Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GitLab Delegated Joining #22705

Merged
merged 23 commits into from
Mar 16, 2023
Merged

GitLab Delegated Joining #22705

merged 23 commits into from
Mar 16, 2023

Conversation

strideynet
Copy link
Contributor

@strideynet strideynet commented Mar 7, 2023
edited
Loading

Closes #17059

  • Automated tests
  • Manual test GitLab cloud
  • Manual test GitLab self-hosted

Docs will come in a future PR o7

@strideynet
Copy link
Contributor Author

strideynet commented Mar 9, 2023
edited
Loading

SaaS GitLab test

image

As of 6c85c3f - we now have working delegated joining. All that remains is adding all the remaining allow rule options and testing against self-hosted GitLab.

Sample workflow:

stages:          # List of stages for jobs, and their order of execution
  - build

build-job:       # This job runs in the build stage, which runs first.
  stage: build
  id_tokens:
    TBOT_GITLAB_JWT:
      aud: teleport.example.com
  script:
    - echo $CI_JOB_JWT | base64
    - echo $CI_JOB_JWT_V2 | base64
    - echo $TBOT_GITLAB_JWT | base64
    - whoami
    - ./tbot start --token=gitlab-bot --destination-dir=./tbot-user --auth-server=teleport.example.com:443 --join-method=gitlab --oneshot
    - ./tsh -i ./tbot-user/identity --proxy teleport.example.com:443 ls

Sample token config:

kind: token
version: v2
metadata:
  name: gitlab-bot
  expires: "3000-01-01T00:00:00Z"
spec:
  roles: [Bot]
  join_method: gitlab
  bot_name: gitlab-demo
  gitlab:
    allow:
      - sub: "project_path:strideynet/gitlab-sandbox:ref_type:branch:ref:main

@strideynet strideynet marked this pull request as ready for review March 13, 2023 14:08
@github-actions github-actions bot requested review from hatched and timothyb89 March 13, 2023 14:08
@strideynet strideynet requested a review from zmb3 March 13, 2023 14:33
@strideynet
Copy link
Contributor Author

strideynet commented Mar 13, 2023
edited
Loading

Remaining task is to stand up a self-hosted GitLab instance and test against this instance !

@strideynet
Copy link
Contributor Author

GitLab instance stood up - will hopefully run a manual test against this instance tomorrow morning.

@strideynet
Copy link
Contributor Author

Self-hosted test

image

.gitlab-ci.yml

stages:          # List of stages for jobs, and their order of execution
  - build

build-job:       # This job runs in the build stage, which runs first.
  stage: build
  id_tokens:
    TBOT_GITLAB_JWT:
      aud: teleport.example.com
  script:
    - ./tbot start --token=gitlab-self-hosted-bot --destination-dir=./tbot-user --data-dir=./tbot-data --auth-server=teleport.example.com:443 --join-method=gitlab --oneshot
    - TELEPORT_LOGIN=root ./tsh -i ./tbot-user/identity --proxy teleport.example.com:443 ls

ProvisionToken resource

kind: token
version: v2
metadata:
  name: gitlab-self-hosted-bot
  expires: "3000-01-01T00:00:00Z"
spec:
  roles: [Bot]
  join_method: gitlab
  bot_name: gitlab-demo
  gitlab:
    domain: gitlab.example.com
    allow:
      - project_path: noah/gitlab-sandbox
        ref_type: branch
        ref: main
        namespace_path: noah

I included some additional fields more than necessary in the allow rules just to check that all of these function as expected.

@strideynet
Copy link
Contributor Author

Also manually tested:

  • Incorrect audience token is rejected
  • Correct issuer is enforced based on whether or not domain is set (e.g a Cloud issued ID token cannot be used against a self-hosted GitLab provision token)

@public-teleport-github-review-bot public-teleport-github-review-bot bot removed the request for review from timothyb89 March 16, 2023 16:04
@strideynet strideynet enabled auto-merge March 16, 2023 16:19
@strideynet strideynet added this pull request to the merge queue Mar 16, 2023
Merged via the queue into master with commit acb255c Mar 16, 2023
@public-teleport-github-review-bot
Copy link

@strideynet See the table below for backport results.

Branch Result
branch/v12 Failed

strideynet added a commit that referenced this pull request Mar 16, 2023
@strideynet
GitLab Delegated Joining (#22705)
fedadee 
* Add type for GitLab ProvisionToken

* Add default behaviour for domain

* Add IDTokenClaims for GitLab

* Add gitlab token source and token validator

* Thread GitLab support through auth and tbot packages

* Adjust cluster name fetching in token validator

* Initialize GitLab token validator in auth

* Improve comment on `sub`

* Working GitLab CI delegated joining

* Add additional token rule fields

* Add checking for new configuration fields

* add additional test cases for validation of gitlab config struct

* Add TestAuth_RegisterUsingToken_GitLab

* Add tests for IDTokenSource

* Fix imports

* Add tests for GitLab Token Validator

* Fix some comments that were incomplete

* Add license headers
@strideynet strideynet mentioned this pull request Mar 16, 2023
Merged
strideynet added a commit that referenced this pull request Mar 17, 2023
@strideynet
GitLab Delegated Joining (#22705) (#23191)
fe5bff3 
* Add type for GitLab ProvisionToken

* Add default behaviour for domain

* Add IDTokenClaims for GitLab

* Add gitlab token source and token validator

* Thread GitLab support through auth and tbot packages

* Adjust cluster name fetching in token validator

* Initialize GitLab token validator in auth

* Improve comment on `sub`

* Working GitLab CI delegated joining

* Add additional token rule fields

* Add checking for new configuration fields

* add additional test cases for validation of gitlab config struct

* Add TestAuth_RegisterUsingToken_GitLab

* Add tests for IDTokenSource

* Fix imports

* Add tests for GitLab Token Validator

* Fix some comments that were incomplete

* Add license headers
@strideynet strideynet deleted the strideynet/gitlab-joining branch March 20, 2023 10:41
@Monster1290 Monster1290 mentioned this pull request Nov 3, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hatched hatched hatched approved these changes

@zmb3 zmb3 zmb3 approved these changes

Assignees
No one assigned
Labels
machine-id size/lg
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Machine ID: Support delegated joining on GitLab
3 participants
@strideynet @hatched @zmb3