Merge pull request #13 from seven-beep/develop

Apt installation method, version autodetection, more detailed configuration template

Author: mdsketch

LICENSE

@@ -1,6 +1,7 @@
 The MIT License (MIT)
 
 Copyright (c) 2021 KPM Power
+Copyright (c) 2024 seven-beep <ebn@entreparentheses.xyz>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of
 this software and associated documentation files (the "Software"), to deal in

README.md

@@ -4,7 +4,7 @@
 [![Ansible Lint](https://github.com/mdsketch/ansible-teleport/actions/workflows/lint.yml/badge.svg)](https://github.com/mdsketch/ansible-teleport/actions/workflows/lint.yml)
 [![molecule_tests](https://github.com/mdsketch/ansible-teleport/actions/workflows/molecule.yml/badge.svg)](https://github.com/mdsketch/ansible-teleport/actions/workflows/molecule.yml)
 
-An ansible role to install or update the teleport node service and teleport config on Debian based systems.
+An ansible role to install or update the teleport node service and teleport config on Linux based systems.
 
 Works with any architecture that teleport has a binary for, see available [teleport downloads](https://goteleport.com/teleport/download/).
 
@@ -15,7 +15,6 @@ Please Check the teleport config file [documentation](https://goteleport.com/doc
 ## TODO:
 - add idempotence tests to verify teleport is updated correctly (config, service and binary)
 - add tests for variable templating
-- lock down the versions of the linting tools
 - investigate if installing teleport in a docker container is useful (currently not supported)
 
 ## Requirements
@@ -24,16 +23,26 @@ A running teleport cluster so that you can provide the following information:
 
 - auth token (dynamic or static). Ex: `tctl nodes add --ttl=5m --roles=node | grep "invite token:" | grep -Eo "[0-9a-z]{32}"`
 - CA pin
-- address of the authentication server
+- address of the authentication or proxy server
 
 ## Role Variables
 
 These are the default variables with their default values as defined in `defaults/main.yml`
 
+```
+teleport_nodename: ""
+```
+The nodename to apply in the configuration.  Keep it as an empty string to let teleport use the hostname of the machine.
+
+```
+teleport_autodetect_version: false
+```
+Whether or not try to autodetect the server version by querying its API.
+
 ```
 teleport_version
 ```
-The version of teleport to install. See [teleport downloads](https://goteleport.com/teleport/download/) for available versions.
+The version of teleport to install. See [teleport downloads](https://goteleport.com/teleport/download/) for available versions. Keep it as an empty string if you want the role to autodetect the server version.
 
 ```
 teleport_architecture
@@ -45,6 +54,21 @@ Change `teleport_architecture` any of the following:
 - `amd64-bin` if you are running on x86_64/AMD64 based devices.
 - `386-bin` if you are running on i386/Intel based devices.
 
+```
+teleport_install_method: "tar"
+```
+The method used for installation, currently supported by the role:
+- `tar` Download an archive.
+- `apt` Install gravitational keyring and the packages requested via apt.
+
+```
+teleport_edition: "oss"
+```
+This is only used with teleport_install_method: "apt":
+- `oss` if you are using the community edition.
+- `enterprise` if you are using the self-hosted edition.
+- `cloud` if you are using the cloud edition.
+
 ```
 teleport_config_template
 ```
@@ -53,24 +77,29 @@ The template to use for the teleport configuration file. The default is `templat
 There are many [options available](https://goteleport.com/docs/setup/reference/config/) and you can substitute in your own template and add any variables you want.
 
 ```
-teleport_service_template
+teleport_ssh_labels
 ```
-The template to use for the teleport service file. The default is `templates/default_teleport.service.j2`. You can substitute in your own template and add any variables you want.
+A list of list of key and values to template into the default teleport_config_template. Examples are shown as defaults above.
+
+```
+teleport_ssh_commands
+```
+A list of dictionaries to template into the default teleport_config_template. Examples are shown as defaults above.
 
 ```
 teleport_ca_pin
 ```
 The CA pin to use for the teleport configuration. This is optional, but [recommended](https://goteleport.com/docs/setup/admin/adding-nodes/#untrusted-auth-servers).
 
