GitHub proxy part 2.5: git_server cache (#49564)

* GitHub proxy part 2.5: git_server cache

* revert event

* fix getAll

* review comments

api/client/client.go

@@ -55,6 +55,7 @@ import (
 	"github.com/gravitational/teleport/api/client/discoveryconfig"
 	"github.com/gravitational/teleport/api/client/dynamicwindows"
 	"github.com/gravitational/teleport/api/client/externalauditstorage"
+	gitserverclient "github.com/gravitational/teleport/api/client/gitserver"
 	kubewaitingcontainerclient "github.com/gravitational/teleport/api/client/kubewaitingcontainer"
 	"github.com/gravitational/teleport/api/client/okta"
 	"github.com/gravitational/teleport/api/client/proto"
@@ -77,7 +78,7 @@ import (
 	discoveryconfigv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/discoveryconfig/v1"
 	dynamicwindowsv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/dynamicwindows/v1"
 	externalauditstoragev1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/externalauditstorage/v1"
-	gitserverv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/gitserver/v1"
+	gitserverpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/gitserver/v1"
 	identitycenterv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/identitycenter/v1"
 	integrationpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/integration/v1"
 	kubeproto "github.com/gravitational/teleport/api/gen/proto/go/teleport/kube/v1"
@@ -4939,8 +4940,8 @@ func (c *Client) UserTasksServiceClient() *usertaskapi.Client {
 }
 
 // GitServerClient returns a client for managing git servers
-func (c *Client) GitServerClient() gitserverv1.GitServerServiceClient {
-	return gitserverv1.NewGitServerServiceClient(c.conn)
+func (c *Client) GitServerClient() *gitserverclient.Client {
+	return gitserverclient.NewClient(gitserverpb.NewGitServerServiceClient(c.conn))
 }
 
 // GetCertAuthority retrieves a CA by type and domain.

api/client/gitserver/gitserver.go

@@ -0,0 +1,125 @@
+// Copyright 2024 Gravitational, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package gitserver
+
+import (
+	"context"
+
+	"github.com/gravitational/trace"
+
+	gitserverv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/gitserver/v1"
+	"github.com/gravitational/teleport/api/types"
+)
+
+// Client is an Git servers client.
+type Client struct {
+	grpcClient gitserverv1.GitServerServiceClient
+}
+
+// NewClient creates a new Git servers client.
+func NewClient(grpcClient gitserverv1.GitServerServiceClient) *Client {
+	return &Client{
+		grpcClient: grpcClient,
+	}
+}
+
+// GetGitServer returns Git servers by name.
+func (c *Client) GetGitServer(ctx context.Context, name string) (types.Server, error) {
+	server, err := c.grpcClient.GetGitServer(ctx, &gitserverv1.GetGitServerRequest{Name: name})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return server, nil
+}
+
+// ListGitServers returns all Git servers matching filter.
+func (c *Client) ListGitServers(ctx context.Context, pageSize int, pageToken string) ([]types.Server, string, error) {
+	resp, err := c.grpcClient.ListGitServers(ctx, &gitserverv1.ListGitServersRequest{
+		PageSize:  int32(pageSize),
+		PageToken: pageToken,
+	})
+	if err != nil {
+		return nil, "", trace.Wrap(err)
+	}
+
+	servers := make([]types.Server, 0, len(resp.Servers))
+	for _, server := range resp.Servers {
+		servers = append(servers, server)
+	}
+	return servers, resp.NextPageToken, nil
+}
+
+func toServerV2(server types.Server) (*types.ServerV2, error) {
+	serverV2, ok := server.(*types.ServerV2)
+	if !ok {
+		return nil, trace.Errorf("encountered unexpected server type: %T", serverV2)
+	}
+	return serverV2, nil
+}
+
+// CreateGitServer creates a Git server resource.
+func (c *Client) CreateGitServer(ctx context.Context, item types.Server) (types.Server, error) {
+	serverV2, err := toServerV2(item)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	resp, err := c.grpcClient.CreateGitServer(ctx, &gitserverv1.CreateGitServerRequest{
+		Server: serverV2,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
+// UpdateGitServer updates a Git server resource.
+func (c *Client) UpdateGitServer(ctx context.Context, item types.Server) (types.Server, error) {
+	serverV2, err := toServerV2(item)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	resp, err := c.grpcClient.UpdateGitServer(ctx, &gitserverv1.UpdateGitServerRequest{
+		Server: serverV2,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
+// UpsertGitServer updates a Git server resource, creating it if it doesn't exist.
+func (c *Client) UpsertGitServer(ctx context.Context, item types.Server) (types.Server, error) {
+	serverV2, err := toServerV2(item)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	resp, err := c.grpcClient.UpsertGitServer(ctx, &gitserverv1.UpsertGitServerRequest{
+		Server: serverV2,
+	})
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+	return resp, nil
+}
+
+// DeleteGitServer removes the specified Git server resource.
+func (c *Client) DeleteGitServer(ctx context.Context, name string) error {
+	_, err := c.grpcClient.DeleteGitServer(ctx, &gitserverv1.DeleteGitServerRequest{Name: name})
+	return trace.Wrap(err)
+}
+
+// DeleteAllGitServers removes all Git server resources.
+func (c *Client) DeleteAllGitServers(ctx context.Context) error {
+	return trace.NotImplemented("DeleteAllGitServers servers not implemented")
+}

