paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-04 22:13:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

puppet: Use IAM join method, when possible.

Browse Source
This commit is contained in:
Alex Vandiver
2024-01-30 14:55:29 -05:00
committed by Tim Abbott
parent 24d3832926
commit 16305761ac
4 changed files with 28 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
puppet/zulip_ops/manifests/teleport/db.pp
View File

@@ -5,6 +5,8 @@
class zulip_ops::teleport::db { class zulip_ops::teleport::db {
include zulip_ops::teleport::base include zulip_ops::teleport::base
$is_ec2 = zulipconf('machine', 'hosting_provider', 'ec2') == 'ec2'
$join_token = zulipsecret('secrets', 'teleport_join_token', '')
file { '/etc/teleport_db.yaml': file { '/etc/teleport_db.yaml':
ensure => file, ensure => file,
owner => 'root', owner => 'root',

13
puppet/zulip_ops/manifests/teleport/node.pp
View File

@@ -1,10 +1,13 @@
# @summary Provide Teleport SSH access to a node. # @summary Provide Teleport SSH access to a node.
# #
# https://goteleport.com/docs/admin-guide/#adding-nodes-to-the-cluster # EC2 nodes will automatically join the cluster; non-EC2 hosts will
# details additional manual steps to allow a node to join the cluster. # need to set a teleport_join_token secret. See
# https://goteleport.com/docs/agents/join-services-to-your-cluster/join-token/#generate-a-token
class zulip_ops::teleport::node { class zulip_ops::teleport::node {
include zulip_ops::teleport::base include zulip_ops::teleport::base
$is_ec2 = zulipconf('machine', 'hosting_provider', 'ec2') == 'ec2'
$join_token = zulipsecret('secrets', 'teleport_join_token', '')
concat { '/etc/teleport_node.yaml': concat { '/etc/teleport_node.yaml':
ensure => present, ensure => present,
owner => 'root', owner => 'root',
@@ -13,9 +16,9 @@ class zulip_ops::teleport::node {
notify => Service['teleport_node'], notify => Service['teleport_node'],
} }
concat::fragment { 'teleport_node_base': concat::fragment { 'teleport_node_base':
target => '/etc/teleport_node.yaml', target => '/etc/teleport_node.yaml',
source => 'puppet:///modules/zulip_ops/teleport_node.yaml', content => template('zulip_ops/teleport_node.yaml.template.erb'),
order => '01', order => '01',
} }
zulip_ops::teleport::part { 'node': } zulip_ops::teleport::part { 'node': }

9
puppet/zulip_ops/templates/teleport_db.yaml.template.erb
View File

@@ -12,6 +12,15 @@ teleport:
# Use the proxy address, to support running the db_service, which requires # Use the proxy address, to support running the db_service, which requires
# a reverse tunnel. # a reverse tunnel.
- teleport.zulipchat.net:443 - teleport.zulipchat.net:443
<% if @is_ec2 -%>
join_params:
method: iam
token_name: iam-token
<% else -%>
join_params:
method: token
token_name: <%= @join_token %>
<% end %>
ssh_service: ssh_service:
enabled: no enabled: no

10
puppet/zulip_ops/files/teleport_node.yaml → puppet/zulip_ops/templates/teleport_node.yaml.template.erb
View File

@@ -5,7 +5,15 @@ teleport:
# Use the proxy address, to support running the app_service, which requires # Use the proxy address, to support running the app_service, which requires
# a reverse tunnel. # a reverse tunnel.
- teleport.zulipchat.net:443 - teleport.zulipchat.net:443
<% if @is_ec2 -%>
join_params:
method: iam
token_name: iam-token
<% else -%>
join_params:
method: token
token_name: <%= @join_token %>
<% end %>
ssh_service: ssh_service:
enabled: "yes" enabled: "yes"
commands: commands: