Add agent support to Teleport AMIs for use with Terraform (gravitatio…

…nal#8387) * Initial commit adding agent mode * Disable auth_service and proxy_service for agents Also explicitly start the Teleport service when the config job has run * Remove kubernetes support from agent Preferred deployment method is in-cluster using the Helm chart * Handle difference between labels and static_labels * Don't override local hostname for agents
vladlosev · Oct 18, 2021 · f922089 · f922089
1 parent eb41be4
commit f922089
Show file tree

Hide file tree

Showing 12 changed files with 511 additions and 0 deletions.
diff --git a/assets/aws/files/bin/teleport-generate-config b/assets/aws/files/bin/teleport-generate-config
@@ -704,6 +704,116 @@ if [[ "${TELEPORT_ROLE}" == "auth" || "${TELEPORT_ROLE}" == "node" || "${TELEPOR
 EOF
     systemctl_wrap enable telegraf.service
     systemctl_wrap restart telegraf.service
+# handle configuration for agent mode
+elif [[ "${TELEPORT_ROLE}" == "agent" ]]; then
+    echo "agent" > ${USE_CONFD_DIR}/role.agent
+    cat >${USE_CONFIG_PATH} <<EOF
+teleport:
+  log:
+    output: stderr
+    severity: INFO
+  data_dir: /var/lib/teleport
+  auth_token: ${TELEPORT_JOIN_TOKEN}
+  auth_servers: ['${TELEPORT_PROXY_SERVER_LB}']
+
+auth_service:
+  enabled: no
+proxy_service:
+  enabled: no
+EOF
+
+  # enable SSH service
+  if [[ "${TELEPORT_AGENT_SSH_ENABLED}" == "true" ]]; then
+    cat >>${USE_CONFIG_PATH} <<EOF
+ssh_service:
+  enabled: yes
+EOF
+    # add SSH labels
+    if [[ "${TELEPORT_AGENT_SSH_LABELS}" != "" ]]; then
+      # replace | with a literal newline and space
+      TELEPORT_AGENT_SSH_LABELS_EXPANDED="${TELEPORT_AGENT_SSH_LABELS//|/
+    }"
+      cat >>${USE_CONFIG_PATH} <<EOF
+  labels:
+    ${TELEPORT_AGENT_SSH_LABELS_EXPANDED}
+EOF
+    fi
+  else
+    # we have to explicitly disable the SSH service if it's not being used, as it historically defaults to enabled
+    cat >>${USE_CONFIG_PATH} <<EOF
+  ssh_service:
+    enabled: no
+EOF
+  fi
+
+  # enable database service
+  if [[ "${TELEPORT_AGENT_DB_ENABLED}" == "true" ]]; then
+    cat >>${USE_CONFIG_PATH} <<EOF
+db_service:
+  enabled: yes
+  databases:
+  - name: ${TELEPORT_AGENT_DB_NAME}
+    description: "${TELEPORT_AGENT_DB_DESCRIPTION:-""}"
+    protocol: ${TELEPORT_AGENT_DB_PROTOCOL}
+    uri: "${TELEPORT_AGENT_DB_URI}"
+    aws:
+      region: ${TELEPORT_AGENT_DB_REGION:-$EC2_REGION}
+EOF
+    # add Redshift-specific config
+    if [[ "${TELEPORT_AGENT_DB_REDSHIFT_CLUSTER_ID}" != "" ]]; then
+          cat >>${USE_CONFIG_PATH} <<EOF
+      redshift:
+        cluster_id: "${TELEPORT_AGENT_DB_REDSHIFT_CLUSTER_ID}"
+EOF
+    fi
+    # add Database labels
+    if [[ "${TELEPORT_AGENT_DB_LABELS}" != "" ]]; then
+      # replace | with a literal newline and space
+      TELEPORT_AGENT_DB_LABELS_EXPANDED="${TELEPORT_AGENT_DB_LABELS//|/
+      }"
+      cat >>${USE_CONFIG_PATH} <<EOF
+    static_labels:
+      ${TELEPORT_AGENT_DB_LABELS_EXPANDED}
+EOF
+    fi
+  fi
+
+# enable app service
+  if [[ "${TELEPORT_AGENT_APP_ENABLED}" == "true" ]]; then
+    cat >>${USE_CONFIG_PATH} <<EOF
+app_service:
+  enabled: yes
+  apps:
+  - name: ${TELEPORT_AGENT_APP_NAME}
+    description: "${TELEPORT_AGENT_APP_DESCRIPTION:-""}"
+    uri: "${TELEPORT_AGENT_APP_URI}"
+EOF
+    # add public_addr if set
+    if [[ "${TELEPORT_AGENT_APP_PUBLIC_ADDR}" != "" ]]; then
+      cat >>${USE_CONFIG_PATH} <<EOF
+    public_addr: "${TELEPORT_AGENT_APP_PUBLIC_ADDR}"
+EOF
+    fi
+    # add insecure_skip_verify if set
+    if [[ "${TELEPORT_AGENT_APP_INSECURE_SKIP_VERIFY}" == "true" ]]; then
