NodeJoin script: fix when no labels are provided

[marcoandredinis]

Recently we added a way to add labels on newly added nodes based on the
token.
#15114
Each token now has a list of SuggestedLabels, which are used to feed
that list.

However, if that list is empty, the generated script would trigger the
following error when running the teleport node configure ... command:
teleport: error: unexpected

This happens because the command is generating an empty argument ""
when running the teleport node configure ... command.
So it looks like this:

${TELEPORT_BINARY_DIR}/teleport node configure \
      --token token \
      joinmethod \
      --ca-pin pin \
      --auth-server host:port \
      "" \
      --output someport

That empty argument breaks things.

So, in order to fix it, we are going to change the default value when no
labels are provided.
Instead of an empty string, we'll use an empty array.

Demo (teleport node configure message removed for brev
No label

$ LABELS_FLAG=(); f=$(mktemp -d)/node.yaml; teleport node configure --auth-server w:1 "${LABELS_FLAG[@]}" --output $f && yq .s
sh_service.labels $f

enabled: "yes"
commands:
  - name: hostname
    command: [hostname]
    period: 1m0s

Single label

$ LABELS_FLAG=(--labels x=y); f=$(mktemp -d)/node.yaml; teleport node configure --auth-server w:1 "${LABELS_FLAG[@]}" --output $f && yq .ssh_service $f

enabled: "yes"
labels:
  x: "y"
commands:
  - name: hostname
    command: [hostname]
    period: 1m0s

Multiple labels

$ LABELS_FLAG=(--labels x=y,dev=prod); f=$(mktemp -d)/node.yaml; teleport node configure --auth-server w:1 "${LABELS_FLAG[@]}" --output $f && yq .ssh_service $f

enabled: "yes"
labels:
  dev: prod
  x: "y"
commands:
  - name: hostname
    command: [hostname]
    period: 1m0s

[zmb3]

Are these labels user-controlled? If so, we need to protect against code injection.

What happens if someone specifies labels of x=y && rm -rf /?

Seems it might be safer for us to generate a file with the desired labels, and update teleport node configure to point it at a file rather than put user-controlled input in the script itself.

[marcoandredinis]

SuggestedLabels is a new field and not exposed anywhere client side.
The only place that writes to it is here

teleport/lib/web/join_tokens.go

Lines 123 to 135 in c3a7a37

	// If using the automatic method to add a Node, the `install.sh` will add the token's suggested labels
	// as part of the initial Labels configuration for that Node
	// Script install-node.sh:
	// ...
	// $ teleport configure ... --labels <suggested_label=value>,<suggested_label=value> ...
	// ...
	//
	// We create an ID and return it as part of the Token, so the UI can use this ID to query the Node that joined using this token
	// WebUI can then query the resources by this id and answer the question:
	// - Which Node joined the cluster from this token Y?
	req.SuggestedLabels = types.Labels{
	types.InternalResourceIDLabel: apiutils.Strings{uuid.NewString()},
	}

Should not be an issue:

• we don't receive those from the (web) client
• we don't set them based on some other input
• the only injected label is a static key and a random uuid value

[github-actions]

@marcoandredinis See the table below for backport results.

Branch	Result
branch/v10	Create PR