Add the Teleport Integration (#16877)

* initial integration scaffolding

* add initial setup for integration tests using docker-compose

* add first integration test

* critical test pass

* add test_connect_ok

* fix test_connect_exception and passing test_connect_ok

* add test to check common metrics collection

* add metadata.csv

* ddev test teleport -fs

* delete some comments

* wip: use openmetrics base class

* catch main super.check exception, passing -> first two tests

* move exception to test to unit tests

* add unit tests, setup mocks, fix integration tests

* assert common metrics in unit tests

* add metrics fixture

* add teleport_cache_stale_events mocks

* reporting common metrics

* rename 'version' tag to 'teleport_version'

* format

* remove docker-compose down nothing behavior

* update metadata.csv metric names format

* update unit and integration tests to match the new metric names

* fix implementation to pass the tests

* [PLINT-302] Report Teleport Proxy metrics (#17018)

* add unit tests for proxy metrics

* passing metrics that don't require mocks

* tests passing for grpc_client_* metrics

* separate unit tests by teleport metrics groups

* update teleport proxy metrics test to check all metrics

* update fixtures with missing proxy metrics

* update proxy metric names in the test

* collect proxy metrics in the check

* format

* ignore linting on a long line

* separate metrics maps into metrics.py per suggestion

* ddev validate ci --sync

* ddev validate config teleport -s

* ddev validate models teleport -s

* ddev validate labeler --sync

* remove arch suffix from docker-compose teleport image

* add E2E test

* fix linting

* [PLINT-303] Report Teleport Auth Service and Backends metrics (#17050)

* add test_auth_teleport_metrics test
collect auth service metrics
update fixtures with missing auth service metrics
format
add 'cluster_name_not_found' metric
fix wrong metrics, grpc_server metrics belong to Auth service
replace single quotes with double quotes + format
change prefix for auth audit_log metrics
add auth s3 backend metrics test
collect auth s3 backend metrics
update fixtures with auth s3 backend metrics

* add support for backend cache metrics

* add support for backend dynamoDB metrics

* add support for backend firestore metrics

* add support for backend GCP GCS metrics

* add support for backend ETCD metrics

* lint

* Refactor and cleanup Teleport Integration (#17084)

* use metrics_path fixture in tests

* use instance fixture in tests

* move metrics constants in tests to common.py

* handle check exception

* remove the match parameter when testing for exception

* add .common prefix to common instance metrics for filtering purposes later

* update integration tests

* fix linting

* fix e2e tests

* use the COMMON_METRICS const in the integration and e2e tests

* format

* use the INSTANCE const in the test_e2e.py

* update the config properties to align with the RFC suggestion

* lint

* make DEFAULT_DIAG_PORT class constant

* [PLINT-304] Report metrics for the Teleport SSH Service (#17111)

* use metrics_path fixture in tests

* use instance fixture in tests

* move metrics constants in tests to common.py

* handle check exception

* remove the match parameter when testing for exception

* add .common prefix to common instance metrics for filtering purposes later

* update integration tests

* fix linting

* fix e2e tests

* use the COMMON_METRICS const in the integration and e2e tests

* format

* use the INSTANCE const in the test_e2e.py

* update the config properties to align with the RFC suggestion

* lint

* make DEFAULT_DIAG_PORT class constant

* add tests for SSH service metrics

* collect SSH metrics, tests passing

* cleanup: move METRIC_MAP to metrics.py

* [PLINT-306] Report metrics for the Teleport Kubernetes Service (#17113)

* add tests for Kubernetes service metrics

* successfully collecting kubernetes client metrics

* add tests for Kubernetes service server metrics

* successfully collecting kubernetes server metrics

* [PLINT-305] Report metrics for the Teleport Database Service (#17114)

* add tests for Database service metrics

* successfully collecting database service metrics

* [PLINT-308] Report metrics for the Teleport Enhanced Session Recording / BPF (#17116)

* add tests for BPF metrics

* successfully collecting BPF metrics

* [PLINT-307] Report metrics for the Teleport internal Prometheus (#17117)

* add tests for Prometheus metrics

* successfully collecting Prometheus metrics

* [PLINT-326] Add `teleport_service` tag to Teleport metrics (#17216)

