From db3e731709d5f76e02f335486f269212f9d0ba72 Mon Sep 17 00:00:00 2001
From: Nikolai Rodionov
Date: Tue, 15 Oct 2024 17:11:34 +0200
Subject: [PATCH] Deploy teleport-cluster instance

I won't use it atm because it requires an external account, and it doesn't play well with my understanding of self-hosting and indie culture.

---
 common/environments.yaml | 8 +++++++
 installations/platform/helmfile.yaml | 11 +++++++++
 values/badhouseplants/values.namespaces.yaml | 3 +++
 .../values.teleport-cluster.yaml | 24 +++++++++++++++++++
 4 files changed, 46 insertions(+)
 create mode 100644 values/badhouseplants/values.teleport-cluster.yaml

diff --git a/common/environments.yaml b/common/environments.yaml
index 7d653be..a0a9300 100644
--- a/common/environments.yaml
+++ b/common/environments.yaml
@@ -22,6 +22,8 @@ environments:
 enabled: true
 - istio:
 enabled: false
+ - teleport:
+ enabled: true
 etersoft:
 kubeContext: etersoft
 values:
@@ -45,6 +47,8 @@ environments:
 enabled: true
 - istio:
 enabled: false
+ - teleport:
+ enabled: false
 xray-1:
 kubeContext: xray-1
 values:
@@ -68,6 +72,8 @@ environments:
 enabled: false
 - istio:
 enabled: false
+ - teleport:
+ enabled: false
 xray-2:
 kubeContext: xray-2
 values:
@@ -91,3 +97,5 @@ environments:
 enabled: false
 - istio:
 enabled: false
+ - teleport:
+ enabled: false
diff --git a/installations/platform/helmfile.yaml b/installations/platform/helmfile.yaml
index b7c005d..0c0d14c 100644
--- a/installations/platform/helmfile.yaml
+++ b/installations/platform/helmfile.yaml
@@ -23,6 +23,8 @@ repositories:
 url: https://kubernetes-sigs.github.io/external-dns/
 - name: keel
 url: https://keel-hq.github.io/keel/
+ - name: teleport
+ url: https://charts.releases.teleport.dev
 releases:
 - name: db-operator
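Review bot: The badhouseplants environment switches teleport to `enabled: true` while the commit message says the instance won't be used yet, which leaves an idle but internet-reachable Teleport proxy running (the new values file enables an ingress on teleport.badhouseplants.net) with nobody relying on it or watching it. An unused remote-access endpoint is pure attack surface that still has to be patched, so I'd keep it off until it is actually adopted, matching the other three environments: `- teleport:` / `enabled: false`. If the intent is only to check that the chart renders, a `helmfile template` run does that without deploying anything.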
@@ -112,3 +114,12 @@ releases:
 version: 1.0.4
 namespace: platform
 condition: workload.enabled
+
+ - name: teleport-cluster
+ installed: true
+ version: 16.4.2
+ chart: teleport/teleport-cluster
+ namespace: teleport-cluster
+ condition: teleport.enabled
+ inherit:
+ - template: default-env-values
diff --git a/values/badhouseplants/values.namespaces.yaml b/values/badhouseplants/values.namespaces.yaml
index 00a79dd..1454f2c 100644
--- a/values/badhouseplants/values.namespaces.yaml
+++ b/values/badhouseplants/values.namespaces.yaml
@@ -8,3 +8,6 @@ namespaces:
 - name: games
 - name: pipelines
 - name: public-xray
+ - name: teleport-cluster
+ labels:
+ pod-security.kubernetes.io/enforce: baseline
diff --git a/values/badhouseplants/values.teleport-cluster.yaml b/values/badhouseplants/values.teleport-cluster.yaml
new file mode 100644
index 0000000..8a80c48
--- /dev/null
+++ b/values/badhouseplants/values.teleport-cluster.yaml
@@ -0,0 +1,24 @@
+validateConfigOnDeploy: false
+clusterName: teleport.badhouseplants.net
+proxyListenerMode: multiplex
+acme: false
+acmeEmail: allanger@badhouseplants.net
+service:
+ type: ClusterIP
+ingress:
+ enabled: true
+ suppressAutomaticWildcards: true
+proxy:
+ annotations:
+ ingress:
+ kubernetes.io/tls-acme: "true"
+ kubernetes.io/ingress.allow-http: "false"
+ kubernetes.io/ingress.global-static-ip-name: ""
+ cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+ traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+ #tls:
+ #existingSecretName: teleport.badhouseplants.net
+ #publicAddr:
+ # - teleport.badhouseplants.net:443
+tls:
+ existingSecretName: teleport.badhouseplants.net
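Review bot: The new teleport-cluster namespace enforces only `baseline`, and nothing in the hunk says whether the chart's pods would also pass `restricted`, which is the level I'd want for a component that brokers SSH and Kubernetes access. Making the gap visible is cheap and doesn't risk breaking the deploy: add `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` alongside the enforce label, then raise enforce once the audit log shows the pods come up clean. Whether the teleport-cluster chart actually satisfies `restricted` isn't visible in this diff, so treat it as something to confirm rather than assume; pinning `pod-security.kubernetes.io/enforce-version` would also keep the policy from drifting with cluster upgrades.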
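Review bot: `traefik.ingress.kubernetes.io/router.entrypoints: web,websecure` attaches the Teleport route to the plain-HTTP entrypoint as well, and the `kubernetes.io/ingress.allow-http: "false"` line meant to forbid that is a GCE/GKE ingress annotation that Traefik does not act on (the empty `kubernetes.io/ingress.global-static-ip-name` is GCE-only too). Unless a global HTTP-to-HTTPS redirect is configured on Traefik somewhere outside this diff, the proxy is reachable over cleartext, so I'd change it to `traefik.ingress.kubernetes.io/router.entrypoints: websecure` and drop the two GCE annotations. Since `tls.existingSecretName` hands the certificate to the proxy itself, the proxy presumably expects a TLS connection from the ingress; confirm Traefik forwards to this backend over HTTPS rather than HTTP. `validateConfigOnDeploy: false` also appears to switch off the chart's config validation hook, so a mistake in this file would only surface at runtime; a one-line comment such as `# validation hook disabled because: <reason>` would save the next reader from re-enabling it blind.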