+      cat >>${USE_CONFIG_PATH} <<EOF
+    insecure_skip_verify: true
+EOF
+    fi
+    # add app labels
+    if [[ "${TELEPORT_AGENT_APP_LABELS}" != "" ]]; then
+      # replace | with a literal newline and space
+      TELEPORT_AGENT_APP_LABELS_EXPANDED="${TELEPORT_AGENT_APP_LABELS//|/
+      }"
+      cat >>${USE_CONFIG_PATH} <<EOF
+    labels:
+      ${TELEPORT_AGENT_APP_LABELS_EXPANDED}
+EOF
+    fi
+  fi
+
+  # enable service
+  systemctl_wrap start --no-block teleport.service
 fi
 
 # make sure config file can be edited by pre-start commands running later (assuming it exists)

diff --git a/assets/aws/files/tests/agent-app-blank-description.bats b/assets/aws/files/tests/agent-app-blank-description.bats
@@ -0,0 +1,24 @@
+write_confd_file() {
+    cat << EOF > ${TELEPORT_CONFD_DIR?}/conf
+TELEPORT_ROLE=agent
+EC2_REGION=us-west-2
+TELEPORT_AGENT_APP_ENABLED=true
+TELEPORT_AGENT_APP_LABELS="env: prod|app: grafana"
+TELEPORT_AGENT_APP_NAME=grafana-prod
+TELEPORT_AGENT_APP_URI=grafana001.mycluster.hosting:3000
+TELEPORT_JOIN_TOKEN=example-auth-token-for-tests
+TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
+EOF
+}
+
+load fixtures/common
+
+@test "[${TEST_SUITE?}] config file was generated without error" {
+    [ ${GENERATE_EXIT_CODE?} -eq 0 ]
+}
+
+@test "[${TEST_SUITE?}] app_service.apps.description is blank" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${APP_APPS_BLOCK?}"
+    echo "${APP_APPS_BLOCK?}" | grep -qE "^    description: \"\""
+}
diff --git a/assets/aws/files/tests/agent-app-insecure-skip-verify.bats b/assets/aws/files/tests/agent-app-insecure-skip-verify.bats
@@ -0,0 +1,25 @@
+write_confd_file() {
+    cat << EOF > ${TELEPORT_CONFD_DIR?}/conf
+TELEPORT_ROLE=agent
+EC2_REGION=us-west-2
+TELEPORT_AGENT_APP_ENABLED=true
+TELEPORT_AGENT_APP_LABELS="env: prod|app: grafana"
+TELEPORT_AGENT_APP_NAME=grafana-prod
+TELEPORT_AGENT_APP_URI=grafana001.mycluster.hosting:3000
+TELEPORT_AGENT_APP_INSECURE_SKIP_VERIFY=true
+TELEPORT_JOIN_TOKEN=example-auth-token-for-tests
+TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
+EOF
+}
+
+load fixtures/common
+
+@test "[${TEST_SUITE?}] config file was generated without error" {
+    [ ${GENERATE_EXIT_CODE?} -eq 0 ]
+}
+
+@test "[${TEST_SUITE?}] app_service.apps.insecure_skip_verify is set correctly" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${APP_APPS_BLOCK?}"
+    echo "${APP_APPS_BLOCK?}" | grep -qE "^    insecure_skip_verify: true"
+}
diff --git a/assets/aws/files/tests/agent-app-public-addr.bats b/assets/aws/files/tests/agent-app-public-addr.bats
@@ -0,0 +1,25 @@
+write_confd_file() {
+    cat << EOF > ${TELEPORT_CONFD_DIR?}/conf
+TELEPORT_ROLE=agent
+EC2_REGION=us-west-2
+TELEPORT_AGENT_APP_ENABLED=true
+TELEPORT_AGENT_APP_LABELS="env: prod|app: grafana"
+TELEPORT_AGENT_APP_NAME=grafana-prod
+TELEPORT_AGENT_APP_PUBLIC_ADDR="grafana-prod.teleport.example.com"
+TELEPORT_AGENT_APP_URI=grafana001.mycluster.hosting:3000
+TELEPORT_JOIN_TOKEN=example-auth-token-for-tests
+TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
+EOF
+}
+
+load fixtures/common
+
+@test "[${TEST_SUITE?}] config file was generated without error" {
+    [ ${GENERATE_EXIT_CODE?} -eq 0 ]
+}
+
+@test "[${TEST_SUITE?}] app_service.apps.public_addr is set correctly" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${APP_APPS_BLOCK?}"
+    echo "${APP_APPS_BLOCK?}" | grep -qE "^    public_addr: \"${TELEPORT_AGENT_APP_PUBLIC_ADDR}\""
+}
diff --git a/assets/aws/files/tests/agent-app.bats b/assets/aws/files/tests/agent-app.bats
