Deploy teleport-cluster instance

I won't use it atm because it requires an external account, and it
doesn't play well with my understanding of self-hosting and indie
culture.

common/environments.yaml

@@ -22,6 +22,8 @@ environments:
           enabled: true
       - istio:
           enabled: false
+      - teleport:
+          enabled: true
   etersoft:
     kubeContext: etersoft
     values:
@@ -45,6 +47,8 @@ environments:
           enabled: true
       - istio:
           enabled: false
+      - teleport:
+          enabled: false
   xray-1:
     kubeContext: xray-1
     values:
@@ -68,6 +72,8 @@ environments:
           enabled: false
       - istio:
           enabled: false
+      - teleport:
+          enabled: false
   xray-2:
     kubeContext: xray-2
     values:
@@ -91,3 +97,5 @@ environments:
           enabled: false
       - istio:
           enabled: false
+      - teleport:
+          enabled: false

installations/monitoring/helmfile.yaml

@@ -28,7 +28,7 @@ releases:
   - name: loki
     chart: grafana/loki
     namespace: observability
-    version: 6.21.0
+    version: 6.19.0
     inherit:
       - template: default-env-values
       - template: ext-secret

installations/pipelines/helmfile.yaml

@@ -20,14 +20,14 @@ releases:
   - name: renovate-gitea
     chart: renovate/renovate
     namespace: pipelines
-    version: 39.25.4
+    version: 39.18.2
     inherit:
       - template: default-env-values
       - template: default-env-secrets
   - name: renovate-github
     chart: renovate/renovate
     namespace: pipelines
-    version: 39.25.4
+    version: 39.18.2
     inherit:
       - template: default-env-values
       - template: default-env-secrets

installations/platform/helmfile.yaml

@@ -23,6 +23,8 @@ repositories:
     url: https://kubernetes-sigs.github.io/external-dns/
   - name: keel
     url: https://keel-hq.github.io/keel/
+  - name: teleport
+    url: https://charts.releases.teleport.dev
 
 releases:
   - name: db-operator
@@ -53,7 +55,7 @@ releases:
 
   - name: authentik
     chart: goauthentik/authentik
-    version: 2024.10.4
+    version: 2024.10.2
     namespace: platform
     createNamespace: false
     condition: workload.enabled
@@ -112,3 +114,12 @@ releases:
     version: 1.0.4
     namespace: platform
     condition: workload.enabled
+
+  - name: teleport-cluster
+    installed: true
+    version: 16.4.2
+    chart: teleport/teleport-cluster
+    namespace: teleport-cluster
+    condition: teleport.enabled
+    inherit:
+      - template: default-env-values

installations/system/helmfile.yaml

@@ -75,7 +75,7 @@ releases:
 
   - name: cert-manager
     chart: jetstack/cert-manager
-    version: v1.16.2
+    version: v1.16.1
     namespace: kube-system
     condition: base.enabled
     missingFileHandler: Warn

values/badhouseplants/values.namespaces.yaml

@@ -8,3 +8,6 @@ namespaces:
   - name: games
   - name: pipelines
   - name: public-xray
+  - name: teleport-cluster
+    labels:
+      pod-security.kubernetes.io/enforce: baseline

values/badhouseplants/values.teleport-cluster.yaml

@@ -0,0 +1,24 @@
+validateConfigOnDeploy: false
+clusterName: teleport.badhouseplants.net
+proxyListenerMode: multiplex
+acme: false
+acmeEmail: allanger@badhouseplants.net
+service:
+  type: ClusterIP
+ingress:
+  enabled: true
+  suppressAutomaticWildcards: true
+proxy:
+  annotations:
+    ingress:
+      kubernetes.io/tls-acme: "true"
+      kubernetes.io/ingress.allow-http: "false"
+      kubernetes.io/ingress.global-static-ip-name: ""
+      cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+      #tls:
+    #existingSecretName: teleport.badhouseplants.net
+    #publicAddr:
+    #  - teleport.badhouseplants.net:443
+tls:
+  existingSecretName: teleport.badhouseplants.net