* update tests to check for 'teleport_service' tag for auth metrics

* update tests to check for 'teleport_service' tag for ssh metrics

* update tests to check for 'teleport_service' tag for proxy metrics

* update tests to check for 'teleport_service' tag for database metrics

* update tests to check for 'teleport_service' tag for kubernetes metrics

* update tests to check for 'teleport_service' tag for common teleport metrics

* add METRIC_MAP_BY_SERVICE

* add custom metric transformer to add 'teleport_service' tag

* remove unexisting metric type case

* remove useless check

* [PLINT-331] Update `metadata.csv` for the Teleport Integration (#17241)

* update metadata.csv

* fix metadata duplications, and invalid histogram types to their corresponding count type

* remove periods at the end of descriptions

* [PLINT-325] Update Teleport Configuration spec (#17261)

* add 'teleport_url' and 'diag_port' properties to the Configuration Spec

* ddev validate config -s

* ddev validate models

* sort metadata.csv

* ddev validate ci -s

* add DEFAULT_METRIC_LIMIT to fix the openmetrics validation-n

* update classifier_tags

* add description to the manifest

* fix tile description

* update manifest check for metrics

* [WIP] add dashboard

* add dashboard entry in the manifest.json

* delele monitors, logs, and saved_views entries from the manifest.json

* remove extra comma in manifest.json

* changelog

* ddev validate label --sync

* [PLINT-362] Standardize metric names (#17383)

* update description 'cluster' -> 'instance'

* change teleport.auth.audit_log.* prefix to teleport.audit_log.* to ease filtering audit log metrics

* standardize metric names in the tests

* update implementation

* update metadata.csv

* remove extra space in metadata.csv

* audit_log -> auth.audit_log

* Send Teleport service check as a metric (#17441)

* update description 'cluster' -> 'instance'

* send count metric instead of service check

* raise on exception

* format

* fix integration tests

* remove obsolete field version in docker-compose.yml

* fix msg arg to self.count and add teleport_status tag to health.up metric

* fix integration tests typo

* fix e2e tests

* log error message on exception

* lint

* add teleport.health.up to metadata.csv

* add assertion for unreachable health state metric tag

* apply suggestion

* Update metadata.csv with descriptions and units (#17456)

* regenerate metadata.csv

* add all missing descriptions

* add some units

* add bucket,sum, and count metrics for histogram metrics

* update units and sort

* fix manifest.json errors

* update README.md with prerequisites section

* delete dashboard

* Apply suggestions from code review

Co-authored-by: Ilia Kurenkov <ilia.kurenkov@datadoghq.com>

---------

Co-authored-by: Ilia Kurenkov <ilia.kurenkov@datadoghq.com>

Author: NouemanKHAL

.codecov.yml

@@ -570,6 +570,10 @@ coverage:
         target: 75
         flags:
         - teamcity
+      Teleport:
+        target: 75
+        flags:
+        - teleport
       Tekton:
         target: 75
         flags:
@@ -1392,6 +1396,11 @@ flags:
     paths:
     - teamcity/datadog_checks/teamcity
     - teamcity/tests
+  teleport:
+    carryforward: true
+    paths:
+    - teleport/datadog_checks/teleport
+    - teleport/tests
   tekton:
     carryforward: true
     paths:

.github/workflows/config/labeler.yml

@@ -335,10 +335,10 @@ integration/oracle:
 - oracle/**/*
 integration/otel:
 - otel/**/*
-integration/pan_firewall:
-- pan_firewall/**/*
 integration/palo_alto_panorama:
 - palo_alto_panorama/**/*
+integration/pan_firewall:
+- pan_firewall/**/*
 integration/pdh_check:
 - pdh_check/**/*
 integration/pgbouncer:
@@ -447,6 +447,8 @@ integration/teamcity:
 - teamcity/**/*
 integration/tekton:
 - tekton/**/*
+integration/teleport:
+- teleport/**/*
 integration/temporal:
 - temporal/**/*
 integration/tenable:

