From 74ab839a83ca078b6792281e36cd9d1e526a1c36 Mon Sep 17 00:00:00 2001
From: Josh Wolfe
Date: Wed, 30 Nov 2022 15:56:10 -0500
Subject: [PATCH] Add teleport cluster & agent

---
 kubernetes/apps/admin/kustomization.yaml | 1 +
 .../admin/teleport/agent-helm-release.yaml | 27 +++++++++++++++++++
 .../admin/teleport/cluster-helm-release.yaml | 24 +++++++++++++++++
 .../apps/admin/teleport/config-pvc.yaml | 13 +++++++++
 .../apps/admin/teleport/kustomization.yaml | 7 +++++
 .../bootstrap/cluster-secrets.sops.yaml | 6 +++--
 .../flux-system/helm-repos/kustomization.yaml | 1 +
 .../flux-system/helm-repos/teleport.yaml | 10 +++++++
 8 files changed, 87 insertions(+), 2 deletions(-)
 create mode 100644 kubernetes/apps/admin/teleport/agent-helm-release.yaml
 create mode 100644 kubernetes/apps/admin/teleport/cluster-helm-release.yaml
 create mode 100644 kubernetes/apps/admin/teleport/config-pvc.yaml
 create mode 100644 kubernetes/apps/admin/teleport/kustomization.yaml
 create mode 100644 kubernetes/bootstrap/flux-system/helm-repos/teleport.yaml

diff --git a/kubernetes/apps/admin/kustomization.yaml b/kubernetes/apps/admin/kustomization.yaml
index 09622ba1e..fdd8efab7 100644
--- a/kubernetes/apps/admin/kustomization.yaml
+++ b/kubernetes/apps/admin/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - flux-notifications
 - traefik
 - dashboard
+ - teleport
diff --git a/kubernetes/apps/admin/teleport/agent-helm-release.yaml b/kubernetes/apps/admin/teleport/agent-helm-release.yaml
new file mode 100644
index 000000000..8a24323ff
--- /dev/null
+++ b/kubernetes/apps/admin/teleport/agent-helm-release.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: teleport-agent
+ namespace: admin
+spec:
+ interval: 5m
+ upgrade:
+ force: true
+ chart:
+ spec:
+ chart: teleport-kube-agent
+ version: 11.1.0
+ sourceRef:
+ kind: HelmRepository
+ name: teleport
+ namespace: flux-system
+ interval: 5m
+ values:
+ authToken: "${teleport_join_token}"
+ proxyAddr: "teleport-cluster.admin.svc.cluster.local:3080"
+ roles: "kube,app"
+ kubeClusterName: "${teleport_cluster_name}"
+ appResources:
+ - labels:
+ "*": "*"
diff --git a/kubernetes/apps/admin/teleport/cluster-helm-release.yaml b/kubernetes/apps/admin/teleport/cluster-helm-release.yaml
new file mode 100644
index 000000000..4b5b69862
--- /dev/null
+++ b/kubernetes/apps/admin/teleport/cluster-helm-release.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: teleport-cluster
+ namespace: admin
+spec:
+ interval: 5m
+ upgrade:
+ force: true
+ chart:
+ spec:
+ chart: teleport-cluster
+ version: 11.1.0
+ sourceRef:
+ kind: HelmRepository
+ name: teleport
+ namespace: flux-system
+ interval: 5m
+ values:
+ clusterName: "teleport.${domain}"
+ kubeClusterName: "${teleport_cluster_name}"
+ persistence:
+ existingClaimName: teleport-cluster-config
diff --git a/kubernetes/apps/admin/teleport/config-pvc.yaml b/kubernetes/apps/admin/teleport/config-pvc.yaml
new file mode 100644
index 000000000..2cb5977d4
--- /dev/null
+++ b/kubernetes/apps/admin/teleport/config-pvc.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: teleport-cluster-config
+ namespace: admin
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: longhorn
diff --git a/kubernetes/apps/admin/teleport/kustomization.yaml b/kubernetes/apps/admin/teleport/kustomization.yaml
new file mode 100644
index 000000000..0f10accb8
--- /dev/null
+++ b/kubernetes/apps/admin/teleport/kustomization.yaml
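Review bot: The join token reaches the agent as a plain Helm value, `authToken: "${teleport_join_token}"`, so once Flux has substituted it (presumably via postBuild from cluster-secrets.sops.yaml) the literal token sits in the HelmRelease object in the `admin` namespace and in the Helm release-history Secret, readable by anyone who can get those objects and not only by readers of the intended Secret. The teleport-kube-agent chart can read the token from a pre-created Secret instead (its `joinTokenSecret` values; confirm the option is present in chart 11.1.0), which would keep the token out of the HelmRelease spec. A token kept as a static value in the secrets file presumably was issued with a long or indefinite TTL; a comment above `authToken` recording the token's TTL and how it is rotated would make that explicit. The `appResources` selector `"*": "*"` makes this agent serve every app resource registered in the cluster; if that breadth is intended, say so in a comment, otherwise narrow the labels.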
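Review bot: `clusterName: "teleport.${domain}"` is fixed by Teleport at first start — the auth service records it in the backend on the `teleport-cluster-config` claim and rejects a different name afterwards — so a later change to `${domain}` will not take effect without wiping that PVC; a comment next to `clusterName` saying `# immutable after first start; changing it requires recreating the teleport-cluster-config PVC` would prevent a confusing outage. That same PVC (defined in config-pvc.yaml in this commit) will hold the auth backend, including the cluster CA keys, so it needs backups and restricted access like any other secret store. No TLS or authentication values are set in this release, so the proxy certificate and second-factor behaviour come from the chart defaults; if that is deliberate, a one-line comment under `values` stating it would help the next reader.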
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - cluster-helm-release.yaml
+ - agent-helm-release.yaml
+ - config-pvc.yaml
diff --git a/kubernetes/bootstrap/cluster-secrets.sops.yaml b/kubernetes/bootstrap/cluster-secrets.sops.yaml
index f3d2e865b..d798ffd01 100644
--- a/kubernetes/bootstrap/cluster-secrets.sops.yaml
+++ b/kubernetes/bootstrap/cluster-secrets.sops.yaml
@@ -36,6 +36,8 @@ stringData:
 flux_discord_webhook: ENC[AES256_GCM,data:PGkEfTVSddiWGha+fc5ZTKep8DpMT8IFTt2gPxIOAEBeUOEB3PVEJP/YIY055acxxUzFIEH39Nze5aCBaq0952d60fITnmMq4eRcci00tY4lPdy8ckSTwxxHnOJ4ob+GBMTBIxO+Z2SqfFPKH+FK1oXPOpl6D4yc,iv:ERRkait6R3UcC95dPQ/QFAVRT5z7Am37QMDrG9PDEN8=,tag:igrrr+sH+tn7M66rp8uCwA==,type:str]
 grafana_admin_password: ENC[AES256_GCM,data:wLQAs6dN1o/vt9NiCsnDM54KRovAqg6k/VpHfy6VrFc=,iv:GP3kSK4rWRQwJAByaX8aDMUlbyVT+2bEN9GDHoG5qaE=,tag:hHPLk7QLy0j38+GGlI0sxA==,type:str]
 alertmanager_discord_webhook: ENC[AES256_GCM,data:RGumR3YkRhX7lBUvWC0BeC+d/2n5/5G84wYtKDR6+wn1seeYRDaduDiecZpz6BvBeZCqBX9D7li2Y1z/4aQqbNhbXuAOXLk/XvmDhv4b8shPdkXa/7tXJWSRukOKEKzpVN75DkkdxnRUyduNlZOkEn82CiHEWz2Dv3YAMzAI,iv:Hwul9Zvh8s+PLm88nCrV6p6JPQiIg3Va0oZB9Bb8xBA=,tag:mp9YCocAMzJcPFGR5jC3ag==,type:str]
+ teleport_cluster_name: ENC[AES256_GCM,data:5+dcSv9/iTCs,iv:5s+6gnUYHqzWuZEuTJDAxkahnX/wwJcVlEqvXs6QJ0s=,tag:R9QZSXrlH22LNsX5G/dPUQ==,type:str]
+ teleport_join_token: ENC[AES256_GCM,data:3+mZN8SEzxhIKzLoy2ePlix1V678/yLsmt2OwKur5iI=,iv:be0YYQYs1AAYItGGiWI9LDJ+72i+LHshxxPbqY87Sr0=,tag:rTvkMYVtaCWrnf953IoAug==,type:str]
 kind: Secret
 metadata:
 creationTimestamp: null
@@ -47,8 +49,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2022-10-30T23:36:17Z"
- mac: ENC[AES256_GCM,data:FXAtR4IX3iVFQie5UKaxSogCt4zfKCEktnZcsFNdO3mHpAtCOo/XXYIkpGgH8m0VoQypRU1itUunEYK7/YFZlE8xJPHYYLMlftGQuatsFTtnlX4FpnUXs4NQyAWjiy73Fv8g040m2Wh7EcwB95Um3XXi7adhWd0lFGxDlAyZNkY=,iv:5wbG0hl9ugtneoXwgQsC/cr6OWj3Q8tLOOo4hdN5k6Q=,tag:YVoaf5KC5SXLyLOBc4NLVQ==,type:str]
+ lastmodified: "2022-11-30T21:40:41Z"
+ mac: ENC[AES256_GCM,data:xX2aTrZifu20OZyXUlzHK04OG8xbKr7AQhcLbCt5z8G6wsD5KvDC8gqjcFL7b6406GM6IqNuLHY8gDLKPd9pZAAKL2P3xN675LAB/yPL0XXQNL8VYc/MLibBGS0pcVAg8pzT6PWz2z0URvZ4AH6zzSD2t1mUVC6R858miz7u7d0=,iv:PwpX3caeVLe/Xvw5JLglUL6grQri13u7xk6prc9yMWQ=,tag:51UEKcxkGW4Ft+rQqfw0Yg==,type:str]
 pgp:
 - created_at: "2022-08-10T19:08:51Z"
 enc: |
diff --git a/kubernetes/bootstrap/flux-system/helm-repos/kustomization.yaml b/kubernetes/bootstrap/flux-system/helm-repos/kustomization.yaml
index d6a379d6f..71a54f00c 100644
--- a/kubernetes/bootstrap/flux-system/helm-repos/kustomization.yaml
+++ b/kubernetes/bootstrap/flux-system/helm-repos/kustomization.yaml
@@ -12,3 +12,4 @@ resources:
 - grafana.yaml
 - dashboard.yaml
 - bjw-s.yaml
+ - teleport.yaml
diff --git a/kubernetes/bootstrap/flux-system/helm-repos/teleport.yaml b/kubernetes/bootstrap/flux-system/helm-repos/teleport.yaml
new file mode 100644
index 000000000..4469672bf
--- /dev/null
+++ b/kubernetes/bootstrap/flux-system/helm-repos/teleport.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: teleport
+ namespace: flux-system
+spec:
+ interval: 15m
+ url: https://charts.releases.teleport.dev
+ timeout: 3m