This is a custom module and state for SaltStack to support Teleport.
It comes with basic user management, absent and present, and the ability to generate a token to join a node using publish.publish!
This feature allows a minion to use the publish.publish
feature to request an authentication token from another minion (the teleport auth server) and then populate the teleport.yaml config. From there the service can be started and will register with the teleport auth service.
There are a few checks the node_authentication_token
function does. First it checks to see if /var/lib/teleport/auth_token
exists and if the token in there has expired yet. It also checks to see if /var/lib/teleport/node.key
is present. If the node.key is missing it is assumed that the node has not registered itself with the auth service.
If it determines that it is not authenticated, the module function will run publish.publish to get the token and you can use it to populate a config and trigger any other actions necessary.
Copy the _modules
and the _states
to your base
file roots or gitfs repo, then make sure you run salt '*' saltutil.sync_all
Template File
teleport:
token: {{ token }}
ssh_service:
enabled: yes
auth_service:
enabled: no
proxy_service:
enabled: no
SLS File
teleport-config:
file.managed:
- name: /etc/teleport.yaml
- source: salt://config.tmpl
- template: jinja
- defaults:
token: {{ salt['teleport.node_authentication_token']('role:teleport-auth', expr_form='grain') }}