(7.0) Use auth service for teleport nodes (#2029)

* Use auth service for teleport nodes * Backport system teleport show-config command
gravitational · Aug 24, 2020 · 80cccfb · 80cccfb
1 parent 2f61b2f
commit 80cccfb
Show file tree

Hide file tree

Showing 10 changed files with 196 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -46,7 +46,7 @@ GRAVITY_INTERMEDIATE_RELEASE ?= 6.1.31
 RELEASE_TARBALL_NAME ?=
 RELEASE_OUT ?=
 
-TELEPORT_TAG = 3.2.14
+TELEPORT_TAG = 3.2.16
 # TELEPORT_REPOTAG adapts TELEPORT_TAG to the teleport tagging scheme
 TELEPORT_REPOTAG := v$(TELEPORT_TAG)
 PLANET_TAG := 7.0.41-$(K8S_VER_SUFFIX)

diff --git a/assets/site-app/resources/site.yaml b/assets/site-app/resources/site.yaml
@@ -291,3 +291,17 @@ spec:
     nodePort: 32009
   selector:
     app: gravity-site
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gravity-site-auth
+  namespace: kube-system
+spec:
+  type: NodePort
+  ports:
+  - name: auth
+    port: 3025
+    nodePort: 32025
+  selector:
+    app: gravity-site
diff --git a/build.assets/Makefile b/build.assets/Makefile
@@ -74,7 +74,7 @@ TELEKUBE_TSH_PKG := gravitational.io/tsh_$(OS)_$(ARCH):$(GRAVITY_TAG)
 
 # Version of tsh binary that gets published into distribution OpsCenter, may differ from
 # the one Gravity currently depends on
-TELEKUBE_TSH_TAG := v3.2.14
+TELEKUBE_TSH_TAG := v3.2.16
 
 # Extra flags that may be provided when publishing telekube artifacts (e.g. --insecure)
 TELEKUBE_PUBLISH_FLAGS ?=

diff --git a/lib/defaults/defaults.go b/lib/defaults/defaults.go
@@ -747,6 +747,8 @@ const (
 
 	// GravitySiteNodePort is a default site NodePort load balancer port
 	GravitySiteNodePort = 32009
+	// GravitySiteAuthNodePort is the node port where gravity-site exposes teleport auth service
+	GravitySiteAuthNodePort = 32025
 
 	// OIDCConnectorID is a default OIDC connector to use
 	OIDCConnectorID = "google"

diff --git a/lib/ops/opsservice/configure.go b/lib/ops/opsservice/configure.go
@@ -42,6 +42,7 @@ import (
 
 	teleetcd "github.com/gravitational/teleport/lib/backend/etcdbk"
 	telecfg "github.com/gravitational/teleport/lib/config"
+	teledefaults "github.com/gravitational/teleport/lib/defaults"
 	teleservices "github.com/gravitational/teleport/lib/services"
 	teleutils "github.com/gravitational/teleport/lib/utils"
 
@@ -1184,9 +1185,17 @@ func (s *site) getTeleportNodeConfig(ctx *operationContext, masterIPs []string,
 		fileConf.Logger.Severity = "info"
 	}
 
+	// Add all available master nodes as auth servers for the teleport node.
 	for _, masterIP := range masterIPs {
-		fileConf.AuthServers = append(fileConf.AuthServers, fmt.Sprintf("%v:3025", masterIP))
+		fileConf.AuthServers = append(fileConf.AuthServers,
+			fmt.Sprintf("%v:%v", masterIP, teledefaults.AuthListenPort))
 	}
+	// Teleport auth service is also exposed as a node port so add it as an
+	// auth service as well and it will be used if none of the masters
+	// present in the config are available.
+	fileConf.AuthServers = append(fileConf.AuthServers,
+		fmt.Sprintf("%v:%v", node.AdvertiseIP, defaults.GravitySiteAuthNodePort))
+
 	fileConf.AuthToken = joinToken.Token
 
