Alex Vandiver
d905eb6131
puppet: Add a database teleport server.
Host-based md5 auth for 127.0.0.1 must be removed from `pg_hba.conf`,
otherwise password authentication is preferred over certificate-based
authentication for localhost.
2021-06-08 22:21:21 -07:00
Alex Vandiver
61b6fc865c
puppet: Add a label to teleport applications, to allow RBAC.
Roles can only grant or deny access based on labels; set one based on
the application name.
2021-06-08 15:19:04 -07:00
Alex Vandiver
4f51d32676
puppet: Add a teleport application server.
This requires switching to a reverse tunnel for the auth connection,
with the side effect that the `zulip_ops::teleport::node` manifest can
be applied on servers anywhere on the Internet; they do not need to
have any publicly-available open ports.
2021-06-02 18:38:38 -07:00
Alex Vandiver
c59421682f
puppet: Add a teleport node on every host.
Teleport nodes[1] are the equivalent of SSH servers. In addition to
this config, joining the teleport cluster will require presenting a
one-time "join token" from the proxy server[2], which may either be
short-lived or static.
[1] https://goteleport.com/docs/architecture/nodes/
[2] https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster
2021-06-02 18:38:38 -07:00
Alex Vandiver
1cdf14d195
puppet: Add a teleport server.
See https://goteleport.com/docs/architecture/overview/ for the general
architecture of a Teleport cluster. This commit adds a Teleport auth[1]
and proxy[2] server. The auth server serves as a CA for granting
time-bounded access to users and authenticating nodes on the cluster;
the proxy provides access and a management UI.
[1] https://goteleport.com/docs/architecture/authentication/
[2] https://goteleport.com/docs/architecture/proxy/
2021-06-02 18:38:38 -07:00