kandra: Extract the Teleport host CA to disk.

2025-11-02 21:13:36 +00:00 · 2025-04-02 10:36:43 -04:00
parent a1bba7a453
commit 258003a1c8
4 changed files with 15 additions and 2 deletions
--- a/puppet/kandra/manifests/aws_tools.pp
+++ b/puppet/kandra/manifests/aws_tools.pp
@@ -38,7 +38,6 @@ class kandra::aws_tools {
      ],
      before  => Exec['Cleanup aws_signing_helper'],
    }
-    package { 'sqlite3': ensure => installed }
    file { '/usr/local/bin/teleport-aws-credentials':
      ensure  => file,
      require => [
--- a/puppet/kandra/manifests/profile/base.pp
+++ b/puppet/kandra/manifests/profile/base.pp
@@ -24,6 +24,8 @@ class kandra::profile::base {
    'emacs-nox',
    # Prevent accidental reboots
    'molly-guard',
+    # For extracting Teleport certs
+    'sqlite3',
    # Useful tools in a production environment
    'screen',
    'strace',
--- a/puppet/kandra/manifests/teleport/node.pp
+++ b/puppet/kandra/manifests/teleport/node.pp
@@ -22,4 +22,17 @@ class kandra::teleport::node {
  }

  kandra::teleport::part { 'node': }
+
+  $host_ca_path = '/etc/ssl/certs/teleport-ca-host.cert'
+  $host_ca_extract = @("EOT")
+    sqlite3 /var/lib/teleport/proc/sqlite.db "select value from kv where key = '/ids/node/current'" \
+      | jq -r .spec.tls_ca_certs[] \
+      | base64 -d \
+      > ${host_ca_path}
+    | EOT
+  exec { 'teleport host CA':
+    require => [Service['teleport_node'], Package['sqlite3']],
+    creates => $host_ca_path,
+    command => $host_ca_extract,
+  }
 }
--- a/puppet/kandra/templates/teleport_db.yaml.template.erb
+++ b/puppet/kandra/templates/teleport_db.yaml.template.erb
@@ -37,7 +37,6 @@ db_service:
    - name: "<%= @hostname %>"
      protocol: "postgres"
      uri: "<%= @fqdn %>:5432"
-      ca_cert_file: /etc/ssl/certs/teleport-ca.crt
      static_labels:
        hostname: "<%= @hostname %>"
      dynamic_labels: