Let tctl make plugins #41038
Let tctl make plugins #41038
Conversation
api/types/constants.go
Outdated
| const ( | ||
| // HostedPluginLabel defines the name for the hosted plugin label. | ||
| // When this label is set to "true" on a Plugin resource, | ||
| // it indicates that the Plugin should be run by the Cloud service, | ||
| // rather than self-hosted plugin services. | ||
| HostedPluginLabel = TeleportNamespace + "/hosted-plugin" | ||
| ) | ||
|
|
||
| const ( | ||
| // OktaOrgURLLabel is the label used by Okta-managed resources to indicate | ||
| // the upstream Okta organization that they come from. | ||
| OktaOrgURLLabel = "okta/org" | ||
|
|
||
| // OktaCredPurposeLabel is used by Okta-managed PluginStaticCredentials to | ||
| // indicate their purpose | ||
| OktaCredPurposeLabel = "okta/purpose" | ||
|
|
||
| // OktaCredPurposeAuth indicates that the credential is intended for | ||
| // authenticating with the Okta REST API | ||
| OktaCredPurposeAuth = "okta-auth" | ||
|
|
||
| // OktaCredPurposeSCIMToken indicates that theis to be used for authenticating | ||
| // SCIM requests from the upstream organization. The content of the credential | ||
| // is a bcrypt hash of actual token. | ||
| OktaCredPurposeSCIMToken = "scim-bearer-token" | ||
| ) |
There was a problem hiding this comment.
All of these constants are defined in teleport.e. Is there a corresponding teleport.e PR that removes them from there and uses these?
There was a problem hiding this comment.
Not yet, but its on the way
There was a problem hiding this comment.
gravitational/teleport.e#4098
tool/tctl/common/plugins_command.go
Outdated
| Required(). | ||
| StringVar(&p.install.okta.apiToken) | ||
| p.install.okta.cmd. | ||
| Flag("saml-connector", "SAML connector to link to plugin"). |
There was a problem hiding this comment.
What does it mean to "link" connector? Will it try to create connector with this name, or somehow adopt an existing one? It's not clear from this description.
| }, | ||
| } | ||
|
|
||
| if _, err := args.plugins.CreatePlugin(ctx, req); err != nil { |
There was a problem hiding this comment.
Web UI doesn't let you create more than 1 instance of a hosted plugin, incl. Okta. How will this behave if you already have an Okta integration running?
And similarly, our UI prompts user to cleanup old Okta integration before creating a new one if it detects there are resources left from the previous instance of Okta integration. Does this behave the same way? @smallinsky should have details about it.
There was a problem hiding this comment.
Yes It should behave the same way and the cleanup step will be retuned in error message.
Co-authored-by: Roman Tkachenko <[email protected]> Co-authored-by: Jakub Nyckowski <[email protected]>
tool/tctl/common/plugins_command.go
Outdated
| if oktaSettings.samlConnector == "" { | ||
| return trace.BadParameter("SCIM support requires saml-connector to be set") | ||
| } |
There was a problem hiding this comment.
Why samlConnector is only validated when SCIM is enabled ?
Don't we reference to samlConnector in our okta sync flow ? For instance:
https://github.com/gravitational/teleport.e/blob/5012ca517540f8d1d44bda375fc5de0e8113e04a/lib/okta/synchronize.go#L640
There was a problem hiding this comment.
Ok, will just make it flat-out required
tool/tctl/common/plugins_command.go
Outdated
| } | ||
| } | ||
|
|
||
| if oktaSettings.samlConnector != "" { |
There was a problem hiding this comment.
if samlConnector was provided can we get the okta org from connector spec ?
There was a problem hiding this comment.
We can try it, and give a warning to set it explicitly if it can't be found. The App ID label is only guaranteed to be set if the SAML Connector was created though the Okta install flow; if it was created manually it may not exist.
tool/tctl/common/plugins_command.go
Outdated
| func (p *PluginsCommand) initInstall(parent *kingpin.CmdClause, config *servicecfg.Config) { | ||
| p.install.cmd = parent.Command("install", "Install new plugin instance") | ||
|
|
||
| p.install.okta.cmd = p.install.cmd.Command("okta", "Install an okta integration") |
There was a problem hiding this comment.
| p.install.okta.cmd = p.install.cmd.Command("okta", "Install an okta integration") | |
| p.install.okta.cmd = p.install.cmd.Command("okta", "Install an Okta integration") |
tool/tctl/common/plugins_command.go
Outdated
| fmt.Printf("Failed validating SAML connector: %v", err) | ||
| return trace.Wrap(err) |
There was a problem hiding this comment.
| fmt.Printf("Failed validating SAML connector: %v", err) | |
| return trace.Wrap(err) | |
| return trace.Wrap(err, "failed validating SAML connector") |
tool/tctl/common/plugins_command.go
Outdated
| fmt.Printf("Plugin creation failed: %v\n", err) | ||
| return trace.Wrap(err) |
There was a problem hiding this comment.
| fmt.Printf("Plugin creation failed: %v\n", err) | |
| return trace.Wrap(err) | |
| return trace.Wrap(err, "plugin creation failed") |
Co-authored-by: Roman Tkachenko <[email protected]>
Allows
tctlto install an Okta integration without having the user resort to crafting a PluginRequest in JSON. It's not as automated as the Web-based installer, but is a reasonable mid-point if you need more control over integration behaviour.Example:
Note: Currently defaults to
--sync--usersand--sync-groupsbeing enabled for parity with the Web-based installer, but I'm not wedded to it. Perhaps defaulting to "off" would be less surprising for a CLI.Full option set:
Also moves some constants (e.g. Okta plugin label names) from Enterprise to OSS where they can be seen from
tctl. A following PR will update the enterprse definitions to point back to the new constants created here.Changelog: Added support for creating Okta integrations in
tctl.