diff --git a/services/teleport-agent/.sops.yaml b/services/teleport-agent/.sops.yaml new file mode 100644 index 0000000..9fa527f --- /dev/null +++ b/services/teleport-agent/.sops.yaml @@ -0,0 +1,11 @@ +creation_rules: + # encrypt all values from file + - path_regex: \.private\.dec\.yaml$ + encrypted_regex: '^(.*)$' + age: + - age1f9e4pvp5y8gzuk8mz2s5xm85dd7znxhk56tcpuxqwn78qfjwja0qekwlju + # encrypt secrets files + - path_regex: .*.yaml + encrypted_regex: ^(data|stringData)$ + age: + - age1f9e4pvp5y8gzuk8mz2s5xm85dd7znxhk56tcpuxqwn78qfjwja0qekwlju \ No newline at end of file diff --git a/services/teleport-agent/README.md b/services/teleport-agent/README.md index 7397e00..55c0efb 100644 --- a/services/teleport-agent/README.md +++ b/services/teleport-agent/README.md @@ -1,19 +1,15 @@ # Teleport-agent -## Setup and Deploy +## Setup -### Application layer +Using flux for reconciliation. -- agent helm chart - -```bash -./ops-scripts/apply-app.sh +``` bash +./ops-scripts/apply-flux.sh ``` -### Infra +**Encrypt secrets:** -- namespace - -```bash -./ops-scripts/apply-infra.sh +``` bash +sops -e deploy/app/helm-values-secret.dec.yaml > deploy/app/helm-values-secret.yaml ``` diff --git a/services/teleport-agent/deploy/app/.env.d/.gitignore b/services/teleport-agent/deploy/app/.env.d/.gitignore deleted file mode 100644 index 205c0ac..0000000 --- a/services/teleport-agent/deploy/app/.env.d/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -** -!.gitignore -!**.example.** \ No newline at end of file diff --git a/services/teleport-agent/deploy/app/helm-repo.yaml b/services/teleport-agent/deploy/app/helm-repo.yaml new file mode 100644 index 0000000..a64f86e --- /dev/null +++ b/services/teleport-agent/deploy/app/helm-repo.yaml @@ -0,0 +1,7 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: teleport +spec: + interval: 40h + url: https://charts.releases.teleport.dev \ No newline at end of file 
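Review bot: In .sops.yaml the first creation rule (`path_regex: \.private\.dec\.yaml$`) matches no file this commit introduces, while the README tells the operator to encrypt `deploy/app/helm-values-secret.dec.yaml`, which falls through to the second rule; either align the naming or document that `.private.dec.yaml` is reserved for full-file encryption. The second rule's `path_regex: .*.yaml` has an unescaped dot and no anchor — `path_regex: .*\.yaml$` says what is meant — and since sops takes the first matching rule and `.private.dec.yaml` also matches the catch-all, a comment such as `# order matters: the full-file rule must stay above the catch-all` would keep the two from being swapped. Separately, the only ignore file under deploy/app (`.env.d/.gitignore`) is removed in this commit and nothing ignores `*.dec.yaml`, so the plaintext file the README has you create can be committed by a stray `git add .`; a `deploy/app/.gitignore` containing `*.dec.yaml` closes that gap.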
diff --git a/services/teleport-agent/deploy/app/helm-values-secret.yaml b/services/teleport-agent/deploy/app/helm-values-secret.yaml
new file mode 100644
index 0000000..30c66e0
--- /dev/null
+++ b/services/teleport-agent/deploy/app/helm-values-secret.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: node-red-settings
+ namespace: default
+type: Opaque
+stringData:
+ roles: ENC[AES256_GCM,data:LnMmFa1Nw29i4CZxseiI+Gyd,iv:GEYphwL17N6MbV/cw79IQ0XvaF+os3sqLPcihFkoU/o=,tag:B7XjbSiJRBsTzRaWE7PKpQ==,type:str]
+ authToken: ENC[AES256_GCM,data:LnK+oJdVJV/1/Y9d4vEGTursMEOLvK5BR7alhk2ZsjE=,iv:h/Y93x8e7gx+cOzeH1GZJknNJk0ZmAUACJDvDKXeKHw=,tag:4gpZJqoLUA3AhaOrsNu6fA==,type:str]
+ proxyAddr: ENC[AES256_GCM,data:o5GMP1gcO7d+xBnu0TY7KCFYbyFm/CNFUF4FXa7PFA==,iv:byC/YaMiCEIoORHs5yp8hebV46pocrR2TjaFGN4SNJ8=,tag:0k9C5JqCSwMlnmcQNGKr0w==,type:str]
+ kubeClusterName: ENC[AES256_GCM,data:1laDtQ==,iv:oh7BITQ/E07WHraLSnMlalsmfUA3UOVT18h7Z9W4Gxs=,tag:drua4LT1kVdtd6AsvFTllg==,type:str]
+ labels:
+ teleport.internal/resource-id: ENC[AES256_GCM,data:JKPmeKERfekLvw5t1OKOvEZ2Pj3PRMFuauxHrv+tomJ0DJif,iv:50hzLHJBnT8/HECXshhnsINY1GMO5xB4zUyKDsMJLng=,tag:kKujkCp2bd2cvtPeuXnJbQ==,type:str]
+sops:
+ age:
+ - enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkU01YcEZ0YUQ1UEE5djh1
+ L09jTitrRjFMRU1Rem9XVW1BYjlZaHl0WkhrClhwenU1eFpMaTRMYm5NUmFrbUN5
+ MVFacnM2ak1OTU9qMWlJUlZGQTdEeUEKLS0tIForTTFReTZMWGt1cDV5ZUx0UXNB
+ WEczQjBad3Z4WVFhZTdBOENBZmMyOWsKIxJmYshgSE+TAPXOVMgibmhgBxk6cZMo
+ GGfau043oYzsTclKRiZ4Nqvm4xPoK6ROrOtLlwqD3cT5+n024bv/ZQ==
+ -----END AGE ENCRYPTED FILE-----
+ recipient: age1f9e4pvp5y8gzuk8mz2s5xm85dd7znxhk56tcpuxqwn78qfjwja0qekwlju
+ encrypted_regex: ^(data|stringData)$
+ lastmodified: "2026-06-07T14:23:19Z"
+ mac: ENC[AES256_GCM,data:MhTqEKu1mLpcsIzN9UY7ltXPUsqsyb+/oWgi3bwcp6VScERP4tIYeqZyCAzQFw+oOvsR2Ii/PCDPRY536MrkPCQeacrsnneuemYn/FIZfwezZQMPBSGjInncs6IvoUDi8y/0TtL92voYqGqlVv0WuOvcNol83Baj/tKUa7QT8tA=,iv:IZxuNcDOlm+7F1SPILqXtQA8+wQBPv5/C6CWRSn2sxs=,tag:CxveRc4Vp71IXeCk8zJNMw==,type:str]
+ version: 3.13.1
diff --git a/services/teleport-agent/deploy/app/helm-values.yaml b/services/teleport-agent/deploy/app/helm-values.yaml
deleted file mode 100644
index 089f73e..0000000
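Review bot: The encrypted Secret's `metadata.name: node-red-settings` and `namespace: default` do not belong to this service — the kustomization added in the same commit generates `teleport-agent-helm-install-values` in namespace `teleport-agent`, and the deleted helm-values.yaml carried exactly these keys (`roles`, `authToken`, `proxyAddr`, `kubeClusterName`, the resource-id label), so the metadata looks copied from another service's file. Change it to `name: teleport-agent-helm-install-values` and drop the explicit `namespace: default` so kustomize's `namespace: teleport-agent` applies. Make that edit through `sops deploy/app/helm-values-secret.yaml` rather than by hand: metadata is not encrypted, but unless `mac_only_encrypted` is set the `mac` covers every value, so a hand edit makes Flux reject the file at decryption. Only `authToken` (the Teleport join token) is sensitive here, which is fine, but it means anyone holding the age identity can join a node to the Teleport cluster.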
--- a/services/teleport-agent/deploy/app/helm-values.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-roles: kube,app,discovery
-authToken: ""
-proxyAddr: ""
-kubeClusterName: casa
-labels:
- teleport.internal/resource-id: ""
diff --git a/services/teleport-agent/deploy/app/kustomization.yaml b/services/teleport-agent/deploy/app/kustomization.yaml
new file mode 100644
index 0000000..09a14f7
--- /dev/null
+++ b/services/teleport-agent/deploy/app/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: teleport-agent
+resources:
+ - helm-repo.yaml
+ # - helm-release.yaml
+secretGenerator:
+ - name: teleport-agent-helm-install-values
+ files:
+ - values.yaml=helm-values.yaml
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/services/teleport-agent/deploy/flux/.env.d/.gitignore b/services/teleport-agent/deploy/flux/.env.d/.gitignore
new file mode 100644
index 0000000..d29675e
--- /dev/null
+++ b/services/teleport-agent/deploy/flux/.env.d/.gitignore
@@ -0,0 +1,2 @@
+**
+!.gitignore
\ No newline at end of file
diff --git a/services/teleport-agent/deploy/flux/app-sync.yaml b/services/teleport-agent/deploy/flux/app-sync.yaml
new file mode 100644
index 0000000..1d19925
--- /dev/null
+++ b/services/teleport-agent/deploy/flux/app-sync.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: teleport-agent
+spec:
+ interval: 1m
+ sourceRef:
+ kind: GitRepository
+ name: casa
+ namespace: casa-limbosolutions-com
+ path: services/teleport-agent/deploy/app
+ prune: true
+ decryption:
+ provider: sops
+ secretRef:
+ name: flux-sops-age
\ No newline at end of file
diff --git a/services/teleport-agent/deploy/flux/kustomization.yaml b/services/teleport-agent/deploy/flux/kustomization.yaml
new file mode 100644
index 0000000..5ae33f6
--- /dev/null
+++ b/services/teleport-agent/deploy/flux/kustomization.yaml
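Review bot: In deploy/app/kustomization.yaml the `secretGenerator` reads `helm-values.yaml`, but this same commit deletes that file, so `kubectl kustomize deploy/app` — and Flux's reconcile of this path — fails on a missing file, while the encrypted `helm-values-secret.yaml` that replaces it is not listed under `resources` and is therefore never decrypted or applied. Drop the generator and add the sops file as a resource: `resources:` / `  - helm-repo.yaml` / `  - helm-values-secret.yaml`. With `helm-release.yaml` still commented out nothing consumes the values yet; when it is added, it should read them from the Secret via `valuesFrom` so the decrypted join token never lands in a ConfigMap or in the HelmRelease spec.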
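Review bot: In app-sync.yaml the `sourceRef` points at GitRepository `casa` in namespace `casa-limbosolutions-com` while this Kustomization itself lands in `teleport-agent` (set by deploy/flux/kustomization.yaml); cross-namespace source references are only honoured when kustomize-controller is not started with `--no-cross-namespace-refs=true`, so record that dependency, e.g. `# cross-namespace sourceRef: requires kustomize-controller without --no-cross-namespace-refs`. `prune: true` with `interval: 1m` means anything under deploy/app that stops rendering is deleted from the cluster within a minute — intended GitOps behaviour, but a one-line comment next to `prune` saves the next reader a surprise. The `decryption.secretRef` must be in the same namespace as this Kustomization, which the sibling kustomization.yaml satisfies; a comment `# must exist in this namespace` next to `name: flux-sops-age` makes that coupling explicit.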
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: teleport-agent
+resources:
+ - app-sync.yaml
+secretGenerator:
+ - name: flux-sops-age
+ files:
+ - "age.agekey=./.env.d/age.agekey"
+generatorOptions:
+ disableNameSuffixHash: true
\ No newline at end of file
diff --git a/services/teleport-agent/ops-scripts/apply-flux.sh b/services/teleport-agent/ops-scripts/apply-flux.sh
new file mode 100755
index 0000000..e4f8708
--- /dev/null
+++ b/services/teleport-agent/ops-scripts/apply-flux.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+
+kubectl kustomize deploy/flux | kubectl apply -f -
\ No newline at end of file
diff --git a/services/teleport-agent/ops-scripts/apply-infra.sh b/services/teleport-agent/ops-scripts/apply-infra.sh
deleted file mode 100755
index e73147a..0000000
--- a/services/teleport-agent/ops-scripts/apply-infra.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-set -e
-kubectl create namespace teleport-agent || true
\ No newline at end of file
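Review bot: deploy/flux/kustomization.yaml wraps the age private key from `./.env.d/age.agekey` into Secret `flux-sops-age`, so every operator who runs apply-flux.sh needs the cluster's decryption identity on their workstation, and nothing in the file says so — add `# age.agekey: the cluster's private age identity; never committed (see .env.d/.gitignore), generate with age-keygen and keep one per cluster` above the generator. Because the result is sent through `kubectl apply`, the key is also stored a second time in the Secret's `last-applied-configuration` annotation; `kubectl create secret generic flux-sops-age --from-file=age.agekey -n teleport-agent`, the form Flux's own documentation shows, avoids that duplicate copy. Anyone who can read Secrets in `teleport-agent` can decrypt everything encrypted to this recipient, so RBAC on that namespace should be reviewed together with this change.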
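Review bot: In apply-flux.sh `set -e` does not catch a failing `kubectl kustomize deploy/flux` in the pipeline — with `age.agekey` missing the error goes to stderr and `kubectl apply -f -` still runs on empty input — so use `set -euo pipefail`. The script also assumes it is run from `services/teleport-agent` (relative `deploy/flux`) and applies the age private key to whatever kubeconfig context happens to be current; a `cd "$(dirname "$0")/.."` and printing `kubectl config current-context` before the apply would prevent pushing the key into the wrong cluster.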