Introduce config v3, add auth_server and proxy_server, remove auth_addresses

api/types/installers/installer.sh.tmpl

@@ -33,7 +33,7 @@
   # token is read as a parameter from the AWS ssm script run and
   # passed as the first argument to the script
   sudo /usr/local/bin/teleport node configure \
-    --auth-server="{{ .PublicProxyAddr }}" \
+    --proxy="{{ .PublicProxyAddr }}" \
     --join-method=iam \
     --token="$1" \
     --output=file \

api/types/provisioning.go

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"github.com/gravitational/teleport/api/defaults"
+	apiutils "github.com/gravitational/teleport/api/utils"
 
 	"github.com/gravitational/trace"
 )
@@ -39,6 +40,21 @@ const (
 	JoinMethodIAM JoinMethod = "iam"
 )
 
+var JoinMethods = []JoinMethod{
+	JoinMethodToken,
+	JoinMethodEC2,
+	JoinMethodIAM,
+}
+
+func ValidateJoinMethod(method JoinMethod) error {
+	hasJoinMethod := apiutils.SliceContainsStr(JoinMethods, method)
+	if !hasJoinMethod {
+		return trace.BadParameter("join method must be one of %s", apiutils.JoinStrings(JoinMethods, ", "))
+	}
+
+	return nil
+}
+
 // ProvisionToken is a provisioning token
 type ProvisionToken interface {
 	Resource

api/utils/slices.go

@@ -16,6 +16,10 @@ limitations under the License.
 
 package utils
 
+import (
+	"strings"
+)
+
 // CopyByteSlice returns a copy of the byte slice.
 func CopyByteSlice(in []byte) []byte {
 	if in == nil {
@@ -52,7 +56,7 @@ func StringSlicesEqual(a, b []string) bool {
 }
 
 // SliceContainsStr returns 'true' if the slice contains the given value
-func SliceContainsStr(slice []string, value string) bool {
+func SliceContainsStr[T ~string](slice []T, value T) bool {
 	for i := range slice {
 		if slice[i] == value {
 			return true
@@ -61,6 +65,31 @@ func SliceContainsStr(slice []string, value string) bool {
 	return false
 }
 
+// JoinStrings returns a string that is all the elements in the slice `T[]` joined by `sep`
+// This being generic allows for the usage of custom string times, without having to convert
+// the elements to a string to be passed into `strings.Join`.
+func JoinStrings[T ~string](elems []T, sep string) T {
+	switch len(elems) {
+	case 0:
+		return ""
+	case 1:
+		return elems[0]
+	}
+	n := len(sep) * (len(elems) - 1)
+	for i := 0; i < len(elems); i++ {
+		n += len(elems[i])
+	}
+
+	var b strings.Builder
+	b.Grow(n)
+	b.WriteString(string(elems[0]))
+	for _, s := range elems[1:] {
+		b.WriteString(sep)
+		b.WriteString(string(s))
+	}
+	return T(b.String())
+}
+
 // Deduplicate deduplicates list of strings
 func Deduplicate(in []string) []string {
 	if len(in) == 0 {

assets/aws/files/bin/teleport-generate-config

@@ -307,6 +307,7 @@ elif [[ "${TELEPORT_ROLE}" == "proxy" ]]; then
     # Teleport proxy proxies and optionally records
     # SSH sessions
     cat >${USE_CONFIG_PATH} <<EOF
+version: v3
 teleport:
   auth_token: /var/lib/teleport/token
   ca_pin: CA_PIN_HASH_PLACEHOLDER
@@ -324,8 +325,7 @@ teleport:
   storage:
     type: dir
     path: /var/lib/teleport/backend
-  auth_servers:
-    - ${TELEPORT_AUTH_SERVER_LB}:3025
+  auth_server: ${TELEPORT_AUTH_SERVER_LB}:3025
 
 auth_service:
   enabled: no
@@ -348,7 +348,7 @@ EOF
     if [[ "${USE_ACM}" != "true" ]]; then
         write_https_keypairs_section
     fi
-    
+
     # set up the database listeners
     write_database_section TELEPORT_DOMAIN_NAME
 
@@ -374,6 +374,7 @@ elif [[ "${TELEPORT_ROLE}" == "node" ]]; then
     echo "node" > ${USE_CONFD_DIR}/role.node
     # Teleport node handles incoming connections
     cat >${USE_CONFIG_PATH} <<EOF
+version: v3
 teleport:
   auth_token: /var/lib/teleport/token
   ca_pin: CA_PIN_HASH_PLACEHOLDER
@@ -386,8 +387,7 @@ teleport:
   storage:
     type: dir
     path: /var/lib/teleport/backend
-  auth_servers:
-    - ${TELEPORT_AUTH_SERVER_LB}:3025
+  auth_server: ${TELEPORT_AUTH_SERVER_LB}:443
 
 auth_service:
   enabled: no
@@ -506,7 +506,7 @@ EOF
 
             # set up the database listeners
             write_database_section TELEPORT_EXTERNAL_HOSTNAME
-    
+
             # set up the kubernetes listener
             write_kubernetes_section TELEPORT_EXTERNAL_HOSTNAME
 