 ```
-teleport_config_path
+teleport_auth_server
 ```
-The path to the teleport configuration file. The default is `/etc/teleport.yaml`.
+The authentication server to use for the teleport configuration. Examples are shown as defaults above.
 
 ```
-teleport_auth_servers
+teleport_proxy_server
 ```
-The list of authentication servers to use for the teleport configuration. Examples are shown as defaults above.
+The proxy server to user for the teleport configuration. Examples are shown as defaults above.
 
 ```
 backup_teleport_config
@@ -89,7 +118,9 @@ Default `yes`. Controls if this role modifies the teleport config file.
 
 ## Upgrading Teleport
 
-When the role is run, it checks if the installed version matches the version specified in `teleport_version`. If different then it will download the latest version and install it.
+For `tar` installation method, when the role is run, it checks if the installed version matches the version specified in `teleport_version`. If different then it will download the latest version and install it.
+
+For `apt` installation method, the role will update the packages from the repository.
 
 When performing an upgrade, a backup of the current configuration file in `teleport_config_path` will be created and a new configuration file templated in its place. When doing this a `teleport_auth_token` and `teleport_ca_pin` do not need to be provided, as they are pulled from the existing configuration file, and then templated into the new configuration file.
 
@@ -116,10 +147,22 @@ For example to install teleport on a node:
     teleport_ssh_labels:
       - k: "label_key"
         v: "label_value"
+    teleport_ssh_commands:
+      - name: hostname
+        command: [hostname]
+        period: 60m0s
+      - name: uptime
+        command: [uptime, -p]
+        period: 5m0s
+      - name: version
+        command: [teleport, version]
+        period: 60m0s
+      - name: ip-address
+        command: ["/bin/sh","-c", "hostname -I | awk '{print $1}'"]
+        period: 60m0s
     teleport_auth_token: "super secret auth token"
     teleport_ca_pin: "not as secret ca pin"
     teleport_auth_server: "auth server"
-    teleport_proxy_server: "proxy server"
 ```
 
 *Created Teleport Config to `/etc/teleport.yaml`*
@@ -131,7 +174,6 @@ teleport:
   auth_token: "super secret auth token"
   ca_pin: "not as secret ca pin"
   auth_server: auth server
-  proxy_server: proxy server
   log:
     output: stderr
     severity: INFO
@@ -143,15 +185,18 @@ ssh_service:
   labels:
     label_key: label_value
   commands:
-  - name: hostname
-    command: [hostname]
-    period: 60m0s
-  - name: uptime
-    command: [uptime, -p]
-    period: 5m0s
-  - name: version
-    command: [teleport, version]
-    period: 60m0s
+    - name: hostname
+      command: [hostname]
