Setup Teleport

.gitignore

@@ -20,3 +20,4 @@
 /docs/book
 
 /vendor
+/teleport

Makefile

@@ -136,5 +136,41 @@ undeploy: setup ## Undeploy controller from the K8s cluster specified in ~/.kube
 
 ##@ Setup
 
+.PHONY: setup
 setup:
 	aqua install -l
+
+.PHONY: get-teleport-manifests
+get-teleport-manifests:
+	helm repo add teleport https://charts.releases.teleport.dev
+	helm repo update
+	helm template teleport --namespace teleport teleport/teleport-cluster \
+		--create-namespace \
+		--version 15.3.7 \
+		--values ./test/teleport/cluster/values.yaml \
+		> ./test/teleport/cluster/teleport-cluster.yaml
+
+.PHONY: get-teleport
+get-teleport:
+	rm -rf teleport
+	wget https://cdn.teleport.dev/teleport-v15.3.7-linux-amd64-bin.tar.gz
+	tar -xvf teleport-v15.3.7-linux-amd64-bin.tar.gz
+	rm teleport-v15.3.7-linux-amd64-bin.tar.gz
+
+.PHONY: deploy-teleport
+deploy-teleport:
+	# Setup Teleport
+	kubectl create namespace teleport
+	kustomize build ./test/teleport/cluster | kubectl apply -f -
+	kubectl -n teleport wait --for=condition=available --timeout=180s --all deployments
+
+	# Setup Teleport Node
+	TOKEN=$$(kubectl exec -it -n teleport deployment/teleport-auth -- tctl tokens add --type=node --format json | jq -r ".token") && \
+		sed -i "s/auth_token: .*/auth_token: $$TOKEN/g" ./test/teleport/node/teleport-secret.yaml
+	kustomize build ./test/teleport/node | kubectl apply -f -
+
+	# Setup api-access
+	kubectl exec -i -n teleport deployment/teleport-auth -- tctl create -f < ./test/teleport/api/api-access.yaml
+	kubectl exec -i -n teleport deployment/teleport-auth -- tctl users add api-access --roles=api-access
+
+generate-api-token:

aqua.yaml

@@ -17,3 +17,4 @@ packages:
 - name: golangci/golangci-lint@v1.59.0
 - name: tilt-dev/ctlptl@v0.8.29
 - name: tilt-dev/tilt@v0.33.17
+- name: helm/helm@v3.16.1

cluster.yaml

@@ -9,3 +9,18 @@ name: kind-login-protector-dev
 product: kind
 kubernetesVersion: v1.30.0
 registry: ctlptl-registry
+kindV1Alpha4Cluster:
+  nodes:
+  - role: control-plane
+  - role: worker
+    extraPortMappings:
+    - containerPort: 30080
+      hostPort: 3080
+    - containerPort: 30023
+      hostPort: 3023
+    - containerPort: 30024
+      hostPort: 3024
+    - containerPort: 30026
+      hostPort: 3026
+    - containerPort: 31025
+      hostPort: 3025

config/teleport/kustomization.yaml

@@ -0,0 +1,4 @@
+resources:
+  - ../default
+patchesStrategicMerge:
+  - ./manager.yaml

config/teleport/manager.yaml

@@ -0,0 +1,15 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: controller-manager
+  namespace: system
+spec:
+  template:
+    spec:
+      securityContext: null
+      containers:
+        - command:
+            - /login-protector
+          args: null
+          name: manager
+          securityContext: null

test/teleport/README.md

@@ -0,0 +1,36 @@
+# Teleport Support
+
+## Development
+
+```bash
+# Install necessary tools.
+$ make setup
+
+# Setup Teleport CLI
+$ make setup-teleport
+
+# Start a test Kubernetes cluster.
+$ make start-dev
+```
+
+```bash
+# Deploy Teleport
+$ make deploy-teleport
+```
+
+You can see the following output:
+
+```console
+User "api-access" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
+https://localhost:3080/web/invite/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+NOTE: Make sure localhost:3080 points at a Teleport proxy which users can access.
+```
+
+Open the URL in your browser and set the password for the api-access user.
+You should set up MFA(Multi-Factor Authentication).
+
+```bash
+$ ./teleport/tsh login --proxy=localhost:3080 --user=api-access --insecure --ttl=5256000
+$ ./teleport/tctl --auth-server=localhost:3025 auth sign --ttl=87500h --user=api-access --out=./test/teleport/api/api-access.pem
+```

test/teleport/api/api-access.yaml

@@ -0,0 +1,15 @@
+kind: role
+metadata:
+  name: api-access
+spec:
+  allow:
+    rules:
+      - resources:
+          - session_tracker
+        verbs:
+          - list
+          - read
+  deny: {}
+  options:
+    max_session_ttl: 87600h0m0s
+version: v7

test/teleport/cluster/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - teleport-cluster.yaml
+patches:
+  - path: service-patch.yaml

test/teleport/cluster/service-patch.yaml

@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: teleport
+  namespace: teleport
+spec:
+  type: NodePort
+  ports:
+    - name: tls
+      port: 443
+      targetPort: 3080
+      nodePort: 30080
+      protocol: TCP
+    - name: sshproxy
+      port: 3023
+      targetPort: 3023
+      nodePort: 30023
+      protocol: TCP
+    - name: k8s
+      port: 3026
+      targetPort: 3026
+      nodePort: 30026
+      protocol: TCP
+    - name: sshtun
+      port: 3024
+      targetPort: 3024
+      nodePort: 30024
+      protocol: TCP
+    - name: mysql
+      port: 3036
+      targetPort: 3036
+      nodePort: 30036
+      protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: teleport-auth
+  namespace: teleport
+spec:
+  type: NodePort
+  ports:
+    - name: auth
+      port: 3025
+      targetPort: 3025
+      nodePort: 31025
+      protocol: TCP
+    - name: kube
+      port: 3026
+      targetPort: 3026
+      nodePort: 31026
+      protocol: TCP