puppet: Add a teleport server.

See https://goteleport.com/docs/architecture/overview/ for the general architecture of a Teleport cluster. This commit adds a Teleport auth[1] and proxy[2] server. The auth server serves as a CA for granting time-bounded access to users and authenticating nodes on the cluster; the proxy provides access and a management UI. [1] https://goteleport.com/docs/architecture/authentication/ [2] https://goteleport.com/docs/architecture/proxy/
2021-06-02 01:41:02 +00:00 · 2021-06-02 01:41:02 +00:00 · 1cdf14d195
parent 6143cb6e73
commit 1cdf14d195
7 changed files with 136 additions and 0 deletions
--- a/puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf
+++ b/puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf
@ -0,0 +1,8 @@
 [program:teleport_server]
 command=/usr/local/bin/teleport start --config=/etc/teleport_server.yaml
 priority=10
 autostart=true
 autorestart=true
 user=root
 redirect_stderr=true
 stdout_logfile=/var/log/teleport_server.log
--- a/puppet/zulip_ops/files/teleport_server.yaml
+++ b/puppet/zulip_ops/files/teleport_server.yaml
@ -0,0 +1,31 @@
 # See https://goteleport.com/docs/config-reference/ and
 # https://goteleport.com/docs/admin-guide/#configuration
 teleport:
  ca_pin: "sha256:df15ba56d56227e288ce183d7eee77a6bef552aaaa5dc25f0f5ea56494ce14c6"
 auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  cluster_name: teleport.zulipchat.net
  authentication:
    type: local
    second_factor: on
    u2f:
      app_id: https://teleport.zulipchat.net
      facets:
        - https://teleport.zulipchat.net:443
        - https://teleport.zulipchat.net
        - teleport.zulipchat.net:443
        - teleport.zulipchat.net
 proxy_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:443
  public_addr: teleport.zulipchat.net:443
  acme:
    enabled: "yes"
    email: zulip-ops@zulip.com
 ssh_service:
  enabled: no
--- a/puppet/zulip_ops/manifests/profile/teleport.pp
+++ b/puppet/zulip_ops/manifests/profile/teleport.pp
@ -0,0 +1,31 @@
 class zulip_ops::profile::teleport {
  include zulip_ops::profile::base
  include zulip_ops::teleport::base
  file { '/etc/teleport_server.yaml':
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/zulip_ops/teleport_server.yaml',
  }
  file { "${zulip::common::supervisor_conf_dir}/teleport_server.conf":
    ensure  => file,
    require => [ Package[supervisor], Package[teleport], File['/etc/teleport_server.yaml'] ],
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    source  => 'puppet:///modules/zulip_ops/supervisor/conf.d/teleport_server.conf',
