-
Notifications
You must be signed in to change notification settings - Fork 1.7k
/
installer.sh.tmpl
121 lines (105 loc) · 5.73 KB
/
installer.sh.tmpl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
#!/bin/sh
set -eu
on_ec2() {
IMDS_TOKEN=$(curl -m5 -sS -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
[ -z "$IMDS_TOKEN" ] && return 1
EC2_STATUS=$(curl -o /dev/null -w "%{http_code}" -m5 -sS -H "X-aws-ec2-metadata-token: ${IMDS_TOKEN}" "http://169.254.169.254/latest/meta-data")
[ "$EC2_STATUS" = "200" ]
}
on_azure() {
AZURE_STATUS=$(curl -o /dev/null -w "%{http_code}" -m5 -sS -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
[ "$AZURE_STATUS" = "200" ]
}
on_gcp() {
GCP_STATUS=$(curl -o /dev/null -w "%{http_code}" -m5 -sS -H "Metadata-Flavor: Google" "http://metadata.google.internal/")
[ "$GCP_STATUS" = "200" ]
}
(
flock -n 9 || exit 1
if test -f /usr/local/bin/teleport; then
exit 0
fi
# shellcheck disable=SC1091
. /etc/os-release
PACKAGE_LIST="{{ .TeleportPackage }} jq"
# shellcheck disable=SC2050
if [ "{{ .AutomaticUpgrades }}" = "true" ]; then
PACKAGE_LIST="${PACKAGE_LIST} {{ .TeleportPackage }}-updater"
fi
if [ "$ID" = "debian" ] || [ "$ID" = "ubuntu" ]; then
# old versions of ubuntu require that keys get added by `apt-key add`, without
# adding the key apt shows a key signing error when installing teleport.
if [ "$VERSION_CODENAME" = "xenial" ] || [ "$VERSION_CODENAME" = "trusty" ]; then
curl -o /tmp/teleport-pubkey.asc https://apt.releases.teleport.dev/gpg
sudo apt-key add /tmp/teleport-pubkey.asc
echo "deb https://apt.releases.teleport.dev/ubuntu ${VERSION_CODENAME?} {{ .RepoChannel }}" | sudo tee /etc/apt/sources.list.d/teleport.list
rm /tmp/teleport-pubkey.asc
else
sudo curl https://apt.releases.teleport.dev/gpg \
-o /usr/share/keyrings/teleport-archive-keyring.asc
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} {{ .RepoChannel }}" | sudo tee /etc/apt/sources.list.d/teleport.list >/dev/null
fi
sudo apt-get update
sudo apt-get install -y ${PACKAGE_LIST}
elif [ "$ID" = "amzn" ] || [ "$ID" = "rhel" ]; then
if [ "$ID" = "rhel" ]; then
VERSION_ID=$(echo "$VERSION_ID" | sed 's/\..*//') # convert version numbers like '7.2' to only include the major version
fi
sudo yum-config-manager --add-repo \
"$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/{{ .RepoChannel }}/teleport.repo")"
sudo yum install -y ${PACKAGE_LIST}
elif [ "$ID" = "sles" ] || [ "$ID" = "opensuse-tumbleweed" ] || [ "$ID" = "opensuse-leap" ]; then
if [ "$ID" = "opensuse-tumbleweed" ]; then
VERSION_ID="15" # tumbleweed uses dated VERSION_IDs like 20230702
else
VERSION_ID=$(echo "$VERSION_ID" | sed 's/\..*//') # convert version numbers like '7.2' to only include the major version
fi
sudo rpm --import "https://zypper.releases.teleport.dev/gpg"
sudo zypper --non-interactive addrepo "$(rpm --eval "https://zypper.releases.teleport.dev/sles/$VERSION_ID/Teleport/%{_arch}/{{ .RepoChannel }}/teleport.repo")"
sudo zypper --gpg-auto-import-keys refresh
sudo zypper --non-interactive install ${PACKAGE_LIST}
else
echo "Unsupported distro: $ID"
exit 1
fi
if on_azure; then
API_VERSION=$(curl -m5 -sS -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/versions" | jq -r ".apiVersions[-1]")
INSTANCE_INFO=$(curl -m5 -sS -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=$API_VERSION&format=json")
REGION="$(echo "$INSTANCE_INFO" | jq -r .compute.location)"
RESOURCE_GROUP="$(echo "$INSTANCE_INFO" | jq -r .compute.resourceGroupName)"
SUBSCRIPTION_ID="$(echo "$INSTANCE_INFO" | jq -r .compute.subscriptionId)"
VM_ID="$(echo "$INSTANCE_INFO" | jq -r .compute.vmId)"
JOIN_METHOD=azure
LABELS="teleport.internal/vm-id=${VM_ID},teleport.internal/subscription-id=${SUBSCRIPTION_ID},teleport.internal/region=${REGION},teleport.internal/resource-group=${RESOURCE_GROUP}"
elif on_ec2; then
IMDS_TOKEN=$(curl -m5 -sS -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
INSTANCE_INFO=$(curl -m5 -sS -H "X-aws-ec2-metadata-token: ${IMDS_TOKEN}" "http://169.254.169.254/latest/dynamic/instance-identity/document")
ACCOUNT_ID="$(echo "$INSTANCE_INFO" | jq -r .accountId)"
INSTANCE_ID="$(echo "$INSTANCE_INFO" | jq -r .instanceId)"
JOIN_METHOD=iam
LABELS="teleport.dev/instance-id=${INSTANCE_ID},teleport.dev/account-id=${ACCOUNT_ID}"
elif on_gcp; then
NAME="$(curl -m5 -sS -H "Metadata-Flavor:Google" "http://metadata.google.internal/computeMetadata/v1/instance/name")"
# GCP metadata returns fully qualified zone ("projects/<project-id>/zones/<zone>"), so we need to parse the zone name.
FULL_ZONE="$(curl -m5 -sS -H "Metadata-Flavor:Google" "http://metadata.google.internal/computeMetadata/v1/instance/zone")"
ZONE="$(basename $FULL_ZONE)"
PROJECT_ID=$(curl -m5 -sS -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/project/project-id")
JOIN_METHOD=gcp
LABELS="teleport.internal/name=${NAME},teleport.internal/zone=${ZONE},teleport.internal/project-id=${PROJECT_ID}"
else
echo "Could not determine cloud provider"
exit 1
fi
# generate teleport ssh config
# token is read as a parameter from the AWS ssm script run and
# passed as the first argument to the script
sudo /usr/local/bin/teleport node configure \
--proxy="{{ .PublicProxyAddr }}" \
--join-method=${JOIN_METHOD} \
--azure-client-id="{{ .AzureClientID }}" \
--token="$1" \
--output=file \
--labels="${LABELS}"
# enable and start teleport service
sudo systemctl enable --now teleport
) 9>/var/lock/teleport_install.lock