.github/workflows/test-all.yml

@@ -3203,6 +3203,25 @@ jobs:
       test-py3: ${{ inputs.test-py3 }}
       minimum-base-package: ${{ inputs.minimum-base-package }}
     secrets: inherit
+  je68b3b9:
+    uses: ./.github/workflows/test-target.yml
+    with:
+      job-name: Teleport
+      target: teleport
+      platform: linux
+      runner: '["ubuntu-22.04"]'
+      repo: "${{ inputs.repo }}"
+      python-version: "${{ inputs.python-version }}"
+      standard: ${{ inputs.standard }}
+      latest: ${{ inputs.latest }}
+      agent-image: "${{ inputs.agent-image }}"
+      agent-image-py2: "${{ inputs.agent-image-py2 }}"
+      agent-image-windows: "${{ inputs.agent-image-windows }}"
+      agent-image-windows-py2: "${{ inputs.agent-image-windows-py2 }}"
+      test-py2: ${{ inputs.test-py2 }}
+      test-py3: ${{ inputs.test-py3 }}
+      minimum-base-package: ${{ inputs.minimum-base-package }}
+    secrets: inherit
   j840fec7:
     uses: ./.github/workflows/test-target.yml
     with:

teleport/CHANGELOG.md

@@ -0,0 +1,3 @@
+# CHANGELOG - Teleport
+
+<!-- towncrier release notes start -->

teleport/README.md

@@ -0,0 +1,63 @@
+# Agent Check: Teleport
+
+## Overview
+
+This check monitors [Teleport][1] through the Datadog Agent.
+
+## Setup
+
+Follow the instructions below to install and configure this check for an Agent running on a host. For containerized environments, see the [Autodiscovery Integration Templates][3] for guidance on applying these instructions.
+
+### Installation
+
+The Teleport check is included in the [Datadog Agent][2] package.
+No additional installation is needed on your server.
+
+### Prerequisites
+
+The Teleport check gathers Teleport's metrics and performance data using two distinct endpoints:
+   - The [Health endpoint](https://goteleport.com/docs/management/diagnostics/monitoring/#healthz) provides the overall health status of your Teleport instance.
+   - The [OpenMetrics endpoint](https://goteleport.com/docs/reference/metrics/#auth-service-and-backends) extracts metrics on the Teleport instance and the various services operating within that instance.
+
+These endpoints aren't activated by default. To enable the diagnostic HTTP endpoints in your Teleport instance, please refer to the public Teleport [documentation](https://goteleport.com/docs/management/diagnostics/monitoring/#enable-health-monitoring).
+
+### Configuration
+
+1. Edit the `teleport.d/conf.yaml` file, in the `conf.d/` folder at the root of your Agent's configuration directory to start collecting your teleport performance data. See the [sample teleport.d/conf.yaml][4] for all available configuration options.
+
+2. [Restart the Agent][5].
+
+### Validation
+
+[Run the Agent's status subcommand][6] and look for `teleport` under the Checks section.
+
+## Data Collected
+
+### Metrics
+
+See [metadata.csv][7] for a list of metrics provided by this integration.
+
+### Events
+
+The Teleport integration does not include any events.
+
+### Service Checks
+
+The Teleport integration does not include any service checks.
+
+See [service_checks.json][8] for a list of service checks provided by this integration.
+
+## Troubleshooting
+
+Need help? Contact [Datadog support][9].
+
+
+[1]: **LINK_TO_INTEGRATION_SITE**
+[2]: https://app.datadoghq.com/account/settings/agent/latest
+[3]: https://docs.datadoghq.com/agent/kubernetes/integrations/
+[4]: https://github.com/DataDog/integrations-core/blob/master/teleport/datadog_checks/teleport/data/conf.yaml.example
+[5]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent
+[6]: https://docs.datadoghq.com/agent/guide/agent-commands/#agent-status-and-information
+[7]: https://github.com/DataDog/integrations-core/blob/master/teleport/metadata.csv
+[8]: https://github.com/DataDog/integrations-core/blob/master/teleport/assets/service_checks.json
+[9]: https://docs.datadoghq.com/help/

teleport/assets/configuration/spec.yaml

@@ -0,0 +1,23 @@
+name: Teleport
+files:
+- name: teleport.yaml
+  options:
+  - template: init_config
+    options:
+    - template: init_config/default
+  - template: instances
+    options:
+    - name: "teleport_url"
+      required: true
+      description: "The Teleport URL to connect to."
+      value:
+        type: string
+        example: "http://127.0.0.1"
+    - name: "diag_port"
+      description: "The Teleport Diagnostic Port."
+      value:
+        type: integer
+        example: 3000
+      
+
+    - template: instances/default

