From 088b335f452b32d95ab874df9fa82302a249349d Mon Sep 17 00:00:00 2001
From: Mark McCormick
Date: Tue, 3 Dec 2024 01:32:07 +0000
Subject: [PATCH] Migrate teleport package to use go/build (#35267)
The teleport build was leveraging the upstream projects make build, to produce the binaries. This meant we were missing binary optimisations by not leveraging our own go/build pipeline. The changes in this PR flip the package over to using go/build for the various components.
---------
Signed-off-by: Mark McCormick
Co-authored-by: Dimitri John Ledkov <19779+xnox@users.noreply.github.com>
---
 teleport.yaml | 174 +++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 150 insertions(+), 24 deletions(-)
diff --git a/teleport.yaml b/teleport.yaml
index eedc9282074..fc723743cc1 100644
--- a/teleport.yaml
+++ b/teleport.yaml
@@ -1,6 +1,6 @@ package: name: teleport
- version: 17.0.1
+ version: 17.0.2 epoch: 0 description: The easiest, and most secure way to access and protect all of your infrastructure. copyright:
@@ -18,6 +18,7 @@ environment: - build-base - busybox - ca-certificates-bundle
+ - cargo-auditable - corepack - go - node-gyp
@@ -26,6 +27,7 @@ environment: - openssl-dev - pnpm - python3
+ - rust - rustup - wasm-pack - yarn
@@ -35,7 +37,7 @@ pipeline: - uses: git-checkout with: repository: https://github.com/gravitational/teleport
- expected-commit: dc5837102a82fdfc4807a8c760839f4ca4be08a9
+ expected-commit: a5c84e4b74f1da43a44bd6c18ae184f612fb26f6 tag: v${{package.version}} - uses: go/bump
@@ -43,24 +45,38 @@ pipeline: deps: github.com/golang-jwt/jwt/v4@v4.5.1 - runs: |
- # https://github.com/gravitational/teleport#building-teleport mkdir -p "${{targets.contextdir}}"/var/lib/teleport mkdir -p "${{targets.contextdir}}"/usr/local/bin
- # This build requires the stable version of rust, managed by rustup, because it requires a few other toolchains too. rustup install stable
+ rustup default stable
+ ARCH=$(uname -m)
+ export PATH="$HOME/.rustup/toolchains/stable-${ARCH}-unknown-linux-gnu/bin:$PATH" rustup target add wasm32-unknown-unknown
- # This is a bit of a hack, but it's the easiest way to get the right version of rustc and cargo in the path.
- export PATH="$HOME/.rustup/toolchains/stable-${{host.triplet.rust}}/bin:$PATH"
- make full
+ pnpm config set package-import-method copy
- # create me a for loop that iterates over the binaries in build/
- # and installs them to "${{targets.contextdir}}"/usr/local/bin
- for bin in build/*; do
- echo "Installing $bin to /usr/local/bin"
- install -Dm755 $bin -t "${{targets.contextdir}}"/usr/local/bin
- done
+ # Install dependencies and build web assets
+ make ensure-js-deps
+ make ensure-webassets
+
+ - uses: go/build
+ with:
+ packages: ./tool/teleport
+ prefix: usr/local
+ output: ./
+ tags: webassets_embed,kustomize_disable_go_plugin_support
+
+ - uses: go/build
+ with:
+ packages: ./tool/tctl ./tool/tsh ./tool/tbot ./tool/teleport-update
+ prefix: usr/local
+ output: ./
+ tags: kustomize_disable_go_plugin_support
+
+ - runs: |
+ cd tool/fdpass-teleport && cargo auditable build --release --locked
+ install -Dm755 target/release/fdpass-teleport "${{targets.contextdir}}"/usr/local/bin/ - uses: strip
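Review bot: `rustup install stable` and `rustup default stable` still resolve "stable" over the network at build time, and the new `export PATH="$HOME/.rustup/toolchains/stable-${ARCH}-unknown-linux-gnu/bin:$PATH"` places that toolchain ahead of the `rust` package this commit adds to the environment, so the wasm assets and the `cargo auditable build --release --locked` of fdpass-teleport are compiled by an unpinned compiler that changes from build to build and is not what the package's own dependency list says. Pin it (`rustup install <pinned-rust-version>` with the version tracked in the package file) or build fdpass-teleport with the packaged cargo and keep rustup only for the `wasm32-unknown-unknown` target, if the packaged rust cannot supply that target. `ARCH=$(uname -m)` now hardcodes the `-unknown-linux-gnu` suffix that `${{host.triplet.rust}}` previously supplied; a comment such as `# rustup names toolchains by host triple; derive it from uname -m` would make that intent clear. In the last runs step the `cd tool/fdpass-teleport` changes the working directory for the following `install` line, which is why its `target/release/...` path is relative; `# cwd is tool/fdpass-teleport from here on` would save the next reader a double take.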
@@ -75,18 +91,10 @@ test: contents: packages: - wait-for-it
+ - curl pipeline:
- - runs: |
- teleport configure -o file
- teleport start -c /etc/teleport.yaml &
-
- # wait for teleport to start :3080
- wait-for-it localhost:3080 -t 10
-
- echo "Teleport is running on port 3080!"
-
- # create a user
- tctl get roles --format=text
+ - name: Check binary versions
+ runs: | tbot version tbot --help tctl version
@@ -95,3 +103,121 @@ test: teleport --help tsh version tsh --help
+ - name: Test auth service and tctl
+ runs: |
+ #!/bin/bash
+ set -e
+
+ # Create required directories
+ mkdir -p /tmp/teleport
+ mkdir -p /var/lib/teleport
+
+ # Create minimal config file for auth server
+ cat <<-EOF > /tmp/teleport-auth.yaml
+ version: v3
+ teleport:
+ data_dir: /tmp/teleport
+ log:
+ output: stderr
+ severity: DEBUG
+ auth_service:
+ enabled: "yes"
+ cluster_name: "test-cluster"
+ listen_addr: 127.0.0.1:3025
+ tokens:
+ - "proxy,node:test123"
+ proxy_service:
+ enabled: "no"
+ ssh_service:
+ enabled: "no"
+ EOF
+
+ # Initialize auth server with static UUID for tctl
+ echo "00000000-0000-0000-0000-000000000000" > /var/lib/teleport/host_uuid
+ chmod 644 /var/lib/teleport/host_uuid
+
+ # Start auth server
+ teleport start --config=/tmp/teleport-auth.yaml --roles=auth &
+ AUTH_PID=$!
+
+ # Wait for auth server
+ wait-for-it 127.0.0.1:3025 -t 30 || (kill $AUTH_PID; exit 1)
+
+ # Give auth server time to initialize
+ sleep 5
+
+ # Test tctl
+ TCTL_CONFIG=$(base64 /tmp/teleport-auth.yaml)
+ TELEPORT_CONFIG="$TCTL_CONFIG" tctl get roles --format=text
+
+ echo "Auth service test successful!"
+ kill $AUTH_PID
+ - name: Test proxy service
+ runs: |
+ #!/bin/bash
+ set -e
+
+ # Create required directories
+ mkdir -p /tmp/teleport-auth /tmp/teleport-proxy
+
+ # Create auth server config
+ cat <<-EOF > /tmp/teleport-auth.yaml
+ version: v3
+ teleport:
+ data_dir: /tmp/teleport-auth
+ log:
+ output: stderr
+ severity: DEBUG
+ auth_service:
+ enabled: "yes"
+ cluster_name: "test-cluster"
+ listen_addr: 127.0.0.1:3025
+ tokens:
+ - "proxy,node:test123"
+ proxy_service:
+ enabled: "no"
+ ssh_service:
+ enabled: "no"
+ EOF
+
+ # Create proxy config
+ cat <<-EOF > /tmp/teleport-proxy.yaml
+ version: v3
+ teleport:
+ data_dir: /tmp/teleport-proxy
+ auth_token: "test123"
+ auth_server: "127.0.0.1:3025"
+ proxy_service:
+ enabled: "yes"
+ web_listen_addr: "127.0.0.1:3080"
+ listen_addr: "127.0.0.1:3023"
+ auth_service:
+ enabled: "no"
+ ssh_service:
+ enabled: "no"
+ EOF
+
+ # Start auth server
+ teleport start --config=/tmp/teleport-auth.yaml --roles=auth &
+ AUTH_PID=$!
+
+ # Wait for auth server
+ wait-for-it 127.0.0.1:3025 -t 30 || (kill $AUTH_PID; exit 1)
+
+ # Start proxy
+ teleport start --config=/tmp/teleport-proxy.yaml --roles=proxy &
+ PROXY_PID=$!
+
+ # Wait for proxy
+ wait-for-it 127.0.0.1:3080 -t 30 || (kill $AUTH_PID $PROXY_PID; exit 1)
+
+ # Test proxy web interface with HTTPS
+ HTTP_CODE=$(curl -k -s -o /dev/null -w "%{http_code}" https://127.0.0.1:3080/webapi/ping)
+ if [ "$HTTP_CODE" != "200" ]; then
+ echo "Proxy web interface test failed with HTTP code: $HTTP_CODE"
+ kill $AUTH_PID $PROXY_PID
+ exit 1
+ fi
+
+ echo "Proxy test successful!"
+ kill $AUTH_PID $PROXY_PID
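Review bot: Both new test steps leak their background `teleport start` processes on the failure path: under `set -e`, a non-zero exit from `tctl get roles --format=text` or from the `curl` line aborts the step before the trailing `kill $AUTH_PID` / `kill $AUTH_PID $PROXY_PID` runs, and the `|| (kill $AUTH_PID; exit 1)` guards only work because the subshell's `exit 1` fails the `||` list (the `exit` itself never leaves the parent shell). A `trap 'kill $AUTH_PID ${PROXY_PID:-} 2>/dev/null || true' EXIT` placed right after the PIDs are captured would guarantee cleanup in every path and let the scattered kill lines go, which matters if the steps share a process namespace and the second step's auth server has to bind 127.0.0.1:3025 again. The `sleep 5` after wait-for-it is a timing assumption; polling the tctl call in a bounded loop would be less flaky. `base64` without a no-wrap option line-wraps long input, so `TELEPORT_CONFIG` carries embedded newlines — presumably tctl's decoder tolerates that, but it is worth confirming. The `<<-EOF` heredocs strip leading tabs only, so the generated config files keep their space indentation; harmless here since every line shares the same indent, but plain `<<EOF` would say what actually happens.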