diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 837fc614..c9c3763c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -87,6 +87,7 @@ jobs:
 run: ./scripts/get-baton.sh && mv baton /usr/local/bin
 - name: Get baton resources
 run: baton resources
+
 - name: Grant entitlement
 if: env.CONNECTOR_ENTITLEMENT != '' && env.CONNECTOR_PRINCIPAL != '' && env.CONNECTOR_PRINCIPAL_TYPE != ''
 run: |
diff --git a/.github/workflows/example-workflow.yaml b/.github/workflows/example-workflow.yaml
new file mode 100644
index 00000000..24ee5efe
--- /dev/null
+++ b/.github/workflows/example-workflow.yaml
@@ -0,0 +1,52 @@
+# This is a basic workflow to help you get started.
+# It will take the following action whenever a push is made to the "main" branch.
+on:
+ push:
+ branches:
+ - auth
+jobs:
+ demo:
+ permissions:
+ # The "id-token: write" permission is required or Machine ID will not be
+ # able to authenticate with the cluster.
+ id-token: write
+ contents: read
+ # The name of the workflow, and the Linux distro to be used to perform the
+ # required steps.
+ name: example
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ - name: Fetch Teleport binaries
+ uses: teleport-actions/setup@v1
+ with:
+ version: 16.4.6
+ - name: Fetch credentials using Machine ID
+ id: auth
+ uses: teleport-actions/auth@v2
+ with:
+ # Use the address of the auth/proxy server for your own cluster.
+ proxy: conductorone.teleport.sh:443
+ # Use the name of the join token resource you created in step 1.
+ token: example-token
+ # Specify the length of time that the generated credentials should be
+ # valid for. This is optional and defaults to "1h"
+ certificate-ttl: 1h
+ # Enable the submission of anonymous usage telemetry. This
+ # helps us shape the future development of `tbot`. You can disable this
+ # by omitting this.
+ anonymous-telemetry: 1
+ - name: List nodes (tsh)
+ # Enters a command from the cluster, in this case "tsh ls" using Machine
+ # ID credentials to list remote SSH nodes.
+ run: tsh ls
+ - name: List nodes (tctl)
+ run: tctl nodes ls
+ - name: Run hostname via SSH (tsh)
+ # Ensure that `root` matches the username of a remote SSH username, and
+ # that hostname matches an SSH host name that is a part of the Teleport
+ # cluster configured for access.
+ run: tsh ssh root@38362a9e9008 hostname
+ - name: Run hostname via SSH (OpenSSH)
+ run: ssh -F ${{ steps.auth.outputs.ssh-config }} root@38362a9e9008.conductorone.teleport.sh hostname
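Review bot: Every third-party action in this workflow (`actions/checkout@v3`, `teleport-actions/setup@v1`, `teleport-actions/auth@v2`) is pinned to a mutable tag while the job holds `id-token: write`, so a retagged or compromised action release would run with access to the OIDC token and the Machine ID credentials it is exchanged for; pin each step to a full commit SHA and keep the tag as a comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`. The same applies to the checkout and setup steps in the .github/workflows/tbot.yaml hunk later in this diff. The header comment says the workflow runs on pushes to the "main" branch, but `on.push.branches` lists only `auth`; update the comment or the trigger so they agree. The two SSH steps run `hostname` as `root` on a hard-coded host; since this file is presented as an example to copy, a dedicated low-privilege login is the safer default to demonstrate.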
diff --git a/.github/workflows/tbot.yaml b/.github/workflows/tbot.yaml
new file mode 100644
index 00000000..57206ba0
--- /dev/null
+++ b/.github/workflows/tbot.yaml
@@ -0,0 +1,34 @@
+# This is a basic workflow to help you get started.
+# It will take the following action whenever a push is made to the "main" branch.
+on:
+ push:
+ branches:
+ - auth
+ - main
+jobs:
+ demo:
+ permissions:
+ # The "id-token: write" permission is required or Machine ID will not be
+ # able to authenticate with the cluster.
+ id-token: write
+ contents: read
+ # The name of the workflow, and the Linux distro to be used to perform the
+ # required steps.
+ name: tbot auth
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Fetch Teleport binaries
+ uses: teleport-actions/setup@v1
+ with:
+ version: 16.4.6
+
+ - name: Execute Machine ID
+ env:
+ # TELEPORT_ANONYMOUS_TELEMETRY enables the submission of anonymous
+ # usage telemetry. This helps us shape the future development of
+ # tbot. You can disable this by omitting this.
+ TELEPORT_ANONYMOUS_TELEMETRY: 1
+ run: tbot start -c ./tbot.yaml --oneshot
diff --git a/tbot.yaml b/tbot.yaml
new file mode 100644
index 00000000..4bdb8de5
--- /dev/null
+++ b/tbot.yaml
@@ -0,0 +1,10 @@
+version: v2
+proxy_server: conductorone.teleport.sh:443
+onboarding:
+ join_method: github
+ token: example-token
+oneshot: true
+storage:
+ type: memory
+# outputs will be filled in during the completion of an access guide.
+outputs: []
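Review bot: `TELEPORT_ANONYMOUS_TELEMETRY: 1` in the Execute Machine ID step is an unquoted YAML integer in an `env:` block whose values are environment-variable strings; write it as `TELEPORT_ANONYMOUS_TELEMETRY: "1"` so the type is explicit (the same applies to `anonymous-telemetry: 1` in example-workflow.yaml). The header comment states the workflow fires on pushes to the "main" branch, but `on.push.branches` lists `auth` and `main`; because every push to either branch mints Machine ID credentials through `id-token: write`, the comment should name both branches, or the `auth` entry should be removed once work on that branch is finished. A one-line comment above `run:` stating that `--oneshot` exits after producing the configured outputs and that `./tbot.yaml` is read from the checked-out repository would help readers see why the checkout step is required.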
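Review bot: `token: example-token` together with `outputs: []` leaves tbot.yaml as a scaffold that joins the cluster and then writes nothing, and the trailing comment only says outputs come later; the comment should also record what the named join token has to enforce on the Teleport side, e.g. `# The join token must restrict which repository (and ideally which refs) may join with this config.` Whether such restrictions exist is not visible from this diff. `proxy_server: conductorone.teleport.sh:443` is a plain scalar with an embedded colon; it parses as a string because no space follows the colon, but quoting it as `proxy_server: "conductorone.teleport.sh:443"` removes the dependence on that parser rule.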