+      period: 60m0s
+    - name: uptime
+      command: [uptime, -p]
+      period: 5m0s
+    - name: version
+      command: [teleport, version]
+      period: 60m0s
+    - name: ip-address
+      command: ["/bin/sh","-c", "hostname -I | awk '{print $1}'"]
+      period: 60m0s
 proxy_service:
   enabled: "no"
   https_keypairs: []

defaults/main.yml

@@ -1,17 +1,32 @@
 ---
-teleport_version: "12.1.1"
+teleport_nodename: ""
+teleport_autodetect_version: false
+teleport_version: "{{ '15.4.11' if not teleport_autodetect_version }}"
 teleport_architecture: "amd64-bin"
-# teleport_architecture: "arm-bin"
+# apt is supported.
+teleport_install_method: "tar"
+# Only used when teleport_install_method is not 'tar'
+teleport_edition: "oss"
 teleport_auth_token: ""
 teleport_ca_pin: ""
-teleport_auth_server: "https://auth.example.com"
+teleport_auth_server: ""
 teleport_url: "https://get.gravitational.com/teleport-v{{ teleport_version }}-linux-{{ teleport_architecture }}.tar.gz"
 teleport_config_path: "/etc/teleport.yaml"
 backup_teleport_config: yes
 teleport_config_template: "default_teleport.yaml.j2"
 teleport_service_template: "default_teleport.service.j2"
 teleport_ssh_labels: []
-teleport_proxy_server: ''
+teleport_ssh_commands:
+  - name: hostname
+    command: [hostname]
+    period: 60m0s
+  - name: uptime
+    command: [uptime, -p]
+    period: 5m0s
+  - name: version
+    command: [teleport, version]
+    period: 60m0s
+teleport_proxy_server: ""
 teleport_control_systemd: yes
 teleport_template_config: yes
 # Default dont change

files/teleport-archive-keyring.asc

@@ -0,0 +1,52 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF+R3LYBEADOEO9i3Dm5rEAiXONchX3M54QzZX0yHArSpYQ5aJDdJRQbqzqT
++e2os8NpSjVDZFNz5ul8xkZsnCLX7pgrAYqq+vsXL4bMWDP96S6PjfVIAyV4ylv0
+DBReMdkaAZb/IoPhkSTT+ayw4eGEtUz/k7mxMpQ9ob7qFtGs8aNVT/An5LfFR1Lx
+9WOlFPPIAJKcHVIyRD+4EoCSn1R1c61UHFIRatbAnwOLs3iz4/GU+w9wdbuWbDuk
+nGdG0Lmlzp42HHxeJJFQlOTed97+trktvAiuzA/0lbQHEcWvxfWAy5//cjORp+H3
+RGLp8fJ+fFRAyA4WP6O3wIC4gAAgsEn8WpVT8wZYlLMRf694SeawBtyUSlcsn9i1
+LuOh5akOY3iQtH01+rMBjOaMkCmpT2nQaUH+HS2iZBddBHdAMMQtj2UolMRbUSxH
++GJczes1t9/WH3vbvh5ESMOy0fH14Tjo+9yQYa4EhFNNloAG10DYFLlCj47fWDdS
+o/++vhZsKaS7yLHDGOLPT+x15ComG2gupmRkbATvUddztlsfF+tD97laT9eaLB1W
+zxszqr8+LxP961wmbS2j+ZBbXyrPr1Fln/TdyFAhkIMJ+J5hZB+NcjRUwUoB7nOd
++FbTxtnyJb2iaJNCJHJQVA85IYzUpXA3CDdgUHF810kVBcBPBtLhZC5ybQARAQAB
+tCtHcmF2aXRhdGlvbmFsLCBJbmMgPGluZm9AZ3Jhdml0YXRpb25hbC5jb20+iQJU
+BBMBCAA+FiEEDF6LpWWOMg0bAxF5yH7VOmKCxBEFAl+R3LYCGwMFCRLMAwAFCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQyH7VOmKCxBFfxxAAiXWJm86oZtVdAlp1
+pzpKeV0pwgrnt7Uk8fu5tYpdE/oVMnwcdsDDQucItGtHGfjmzs3Cr8/praekenf1
+9iHSz422OpIGzCI4VfXaFPVfzbV1w7cSOnceY6lPnKUMrRBKKJX5Nw/6LZS40gsQ
+BoeZxe0MXB4tBc4dY30f1MQ44amRYmtTA7wep+ymVRfkPnHNnIrsdYGldbfPsbPO
+PUX8ZnWZiuI0+NgX3oBOl6YY4JehBJj61Ukx1DPHHLhhundHumChYFn+LBIZxD3O
