Cloud Teleport: Building access plugins for Gravitational

Cover for Cloud Teleport: Building access plugins for Gravitational

For the Martian team with a strong belief in open source and dozens of published open source projects, the product development for Teleport was a perfect fit. Evil Martians got the chance to sparkle the brilliance for an open-core professional development service designed for engineers and built by them. It’s no way but to be flawless.

Teleport (ex-Gravitational) is the startup with open source infrastructure solutions that enable businesses to run, access, and distribute their cloud-native applications in restricted environments based on Kubernetes clusters, hybrid private clouds, or secure on-premise infrastructures. Martians’ duty was to design and implement some approval workflow plugins for these enterprise customers.

Evil Martians implemented and documented five plugins for the Teleport privileged access management system: integrations with Slack, Jira, Mattermost, GitLab, and PagerDuty to approve access requests fast and secure in these environments. In this project, we started to shape the ecosystem of integrations to let the startup’s customers adjust their permission systems to their corporate and legislation requirements.

Teleport is written in Go. It was also a great match as Martians have a great experience with our own open source projects in Go—such as imgproxy, Overmind, and Lefthook.

Teleporting to clouds

In the age of SaaS, with tons of cloud applications for every single business process, cloud security is still the biggest concern for enterprise customers. For the sake of compliance, they should take into account government policies like storing data in local areas or legal and corporate standards of avoiding public clouds for sensitive information. The business rules also necessitate keeping clear of “vendor lock-in”.

That’s where Teleport comes in to give a hand. They are working to help technology startups with packaging, deploying, and running their SaaS on private clouds of their enterprise customers to securely facilitate app deployments. Having a strong cloud computing background, the team chose Kubernetes to ease cloud deployment and run cloud applications across environments while meeting security and compliance requirements. Teleport has been a long-standing supporter for Kubernetes, believing that building software with Kubernetes instead of building in the cloud dependencies upfront will break the dependency on the individual cloud providers.

Gravitational, recently rebranded as Teleport, was founded in 2015. In 2019, the project has raised $25M in Series A rounds in 2019 with over $29M in total to date from many leading investors, including Y Combinator, CrunchFund, Spectrum 28, Zillionize, SV Angel, Kleiner Perkins, and Fort Ventures. It has around 100 enterprise customers, including NASDAQ, Samsung, Splunk, Ticketmaster, Telefonica, Sumo Logic, Snowflake Computing, and Epic Games.

Martians enjoyed the privilege of helping with Teleport. The problem tackling by Teleport is—unfortunately—not a physical teleporting feature, but equally important authorization and access requests automation. It started as an internal tool and became more popular as a single point to configure accesses in cutting-edge network cloud environments with authorization tied to internal enterprise services. For instance, if a company has a corporate Windows environment for all employees and a deployment environment like Kubernetes for engineers, they need to work bundled.

To simplify administration, Teleport wanted to extend and customize permission elevation workflow to grant or deny access in real time through messengers and collaboration applications. The idea was to move away from root accounts and let engineers do it on the fly via Slack or other supported platforms.

Approval workflow in Slack (video from Teleport)

Plug it in

In this project, Martians helped to design Slack, Jira, Mattermost, GitLab, and PagerDuty integrations for Teleport. When a customer’s user requests additional roles in a corporate cluster, admins get notifications to Slack, Jira, or others. They can immediately approve or deny this request in the same place in a click. In Jira’s case, a task will be created and put on a special access requests board automatically. The integration connects all the layers and related software components to create a single flow of the approval process while keeping the whole environment secure: those plugins are meant to be hosted in the customer’s cluster itself.

Permissions via Jira server (video from Teleport)

Fun fact: although we worked with Jira in this integration, this task management software was only for Teleport customers. The project’s team, like Martian’s one, uses an open GitHub project to organize todos and pull requests so everyone can trace the project history through the repo and discuss the product. You can take a look at what Teleport’s working on and see what to expect from future releases.

We designed these integrations as plugins—in a separate repository with opt-in behavior. This approach doesn’t require any core changes for the Teleport product itself, thus saving time and resources. The next critical advantage is that it ensures the robustness and security of the open source platform. The project doesn’t have to tighten the security requirements around the open-core repository, so even super sensitive enterprise clients can continue using Teleport without worrying about any extras or plugins being loaded into it.

