Introduce config version v3, allow proxy_addresses to be given in the config

docs/pages/setup/reference/config.mdx

@@ -65,8 +65,8 @@ By default, it is stored in `/etc/teleport.yaml`.
 ```yaml
 # By default, this file should be stored in /etc/teleport.yaml
 
-# Configuration file version. The current version is "v2".
-version: v2
+# Configuration file version. The current version is "v3".
+version: v3
 
 # This section of the configuration file applies to all teleport
 # services.
@@ -131,12 +131,16 @@ teleport:
     # Auth Server address and port to connect to. If you enable the Teleport
     # Auth Server to run in High Availability configuration, the address should
     # point to a Load Balancer.
-    # If adding a node located behind NAT, use the Proxy URL. e.g.
-    #  auth_servers:
-    #     - teleport-proxy.example.com:443
+    # If adding a node located behind NAT, specify `proxy_servers` instead
     auth_servers:
         - 10.1.0.5:3025
 
+    # Proxy Server address and port to connect to. If you enable the Teleport
+    # Proxy Server to run in High Availability configuration, the address should
+    # point to a Load Balancer.
+    proxy_servers:
+        - teleport-proxy.example.com:443
+
     # cache:
     #  # The cache is enabled by default, it can be disabled with this flag
     #  enabled: true

integration/ec2_test.go

@@ -71,7 +71,7 @@ func newNodeConfig(t *testing.T, authAddr utils.NetAddr, tokenName string, joinM
 
 func newProxyConfig(t *testing.T, authAddr utils.NetAddr, tokenName string, joinMethod types.JoinMethod) *service.Config {
 	config := service.MakeDefaultConfig()
-	config.Version = defaults.TeleportConfigVersionV2
+	config.Version = defaults.TeleportConfigVersionV3
 	config.SetToken(tokenName)
 	config.JoinMethod = joinMethod
 	config.SSH.Enabled = false

integration/proxy_test.go

@@ -363,10 +363,10 @@ func TestALPNSNIProxyKubeV2Leaf(t *testing.T) {
 	suite := newProxySuite(t,
 		withRootClusterConfig(rootClusterStandardConfig(t), func(config *service.Config) {
 			config.Proxy.Kube.Enabled = true
-			config.Version = defaults.TeleportConfigVersionV2
+			config.Version = defaults.TeleportConfigVersionV3
 		}),
 		withLeafClusterConfig(leafClusterStandardConfig(t), func(config *service.Config) {
-			config.Version = defaults.TeleportConfigVersionV2
+			config.Version = defaults.TeleportConfigVersionV3
 			config.Proxy.Kube.Enabled = true
 
 			config.Kube.Enabled = true

lib/config/configuration.go

@@ -68,6 +68,8 @@ type CommandLineFlags struct {
 	NodeName string
 	// --auth-server flag
 	AuthServerAddr []string
+	// --proxy-server flag
+	ProxyServerAddr []string
 	// --token flag
 	AuthToken string
 	// CAPins are the SKPI hashes of the CAs used to verify the Auth Server.
@@ -268,6 +270,22 @@ func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error {
 		}
 	}
 
+	// config file has auth servers in there?
