#!/bin/sh
# Teleport node installer template. The .RepoChannel, .TeleportPackage and
# .PublicProxyAddr fields are filled in when the template is rendered.
# Installs the teleport package (apt on Debian/Ubuntu, yum on Amazon Linux/RHEL),
# detects Azure or EC2 through the link-local metadata service, writes the node
# config with the matching join method (--output=file) and starts the service.
# Usage: installer.sh <join-token>   -- the token is read from $1 (see below).
# -e: abort on any unhandled failure; -u: an unset variable is an error. Note
# that this script targets /bin/sh, so pipefail is deliberately not set.
set -eu
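#######################################
# Probe the AWS EC2 instance metadata service (IMDS).
# IMDSv2-only instances answer 401 without a token and some setups answer 403,
# so both count as "we are on EC2"; anything else (including the 000 curl
# reports when nothing is listening) means not EC2.
# Globals:   EC2_STATUS (written) - HTTP status of the probe, 000 on no answer
# Returns:   0 when running on EC2, non-zero otherwise
#######################################
on_ec2() {
  # --noproxy "*": IMDS is link-local and must never be sent through a proxy
  # picked up from http_proxy/HTTPS_PROXY (same as the Azure probe). The || arm
  # keeps a connection failure from aborting the script under `set -e` if this
  # is ever called outside an if/elif condition.
  EC2_STATUS=$(curl -o /dev/null -w "%{http_code}" -m5 -sS --noproxy "*" "http://169.254.169.254/latest/meta-data") || EC2_STATUS="000"
  case "$EC2_STATUS" in
    200|401|403) return 0 ;;
    *) return 1 ;;
  esac
}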
#######################################
# Probe the Azure Instance Metadata Service.
# Azure IMDS rejects requests without the Metadata:true header, and --noproxy
# keeps the link-local request off any HTTP proxy configured in the environment.
# Globals:   AZURE_STATUS (written) - HTTP status of the probe
# Returns:   0 when the versions endpoint answers 200, non-zero otherwise
#######################################
on_azure() {
  AZURE_STATUS=$(curl -o /dev/null -w "%{http_code}" -m5 -sS -H "Metadata:true" --noproxy "*" "http://169.254.169.254/metadata/versions")
  case "$AZURE_STATUS" in
    200) return 0 ;;
    *) return 1 ;;
  esac
}
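(
  # Serialise installs per host: a second concurrent run bails out instead of
  # racing apt/yum on the same lock (fd 9 is opened on the last line).
  flock -n 9 || { echo "Another teleport install is already running" >&2; exit 1; }
  # Already installed: nothing to do (and no token is needed for this path).
  if test -f /usr/local/bin/teleport; then
    exit 0
  fi
  # The join token is passed by the SSM document as the first argument. Require
  # it here, before any package is installed, instead of failing at configure.
  # NOTE(review): argv is visible to every local user via `ps`; if
  # `teleport node configure --token` accepts a file path, have the SSM document
  # hand the token over through a 0600 file instead -- confirm before changing.
  JOIN_TOKEN="${1:?join token required as the first argument}"
  . /etc/os-release
  # old versions of ubuntu require that keys get added by `apt-key add`, without
  # adding the key apt shows a key signing error when installing teleport.
  # VERSION_CODENAME is only present in os-release on Debian-family systems; the
  # :- default keeps `set -u` from aborting on Amazon Linux / RHEL before the
  # distro dispatch below is even reached.
  LEGACY_UBUNTU=false
  if [ "${VERSION_CODENAME:-}" = "xenial" ] || [ "${VERSION_CODENAME:-}" = "trusty" ]; then
    LEGACY_UBUNTU=true
  fi
  if [ "$ID" = "debian" ] || [ "$ID" = "ubuntu" ]; then
    if [ "$LEGACY_UBUNTU" = true ]; then
      # Private temp file (not a fixed, guessable /tmp name) removed on every
      # exit path of this subshell; -f makes curl fail on an HTTP error instead
      # of feeding the server's error page to apt-key.
      PUBKEY_TMP=$(mktemp)
      trap 'rm -f "$PUBKEY_TMP"' EXIT
      curl -fsS -o "$PUBKEY_TMP" https://deb.releases.teleport.dev/teleport-pubkey.asc
      sudo apt-key add - < "$PUBKEY_TMP"
      echo "deb https://apt.releases.teleport.dev/ubuntu ${VERSION_CODENAME?} {{ .RepoChannel }}" | sudo tee /etc/apt/sources.list.d/teleport.list >/dev/null
    else
      # -f: an HTTP error must not leave an error page saved as the keyring.
      sudo curl -fsS https://deb.releases.teleport.dev/teleport-pubkey.asc \
        -o /usr/share/keyrings/teleport-archive-keyring.asc
      echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} {{ .RepoChannel }}" | sudo tee /etc/apt/sources.list.d/teleport.list >/dev/null
    fi
    sudo apt-get update
    # jq is needed below to parse the metadata-service responses.
    sudo apt-get install -y {{ .TeleportPackage }} jq
  elif [ "$ID" = "amzn" ] || [ "$ID" = "rhel" ]; then
    if [ "$ID" = "rhel" ]; then
      # The repo path uses the major version only: '7.2' -> '7'.
      VERSION_ID="${VERSION_ID%%.*}"
    fi
    sudo yum-config-manager --add-repo \
      "$(rpm --eval "https://yum.releases.teleport.dev/$ID/$VERSION_ID/Teleport/%{_arch}/{{ .RepoChannel }}/teleport.repo")"
    sudo yum install -y {{ .TeleportPackage }} jq
  else
    echo "Unsupported distro: $ID" >&2
    exit 1
  fi
  # Cloud detection. Azure is probed first; the EC2 probe is permissive
  # (401/403 count as a hit), so it runs only when Azure did not answer.
  if on_azure ; then
    API_VERSION=$(curl -m5 -sS -H "Metadata:true" --noproxy "*" "http://169.254.169.254/metadata/versions" | jq -r ".apiVersions[-1]")
    INSTANCE_INFO=$(curl -m5 -sS -H "Metadata:true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=$API_VERSION&format=json")
    REGION="$(echo "$INSTANCE_INFO" | jq -r .compute.location)"
    RESOURCE_GROUP="$(echo "$INSTANCE_INFO" | jq -r .compute.resourceGroupName)"
    SUBSCRIPTION_ID="$(echo "$INSTANCE_INFO" | jq -r .compute.subscriptionId)"
    VM_ID="$(echo "$INSTANCE_INFO" | jq -r .compute.vmId)"
    JOIN_METHOD=azure
    LABELS="teleport.internal/vm-id=${VM_ID},teleport.internal/subscription-id=${SUBSCRIPTION_ID},teleport.internal/region=${REGION},teleport.internal/resource-group=${RESOURCE_GROUP}"
  elif on_ec2 ; then
    # IMDSv2: fetch a short-lived session token, then read the identity
    # document with it. --noproxy keeps both link-local calls off any proxy,
    # matching the Azure calls above.
    IMDS_TOKEN=$(curl -m5 -sS --noproxy "*" -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 300")
    INSTANCE_INFO=$(curl -m5 -sS --noproxy "*" -H "X-aws-ec2-metadata-token: ${IMDS_TOKEN}" http://169.254.169.254/latest/dynamic/instance-identity/document)
    ACCOUNT_ID="$(echo "$INSTANCE_INFO" | jq -r .accountId)"
    INSTANCE_ID="$(echo "$INSTANCE_INFO" | jq -r .instanceId)"
    JOIN_METHOD=iam
    LABELS="teleport.dev/instance-id=${INSTANCE_ID},teleport.dev/account-id=${ACCOUNT_ID}"
  else
    echo "Could not determine cloud provider" >&2
    exit 1
  fi
  # generate teleport ssh config
  # token is read as a parameter from the AWS ssm script run and
  # passed as the first argument to the script
  sudo /usr/local/bin/teleport node configure \
    --proxy="{{ .PublicProxyAddr }}" \
    --join-method="${JOIN_METHOD}" \
    --token="${JOIN_TOKEN}" \
    --output=file \
    --labels="${LABELS}"
  # enable and start teleport service
  sudo systemctl enable --now teleport
) 9>/var/lock/teleport_install.lock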