@vfarcic
Last active May 22, 2022 21:12
# Source: https://gist.github.com/64a97079dd4bf7965d928820b8f0ef88
########################################################################
# Authentication, Authorization, Audit, And Connectivity With Teleport #
# https://youtu.be/zVEbml1IAOQ #
########################################################################
# Additional Info:
# - Teleport: https://www.goteleport.com/devopstoolkit
#########
# Setup #
#########
# Create a Kubernetes cluster.
# The demo was tested on GKE and should work on any "real" cluster.
# If using local Kubernetes (e.g., minikube, Rancher Desktop), some commands might need to be changed.
git clone https://github.com/vfarcic/teleport-demo
cd teleport-demo
# Sign in to Teleport Cloud from https://teleport.sh
# Replace `[...]` with the address of the Teleport cluster (e.g., devops-toolkit.teleport.sh:443)
export TELEPORT_CLUSTER_ADDR=[...]
# Replace `[...]` with the Teleport user (email)
export TELEPORT_USER=[...]
# Download and install CLIs from https://goteleport.com/docs/cloud/downloads/
tsh login \
--proxy=$TELEPORT_CLUSTER_ADDR \
--user $TELEPORT_USER
tctl nodes add \
--roles kube,db,app \
--ttl 8760h
# Replace `[...]` with the invite token printed by the previous `tctl nodes add` command
export TELEPORT_TOKEN=[...]
cat orig/values.yaml \
| sed -e "s@proxyAddr: .*@proxyAddr: $TELEPORT_CLUSTER_ADDR@g" \
| sed -e "s@authToken: .*@authToken: $TELEPORT_TOKEN@g" \
| tee values.yaml
cat orig/values-apps.yaml \
| sed -e "s@proxyAddr: .*@proxyAddr: $TELEPORT_CLUSTER_ADDR@g" \
| sed -e "s@authToken: .*@authToken: $TELEPORT_TOKEN@g" \
| tee values-apps.yaml
# Install `kubectx` using the instructions from https://github.com/ahmetb/kubectx#installation
kubectl ctx
# Choose the context of the Kubernetes cluster that will be used for this demo
############################
# Manage Kubernetes Access #
############################
echo "https://$TELEPORT_CLUSTER_ADDR"
# Open it in a browser
helm upgrade --install \
teleport-kube-agent \
teleport/teleport-kube-agent \
--namespace teleport \
--create-namespace \
--values values.yaml \
--wait
tsh kube ls
# Create a new role
# Change the `metadata.name` entry to `kubernetes-admin`
echo "
kubernetes_groups:
- admin
- '{{internal.kubernetes_groups}}'
- system:masters
kubernetes_labels:
  '*': '*'
kubernetes_users:
- '{{internal.kubernetes_users}}'
"
# Add the output to `spec.allow`
# Open `https://goteleport.com/docs/access-controls/reference`
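The role above grants `system:masters` on every cluster the agent registers (`'*': '*'`), which is cluster-admin everywhere. The following is an added example, not part of the original gist: a small generator for the manifest that the `echo` above assembles by hand, plus a lint step that refuses the broad shape before it reaches `tctl create`. The `spec.allow` keys and the `{{internal....}}` templates come from the gist; the `kind: role` / `version: v5` header, the role names and the `env: dev` label selector are assumptions of this example.

```shell
# Added example (not the gist's own code). Render a Teleport role manifest
# and lint it for the two broad grants the demo role carries.

# $1 role name, $2 kubernetes_labels selector line, remaining args: kubernetes_groups
render_role() {
  name=$1; labels=$2; shift 2
  # header: kind/version are an assumption of this example
  printf 'kind: role\nversion: v5\nmetadata:\n  name: %s\nspec:\n  allow:\n    kubernetes_labels:\n      %s\n    kubernetes_groups:\n' "$name" "$labels"
  for g in "$@"; do printf "    - '%s'\n" "$g"; done
  printf "    kubernetes_users:\n    - '{{internal.kubernetes_users}}'\n"
}

# Reads a manifest on stdin. Returns 0 if it is narrow, 1 if it grants
# system:masters or matches every cluster with the '*': '*' selector.
lint_role() {
  manifest=$(cat)
  rc=0
  if printf '%s\n' "$manifest" | grep -q "system:masters"; then
    echo "lint: role grants system:masters (cluster-admin)" >&2; rc=1
  fi
  if printf '%s\n' "$manifest" | grep -q "'\*': '\*'"; then
    echo "lint: kubernetes_labels matches every cluster" >&2; rc=1
  fi
  return $rc
}

# The demo's role, exactly as the gist builds it: fails the lint.
render_role kubernetes-admin "'*': '*'" admin '{{internal.kubernetes_groups}}' system:masters \
  | lint_role || echo "demo role is broad"

# A narrower role for clusters labelled env=dev (assumed label): passes.
render_role kubernetes-dev "env: dev" '{{internal.kubernetes_groups}}' developers \
  | lint_role && echo "dev role ok"

# To apply the narrow one once logged in:
#   render_role kubernetes-dev "env: dev" '{{internal.kubernetes_groups}}' developers > role.yaml
#   tctl create -f role.yaml
```

Keeping `'{{internal.kubernetes_groups}}'` in the list preserves the per-user group mapping the gist relies on; dropping `system:masters` and replacing the wildcard label with a real selector is what turns the demo role into something reviewable.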
kubectl ctx
kubectl get nodes
kubectl get namespaces
kubectl get pods --all-namespaces
###################################
# Limiting Access To Applications #
###################################
helm repo add prometheus \
https://prometheus-community.github.io/helm-charts
helm repo update
helm upgrade --install \
prometheus prometheus/prometheus \
--namespace monitoring \
--create-namespace \
--wait
kubectl --namespace monitoring \
get services,ingresses
kubectl --namespace monitoring \
port-forward \
service/prometheus-server \
8080:80
# Open `http://localhost:8080` in a browser
# Stop port forwarding with `ctrl+c`
export PROM_ADDR=http://$(kubectl \
--namespace monitoring \
get service prometheus-server \
--output jsonpath="{.spec.clusterIP}")
# Write to a temporary file first: piping `tee` back into the file it reads truncates it before `cat` has read it
cat values-apps.yaml \
| sed -e "s@INSERT_HERE@$PROM_ADDR@g" \
> values-apps.yaml.tmp \
&& mv values-apps.yaml.tmp values-apps.yaml \
&& cat values-apps.yaml
helm upgrade --install \
teleport-kube-agent \
teleport/teleport-kube-agent \
--namespace teleport \
--create-namespace \
--values values-apps.yaml \
--wait
###########
# Destroy #
###########
# Destroy or reset the cluster