lib/auth/accesspoint/accesspoint.go

@@ -110,6 +110,7 @@ type Config struct {
 	ProvisioningStates      services.ProvisioningStates
 	IdentityCenter          services.IdentityCenter
 	PluginStaticCredentials services.PluginStaticCredentials
+	GitServers              services.GitServers
 }
 
 func (c *Config) CheckAndSetDefaults() error {
@@ -209,6 +210,7 @@ func NewCache(cfg Config) (*cache.Cache, error) {
 		ProvisioningStates:      cfg.ProvisioningStates,
 		IdentityCenter:          cfg.IdentityCenter,
 		PluginStaticCredentials: cfg.PluginStaticCredentials,
+		GitServers:              cfg.GitServers,
 	}
 
 	return cache.New(cfg.Setup(cacheCfg))

lib/auth/authclient/clt.go

@@ -35,6 +35,7 @@ import (
 	"github.com/gravitational/teleport/api/client/databaseobject"
 	"github.com/gravitational/teleport/api/client/dynamicwindows"
 	"github.com/gravitational/teleport/api/client/externalauditstorage"
+	"github.com/gravitational/teleport/api/client/gitserver"
 	"github.com/gravitational/teleport/api/client/proto"
 	"github.com/gravitational/teleport/api/client/secreport"
 	"github.com/gravitational/teleport/api/client/usertask"
@@ -43,7 +44,6 @@ import (
 	clusterconfigpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1"
 	dbobjectimportrulev1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/dbobjectimportrule/v1"
 	devicepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/devicetrust/v1"
-	gitserverv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/gitserver/v1"
 	identitycenterv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/identitycenter/v1"
 	integrationv1 "github.com/gravitational/teleport/api/gen/proto/go/teleport/integration/v1"
 	loginrulepb "github.com/gravitational/teleport/api/gen/proto/go/teleport/loginrule/v1"
@@ -1893,5 +1893,5 @@ type ClientI interface {
 	ProvisioningServiceClient() provisioningv1.ProvisioningServiceClient
 
 	// GitServerClient returns git server client.
-	GitServerClient() gitserverv1.GitServerServiceClient
+	GitServerClient() *gitserver.Client
 }

lib/auth/helpers.go

@@ -372,6 +372,7 @@ func NewTestAuthServer(cfg TestAuthServerConfig) (*TestAuthServer, error) {
 			WindowsDesktops:         svces.WindowsDesktops,
 			DynamicWindowsDesktops:  svces.DynamicWindowsDesktops,
 			PluginStaticCredentials: svces.PluginStaticCredentials,
+			GitServers:              svces.GitServers,
 		})
 		if err != nil {
 			return nil, trace.Wrap(err)

lib/cache/cache.go

@@ -103,6 +103,7 @@ var highVolumeResources = map[string]struct{}{
 	types.KindWindowsDesktopService: {},
 	types.KindKubeServer:            {},
 	types.KindDatabaseObject:        {},
+	types.KindGitServer:             {},
 }
 
 func isHighVolumeResource(kind string) bool {
@@ -200,6 +201,7 @@ func ForAuth(cfg Config) Config {
 		{Kind: types.KindIdentityCenterAccountAssignment},
 		{Kind: types.KindWorkloadIdentity},
 		{Kind: types.KindPluginStaticCredentials},
+		{Kind: types.KindGitServer},
 	}
 	cfg.QueueSize = defaults.AuthQueueSize
 	// We don't want to enable partial health for auth cache because auth uses an event stream
@@ -257,6 +259,7 @@ func ForProxy(cfg Config) Config {
 		{Kind: types.KindAutoUpdateVersion},
 		{Kind: types.KindAutoUpdateAgentRollout},
 		{Kind: types.KindUserTask},
+		{Kind: types.KindGitServer},
 	}
 	cfg.QueueSize = defaults.ProxyQueueSize
 	return cfg
@@ -554,6 +557,7 @@ type Cache struct {
 	identityCenterCache          *local.IdentityCenterService
 	workloadIdentityCache        workloadIdentityCacher
 	pluginStaticCredentialsCache *local.PluginStaticCredentialsService
+	gitServersCache              *local.GitServerService
 
 	// closed indicates that the cache has been closed
 	closed atomic.Bool
@@ -793,6 +797,8 @@ type Config struct {
 	IdentityCenter services.IdentityCenter
 	// PluginStaticCredentials is the plugin static credentials services
 	PluginStaticCredentials services.PluginStaticCredentials
+	// GitServers is the Git server service.
+	GitServers services.GitServerGetter
 }
 
 // CheckAndSetDefaults checks parameters and sets default values
@@ -1044,6 +1050,12 @@ func New(config Config) (*Cache, error) {
 		return nil, trace.Wrap(err)
 	}
 