 	fileConf.SSH.Labels = map[string]string{}

diff --git a/lib/process/import.go b/lib/process/import.go
@@ -235,7 +235,7 @@ func (i *importer) findLatestTeleportConfigPackage(clusterName string, teleportV
 	config, err := pack.FindLatestPackageCustom(pack.FindLatestPackageRequest{
 		Packages:   i.packages,
 		Repository: clusterName,
-		Match:      matchTeleportConfigPackage(teleportVersion),
+		Match:      MatchTeleportConfigPackage(teleportVersion),
 	})
 	if err == nil {
 		return config, nil
@@ -254,7 +254,9 @@ func (i *importer) findLatestLegacyTeleportConfigPackage(clusterName string) (*l
 	})
 }
 
-func matchTeleportConfigPackage(teleportVersion semver.Version) pack.MatchFunc {
+// MatchTeleportConfigPackage returns a match function that matches Teleport
+// master configuration package with specified version.
+func MatchTeleportConfigPackage(teleportVersion semver.Version) pack.MatchFunc {
 	return func(env pack.PackageEnvelope) bool {
 		if !env.HasLabel(pack.PurposeLabel, pack.PurposeTeleportMasterConfig) {
 			return false

diff --git a/tool/gravity/cli/commands.go b/tool/gravity/cli/commands.go
@@ -254,6 +254,10 @@ type Application struct {
 	RPCAgentStatusCmd RPCAgentStatusCmd
 	// SystemCmd combines system subcommands
 	SystemCmd SystemCmd
+	// SystemTeleportCmd combines internal Teleport commands
+	SystemTeleportCmd SystemTeleportCmd
+	// SystemTeleportShowConfigCmd displays Teleport config
+	SystemTeleportShowConfigCmd SystemTeleportShowConfigCmd
 	// SystemRotateCertsCmd renews cluster certificates on local node
 	SystemRotateCertsCmd SystemRotateCertsCmd
 	// SystemExportCACmd exports cluster CA
@@ -1480,6 +1484,18 @@ type SystemCmd struct {
 	*kingpin.CmdClause
 }
 
+// SystemTeleportCmd combines internal Teleport commands
+type SystemTeleportCmd struct {
+	*kingpin.CmdClause
+}
+
+// SystemTeleportShowConfigCmd displays Teleport config from specified package
+type SystemTeleportShowConfigCmd struct {
+	*kingpin.CmdClause
+	// Package is the package to show config from
+	Package *string
+}
+
 // SystemRotateCertsCmd renews cluster certificates on local node
 type SystemRotateCertsCmd struct {
 	*kingpin.CmdClause

diff --git a/tool/gravity/cli/register.go b/tool/gravity/cli/register.go
@@ -638,6 +638,10 @@ func RegisterCommands(app *kingpin.Application) *Application {
 
 	g.SystemCmd.CmdClause = g.Command("system", "operations on system components")
 
+	g.SystemTeleportCmd.CmdClause = g.SystemCmd.Command("teleport", "System level operations on Teleport service").Hidden()
+	g.SystemTeleportShowConfigCmd.CmdClause = g.SystemTeleportCmd.Command("show-config", "Display Teleport configuration from the specified package")
+	g.SystemTeleportShowConfigCmd.Package = g.SystemTeleportShowConfigCmd.Flag("package", "Package with Teleport configuration. Can also be 'master' or 'node' to auto-detect package").Required().String()
+
 	g.SystemRotateCertsCmd.CmdClause = g.SystemCmd.Command("rotate-certs", "Renew cluster certificates on a node").Hidden()
 	g.SystemRotateCertsCmd.ClusterName = g.SystemRotateCertsCmd.Arg("cluster-name", "Name of the local cluster").Required().String()
 	g.SystemRotateCertsCmd.ValidFor = g.SystemRotateCertsCmd.Flag("valid-for", "Validity duration in Go format").Default("26280h").Duration()

