Add teleport-update binary scaffolding and disable command #46418
Conversation
|
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with |
sclevine
added
the
no-changelog
|
AFAIK there were some concerns about new binaries that had a name that had |
tool/teleport-update/main.go
Outdated
| Proxy: func(req *http.Request) (*url.URL, error) { | ||
| return httpproxy.FromEnvironment().ProxyFunc()(req.URL) | ||
| }, |
There was a problem hiding this comment.
Do we gain much from using x/net/http/httpproxy over just http.ProxyFromEnvironment?
There was a problem hiding this comment.
I copied the webclient for consistency:
teleport/api/client/webclient/webclient.go
Lines 92 to 112 in f2b0d11
Would you prefer I use http.ProxyFromEnvironment instead?
There was a problem hiding this comment.
We should definitely update the webclient too, that's quite inefficient - the standard library uses a sync.Once to store the returned ProxyFunc() from the vendored copy of x/net/http/httpproxy.
FWIW I would just take the lib/defaults.Transport() and add the TLSClientConfig to it unless there's a reason to avoid that.
There was a problem hiding this comment.
The webclient uses tracehttp -- should I avoid that?
There was a problem hiding this comment.
Switched to the defaults transport to merge -- let me know if I should bring tracehttp back in the future. Not sure If we need the telemetry provided by that package.
tool/teleport-update/main.go
Outdated
|
|
||
| app := libutils.InitCLIParser("teleport-updater", appHelp).Interspersed(false) | ||
| app.Flag("debug", "Verbose logging to stdout.").Short('d').BoolVar(&ccfg.Debug) | ||
| app.Flag("data-dir", "Directory to store teleport versions. Access to this directory should be limited.").StringVar(&ccfg.DataDir) |
There was a problem hiding this comment.
I'd prefer the config file to be an option (containing the path to a data dir) rather than the data dir being an option and the config file being in a fixed position in the data dir, but that's sort of a matter of style.
There was a problem hiding this comment.
From an end-user perspective, this should always be the equivalent of /var/lib/teleport. Users shouldn't have to worry about multiple data directories. The directory is shared with Teleport, because there is (limited) interaction between the tools (e.g., DB backups, host UUID)
Additionally, the data directory contains more than just the config file (e.g., teleport versions, DB backups, DB metadata files).
|
Thanks for catching this @espadolini. It's probably not a huge issue here if we throughly test all releases and processes (dev workflows, releases, etc.) first. I was apprehensive about this with fdpass because we were on a very fast timetable and it added unnecessary risk. |
|
@hugoShaka mind giving this another review? |
sclevine
force-pushed
the
sclevine/teleport-update-scaffold
branch
from
3e7b2e2
to
02476f1
Compare
|
Looking for an additional review 🙂 |
tool/teleport-update/main.go
Outdated
| Proxy: func(req *http.Request) (*url.URL, error) { | ||
| return httpproxy.FromEnvironment().ProxyFunc()(req.URL) | ||
| }, |
There was a problem hiding this comment.
We should definitely update the webclient too, that's quite inefficient - the standard library uses a sync.Once to store the returned ProxyFunc() from the vendored copy of x/net/http/httpproxy.
FWIW I would just take the lib/defaults.Transport() and add the TLSClientConfig to it unless there's a reason to avoid that.
public-teleport-github-review-bot
bot
removed request for
vapopov and
capnspacehook
sclevine
force-pushed
the
sclevine/teleport-update-scaffold
branch
from
1c1e7d5
to
9cfde07
Compare
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
* Add main.go * wip * group flag * wip * wip * mvp * wip * separate files * cleanup * jitter * scaffold only * remove teleport changes * remove teleport changes - group * test * test lock * remove edition * feedback * clarify default data dir * cleanup * move version to status * consistent naming for update.yaml * improve lock test * explain lint * use shared locking logic * fix test * Move disable logic to lib * feedback * switch to default transport
This PR contains scaffolding and config file management for the
teleport-updatebinary described by #40190.The
teleport-updatebinary will be used to enable, disable, and trigger automatic Teleport agent updates. The new auto-updates system manages a local installation of the cluster-specified version of Teleport stored in/var/lib/teleport/versions.This is the first in a series of PRs extracted and tested from this proof-of-concept: #46357
The
disablecommand is not useful withoutenable, but it is implemented to drive out configuration management.RFD: #47126
Goal (internal): https://github.com/gravitational/cloud/issues/10289
Example: