From 61b6fc865cc351fce307913dadabc388ec151d0c Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Tue, 8 Jun 2021 14:41:02 -0700
Subject: [PATCH] puppet: Add a label to teleport applications, to allow RBAC.

Roles can only grant or deny access based on labels; set one based on the application name.
---
 puppet/zulip_ops/manifests/profile/nagios.pp | 5 ++++-
 puppet/zulip_ops/manifests/teleport/application.pp | 3 ++-
 puppet/zulip_ops/templates/teleport_app.yaml.template.erb | 8 ++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 puppet/zulip_ops/templates/teleport_app.yaml.template.erb

diff --git a/puppet/zulip_ops/manifests/profile/nagios.pp b/puppet/zulip_ops/manifests/profile/nagios.pp
index 5caefa2bc0..14867587c5 100644
--- a/puppet/zulip_ops/manifests/profile/nagios.pp
+++ b/puppet/zulip_ops/manifests/profile/nagios.pp
@@ -57,7 +57,10 @@ class zulip_ops::profile::nagios {
 ],
 notify => Service['apache2'],
 }
- zulip_ops::teleport::application{ 'nagios': port => '3000' }
+ zulip_ops::teleport::application{ 'nagios':
+ description => 'Monitoring: nagios and munin',
+ port => '3000',
+ }
 
 file { '/etc/nagios3/conf.d/contacts.cfg':
 require => Package[nagios3],
diff --git a/puppet/zulip_ops/manifests/teleport/application.pp b/puppet/zulip_ops/manifests/teleport/application.pp
index e9249decb3..d24f1688c1 100644
--- a/puppet/zulip_ops/manifests/teleport/application.pp
+++ b/puppet/zulip_ops/manifests/teleport/application.pp
@@ -3,11 +3,12 @@
 # See https://goteleport.com/docs/application-access/
 define zulip_ops::teleport::application (
 $port,
+ $description = '',
 $order = '50',
 ) {
 concat::fragment { "teleport_app_${name}":
 target => '/etc/teleport_node.yaml',
 order => $order,
- content => " - name: ${name}\n uri: http://127.0.0.1:${port}\n",
+ content => template('zulip_ops/teleport_app.yaml.template.erb'),
 }
 }
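Review bot: The new `$description` parameter is untyped, and in this commit's teleport_app.yaml.template.erb hunk `@description` (like `@name` and `@port`) is interpolated verbatim inside a double-quoted YAML scalar, so a value containing `"`, `\` or a newline produces an invalid — or differently structured — /etc/teleport_node.yaml, the node configuration that lists which applications Teleport proxies. Constraining the parameters at the define boundary keeps the template simple and makes a bad value fail at catalog compile rather than at teleport start, e.g. `Pattern[/\A[^"\\\n]*\z/] $description = '',` (at minimum `String $description = '',`); a similar check would suit `$port`, which the nagios.pp hunk shows callers passing as the string `'3000'`. Since the template's `labels: name:` entry is the only value a Teleport role can match on, a one-line comment on the define saying that the resource title doubles as the RBAC label `name` would also help the next maintainer. The define body lies entirely within this hunk; only the comment block above `# See ...` starts outside it.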
diff --git a/puppet/zulip_ops/templates/teleport_app.yaml.template.erb b/puppet/zulip_ops/templates/teleport_app.yaml.template.erb
new file mode 100644
index 0000000000..5ab500ab5b
--- /dev/null
+++ b/puppet/zulip_ops/templates/teleport_app.yaml.template.erb
@@ -0,0 +1,8 @@
+<%# This is appended to puppet/zulip_ops/files/teleport_node.yaml, so should be
+ indented. Specifically, the "-" should be in the same column as the "T" at
+ the start of this comment. -%>
+ - name: "<%= @name %>"
+ description: "<%= @description %>"
+ uri: "http://127.0.0.1:<%= @port %>"
+ labels:
+ name: "<%= @name %>"