teleport/assets/service_checks.json

@@ -0,0 +1 @@
+[]

teleport/changelog.d/16877.added

@@ -0,0 +1 @@
+Add the Teleport Integration

teleport/datadog_checks/__init__.py

@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2024-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__path__ = __import__('pkgutil').extend_path(__path__, __name__)  # type: ignore

teleport/datadog_checks/teleport/__about__.py

@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2024-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__version__ = '0.0.1'

teleport/datadog_checks/teleport/__init__.py

@@ -0,0 +1,7 @@
+# (C) Datadog, Inc. 2024-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+from .__about__ import __version__
+from .check import TeleportCheck
+
+__all__ = ['__version__', 'TeleportCheck']

teleport/datadog_checks/teleport/check.py

@@ -0,0 +1,88 @@
+# (C) Datadog, Inc. 2024-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+
+from datadog_checks.base import OpenMetricsBaseCheckV2
+from datadog_checks.base.checks.openmetrics.v2.transform import get_native_dynamic_transformer
+
+from .metrics import METRIC_MAP, METRIC_MAP_BY_SERVICE
+
+
+class TeleportCheck(OpenMetricsBaseCheckV2):
+    __NAMESPACE__ = 'teleport'
+    DEFAULT_METRIC_LIMIT = 0
+    DEFAULT_DIAG_PORT = 3000
+
+    def __init__(self, name, init_config, instances):
+        super().__init__(name, init_config, instances)
+        self.check_initializations.appendleft(self._parse_config)
+        self.check_initializations.append(self._configure_additional_transformers)
+
+    def check(self, _):
+        try:
+            health_endpoint = f"{self.diag_addr}/healthz"
+            response = self.http.get(health_endpoint)
+            response.raise_for_status()
+            self.count("health.up", 1, tags=["teleport_status:ok"])
+        except Exception as e:
+            self.log.error(
+                "Cannot connect to Teleport HTTP diagnostic health endpoint '%s': %s.\nPlease make sure to enable Teleport's diagnostic HTTP endpoints.",  # noqa: E501
+                health_endpoint,
+                str(e),
+            )  # noqa: E501
+            self.count("health.up", 0, tags=["teleport_status:unreachable"])
+            raise
+
+        super().check(_)
+
+    def _parse_config(self):
+        self.teleport_url = self.instance.get("teleport_url")
+        self.diag_port = self.instance.get("diag_port", self.DEFAULT_DIAG_PORT)
+        if self.teleport_url:
+            self.diag_addr = "{}:{}".format(self.teleport_url, self.diag_port)
+            self.instance.setdefault("openmetrics_endpoint", "{}/metrics".format(self.diag_addr))
+            self.instance.setdefault("rename_labels", {'version': "teleport_version"})
+
+    def _configure_additional_transformers(self):
+        metric_transformer = self.scrapers[self.instance['openmetrics_endpoint']].metric_transformer
+        metric_transformer.add_custom_transformer(r'.*', self.configure_transformer_teleport_metrics(), pattern=True)
+
+    def configure_transformer_teleport_metrics(self):
+        def transform(_metric, sample_data, _runtime_data):
+            for sample, tags, hostname in sample_data:
+                metric_name = _metric.name
+                metric_type = _metric.type
+
+                # ignore metrics we don't collect
+                if metric_name not in METRIC_MAP:
+                    continue
+
+                # extract `teleport_service` tag
+                service = METRIC_MAP_BY_SERVICE.get(metric_name, "teleport")
+                tags = tags + [f"teleport_service:{service}"]
+
+                # get mapped metric name
+                new_metric_name = METRIC_MAP[metric_name]
+                if isinstance(new_metric_name, dict) and "name" in new_metric_name:
+                    new_metric_name = new_metric_name["name"]
+
+                # send metric
+                metric_transformer = self.scrapers[self.instance['openmetrics_endpoint']].metric_transformer
+
+                if metric_type == "counter":
+                    self.count(new_metric_name + ".count", sample.value, tags=tags, hostname=hostname)
+                elif metric_type == "gauge":
+                    self.gauge(new_metric_name, sample.value, tags=tags, hostname=hostname)
+                else:
+                    native_transformer = get_native_dynamic_transformer(
+                        self, new_metric_name, None, metric_transformer.global_options
+                    )
+
+                    def add_tag_to_sample(sample, service):
+                        [sample, tags, hostname] = sample
+                        return [sample, tags + [f"teleport_service:{service}"], hostname]
+
+                    modified_sample_data = (add_tag_to_sample(x, service) for x in sample_data)
+                    native_transformer(_metric, modified_sample_data, _runtime_data)
+
+        return transform