@@ -0,0 +1,75 @@
+write_confd_file() {
+    cat << EOF > ${TELEPORT_CONFD_DIR?}/conf
+TELEPORT_ROLE=agent
+EC2_REGION=us-west-2
+TELEPORT_AGENT_APP_DESCRIPTION="Production Grafana instance"
+TELEPORT_AGENT_APP_ENABLED=true
+TELEPORT_AGENT_APP_LABELS="env: prod|app: grafana"
+TELEPORT_AGENT_APP_NAME=grafana-prod
+TELEPORT_AGENT_APP_URI=grafana001.mycluster.hosting:3000
+TELEPORT_JOIN_TOKEN=example-auth-token-for-tests
+TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
+EOF
+}
+
+load fixtures/common
+
+@test "[${TEST_SUITE?}] config file was generated without error" {
+    [ ${GENERATE_EXIT_CODE?} -eq 0 ]
+}
+
+@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    cat "${TELEPORT_CONFIG_PATH?}"
+    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_servers:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
+}
+
+@test "[${TEST_SUITE?}] teleport.auth_token is set correctly" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    cat "${TELEPORT_CONFIG_PATH?}"
+    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_token:" -A1 | grep -q "${TELEPORT_JOIN_TOKEN?}"
+}
+
+@test "[${TEST_SUITE?}] auth_service is not enabled" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${AUTH_BLOCK?}"
+    echo "${AUTH_BLOCK?}" | grep -E "^  enabled: no"
+}
+
+@test "[${TEST_SUITE?}] proxy_service is not enabled" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${PROXY_BLOCK?}"
+    echo "${PROXY_BLOCK?}" | grep -E "^  enabled: no"
+}
+
+# in each test, we echo the block so that if the test fails, the block is outputted
+@test "[${TEST_SUITE?}] app_service.enabled is set correctly" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${APP_BLOCK?}"
+    echo "${APP_BLOCK?}" | grep -E "^  enabled: yes"
+}
+
+@test "[${TEST_SUITE?}] app_service.apps.name is set correctly" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${APP_APPS_BLOCK?}"
+    echo "${APP_APPS_BLOCK?}" | grep -E "^  - name: ${TELEPORT_AGENT_APP_NAME}"
+}
+
+@test "[${TEST_SUITE?}] app_service.apps.description is set correctly" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${APP_APPS_BLOCK?}"
+    echo "${APP_APPS_BLOCK?}" | grep -E "^    description: \"${TELEPORT_AGENT_APP_DESCRIPTION}\""
+}
+
+@test "[${TEST_SUITE?}] app_service.apps.uri is set correctly" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${APP_APPS_BLOCK?}"
+    echo "${APP_APPS_BLOCK?}" | grep -E "^    uri: \"${TELEPORT_AGENT_APP_URI}\""
+}
+
+@test "[${TEST_SUITE?}] app_service.apps.public_addr is not set" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${APP_APPS_BLOCK?}"
+    # this test inverts the regular behaviour of grep -q, so only succeeds if the line _isn't_ present
+    echo "${APP_APPS_BLOCK?}" | { ! grep -qE "^    public_addr: "; }
+}
diff --git a/assets/aws/files/tests/agent-db-blank-description.bats b/assets/aws/files/tests/agent-db-blank-description.bats
@@ -0,0 +1,25 @@
+write_confd_file() {
+    cat << EOF > ${TELEPORT_CONFD_DIR?}/conf
+TELEPORT_ROLE=agent
+EC2_REGION=us-west-2
+TELEPORT_JOIN_TOKEN=example-auth-token-for-tests
+TELEPORT_AGENT_DB_ENABLED=true
+TELEPORT_AGENT_DB_LABELS="env: prod|another: test|third: variable-env"
+TELEPORT_AGENT_DB_NAME=postgres-production
+TELEPORT_AGENT_DB_PROTOCOL=postgres
+TELEPORT_AGENT_DB_URI=postgres-prod123.rds.us-west-2.amazonaws.com:5432
+TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
+EOF
+}
+
+load fixtures/common
+
+@test "[${TEST_SUITE?}] config file was generated without error" {
+    [ ${GENERATE_EXIT_CODE?} -eq 0 ]
+}
+
+@test "[${TEST_SUITE?}] db_service.databases.description is blank" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${DB_DATABASES_BLOCK?}"
