Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Teleterm: add support for access requesting kube namespaces #47347

Open
wants to merge 2 commits into
base: lisa/kube-namespace-3
Choose a base branch
from
Open

Teleterm: add support for access requesting kube namespaces #47347

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ed04815
Add request mode field to access capabilities
kimlisa Oct 8, 2024
65cb297
Add teleterm support for access requesting kube namespaces
kimlisa Oct 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
439 changes: 283 additions & 156 deletions gen/proto/go/teleport/lib/teleterm/v1/cluster.pb.go
View file
Open in desktop

Large diffs are not rendered by default.

138 changes: 137 additions & 1 deletion gen/proto/ts/teleport/lib/teleterm/v1/cluster_pb.ts
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions lib/teleterm/apiserver/handler/handler_clusters.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,7 @@ func newAPIRootClusterWithDetails(cluster *clusters.ClusterWithDetails) (*api.Cl
}
apiCluster.LoggedInUser.RequestableRoles = cluster.RequestableRoles
apiCluster.LoggedInUser.SuggestedReviewers = cluster.SuggestedReviewers
apiCluster.LoggedInUser.RequestMode = cluster.RequestMode
apiCluster.AuthClusterId = cluster.AuthClusterID
apiCluster.LoggedInUser.Acl = cluster.ACL
userType, err := clusters.UserTypeFromString(cluster.UserType)
Expand Down
26 changes: 20 additions & 6 deletions lib/teleterm/clusters/cluster.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,8 @@ type ClusterWithDetails struct {
ProxyVersion string
// ShowResources tells if the cluster can show requestable resources on the resources page.
ShowResources constants.ShowResources
// RequestMode defines access request mode for specific resources.
RequestMode *api.AccessRequestMode
}

// Connected indicates if connection to the cluster can be established
Expand Down Expand Up @@ -194,17 +196,29 @@ func (c *Cluster) GetWithDetails(ctx context.Context, authClient authclient.Clie
Cluster: c,
SuggestedReviewers: caps.SuggestedReviewers,
RequestableRoles: caps.RequestableRoles,
Features: authPingResponse.ServerFeatures,
AuthClusterID: authClusterID,
ACL: acl,
UserType: user.GetUserType(),
ProxyVersion: clusterPingResponse.ServerVersion,
ShowResources: webConfig.UI.ShowResources,
RequestMode: &api.AccessRequestMode{
KubernetesResources: makeKubernetesRequestMode(caps.RequestMode.KubernetesResources),
},
Features: authPingResponse.ServerFeatures,
AuthClusterID: authClusterID,
ACL: acl,
UserType: user.GetUserType(),
ProxyVersion: clusterPingResponse.ServerVersion,
ShowResources: webConfig.UI.ShowResources,
}

return withDetails, nil
}

func makeKubernetesRequestMode(resources []types.RequestModeKubernetesResource) []*api.RequestModeKubernetesResource {
apiResources := make([]*api.RequestModeKubernetesResource, 0, len(resources))
for _, resource := range resources {
apiResources = append(apiResources, &api.RequestModeKubernetesResource{Kind: resource.Kind})
}

return apiResources
}

func convertToAPIResourceAccess(access services.ResourceAccess) *api.ResourceAccess {
return &api.ResourceAccess{
List: access.List,
Expand Down
17 changes: 17 additions & 0 deletions proto/teleport/lib/teleterm/v1/cluster.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,21 @@
SHOW_RESOURCES_ACCESSIBLE_ONLY = 2;
}

// RequestModeKubernetesResources is the Kubernetes resource identifier used
// in access request mode settings.

Check failure on line 74 in proto/teleport/lib/teleterm/v1/cluster.proto

View workflow job for this annotation

GitHub Actions / Lint (Proto) 

Previously present field "9" with name "request_mode" on message "LoggedInUser" was deleted without reserving the name "request_mode".

Check failure on line 74 in proto/teleport/lib/teleterm/v1/cluster.proto

View workflow job for this annotation

GitHub Actions / Lint (Proto) 

Previously present field "9" with name "request_mode" on message "LoggedInUser" was deleted without reserving the number "9".
// Modeled after existing message KubernetesResource.
message RequestModeKubernetesResource {
// Kind specifies the Kubernetes Resource type.
string kind = 1;
}

// AccessRequestMode describes request mode settings for applicable resources.
message AccessRequestMode {
// KubernetesResources defines which Kubernetes subresources a user can
// request during request creation.
repeated RequestModeKubernetesResource kubernetes_resources = 1;
}

// LoggedInUser describes a logged-in user
message LoggedInUser {
// name is the user name
Expand Down Expand Up @@ -97,6 +112,8 @@
USER_TYPE_SSO = 2;
}
UserType user_type = 8;
// RequestMode defines what resource kinds a user can request for applicable resources.
AccessRequestMode request_mode = 9;
}

