diff --git a/README.md b/README.md index 163798e..cc8127f 100644 --- a/README.md +++ b/README.md @@ -54,8 +54,10 @@ https://craignewtondev.medium.com/how-to-fix-kubernetes-namespace-deleting-stuck ### Teleport To get access, you will need to configure teleport. -- Add yourself as a user: `kubectl exec -it deployment.apps/teleport-cluster -n teleport -- tctl users add yourusername --roles=editor,access,admin --logins=root,ubuntu,ec2-user` +- Create the kubernetes role: `kubectl exec -it deployment.apps/teleport-cluster -n teleport -- tctl create -f < terraform-k8s/teleport-k8s-admin-role.yaml` +- Add yourself as a user: `kubectl exec -it deployment.apps/teleport-cluster -n teleport -- tctl users add --roles=editor,access,admin,k8s-admin --logins=root,ubuntu,ec2-user` - Go to the URL they give you and set up your 2fa +- You can use kubernetes if you use tsh to log in: `tsh login --proxy teleport-.:443 --user ` - You should then be able to go to the applications section and pull up gitlab. - Longer term, we hope to configure more of this through code. diff --git a/clusters/gitlab-cluster/tshnode/tshnode.yaml b/clusters/gitlab-cluster/tshnode/tshnode.yaml new file mode 100644 index 0000000..160a8cb --- /dev/null +++ b/clusters/gitlab-cluster/tshnode/tshnode.yaml 
@@ -0,0 +1,34 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ labels:
+ k8s-app: tshnode
+ name: tshnode
+ namespace: teleport
+spec:
+ selector:
+ matchLabels:
+ k8s-app: tshnode
+ template:
+ metadata:
+ labels:
+ k8s-app: tshnode
+ spec:
+ containers:
+ - image: amazonlinux
+ imagePullPolicy: Always
+ name: ssm
+ command: ["/bin/bash"]
+ args:
+ - -c
+ - |
+ yum-config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo ;
+ yum install teleport ;
+ teleport start --roles=node --token=XXX --auth-server=teleport-cluster.teleport:443
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ terminationGracePeriodSeconds: 2
diff --git a/terraform-k8s/teleport-k8s-admin-role.yaml b/terraform-k8s/teleport-k8s-admin-role.yaml
new file mode 100644
index 0000000..6624006
--- /dev/null
+++ b/terraform-k8s/teleport-k8s-admin-role.yaml
@@ -0,0 +1,10 @@
+kind: role
+version: v3
+metadata:
+ name: k8s-admin
+spec:
+ allow:
+ # This field is used for SSH logins. You have to keep 'logins' as a non-empty random value
+ # for Kubernetes to work until we fix it.
+ logins: ['keep-this-value-here']
+ kubernetes_groups: ["system:masters"]
diff --git a/terraform-k8s/teleport.tf b/terraform-k8s/teleport.tf
index ded868b..eba7dc6 100644
--- a/terraform-k8s/teleport.tf
+++ b/terraform-k8s/teleport.tf
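Review bot: The DaemonSet hard-codes the join token as the literal `--token=XXX` in the container args, so it is readable by anyone who can get the pod spec and it is disconnected from the `teleport-kube-agent-join-token` secret that terraform-k8s/teleport.tf generates in this same commit; read the secret into an env var instead (`valueFrom.secretKeyRef` with name `teleport-kube-agent-join-token`, key `auth-token`) and start with `--token=$TOKEN`. The `yum install teleport` line has no `-y`, so in a non-interactive pod yum will decline to install and the following `teleport start` will fail; use `yum install -y teleport`. Pulling the untagged `amazonlinux` image with `imagePullPolicy: Always` and installing an unpinned `teleport` package at every pod start also means the node agent's version changes without any change to this manifest, which is hard to audit for an access-control component; pinning both the image tag and the package version would be appropriate.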
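Review bot: `kubernetes_groups: ["system:masters"]` maps every holder of the `k8s-admin` role to the built-in superuser group, which bypasses Kubernetes RBAC entirely and cannot be narrowed, audited or revoked through RoleBindings, and the README change in this commit assigns that role to every user added. Prefer a dedicated group such as `kubernetes_groups: ["teleport-admins"]` bound on the cluster side with a ClusterRoleBinding to `cluster-admin` (or a narrower ClusterRole), so the grant can be scoped and removed without touching Teleport. The `logins` comment would also be clearer if it said what the placeholder is, e.g. `# 'keep-this-value-here' is not a real OS user; it only satisfies the non-empty check Teleport applies to logins.`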
@@ -35,21 +35,46 @@ resource "aws_route53_record" "teleport" { records = [data.kubernetes_service.teleport.status.0.load_balancer.0.ingress.0.hostname] } -resource "aws_route53_record" "teleport-gitlab" { +resource "aws_route53_record" "teleport-wildcard" { zone_id = data.aws_route53_zone.gitlab.zone_id - name = "gitlab.teleport-${var.cluster_name}" + name = "*.teleport-${var.cluster_name}" type = "CNAME" ttl = "300" records = [data.kubernetes_service.teleport.status.0.load_balancer.0.ingress.0.hostname] } +# This is the join token +resource "random_password" "join-token" { + length = 26 + special = true + override_special = "/@£$" +} + +resource "kubernetes_secret" "teleport-kube-agent-join-token" { + depends_on = [kubernetes_namespace.teleport] + metadata { + name = "teleport-kube-agent-join-token" + namespace = "teleport" + } + + data = { + auth-token = random_password.join-token.result + } +} + +# Ideally, this would be done through flux, but we need it to be live +# so we can reference the service to get the elb to put the CNAMEs on. resource "helm_release" "teleport-cluster" { name = "teleport-cluster" - repository = "https://charts.releases.teleport.dev" + # XXX remove the tspencer repo and add teleport back once these PRs get in: + # https://github.com/gravitational/teleport/pull/6586 + # https://github.com/gravitational/teleport/pull/6619 + # repository = "https://charts.releases.teleport.dev" + repository = "https://timothy-spencer.github.io/helm-charts" chart = "teleport-cluster" version = "6.0.0" namespace = "teleport" - depends_on = [kubernetes_namespace.teleport] + depends_on = [kubernetes_secret.teleport-kube-agent-join-token] set { name = "namespace" 
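Review bot: `repository = "https://timothy-spencer.github.io/helm-charts"` moves the cluster's access plane to a chart served from a personal GitHub Pages site, pinned only by `version = "6.0.0"` — the same version string as the upstream chart — so nothing in this configuration would detect the chart being modified or the account being taken over between applies. Until the two linked PRs land, vendor the patched chart into this repository (or at minimum pin a fork-specific version and record the chart archive's sha256 in the comment next to the `XXX`) rather than fetching it live from a third party at apply time. Separately, `random_password.join-token` lands in plaintext in Terraform state as well as in the Kubernetes secret, so the state backend needs the same protection as the secret, and `override_special = "/@£$"` puts `/`, `@` and a non-ASCII character into a token that is passed on command lines and in YAML; restricting it to URL-safe characters (or `special = false`) is presumably less fragile — confirm against Teleport's token handling.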
@@ -61,59 +86,131 @@ resource "helm_release" "teleport-cluster" { value = "true" } + # # XXX temporary + # set { + # name = "logLevel" + # value = "DEBUG" + # } + set { name = "acmeEmail" - value = "security@login.gov" + value = var.certmanager-issuer } - + set { name = "clusterName" value = "teleport-${var.cluster_name}.${var.domain}" } set { - name = "customConfig" - value = "true" + name = "kubeClusterName" + value = "teleport-${var.cluster_name}" } -} -# This is where the customConfig lives (same name as the helm release) -resource "kubernetes_config_map" "teleport-cluster" { - # depends_on = [helm_release.teleport-cluster] - depends_on = [kubernetes_namespace.teleport] - metadata { - name = "teleport-cluster" - namespace = "teleport" + set { + name = "serviceAccountAnnotations.eks\\.amazonaws\\.com/role-arn" + value = aws_iam_role.teleport.arn } + } - data = { - "teleport.yaml" = <