teleport/datadog_checks/teleport/config_models/__init__.py

@@ -0,0 +1,24 @@
+# (C) Datadog, Inc. 2024-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+
+# This file is autogenerated.
+# To change this file you should edit assets/configuration/spec.yaml and then run the following commands:
+#     ddev -x validate config -s <INTEGRATION_NAME>
+#     ddev -x validate models -s <INTEGRATION_NAME>
+
+from .instance import InstanceConfig
+from .shared import SharedConfig
+
+
+class ConfigMixin:
+    _config_model_instance: InstanceConfig
+    _config_model_shared: SharedConfig
+
+    @property
+    def config(self) -> InstanceConfig:
+        return self._config_model_instance
+
+    @property
+    def shared_config(self) -> SharedConfig:
+        return self._config_model_shared

teleport/datadog_checks/teleport/config_models/defaults.py

@@ -0,0 +1,24 @@
+# (C) Datadog, Inc. 2024-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+
+# This file is autogenerated.
+# To change this file you should edit assets/configuration/spec.yaml and then run the following commands:
+#     ddev -x validate config -s <INTEGRATION_NAME>
+#     ddev -x validate models -s <INTEGRATION_NAME>
+
+
+def instance_diag_port():
+    return 3000
+
+
+def instance_disable_generic_tags():
+    return False
+
+
+def instance_empty_default_hostname():
+    return False
+
+
+def instance_min_collection_interval():
+    return 15

teleport/datadog_checks/teleport/config_models/instance.py

@@ -0,0 +1,63 @@
+# (C) Datadog, Inc. 2024-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+
+# This file is autogenerated.
+# To change this file you should edit assets/configuration/spec.yaml and then run the following commands:
+#     ddev -x validate config -s <INTEGRATION_NAME>
+#     ddev -x validate models -s <INTEGRATION_NAME>
+
+from __future__ import annotations
+
+from typing import Optional
+
+from pydantic import BaseModel, ConfigDict, field_validator, model_validator
+
+from datadog_checks.base.utils.functions import identity
+from datadog_checks.base.utils.models import validation
+
+from . import defaults, validators
+
+
+class MetricPatterns(BaseModel):
+    model_config = ConfigDict(
+        arbitrary_types_allowed=True,
+        frozen=True,
+    )
+    exclude: Optional[tuple[str, ...]] = None
+    include: Optional[tuple[str, ...]] = None
+
+
+class InstanceConfig(BaseModel):
+    model_config = ConfigDict(
+        validate_default=True,
+        arbitrary_types_allowed=True,
+        frozen=True,
+    )
+    diag_port: Optional[int] = None
+    disable_generic_tags: Optional[bool] = None
+    empty_default_hostname: Optional[bool] = None
+    metric_patterns: Optional[MetricPatterns] = None
+    min_collection_interval: Optional[float] = None
+    service: Optional[str] = None
+    tags: Optional[tuple[str, ...]] = None
+    teleport_url: str
+
+    @model_validator(mode='before')
+    def _initial_validation(cls, values):
+        return validation.core.initialize_config(getattr(validators, 'initialize_instance', identity)(values))
+
+    @field_validator('*', mode='before')
+    def _validate(cls, value, info):
+        field = cls.model_fields[info.field_name]
+        field_name = field.alias or info.field_name
+        if field_name in info.context['configured_fields']:
+            value = getattr(validators, f'instance_{info.field_name}', identity)(value, field=field)
+        else:
+            value = getattr(defaults, f'instance_{info.field_name}', lambda: value)()
+
+        return validation.utils.make_immutable(value)
+
+    @model_validator(mode='after')
+    def _final_validation(cls, model):
+        return validation.core.check_model(getattr(validators, 'check_instance', identity)(model))