+	if len(fc.ProxyServers) > 0 {
+		cfg.ProxyServers = make([]utils.NetAddr, 0, len(fc.ProxyServers))
+		for _, as := range fc.ProxyServers {
+			addr, err := utils.ParseHostPortAddr(as, defaults.AuthListenPort)
+			if err != nil {
+				return trace.Wrap(err)
+			}
+
+			if err != nil {
+				return trace.Errorf("cannot parse proxy server address: '%v'", as)
+			}
+			cfg.ProxyServers = append(cfg.ProxyServers, *addr)
+		}
+	}
+
 	if err := applyTokenConfig(fc, cfg); err != nil {
 		return trace.Wrap(err)
 	}
@@ -855,8 +873,8 @@ func applyProxyConfig(fc *FileConfig, cfg *service.Config) error {
 	case legacyKube && newKube:
 		return trace.BadParameter("proxy_service should either set kube_listen_addr/kube_public_addr or kubernetes.enabled, not both; keep kubernetes.enabled if you don't enable kubernetes_service, or keep kube_listen_addr otherwise")
 	case !legacyKube && !newKube:
-		if fc.Version == defaults.TeleportConfigVersionV2 {
-			// Always enable kube service if using config V2 (TLS routing is supported)
+		if fc.Version != defaults.TeleportConfigVersionV1 {
+			// Always enable kube service if using config version 2 onwards (TLS routing is supported)
 			cfg.Proxy.Kube.Enabled = true
 		}
 	}
@@ -953,8 +971,8 @@ func getPostgresDefaultPort(cfg *service.Config) int {
 }
 
 func applyDefaultProxyListenerAddresses(cfg *service.Config) {
-	if cfg.Version == defaults.TeleportConfigVersionV2 {
-		// For v2 configuration if an address is not provided don't fallback to the default values.
+	if cfg.Version != defaults.TeleportConfigVersionV1 {
+		// From v2 onwards, if an address is not provided don't fallback to the default values.
 		return
 	}
 

lib/config/configuration_test.go

@@ -1753,6 +1753,15 @@ func TestProxyKube(t *testing.T) {
 			},
 			checkErr: require.NoError,
 		},
+		{
+			desc:    "v3 kube service should be enabled by default",
+			version: defaults.TeleportConfigVersionV3,
+			cfg:     Proxy{},
+			want: service.KubeProxyConfig{
+				Enabled: true,
+			},
+			checkErr: require.NoError,
+		},
 		{
 			desc:    "v2 kube service should be enabled by default",
 			version: defaults.TeleportConfigVersionV2,
@@ -1788,9 +1797,9 @@ func TestProxyConfigurationVersion(t *testing.T) {
 		checkErr require.ErrorAssertionFunc
 	}{
 		{
-			desc: "v2 config with default web address",
+			desc: "v3 config with default web address",
 			fc: FileConfig{
-				Version: defaults.TeleportConfigVersionV2,
+				Version: defaults.TeleportConfigVersionV3,
 				Proxy: Proxy{
 					Service: Service{
 						defaultEnabled: true,
@@ -1811,6 +1820,31 @@ func TestProxyConfigurationVersion(t *testing.T) {
 			},
 			checkErr: require.NoError,
 		},
+		{
+			desc: "v3 config with custom web address",
+			fc: FileConfig{
+				Version: defaults.TeleportConfigVersionV3,
+				Proxy: Proxy{
+					Service: Service{
+						defaultEnabled: true,
+					},
+					WebAddr: "0.0.0.0:9999",
+				},
+			},
+			want: service.ProxyConfig{
+				Enabled:             true,
+				EnableProxyProtocol: true,
+				WebAddr:             *utils.MustParseAddr("0.0.0.0:9999"),
+				Kube: service.KubeProxyConfig{
+					Enabled: true,
+				},
+				Limiter: limiter.Config{
+					MaxConnections:   defaults.LimiterMaxConnections,
+					MaxNumberOfUsers: 250,
+				},
+			},
+			checkErr: require.NoError,
+		},
 		{
 			desc: "v2 config with custom web address",
 			fc: FileConfig{

lib/config/fileconf.go

@@ -155,6 +155,8 @@ type SampleFlags struct {
 	Roles string
 	// AuthServer is the address of the auth server
 	AuthServer string
+	// ProxyServer is the address of the proxy server
+	ProxyServer string
 	// AppName is the name of the application to start
 	AppName string
 	// AppURI is the internal address of the application to proxy
@@ -217,6 +219,10 @@ func MakeSampleFileConfig(flags SampleFlags) (fc *FileConfig, err error) {
 		g.AuthServers = []string{flags.AuthServer}
 	}
 
+	if flags.ProxyServer != "" {
+		g.ProxyServers = []string{flags.ProxyServer}
+	}
+
 	g.CAPin = strings.Split(flags.CAPin, ",")
 
 	roles := roleMapFromFlags(flags)
@@ -306,7 +312,7 @@ func makeSampleAuthConfig(conf *service.Config, flags SampleFlags, enabled bool)
 			a.LicenseFile = flags.LicensePath
 		}
 
-		if flags.Version == defaults.TeleportConfigVersionV2 {
+		if flags.Version != defaults.TeleportConfigVersionV1 {
 			a.ProxyListenerMode = types.ProxyListenerMode_Multiplex
 		}
 	} else {
@@ -559,15 +565,16 @@ type Global struct {
 	// AuthToken is the old way of configuring the token to be used by the
 	// node to join the Teleport cluster. `JoinParams.TokenName` should be
 	// used instead with `JoinParams.JoinMethod = types.JoinMethodToken`.