diff --git a/tool/gravity/cli/run.go b/tool/gravity/cli/run.go
@@ -846,6 +846,9 @@ func Execute(g *Application, cmd string, extraArgs []string) (err error) {
 		return exportCertificateAuthority(localEnv,
 			*g.SystemExportCACmd.ClusterName,
 			*g.SystemExportCACmd.CAPath)
+	case g.SystemTeleportShowConfigCmd.FullCommand():
+		return showTeleportConfig(localEnv,
+			*g.SystemTeleportShowConfigCmd.Package)
 	case g.SystemReinstallCmd.FullCommand():
 		return systemReinstall(localEnv,
 			*g.SystemReinstallCmd.Package,

diff --git a/tool/gravity/cli/teleport.go b/tool/gravity/cli/teleport.go
@@ -0,0 +1,141 @@
+/*
+Copyright 2020 Gravitational, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cli
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"io"
+
+	"github.com/gravitational/gravity/lib/loc"
+	"github.com/gravitational/gravity/lib/localenv"
+	"github.com/gravitational/gravity/lib/pack"
+	"github.com/gravitational/gravity/lib/process"
+
+	"github.com/gravitational/teleport/lib/config"
+	"github.com/gravitational/teleport/lib/defaults"
+
+	"github.com/coreos/go-semver/semver"
+	"github.com/gravitational/trace"
+	"gopkg.in/yaml.v2"
+)
+
+func showTeleportConfig(env *localenv.LocalEnvironment, packageName string) error {
+	locators, err := getTeleportLocators(env, packageName)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	config, err := readTeleportFileConfig(locators.configReader)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	configBytes, err := yaml.Marshal(config)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	fmt.Println(string(configBytes))
+	return nil
+}
+
+func readTeleportFileConfig(reader io.ReadCloser) (*config.FileConfig, error) {
+	vars, err := pack.ReadConfigPackage(reader)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	configBase64 := vars[defaults.ConfigEnvar]
+	if configBase64 == "" {
+		return nil, trace.BadParameter("empty teleport config")
+	}
+	configBytes, err := base64.StdEncoding.DecodeString(configBase64)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	var config config.FileConfig
+	if err := yaml.Unmarshal(configBytes, &config); err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return &config, nil
+}
+
+type teleportLocators struct {
+	teleportLocator loc.Locator
+	configLocator   loc.Locator
+	configEnvelope  pack.PackageEnvelope
+	configReader    io.ReadCloser
+}
+
+func getTeleportLocators(env *localenv.LocalEnvironment, packageName string) (*teleportLocators, error) {
+	teleportLocator, err := pack.FindInstalledPackage(env.Packages, loc.Teleport)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	teleportVersion, err := teleportLocator.SemVer()
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	var configLocator *loc.Locator
+	switch packageName {
+	case "master":
+		configLocator, err = findTeleportMasterConfig(env, *teleportVersion)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		fmt.Printf("Using Teleport master config from %s\n", configLocator)
+	case "node":
+		configLocator, err = findTeleportNodeConfig(env)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+		fmt.Printf("Using Teleport node config from %s\n", configLocator)
+	default:
+		configLocator, err = loc.ParseLocator(packageName)
+		if err != nil {
+			return nil, trace.Wrap(err)
+		}
+	}
+	envelope, reader, err := env.Packages.ReadPackage(*configLocator)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return &teleportLocators{
+		teleportLocator: *teleportLocator,
+		configLocator:   *configLocator,
+		configEnvelope:  *envelope,
+		configReader:    reader,
+	}, nil
+}
+
+func findTeleportMasterConfig(env *localenv.LocalEnvironment, teleportVersion semver.Version) (*loc.Locator, error) {
+	clusterEnv, err := env.NewClusterEnvironment()
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	cluster, err := clusterEnv.Operator.GetLocalSite(context.TODO())
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return pack.FindLatestPackageCustom(pack.FindLatestPackageRequest{
+		Packages:   env.Packages,
+		Repository: cluster.Domain,
+		Match:      process.MatchTeleportConfigPackage(teleportVersion),
+	})
+}
+
+func findTeleportNodeConfig(env *localenv.LocalEnvironment) (*loc.Locator, error) {
+	return pack.FindInstalledConfigPackage(env.Packages, loc.Teleport)
+}