    notify  => Service[$zulip::common::supervisor_service],
  }
  # https://goteleport.com/docs/admin-guide/#ports
  # Port 443 is outward-facing, for UI
  zulip_ops::firewall_allow { 'teleport_server_ui': port => 443 }
  # Port 3023 is outward-facing, for teleport clients to connect to.
  zulip_ops::firewall_allow { 'teleport_server_proxy': port => 3023 }
  # Port 3034 is outward-facing, for teleport servers outside the
  # cluster to connect back to establish reverse proxies.
  zulip_ops::firewall_allow { 'teleport_server_reverse': port => 3024 }
  # Port 3025 is inward-facing, for other nodes to look up auth information
  zulip_ops::firewall_allow { 'teleport_server_auth': port => 3025 }
 }
--- a/puppet/zulip_ops/manifests/teleport/base.pp
+++ b/puppet/zulip_ops/manifests/teleport/base.pp
@ -0,0 +1,12 @@
 class zulip_ops::teleport::base {
  include zulip::supervisor
  $setup_apt_repo_file = "${::zulip_scripts_path}/lib/setup-apt-repo"
  exec{ 'setup-apt-repo-teleport':
    command => "${setup_apt_repo_file} --list teleport",
    unless  => "${setup_apt_repo_file} --list teleport --verify",
  }
  Package { 'teleport':
    require => Exec['setup-apt-repo-teleport'],
  }
 }
--- a/scripts/setup/apt-repos/teleport/bionic.list
+++ b/scripts/setup/apt-repos/teleport/bionic.list
@ -0,0 +1 @@
 deb https://deb.releases.teleport.dev/ stable main
--- a/scripts/setup/apt-repos/teleport/focal.list
+++ b/scripts/setup/apt-repos/teleport/focal.list
@ -0,0 +1 @@
 deb https://deb.releases.teleport.dev/ stable main
--- a/scripts/setup/apt-repos/teleport/teleport-pubkey.asc
+++ b/scripts/setup/apt-repos/teleport/teleport-pubkey.asc
@ -0,0 +1,52 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBF+R3LYBEADOEO9i3Dm5rEAiXONchX3M54QzZX0yHArSpYQ5aJDdJRQbqzqT
 +e2os8NpSjVDZFNz5ul8xkZsnCLX7pgrAYqq+vsXL4bMWDP96S6PjfVIAyV4ylv0
 DBReMdkaAZb/IoPhkSTT+ayw4eGEtUz/k7mxMpQ9ob7qFtGs8aNVT/An5LfFR1Lx
 9WOlFPPIAJKcHVIyRD+4EoCSn1R1c61UHFIRatbAnwOLs3iz4/GU+w9wdbuWbDuk
 nGdG0Lmlzp42HHxeJJFQlOTed97+trktvAiuzA/0lbQHEcWvxfWAy5//cjORp+H3
 RGLp8fJ+fFRAyA4WP6O3wIC4gAAgsEn8WpVT8wZYlLMRf694SeawBtyUSlcsn9i1
 LuOh5akOY3iQtH01+rMBjOaMkCmpT2nQaUH+HS2iZBddBHdAMMQtj2UolMRbUSxH
 +GJczes1t9/WH3vbvh5ESMOy0fH14Tjo+9yQYa4EhFNNloAG10DYFLlCj47fWDdS
 o/++vhZsKaS7yLHDGOLPT+x15ComG2gupmRkbATvUddztlsfF+tD97laT9eaLB1W
 zxszqr8+LxP961wmbS2j+ZBbXyrPr1Fln/TdyFAhkIMJ+J5hZB+NcjRUwUoB7nOd
 +FbTxtnyJb2iaJNCJHJQVA85IYzUpXA3CDdgUHF810kVBcBPBtLhZC5ybQARAQAB
 tCtHcmF2aXRhdGlvbmFsLCBJbmMgPGluZm9AZ3Jhdml0YXRpb25hbC5jb20+iQJU