+B9uoRzUzwUIM0N9IUjpGvtkqtm7Vbs6/bDxI4Owgsa7vXpEXZ2qD0AIle7sD0Fjl
+F19o2mXmEeQp9Fl4OrkZCURCQvPq9UCh6Nu0a1+SnbG+qXyyvqszy2tkV4xmcF4w
+Gib0SVT8RR08NeJXkHtBscnecgUA1BTH8J8RnUeQXZhUn51bVJk4JaDnEXp8VEP2
+gNce+oUY2XQtLDVzHysGhexDrWk8ycl/zvwyxKv+kj5QhjXugHkOMnW53mdMe3N/
+gwsV+kJUm6NdtLtTAOkky/GfkIGTWNQPD2/42T+0cA9lTVxihh+wz9tgA1ZbtVOK
+P2DNA10rsCuzGPFn8d6Khymt0o66dgfEloy9Y14leoqUCMPU3ibLP6bYuow2AJUz
+KcvTgmfjP1/ghNXI7E2vgNi8wta5Ag0EX5HctgEQALx4btbP47LwrIqB4loog2sT
+pac7fdbA+YVeqP/9KoLw1ZB+5DeqNKmtUHSau9mRVh8a8g7slpGhH6hxlEHr7ek/
+mA/o91jB4RGo5mfyuWcJQKRyHS4pWciEM/gK+o6lEceTdUwvKI6OrJ4koPd3HZth
+mw+xPyAdGKY3oBmrXeZ6XkuDfME8doRmuwlw/tbmje63/2j97ebiFfQcyWLH32d8
+T+yEpAj+55Qxp6aJZaDOeAuzBtyAopxGRjGsxBUF/VSUwxYb0bmwWgPIhPC77oEk
+AEMPsIsI9LJ8fQY/sOzwhyNNt+b7rgto6AFskz7urezzCuuIwMeupmC78QWGw9jM
+zHFf3R6O1KQ0v8PBYYb6BHkjzho6hTcOZO9Zh+XO4k6uEwlu+Zc0AmyHmQeQ3I8Z
+tAb//LJk9X62yNPE/8wjtEUzXqyzlLpGjRFr6kQv+6nqs8JxyCnS34Q+au2IqOnn
+iFkHj/w79mtmzR4G43wo3x1nGjyz+vTpsurmJ+qFMO0bLcE/HV8aGxs0YeQsByOc
+SU8TK6v+Wkn58LT4cvjIO5G/2UM7kucXl56hqvguvnFTLNqewWtqgS7IRuykcYgK
+HrBYb/iVH+Fb+9Th9VX7bl0ZeoH7O8RbvxKGkd90+DPsurBeIQ7S4zM9w7WnAsAC
+Sgs8owYZpHpyrK8QFD4zABEBAAGJAjwEGAEIACYWIQQMXoulZY4yDRsDEXnIftU6
+YoLEEQUCX5HctgIbDAUJEswDAAAKCRDIftU6YoLEEURID/4oQhZZPindZJHiwQqm
+0a8H1ssgZAz6E8PejoN0gbsblbOrtkGDLU8gvzksvd/9luSLRgPw++m6ut87PeMv
+MKc4UIyRb5oSgh5WE0bW9191Gkfge9DRrIdtUDG8N+oTlIWYHTXC5zlwmfMobtQE
+kFUdPbedhytYx1wgbh8KP8sLXGPXut5VqDy/EgNzqERnI5kLeiDvMsLz0xjdHpGW
+ASfJMNX120GU8Mwqa6gWvP52BB20pU9bC1VQX1qiqD6V1GpxQJ2jACKke6boiqbL
+Bdb0UgmW4XYIp4ZjLC842e0qSyfd8rt3PzYrbK/NPuXAV7f+wAhPSC18v+1Ap5Kh
+KKHRLvyUVGxwaBVedOuuC/OqJwSSLa0cQKytFK+3OJAdTYoHtsh++ScgEL/wOCXs
+gM5xmlI6Pk/6Ev0Hz/kDY5F0w4/VvSEaS/7TSkmf5JvxdueVObf5ry5O+L4J7t7y
+JwdtPhXgHR0PHidnh/02SVn8XIzHdB9OZ2i6Wr12loFZGltWdmJVkQC/cj/HBr5I
+ZizQril+7cXDI/8Hyk04d19rmjSIU49FderpNYYOv38dqaAsosYge6JzYdIzJrJH
+/DIKnSAU/a14sFUrNm+TYJmZto35hSltUxLEzLIWeR9TjpOh6VS1UzdGQh32NP+h
+oq8y1SJMCrfC9Ub5q2/ijiJWUw==
+=+Ne5
+-----END PGP PUBLIC KEY BLOCK-----

tasks/auth_conf.yml

@@ -0,0 +1,50 @@
+---
+- name: "Slurp the precedent configuration."
+  become: yes
+  ansible.builtin.slurp:
+    src: "{{ teleport_config_path }}"
+  register: old_conf_raw
+
+- name: "Set the precedent configuration as a fact."
+  ansible.builtin.set_fact:
+    old_conf: "{{ old_conf_raw['content'] | b64decode | from_yaml }}"
+
+- name: "Set fact teleport_auth_token from precedent configuration" # noqa no-handler
+  ansible.builtin.set_fact:
+    teleport_auth_token: "{{ old_conf.teleport.auth_token }}"
+  when:
+    - old_conf.teleport.auth_token is defined
+    - old_conf.teleport.auth_token | string
+    - not teleport_auth_token | string
+
+- name: "Set fact teleport_ca_pin from precedent configuration"
+  ansible.builtin.set_fact:
+    teleport_ca_pin: "{{ old_conf.teleport.ca_pin }}"