// ACL is the access control list of the user
Expand Down
14 changes: 14 additions & 0 deletions web/packages/shared/components/AccessRequests/NewRequest/kube.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
import { KubeResourceKind } from 'teleport/services/kube';

import { PendingListItem } from './RequestCheckout';
import { RequestableResourceKind } from './resource';

export type KubeNamespaceRequest = {
kubeCluster: string;
Expand Down Expand Up @@ -78,3 +79,16 @@ export function getKubeResourceRequestMode(
disableCheckoutFromKubeRestrictions,
};
}

export function requiresKubeResourceSelection({
dryRun,
requestMode,
kind,
}: {
dryRun: boolean;
requestMode: KubeResourceKind[];
kind: RequestableResourceKind;
}) {
const requiresKubeResourceSelection = requestMode.length > 0;
return dryRun && kind === 'kube_cluster' && requiresKubeResourceSelection;
}
42 changes: 29 additions & 13 deletions web/packages/teleterm/src/ui/AccessRequestCheckout/AccessRequestCheckout.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ import * as Icon from 'design/Icon';
import { pluralize } from 'shared/utils/text';

import { RequestCheckoutWithSlider } from 'shared/components/AccessRequests/NewRequest';
import { excludeKubeClusterWithNamespaces } from 'shared/components/AccessRequests/NewRequest/kube';

import useAccessRequestCheckout from './useAccessRequestCheckout';
import { AssumedRolesBar } from './AssumedRolesBar';
Expand Down Expand Up @@ -102,6 +103,9 @@ export function AccessRequestCheckout() {
pendingRequestTtlOptions,
startTime,
onStartTimeChange,
fetchKubeNamespaces,
bulkToggleKubeResources,
allowedKubeSubresourceKinds,
} = useAccessRequestCheckout();

const isRoleRequest = data[0]?.kind === 'role';
Expand All @@ -110,12 +114,21 @@ export function AccessRequestCheckout() {
setShowCheckout(false);
}

const filteredData = data?.filter(d =>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we the need optional chaining here.

excludeKubeClusterWithNamespaces(d, data)
);

const numAddedResources = filteredData?.length;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And here.


// We should rather detect how much space we have,
// but for simplicity we only count items.
const moreToShow = Math.max(data.length - MAX_RESOURCES_IN_BAR_TO_SHOW, 0);
const moreToShow = Math.max(
filteredData.length - MAX_RESOURCES_IN_BAR_TO_SHOW,
0
);
return (
<>
{data.length > 0 && !isCollapsed() && (
{filteredData.length > 0 && !isCollapsed() && (
<Box
px={3}
py={2}
Expand All @@ -133,17 +146,22 @@ export function AccessRequestCheckout() {
>
<Flex flexDirection="column" minWidth={0}>
<Text mb={1}>
{data.length}{' '}
{pluralize(data.length, isRoleRequest ? 'role' : 'resource')}{' '}
{numAddedResources}{' '}
{pluralize(
numAddedResources,
isRoleRequest ? 'role' : 'resource'
)}{' '}
added to access request:
</Text>
<Flex gap={1} flexWrap="wrap">
{data
{filteredData
.slice(0, MAX_RESOURCES_IN_BAR_TO_SHOW)
.map(c => {
let resource = {
name: c.name,
key: `${c.clusterName}-${c.kind}-${c.id}`,
name: c.subResourceName
? `${c.id}/${c.subResourceName}`
: c.name,
key: `${c.clusterName}-${c.kind}-${c.id}-${c.subResourceName}`,
Icon: undefined,
};
switch (c.kind) {
Expand All @@ -158,6 +176,7 @@ export function AccessRequestCheckout() {
resource.Icon = Icon.Database;
break;
case 'kube_cluster':
case 'namespace':
resource.Icon = Icon.Kubernetes;
break;
case 'role':
Expand Down Expand Up @@ -259,12 +278,9 @@ export function AccessRequestCheckout() {
setPendingRequestTtl={setPendingRequestTtl}
startTime={startTime}
onStartTimeChange={onStartTimeChange}
// TODO: these are placeholders to satisy linters.
// There is a split PR that handles teleterm support
// that will be merged right after this one (once both are approved)
bulkToggleKubeResources={() => null}
fetchKubeNamespaces={() => null}
allowedKubeSubresourceKinds={[]}
fetchKubeNamespaces={fetchKubeNamespaces}
bulkToggleKubeResources={bulkToggleKubeResources}
allowedKubeSubresourceKinds={allowedKubeSubresourceKinds}
/>
)}
</Transition>
Expand Down
Loading
Loading