 BBMBCAA+FiEEDF6LpWWOMg0bAxF5yH7VOmKCxBEFAl+R3LYCGwMFCRLMAwAFCwkI
 BwIGFQoJCAsCBBYCAwECHgECF4AACgkQyH7VOmKCxBFfxxAAiXWJm86oZtVdAlp1
 pzpKeV0pwgrnt7Uk8fu5tYpdE/oVMnwcdsDDQucItGtHGfjmzs3Cr8/praekenf1
 9iHSz422OpIGzCI4VfXaFPVfzbV1w7cSOnceY6lPnKUMrRBKKJX5Nw/6LZS40gsQ
 BoeZxe0MXB4tBc4dY30f1MQ44amRYmtTA7wep+ymVRfkPnHNnIrsdYGldbfPsbPO
 PUX8ZnWZiuI0+NgX3oBOl6YY4JehBJj61Ukx1DPHHLhhundHumChYFn+LBIZxD3O
 B9uoRzUzwUIM0N9IUjpGvtkqtm7Vbs6/bDxI4Owgsa7vXpEXZ2qD0AIle7sD0Fjl
 F19o2mXmEeQp9Fl4OrkZCURCQvPq9UCh6Nu0a1+SnbG+qXyyvqszy2tkV4xmcF4w
 Gib0SVT8RR08NeJXkHtBscnecgUA1BTH8J8RnUeQXZhUn51bVJk4JaDnEXp8VEP2
 gNce+oUY2XQtLDVzHysGhexDrWk8ycl/zvwyxKv+kj5QhjXugHkOMnW53mdMe3N/
 gwsV+kJUm6NdtLtTAOkky/GfkIGTWNQPD2/42T+0cA9lTVxihh+wz9tgA1ZbtVOK
 P2DNA10rsCuzGPFn8d6Khymt0o66dgfEloy9Y14leoqUCMPU3ibLP6bYuow2AJUz
 KcvTgmfjP1/ghNXI7E2vgNi8wta5Ag0EX5HctgEQALx4btbP47LwrIqB4loog2sT
 pac7fdbA+YVeqP/9KoLw1ZB+5DeqNKmtUHSau9mRVh8a8g7slpGhH6hxlEHr7ek/
 mA/o91jB4RGo5mfyuWcJQKRyHS4pWciEM/gK+o6lEceTdUwvKI6OrJ4koPd3HZth
 mw+xPyAdGKY3oBmrXeZ6XkuDfME8doRmuwlw/tbmje63/2j97ebiFfQcyWLH32d8
 T+yEpAj+55Qxp6aJZaDOeAuzBtyAopxGRjGsxBUF/VSUwxYb0bmwWgPIhPC77oEk
 AEMPsIsI9LJ8fQY/sOzwhyNNt+b7rgto6AFskz7urezzCuuIwMeupmC78QWGw9jM
 zHFf3R6O1KQ0v8PBYYb6BHkjzho6hTcOZO9Zh+XO4k6uEwlu+Zc0AmyHmQeQ3I8Z
 tAb//LJk9X62yNPE/8wjtEUzXqyzlLpGjRFr6kQv+6nqs8JxyCnS34Q+au2IqOnn
 iFkHj/w79mtmzR4G43wo3x1nGjyz+vTpsurmJ+qFMO0bLcE/HV8aGxs0YeQsByOc
 SU8TK6v+Wkn58LT4cvjIO5G/2UM7kucXl56hqvguvnFTLNqewWtqgS7IRuykcYgK
 HrBYb/iVH+Fb+9Th9VX7bl0ZeoH7O8RbvxKGkd90+DPsurBeIQ7S4zM9w7WnAsAC
 Sgs8owYZpHpyrK8QFD4zABEBAAGJAjwEGAEIACYWIQQMXoulZY4yDRsDEXnIftU6
 YoLEEQUCX5HctgIbDAUJEswDAAAKCRDIftU6YoLEEURID/4oQhZZPindZJHiwQqm
 0a8H1ssgZAz6E8PejoN0gbsblbOrtkGDLU8gvzksvd/9luSLRgPw++m6ut87PeMv
 MKc4UIyRb5oSgh5WE0bW9191Gkfge9DRrIdtUDG8N+oTlIWYHTXC5zlwmfMobtQE
 kFUdPbedhytYx1wgbh8KP8sLXGPXut5VqDy/EgNzqERnI5kLeiDvMsLz0xjdHpGW
 ASfJMNX120GU8Mwqa6gWvP52BB20pU9bC1VQX1qiqD6V1GpxQJ2jACKke6boiqbL
 Bdb0UgmW4XYIp4ZjLC842e0qSyfd8rt3PzYrbK/NPuXAV7f+wAhPSC18v+1Ap5Kh
 KKHRLvyUVGxwaBVedOuuC/OqJwSSLa0cQKytFK+3OJAdTYoHtsh++ScgEL/wOCXs
 gM5xmlI6Pk/6Ev0Hz/kDY5F0w4/VvSEaS/7TSkmf5JvxdueVObf5ry5O+L4J7t7y
 JwdtPhXgHR0PHidnh/02SVn8XIzHdB9OZ2i6Wr12loFZGltWdmJVkQC/cj/HBr5I
 ZizQril+7cXDI/8Hyk04d19rmjSIU49FderpNYYOv38dqaAsosYge6JzYdIzJrJH
 /DIKnSAU/a14sFUrNm+TYJmZto35hSltUxLEzLIWeR9TjpOh6VS1UzdGQh32NP+h
 oq8y1SJMCrfC9Ub5q2/ijiJWUw==
 =+Ne5
 -----END PGP PUBLIC KEY BLOCK-----
		`@ -0,0 +1 @@`
							`deb https://deb.releases.teleport.dev/ stable main`