Building the plugins

Involving the Martian team, Teleport pursued several critical aims:

First, these plugins were in heavy demand of Teleport enterprise customers, so they had to be built as an out-of-the-box product, entirely ready for use.

Second, the plugin format for integrations design was a brand-new way to experiment with. Teleport decided to invite Evil Martians as an outside contractor to keep the high code quality across the product while experimenting, along with proper communications and documentation according to engineering culture standards both teams shared.

Third, the team needed off-site feedback before presenting the plugin platform to the community. Martians provided detailed feedback with some recommendations for the company to improve the API for plugins to meet a plugin developer’s needs adequately.

Besides, Martians took on the product manager role for integrations, designing MVPs, elaborating all the scenarios, writing reviews, and creating all the guidelines for enterprise customers to install plugins.

Our team also helped to put into shape and to enhance their repository with integrational plugins. We designed a well-defined and clear example to build plugins with all the essential tests to cover. The code is written in Go with an eye on the potential adaptation for customers’ needs.

Go to GitHub to get Teleport plugins and to bring your permission system in line with your business requirements.

On foot of this structure, we built integrations with Slack and Jira and created the full spec. We made these two plugins a standard for integrations design, complemented with tests and setting tutorials. Then, we followed this pattern and built extensions for Mattermost (i.e., on-premise off-brand slack clone), PagerDuty, and GitLab for accesses.

We found that even before the plugin’s official release on our website, we got more from our customers who were highly interested in these features than we invested in this project. It was totally worth it! We’d love to continue working together on other projects.

Approval requests in Mattermost (video from Teleport)

Teleport is an outstanding professional product for engineers. Having deep expertise in pro-tools product design for our open source and customers’ projects, we couldn’t help to make it even better by some bugs research and subsequent debugging on the next stage. The core team fixed them instantly.

These plugins are currently the #1 selling point for our Teleport product.

Tech stack under the hood

Technically, Teleport uses a replacement of SSH to access different machines in the cluster and integrates with the company’s LDAP / SSO / identity management system. That helps to isolate critical infrastructure and enforce both two-factor authentication when using SSH and Kubernetes and Github org permissions.

Recently, Teleport started to migrate from the REST API to gRPC for more transparent and easier communications between these layers and systems and API calls organization. Martians with some hands-on experience in gRPC were happy to use this stack again to organize a prompt synchronization for plugins permissions workflow. gRPC is several times faster when sending and receiving data to compare with REST and perfect in data serialization. These gRPC framework advantages were also instrumental in plugins design as their most critical part includes a listener for events stream to get notifications about new access request creation.

Results

In collaboration with the company, the Evil Martians team designed, built, and assisted in releasing five integrations for Teleport, helping the startup team improve some backend issues in parallel. We also created the detailed documentation that allowed customers to start building on top of the integrations even before they were officially released.

It is also worth noting individually the great support from the Teleport team and the pleasure to work with a customer who shares the same vision of open-core approach in business and brilliant engineering culture that empowers us to complete the project in a short time.

PagerDuty plugin (video from Teleport)

We initiated to shape the overall integration ecosystem for Teleport to allow hundreds of current and potential customers to tweak their Teleport-based access request systems to adapt them to specific security, compliance, and business requirements.

Both the Teleport team and their clients were extremely impressed with the work Martians had done:

For years of dealing with different consulting agencies, and having some experience being the consultant myself, this collaboration with Evil Martians was a gulp of fresh air—definitely one of the best experiences we’ve had. We were paying close attention to their work quality, ethics, etc. and we loved how the Martian engineering team worked on Teleport plugins: everything from the way they communicated and approached the project to their code quality, their curiosity, and their striving to figure out the right way to build things—that left a strong impression on me.

As both Kubernetes and security market experts predict the sustainable growth trajectory for professional cloud development tools, the newest plugins help Teleport reduce operational overhead and make cloud deployment and policy compliance easy-to-use.

Teleport has its commitment to keeping open standards to help customers to be fully compatible with existing cloud applications and infrastructure. Things are going well at this point as their software has over 10,000 stars on Github and is used by thousands of developers.

If you provide professional software products for software or DevOps engineers or have the same vision of commercial open source or “Open Core” products, give Martians a ping to help you with open source development from our top guns.

Join our email newsletter

Get all the new posts delivered directly to your inbox. Unsubscribe anytime.