+  when:
+    - old_conf.teleport.ca_pin is defined
+    - old_conf.teleport.ca_pin | string
+    - not teleport_ca_pin | string
+
+- name: "Flush the teleport database when the token or ca_pin has changed."
+  when: >-
+    (
+      old_conf.teleport.auth_token is defined and old_conf.teleport.auth_token | string
+      and teleport_auth_token | string and teleport_auth_token != old_conf.teleport.auth_token
+    ) or (
+      old_conf.teleport.ca_pin and old_conf.teleport.ca_pin | string
+      and teleport_ca_pin | string and teleport_ca_pin != old_conf.teleport.ca_pin
+    )
+  notify: Reload_Teleport
+  become: yes
+  block:
+    - name: "Stop teleport service if enabled"
+      ansible.builtin.systemd:
+        name: "teleport"
+        state: "stopped"
+      when:
+        - not is_container
+
+    - name: "Delete teleport sqlite file"
+      ansible.builtin.file:
+        path: "/var/lib/teleport/proc/sqlite.db"
+        state: absent

tasks/detect_cloud_version.yml

@@ -0,0 +1,14 @@
+---
+- name: "Lookup the server version"
+  ansible.builtin.uri:
+    url: >-
+      {{ "https://" +
+       ( teleport_proxy_server if teleport_proxy_server | string else teleport_auth_server )
+       + "/v1/webapi/automaticupgrades/channel/stable/cloud/version" }}
+    return_content: true
+    status_code: 200
+  register: teleport_server_lookup
+
+- name: "Set the server version as a fact"
+  ansible.builtin.set_fact:
+    teleport_version: "{{ teleport_server_lookup.content | regex_replace('^v', '') }}"

tasks/install_via_apt.yml

@@ -0,0 +1,35 @@
+---
+- name: "Install via apt"
+  become: true
+  block:
+    - name: "Set the teleport_major_version and teleport_pkgs facts"
+      ansible.builtin.set_fact:
+        teleport_major_version: "{{ 'v' + teleport_version | regex_replace('[.].*$', '') }}"
+        teleport_pkgs: >-
+          {% if teleport_edition == "oss" %}teleport{%
+             elif teleport_edition == "enterprise" %}teleport-ent{%
+             else %}teleport-ent=v{{ teleport_version }} teleport-ent-updater{% endif %}
+
+    - name: "Install the pgp keys of info@gravitational.com"
+      ansible.builtin.copy:
+        src: teleport-archive-keyring.asc
+        dest: /usr/share/keyrings/teleport-archive-keyring.asc
+        owner: root
+        group: root
+        mode: "0644"
+
+    - name: "Configure the teleport sources list"
+      ansible.builtin.template:
+        src: teleport.sources.j2
+        dest: /etc/apt/sources.list.d/teleport.sources
+        owner: "root"
+        group: "root"
+        mode: "0644"
+
+    - name: "Install teleport"
+      ansible.builtin.apt:
+        name: "{{ teleport_pkgs }}"
+        state: latest # noqa: package-latest
+        force_apt_get: true
+        update_cache: true
+      notify: Reload_Teleport