gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

GitHub Actions Action to assist with using `tbot` and `tsh` in workflows. #16796

Closed strideynet closed 1 year ago

strideynet commented 1 year ago

https://docs.github.com/en/actions/creating-actions

Current Situation

name: Demo
on:
  push:
    branches:
      - main
jobs:
  demo:
    permissions:
      # This is required or tbot will not be able to authenticate
      id-token: write
      contents: read
    name: demo
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Fetch tsh and tbot
        run: echo "Woo ! We'd usually fetch this but I've added them to the repo for this demo" # This would be wget and tar.
      - name: Fetch credentials
        run: ./tbot start -d --join-method=github --token=github-bot --auth-server=example.com:443 --oneshot --destination-dir=./certs --data-dir=./data
      - name: Write file to remote
        run: ./tsh -i ./certs/identity --proxy example.com:443 ssh user@nodename "echo $GITHUB_SHA >> ~/github_run_log"

What's not so great about this:

What would be great:

name: Demo
on:
  push:
    branches:
      - main
jobs:
  demo:
    permissions:
      # This is required or tbot will not be able to authenticate
      id-token: write
      contents: read
    name: demo
    runs-on: ubuntu-latest
    steps:
      - name: Setup Teleport
        uses: gravitational/teleport-action@v1
        with:
          proxy: example.com:443
          token: github-bot
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Write file to remote
        run: tsh ssh user@nodename "echo $GITHUB_SHA >> ~/github_run_log"

The action completes the following:

Thoughts on security:

Incremental approach:

  1. Action downloads binaries, and places them within the path - leveraging caching where possible.
     a. Allow users to select which binaries
  2. Run tbot automatically - and inform users where the default output directory is
  3. Preconfigure tsh - this will potentially involve changes to tsh itself.

Research

setup-go

https://github.com/actions/setup-go

Setup Go does some of what we want to do (download binaries and place them into the path)

Uses '@actions/tool-cache'

https://github.com/actions/toolkit/tree/main/packages/cache

https://github.com/tonistiigi/go-actions-cache/blob/master/api.md

https://github.com/actions/typescript-action

Passing env vars to future steps

https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable

Adding to path

https://github.com/actions/toolkit/blob/master/packages/core/src/core.ts#L57

Implementation

Docker VS Javascript
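An added shell sketch (not code from this issue or from gravitational/teleport-actions) of what the first two increments above amount to, using the GITHUB_PATH / GITHUB_ENV mechanics linked under Research. It assumes the binaries already sit in the first argument, that TBOT_BIN may override the tbot path, and the variable name TBOT_IDENTITY_DIR is made up here; ACTIONS_ID_TOKEN_REQUEST_TOKEN is the variable GitHub sets only when the job has `id-token: write`.

```shell
#!/bin/sh
# Added sketch of the proposed action's first two increments; not the
# project's own code. Assumptions: tsh/tbot already sit in $1, TBOT_BIN may
# override the tbot path (so a stub can stand in for it), and the name
# TBOT_IDENTITY_DIR is constructed here for later steps to read.
set -eu

teleport_setup() {
  bin_dir="$1"; proxy="$2"; token="$3"; dest_dir="$4"
  # GitHub only exports this when the job has `id-token: write`. Without it
  # the github join method cannot obtain an OIDC token, so stop before
  # touching the runner's state rather than letting tbot fail later.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "teleport_setup: id-token: write permission is missing" >&2
    return 2
  fi
  # A PATH change made in this step does not survive into the next one;
  # later steps pick up directories appended to the $GITHUB_PATH file.
  echo "$bin_dir" >> "${GITHUB_PATH:?must be set by the runner}"
  # The same applies to env vars: append KEY=VALUE lines to $GITHUB_ENV.
  # TELEPORT_PROXY is read by tsh; TBOT_IDENTITY_DIR is a constructed name.
  {
    echo "TELEPORT_PROXY=$proxy"
    echo "TBOT_IDENTITY_DIR=$dest_dir"
  } >> "${GITHUB_ENV:?must be set by the runner}"
  # One-shot run: render the identity once into dest_dir and exit, the same
  # invocation the "Current Situation" workflow above types by hand.
  "${TBOT_BIN:-$bin_dir/tbot}" start -d --join-method=github --token="$token" \
    --auth-server="$proxy" --oneshot \
    --destination-dir="$dest_dir" --data-dir="$dest_dir/data"
}
```

Later steps can then run `tsh -i "$TBOT_IDENTITY_DIR/identity" ssh ...` with the proxy taken from TELEPORT_PROXY.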

strideynet commented 1 year ago

https://github.com/gravitational/teleport-actions

Initial action for cached installation of Teleport: https://github.com/gravitational/teleport-actions/pulls/2

strideynet commented 1 year ago

Initial setup action has now been merged/released. This allows the setup of the Teleport binaries, and attempts to use the GitHub cache.

I have completed a PoC building support into tbot for automatically configuring tsh and tctl with the generated identity file. This may be a suitable option other than using an Action for this functionality.

strideynet commented 1 year ago

Another use case - ease of setup of kubectl against a specific cluster.

strideynet commented 1 year ago

This ticket will be broken up and replaced by tickets on https://github.com/gravitational/teleport-actions for individual actions.