gitlab
+spec:
+  allow:
+    rules:
+      - resources: ['access_request']
+        verbs: ['list', 'read', 'update']
+version: v4
+```
+
+#### User
+
+```yaml
+kind: user
+metadata:
+  name: access-gitlab
+spec:
+  roles: ['access-gitlab']
+version: v2
+```
+
+### Generate the certificate
+
+For the plugin to connect to Auth Server, it needs an identity file containing TLS/SSH certificates. This can be obtained with tctl:
+
+```bash
+$ tctl auth sign --auth-server=AUTH-SERVER:PORT --format=file --user=access-gitlab --out=/var/lib/teleport/plugins/gitlab/auth_id --ttl=8760h
+```
+
+Here, `AUTH-SERVER:PORT` could be `localhost:3025`, `your-in-cluster-auth.example.com:3025`, `your-remote-proxy.example.com:3080` or `your-teleport-cloud.teleport.sh:443`. For non-localhost connections, you might want to pass the `--identity=...` option to authenticate yourself to Auth Server.
+
+### Save configuration file
+
+By default, configuration file is expected to be at `/etc/teleport-gitlab.toml`.
 
 ```toml
 # /etc/teleport-gitlab.toml
 [teleport]
-auth_server = "example.com:3025"                         # Teleport Auth Server GRPC API address
-client_key = "/var/lib/teleport/plugins/gitlab/auth.key" # Teleport GRPC client secret key
-client_crt = "/var/lib/teleport/plugins/gitlab/auth.crt" # Teleport GRPC client certificate
-root_cas = "/var/lib/teleport/plugins/gitlab/auth.cas"   # Teleport cluster CA certs
+# Teleport Auth/Proxy Server address.
+#
+# Should be port 3025 for Auth Server and 3080 or 443 for Proxy.
+# For Teleport Cloud, should be in the form of "your-account.teleport.sh:443".
+addr = "example.com:3025"
+
+# Identity file exported by `tctl auth sign`.
+#
+identity = "/var/lib/teleport/plugins/gitlab/auth_id"
 
 [db]
 path = "/var/lib/teleport/plugins/gitlab/database" # Path to the database file
@@ -47,6 +105,23 @@ output = "stderr" # Logger output. Could be "stdout", "stderr" or "/var/lib/tele
 severity = "INFO" # Logger severity. Could be "INFO", "ERROR", "DEBUG" or "WARN".
 ```
 
-The plugin creates labels on Gitlab automatically if they don't exist yet. You
-don't have to set anything up on Gitlab, except for the project (create new, or
-grab project ID from an existing one), and the Board.
+### Run the plugin
+
+```bash
+teleport-gitlab start
+```
+
+If something bad happens, try to run it with `-d` option i.e. `teleport-gitlab start -d` and attach the stdout output to the issue you are going to create.
+
+If for some reason you want to disable TLS termination in the plugin and deploy it somewhere else e.g. on some reverse proxy, you may want to run the plugin with `--insecure-no-tls` option. With `--insecure-no-tls` option, plugin's webhook server will talk plain HTTP protocol.
+
+## Building from source
+
+To build the plugin from source you need Go >= 1.16 and `make`.
+
+```bash
+git clone https://github.com/gravitational/teleport-plugins.git
+cd teleport-plugins/access/gitlab
+make
+./build/teleport-gitlab start
+```