gitlab: Rewrite plugin to use new API client.

- Use new teleport/api client. - Add comments to the issue when new access review is submitted. - Automatically change issue status once request is approved/denied. - Manage plugin data state safely using compare-and-swap. - Migrate tests to testify. Closes #188. Closes #209.
gravitational · Aug 23, 2021 · be05d5e · be05d5e
1 parent 969836d
commit be05d5e
Show file tree

Hide file tree

Showing 13 changed files with 2,189 additions and 1,087 deletions.
diff --git a/access/gitlab/README.md b/access/gitlab/README.md
@@ -1,13 +1,24 @@
-# Teleport / Gitlab plugin
+# Teleport Gitlab plugin
 
 The plugin allows teams to setup permissions workflow over their existing or new
-Gitlab projects. When someone requests new permissions, an issue will be opened,
+Gitlab projects. When someone requests new roles in Teleport, an issue will be opened,
 and the team members can assign approval or denied label to the issue to approve
 or deny the request.
 
-## Quick setup
+## Setup
 
-To get things up & running quickly:
+### Install the plugin
+
+Get the plugin distribution.
+
+```bash
+$ curl -L https://get.gravitational.com/teleport-access-gitlab-v7.0.2-linux-amd64-bin.tar.gz
+$ tar -xzf teleport-access-gitlab-v7.0.2-linux-amd64-bin.tar.gz
+$ cd teleport-access-gitlab
+$ ./install
+```
+
+### Gitlab API token & project setup
 
 1. On Gitlab, go "User Settings" -> "Access Tokens". Create a token with api
    scope, remember the token.
@@ -17,15 +28,55 @@ To get things up & running quickly:
    `Teleport: Approved`, and `Teleport: Denied`. The plugin will work if you
    just change labels on issues, but with a Board you can just drag the issue
    into a status-column you want.
-4. Create an /etc/teleport-gitlab.yml
+
+### Teleport User and Role
+
+Using Web UI or `tctl` CLI utility, create the role `access-gitlab` and the user `access-gitlab` belonging to the role `access-gitlab`. You may use the following YAML declarations.
+
+#### Role
+
+```yaml
+kind: role
+metadata:
+  name: access-gitlab
+spec:
+  allow:
+    rules:
+      - resources: ['access_request']
+        verbs: ['list', 'read', 'update']
+version: v3
+```
+
+#### User
+
+```yaml
+kind: user
+metadata:
+  name: access-gitlab
+spec:
+  roles: ['access-gitlab']
+version: v2
+```
+
+### Generate the certificate
+
+For the plugin to connect to Auth Server, it needs an identity file containing TLS/SSH certificates. This can be obtained with tctl:
+
+```bash
+$ tctl auth sign --auth-server=AUTH-SERVER:PORT --format=file --user=access-gitlab --out=/var/lib/teleport/plugins/gitlab/auth_identity --ttl=8760h
+```
+
+Here, `AUTH-SERVER:PORT` could be `localhost:3025`, `your-remote-auth.example.com:3025`, `your-remote-proxy.teleport.sh:443`. For remote connections, you might want to pass the `--identity=...` option to authenticate yourself to Auth Server.
+
+### Save configuration file
+
+By default, configuration file is expected to be at `/etc/teleport-gitlab.toml`.
 
 ```toml
 # /etc/teleport-gitlab.toml
 [teleport]
-auth_server = "example.com:3025"                         # Teleport Auth Server GRPC API address
-client_key = "/var/lib/teleport/plugins/gitlab/auth.key" # Teleport GRPC client secret key
-client_crt = "/var/lib/teleport/plugins/gitlab/auth.crt" # Teleport GRPC client certificate
-root_cas = "/var/lib/teleport/plugins/gitlab/auth.cas"   # Teleport cluster CA certs
+auth_server = "example.com:3025"                   # Teleport Auth/Proxy Server address (should be port 443 for Teleport Cloud)
+identity = "/var/lib/teleport/plugins/gitlab/auth_identity"
 
 [db]
 path = "/var/lib/teleport/plugins/gitlab/database" # Path to the database file
@@ -47,6 +98,23 @@ output = "stderr" # Logger output. Could be "stdout", "stderr" or "/var/lib/tele
 severity = "INFO" # Logger severity. Could be "INFO", "ERROR", "DEBUG" or "WARN".
 ```
 
-The plugin creates labels on Gitlab automatically if they don't exist yet. You
-don't have to set anything up on Gitlab, except for the project (create new, or
-grab project ID from an existing one), and the Board.
+### Run the plugin
+
+```bash
+teleport-gitlab start
+```
+
+If something bad happens, try to run it with `-d` option i.e. `teleport-gitlab start -d` and attach the stdout output to the issue you are going to create.
+
+If for some reason you want to disable TLS termination in the plugin and deploy it somewhere else e.g. on some reverse proxy, you may want to run the plugin with `--insecure-no-tls` option. With `--insecure-no-tls` option, plugin's webhook server will talk plain HTTP protocol.
+
+## Building from source
+
+To build the plugin from source you need Go >= 1.16 and `make`.
+
+```bash
+git clone https://github.com/gravitational/teleport-plugins.git
+cd teleport-plugins/access/gitlab
+make
+./build/teleport-gitlab start
+```