+	gitServersCache, err := local.NewGitServerService(config.Backend)
+	if err != nil {
+		cancel()
+		return nil, trace.Wrap(err)
+	}
+
 	cs := &Cache{
 		ctx:                          ctx,
 		cancel:                       cancel,
@@ -1093,6 +1105,7 @@ func New(config Config) (*Cache, error) {
 		identityCenterCache:          identityCenterCache,
 		workloadIdentityCache:        workloadIdentityCache,
 		pluginStaticCredentialsCache: pluginStaticCredentialsCache,
+		gitServersCache:              gitServersCache,
 		Logger: log.WithFields(log.Fields{
 			teleport.ComponentKey: config.Component,
 		}),

lib/cache/cache_test.go

@@ -143,6 +143,7 @@ type testPack struct {
 	identityCenter          services.IdentityCenter
 	workloadIdentity        *local.WorkloadIdentityService
 	pluginStaticCredentials *local.PluginStaticCredentialsService
+	gitServers              services.GitServers
 }
 
 // testFuncs are functions to support testing an object in a cache.
@@ -416,6 +417,11 @@ func newPackWithoutCache(dir string, opts ...packOption) (*testPack, error) {
 		return nil, trace.Wrap(err)
 	}
 
+	p.gitServers, err = local.NewGitServerService(p.backend)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
 	return p, nil
 }
 
@@ -471,6 +477,7 @@ func newPack(dir string, setupConfig func(c Config) Config, opts ...packOption)
 		IdentityCenter:          p.identityCenter,
 		WorkloadIdentity:        p.workloadIdentity,
 		PluginStaticCredentials: p.pluginStaticCredentials,
+		GitServers:              p.gitServers,
 		MaxRetryPeriod:          200 * time.Millisecond,
 		EventsC:                 p.eventsC,
 	}))
@@ -887,6 +894,7 @@ func TestCompletenessInit(t *testing.T) {
 			IdentityCenter:          p.identityCenter,
 			PluginStaticCredentials: p.pluginStaticCredentials,
 			EventsC:                 p.eventsC,
+			GitServers:              p.gitServers,
 		}))
 		require.NoError(t, err)
 
@@ -973,6 +981,7 @@ func TestCompletenessReset(t *testing.T) {
 		PluginStaticCredentials: p.pluginStaticCredentials,
 		MaxRetryPeriod:          200 * time.Millisecond,
 		EventsC:                 p.eventsC,
+		GitServers:              p.gitServers,
 	}))
 	require.NoError(t, err)
 
@@ -1186,6 +1195,7 @@ func TestListResources_NodesTTLVariant(t *testing.T) {
 		MaxRetryPeriod:          200 * time.Millisecond,
 		EventsC:                 p.eventsC,
 		neverOK:                 true, // ensure reads are never healthy
+		GitServers:              p.gitServers,
 	}))
 	require.NoError(t, err)
 
@@ -1282,6 +1292,7 @@ func initStrategy(t *testing.T) {
 		PluginStaticCredentials: p.pluginStaticCredentials,
 		MaxRetryPeriod:          200 * time.Millisecond,
 		EventsC:                 p.eventsC,
+		GitServers:              p.gitServers,
 	}))
 	require.NoError(t, err)
 
@@ -3557,6 +3568,7 @@ func TestCacheWatchKindExistsInEvents(t *testing.T) {
 		types.KindIdentityCenterPrincipalAssignment: types.Resource153ToLegacy(newIdentityCenterPrincipalAssignment("some_principal_assignment")),
 		types.KindWorkloadIdentity:                  types.Resource153ToLegacy(newWorkloadIdentity("some_identifier")),
 		types.KindPluginStaticCredentials:           &types.PluginStaticCredentialsV1{},
+		types.KindGitServer:                         &types.ServerV2{},
 	}
 
 	for name, cfg := range cases {

lib/cache/collections.go

@@ -179,6 +179,7 @@ type cacheCollections struct {
 	identityCenterAccountAssignments   collectionReader[identityCenterAccountAssignmentGetter]
 	workloadIdentity                   collectionReader[WorkloadIdentityReader]
 	pluginStaticCredentials            collectionReader[pluginStaticCredentialsGetter]
+	gitServers                         collectionReader[services.GitServerGetter]
 }
 
 // setupCollections returns a registry of collections.
@@ -810,6 +811,19 @@ func setupCollections(c *Cache, watches []types.WatchKind) (*cacheCollections, e
 			}
 			collections.byKind[resourceKind] = collections.pluginStaticCredentials
 
+		case types.KindGitServer:
+			if c.GitServers == nil {
+				return nil, trace.BadParameter("missing parameter GitServers")
+			}
+			collections.gitServers = &genericCollection[
+				types.Server,
+				services.GitServerGetter,
+				gitServerExecutor,
+			]{
+				cache: c,
+				watch: watch,
+			}
+			collections.byKind[resourceKind] = collections.gitServers
 		default:
 			return nil, trace.BadParameter("resource %q is not supported", watch.Kind)
 		}