-	AuthToken   string           `yaml:"auth_token,omitempty"`
-	JoinParams  JoinParams       `yaml:"join_params,omitempty"`
-	AuthServers []string         `yaml:"auth_servers,omitempty"`
-	Limits      ConnectionLimits `yaml:"connection_limits,omitempty"`
-	Logger      Log              `yaml:"log,omitempty"`
-	Storage     backend.Config   `yaml:"storage,omitempty"`
-	AdvertiseIP string           `yaml:"advertise_ip,omitempty"`
-	CachePolicy CachePolicy      `yaml:"cache,omitempty"`
-	SeedConfig  *bool            `yaml:"seed_config,omitempty"`
+	AuthToken    string           `yaml:"auth_token,omitempty"`
+	JoinParams   JoinParams       `yaml:"join_params,omitempty"`
+	AuthServers  []string         `yaml:"auth_servers,omitempty"`
+	ProxyServers []string         `yaml:"proxy_servers,omitempty"`
+	Limits       ConnectionLimits `yaml:"connection_limits,omitempty"`
+	Logger       Log              `yaml:"log,omitempty"`
+	Storage      backend.Config   `yaml:"storage,omitempty"`
+	AdvertiseIP  string           `yaml:"advertise_ip,omitempty"`
+	CachePolicy  CachePolicy      `yaml:"cache,omitempty"`
+	SeedConfig   *bool            `yaml:"seed_config,omitempty"`
 
 	// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
 	// omitted, a Teleport selected list of defaults will be used.

lib/defaults/defaults.go

@@ -764,13 +764,24 @@ func Transport() (*http.Transport, error) {
 	return tr, nil
 }
 
+// When adding a new version, please add it to TeleportVersions below
 const (
 	// TeleportConfigVersionV1 is the teleport proxy configuration v1 version.
 	TeleportConfigVersionV1 string = "v1"
 	// TeleportConfigVersionV2 is the teleport proxy configuration v2 version.
 	TeleportConfigVersionV2 string = "v2"
+	// TeleportConfigVersionV3 is the teleport proxy configuration v3 version.
+	TeleportConfigVersionV3 string = "v3"
 )
 
+// TeleportVersions is an exported slice of the allowed versions in the config file,
+//for convenience (looping through, etc)
+var TeleportVersions = []string{
+	TeleportConfigVersionV1,
+	TeleportConfigVersionV2,
+	TeleportConfigVersionV3,
+}
+
 // Default values for tsh and tctl commands.
 const (
 	TshTctlSessionListLimit = "50"

lib/service/cfg.go

@@ -90,11 +90,15 @@ type Config struct {
 	// JoinMethod is the method the instance will use to join the auth server
 	JoinMethod types.JoinMethod
 
-	// AuthServers is a list of auth servers, proxies and peer auth servers to
-	// connect to. Yes, this is not just auth servers, the field name is
-	// misleading.
+	// AuthServers is a list of auth servers and peer auth servers to
+	// connect to.
+	// Previously, proxy servers could be passed here, but going foward this
+	//should only be auth servers
 	AuthServers []utils.NetAddr
 
+	// ProxyServers is a list of proxies to tunnel to
+	ProxyServers []utils.NetAddr
+
 	// Identities is an optional list of pre-generated key pairs
 	// for teleport roles, this is helpful when server is preconfigured
 	Identities []*auth.Identity