+    echo "${DB_DATABASES_BLOCK?}" | grep -qE "^    description: \"\""
+}
diff --git a/assets/aws/files/tests/agent-db-default-region.bats b/assets/aws/files/tests/agent-db-default-region.bats
@@ -0,0 +1,26 @@
+write_confd_file() {
+    cat << EOF > ${TELEPORT_CONFD_DIR?}/conf
+TELEPORT_ROLE=agent
+EC2_REGION=us-west-2
+TELEPORT_AGENT_DB_DESCRIPTION="Production PostgreSQL database"
+TELEPORT_AGENT_DB_ENABLED=true
+TELEPORT_AGENT_DB_LABELS="env: prod|another: test|third: variable-env"
+TELEPORT_AGENT_DB_NAME=postgres-production
+TELEPORT_AGENT_DB_PROTOCOL=postgres
+TELEPORT_AGENT_DB_URI=postgres-prod123.rds.us-west-2.amazonaws.com:5432
+TELEPORT_JOIN_TOKEN=example-auth-token-for-tests
+TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
+EOF
+}
+
+load fixtures/common
+
+@test "[${TEST_SUITE?}] config file was generated without error" {
+    [ ${GENERATE_EXIT_CODE?} -eq 0 ]
+}
+
+@test "[${TEST_SUITE?}] db_service.databases.aws.region is set correctly [default region]" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${DB_DATABASES_BLOCK?}"
+    echo "${DB_DATABASES_BLOCK?}" | grep -E -A1 "^    aws:" | grep -E "^      region: ${EC2_REGION}"
+}
diff --git a/assets/aws/files/tests/agent-db-no-labels.bats b/assets/aws/files/tests/agent-db-no-labels.bats
@@ -0,0 +1,26 @@
+write_confd_file() {
+    cat << EOF > ${TELEPORT_CONFD_DIR?}/conf
+TELEPORT_ROLE=agent
+EC2_REGION=us-west-2
+TELEPORT_AGENT_DB_DESCRIPTION="Production PostgreSQL database"
+TELEPORT_AGENT_DB_ENABLED=true
+TELEPORT_AGENT_DB_NAME=postgres-production
+TELEPORT_AGENT_DB_PROTOCOL=postgres
+TELEPORT_AGENT_DB_URI=postgres-prod123.rds.us-west-2.amazonaws.com:5432
+TELEPORT_JOIN_TOKEN=example-auth-token-for-tests
+TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
+EOF
+}
+
+load fixtures/common
+
+@test "[${TEST_SUITE?}] config file was generated without error" {
+    [ ${GENERATE_EXIT_CODE?} -eq 0 ]
+}
+
+@test "[${TEST_SUITE?}] db_service.databases.static_labels key does not exist when no labels are set" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${DB_DATABASES_BLOCK?}"
+    # this test inverts the regular behaviour of grep -q, so only succeeds if the line _isn't_ present
+    echo "${DB_DATABASES_BLOCK?}" | { ! grep -qE "^    static_labels: "; }
+}
diff --git a/assets/aws/files/tests/agent-db-redshift.bats b/assets/aws/files/tests/agent-db-redshift.bats
@@ -0,0 +1,27 @@
+write_confd_file() {
+    cat << EOF > ${TELEPORT_CONFD_DIR?}/conf
+TELEPORT_ROLE=agent
+EC2_REGION=us-west-2
+TELEPORT_AGENT_DB_DESCRIPTION="Production PostgreSQL database"
+TELEPORT_AGENT_DB_ENABLED=true
+TELEPORT_AGENT_DB_LABELS="env: prod|another: test|third: variable-env"
+TELEPORT_AGENT_DB_NAME=postgres-production
+TELEPORT_AGENT_DB_PROTOCOL=postgres
+TELEPORT_AGENT_DB_REDSHIFT_CLUSTER_ID=redshift-cluster-id
+TELEPORT_AGENT_DB_URI=postgres-prod123.rds.us-west-2.amazonaws.com:5432
+TELEPORT_JOIN_TOKEN=example-auth-token-for-tests
+TELEPORT_PROXY_SERVER_LB=gus-tftestkube4-proxy-bc9ba568645c3d80.elb.us-east-1.amazonaws.com
+EOF
+}
+
+load fixtures/common
+
+@test "[${TEST_SUITE?}] config file was generated without error" {
+    [ ${GENERATE_EXIT_CODE?} -eq 0 ]
+}
+
+@test "[${TEST_SUITE?}] db_service.databases.aws.redshift.cluster_id is set correctly" {
+    load ${TELEPORT_CONFD_DIR?}/conf
+    echo "${DB_DATABASES_BLOCK?}"
+    echo "${DB_DATABASES_BLOCK?}" | grep -E -A3 "^    aws:" | grep -E -A1 "^      redshift:" | grep -E "^        cluster_id: \"${TELEPORT_AGENT_DB_REDSHIFT_CLUSTER_ID}\""
+}