fluxcd: teleport agent

2026-06-07 14:30:10 +00:00
parent 837b30ff49
commit 0837efccf9
12 changed files with 98 additions and 23 deletions
@@ -0,0 +1,11 @@
+creation_rules:
+  # encrypt all values from file
+  - path_regex: \.private\.dec\.yaml$
+    encrypted_regex: '^(.*)$'
+    age:
+      - age1f9e4pvp5y8gzuk8mz2s5xm85dd7znxhk56tcpuxqwn78qfjwja0qekwlju
+  # encrypt secrets files
+  - path_regex: .*.yaml
+    encrypted_regex: ^(data|stringData)$
+    age: 
+      - age1f9e4pvp5y8gzuk8mz2s5xm85dd7znxhk56tcpuxqwn78qfjwja0qekwlju
@@ -1,19 +1,15 @@
 # Teleport-agent

-## Setup and Deploy
+## Setup

-### Application layer
+Using flux for reconciliation.

- agent helm chart
-
-```bash
-./ops-scripts/apply-app.sh
+``` bash
+./ops-scripts/apply-flux.sh
 ```

-### Infra
+**Encrypt secrets:**

- namespace
-  
-```bash
-./ops-scripts/apply-infra.sh
+``` bash
+sops -e deploy/app/helm-values-secret.dec.yaml > deploy/app/helm-values-secret.yaml
 ```
@@ -1,3 +0,0 @@
-**
-!.gitignore
-!**.example.**
@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: teleport
+spec:
+  interval: 40h
+  url: https://charts.releases.teleport.dev
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: node-red-settings
+    namespace: default
+type: Opaque
+stringData:
+    roles: ENC[AES256_GCM,data:LnMmFa1Nw29i4CZxseiI+Gyd,iv:GEYphwL17N6MbV/cw79IQ0XvaF+os3sqLPcihFkoU/o=,tag:B7XjbSiJRBsTzRaWE7PKpQ==,type:str]
+    authToken: ENC[AES256_GCM,data:LnK+oJdVJV/1/Y9d4vEGTursMEOLvK5BR7alhk2ZsjE=,iv:h/Y93x8e7gx+cOzeH1GZJknNJk0ZmAUACJDvDKXeKHw=,tag:4gpZJqoLUA3AhaOrsNu6fA==,type:str]
+    proxyAddr: ENC[AES256_GCM,data:o5GMP1gcO7d+xBnu0TY7KCFYbyFm/CNFUF4FXa7PFA==,iv:byC/YaMiCEIoORHs5yp8hebV46pocrR2TjaFGN4SNJ8=,tag:0k9C5JqCSwMlnmcQNGKr0w==,type:str]
+    kubeClusterName: ENC[AES256_GCM,data:1laDtQ==,iv:oh7BITQ/E07WHraLSnMlalsmfUA3UOVT18h7Z9W4Gxs=,tag:drua4LT1kVdtd6AsvFTllg==,type:str]
+    labels:
+        teleport.internal/resource-id: ENC[AES256_GCM,data:JKPmeKERfekLvw5t1OKOvEZ2Pj3PRMFuauxHrv+tomJ0DJif,iv:50hzLHJBnT8/HECXshhnsINY1GMO5xB4zUyKDsMJLng=,tag:kKujkCp2bd2cvtPeuXnJbQ==,type:str]
+sops:
+    age:
+        - enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkU01YcEZ0YUQ1UEE5djh1
+            L09jTitrRjFMRU1Rem9XVW1BYjlZaHl0WkhrClhwenU1eFpMaTRMYm5NUmFrbUN5
+            MVFacnM2ak1OTU9qMWlJUlZGQTdEeUEKLS0tIForTTFReTZMWGt1cDV5ZUx0UXNB
+            WEczQjBad3Z4WVFhZTdBOENBZmMyOWsKIxJmYshgSE+TAPXOVMgibmhgBxk6cZMo
+            GGfau043oYzsTclKRiZ4Nqvm4xPoK6ROrOtLlwqD3cT5+n024bv/ZQ==
+            -----END AGE ENCRYPTED FILE-----
+          recipient: age1f9e4pvp5y8gzuk8mz2s5xm85dd7znxhk56tcpuxqwn78qfjwja0qekwlju
+    encrypted_regex: ^(data|stringData)$
+    lastmodified: "2026-06-07T14:23:19Z"
+    mac: ENC[AES256_GCM,data:MhTqEKu1mLpcsIzN9UY7ltXPUsqsyb+/oWgi3bwcp6VScERP4tIYeqZyCAzQFw+oOvsR2Ii/PCDPRY536MrkPCQeacrsnneuemYn/FIZfwezZQMPBSGjInncs6IvoUDi8y/0TtL92voYqGqlVv0WuOvcNol83Baj/tKUa7QT8tA=,iv:IZxuNcDOlm+7F1SPILqXtQA8+wQBPv5/C6CWRSn2sxs=,tag:CxveRc4Vp71IXeCk8zJNMw==,type:str]
+    version: 3.13.1
@@ -1,6 +0,0 @@
-roles: kube,app,discovery
-authToken: ""
-proxyAddr: ""
-kubeClusterName: casa
-labels:
-    teleport.internal/resource-id: ""
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: teleport-agent
+resources:
+ - helm-repo.yaml 
+ # - helm-release.yaml 
+secretGenerator:
+  - name: teleport-agent-helm-install-values
+    files:
+      - values.yaml=helm-values.yaml
+generatorOptions:
+  disableNameSuffixHash: true
@@ -0,0 +1,2 @@
+**
+!.gitignore
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: teleport-agent
+spec:
+  interval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: casa
+    namespace: casa-limbosolutions-com
+  path: services/teleport-agent/deploy/app
+  prune: true
+  decryption:
+    provider: sops
+    secretRef:
+      name: flux-sops-age
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: teleport-agent
+resources:
+ - app-sync.yaml
+secretGenerator:
+  - name: flux-sops-age
+    files:
+      - "age.agekey=./.env.d/age.agekey"
+generatorOptions:
+  disableNameSuffixHash: true
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+
+kubectl kustomize deploy/flux | kubectl apply -f -
@@ -1,3 +0,0 @@
-#!/bin/bash
-set -e
-kubectl create namespace teleport-agent || true