@@ -527,7 +527,7 @@ EOF
 
         # set up the database listeners
         write_database_section TELEPORT_EXTERNAL_HOSTNAME
-            
+
         # set up the kubernetes listener
         write_kubernetes_section TELEPORT_EXTERNAL_HOSTNAME
 
@@ -588,7 +588,7 @@ EOF
 
     # write ssh/tunnel config
     write_ssh_and_tunnel_section 3080
-    
+
     # set up the database listeners
     write_database_section TELEPORT_EXTERNAL_HOSTNAME
 
@@ -767,13 +767,14 @@ EOF
 elif [[ "${TELEPORT_ROLE}" == "agent" ]]; then
     echo "agent" > ${USE_CONFD_DIR}/role.agent
     cat >${USE_CONFIG_PATH} <<EOF
+version: v3
 teleport:
   log:
     output: stderr
     severity: INFO
   data_dir: /var/lib/teleport
   auth_token: ${TELEPORT_JOIN_TOKEN}
-  auth_servers: ['${TELEPORT_PROXY_SERVER_LB}']
+  proxy_server: ${TELEPORT_PROXY_SERVER_LB}
 
 auth_service:
   enabled: no

assets/aws/files/tests/agent-app.bats

@@ -18,10 +18,10 @@ load fixtures/common
     [ ${GENERATE_EXIT_CODE?} -eq 0 ]
 }
 
-@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
+@test "[${TEST_SUITE?}] teleport.proxy_server is set correctly" {
     load ${TELEPORT_CONFD_DIR?}/conf
     cat "${TELEPORT_CONFIG_PATH?}"
-    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_servers:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
+    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  proxy_server:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
 }
 
 @test "[${TEST_SUITE?}] teleport.auth_token is set correctly" {

assets/aws/files/tests/agent-db.bats

@@ -20,10 +20,10 @@ load fixtures/common
     [ ${GENERATE_EXIT_CODE?} -eq 0 ]
 }
 
-@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
+@test "[${TEST_SUITE?}] teleport.proxy_server is set correctly" {
     load ${TELEPORT_CONFD_DIR?}/conf
     cat "${TELEPORT_CONFIG_PATH?}"
-    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_servers:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
+    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  proxy_server:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
 }
 
 @test "[${TEST_SUITE?}] teleport.auth_token is set correctly" {

assets/aws/files/tests/agent-ssh.bats

@@ -15,10 +15,10 @@ load fixtures/common
     [ ${GENERATE_EXIT_CODE?} -eq 0 ]
 }
 
-@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
+@test "[${TEST_SUITE?}] teleport.proxy_server is set correctly" {
     load ${TELEPORT_CONFD_DIR?}/conf
     cat "${TELEPORT_CONFIG_PATH?}"
-    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_servers:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
+    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  proxy_server:" -A1 | grep -q "${TELEPORT_PROXY_SERVER_LB?}"
 }
 
 @test "[${TEST_SUITE?}] teleport.auth_token is set correctly" {

assets/aws/files/tests/ha-node.bats

@@ -15,9 +15,9 @@ load fixtures/common
     [ ${GENERATE_EXIT_CODE?} -eq 0 ]
 }
 
-@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
+@test "[${TEST_SUITE?}] teleport.auth_server is set correctly" {
     load ${TELEPORT_CONFD_DIR?}/conf
-    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_servers:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
+    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_server:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
 }
 
 # in each test, we echo the block so that if the test fails, the block is outputted

assets/aws/files/tests/ha-proxy-acm-alias.bats

@@ -22,10 +22,10 @@ load fixtures/common
     [ ${GENERATE_EXIT_CODE?} -eq 0 ]
 }
 
-@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
+@test "[${TEST_SUITE?}] teleport.auth_server is set correctly" {
     load ${TELEPORT_CONFD_DIR?}/conf
     cat "${TELEPORT_CONFIG_PATH?}"
-    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_servers:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
+    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_server:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
 }
 
 # in each test, we echo the block so that if the test fails, the block is outputted

assets/aws/files/tests/ha-proxy-acm.bats

@@ -21,10 +21,10 @@ load fixtures/common
     [ ${GENERATE_EXIT_CODE?} -eq 0 ]
 }
 
-@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
+@test "[${TEST_SUITE?}] teleport.auth_server is set correctly" {
     load ${TELEPORT_CONFD_DIR?}/conf
     cat "${TELEPORT_CONFIG_PATH?}"
-    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_servers:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
+    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_server:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
 }
 
 # in each test, we echo the block so that if the test fails, the block is outputted

assets/aws/files/tests/ha-proxy-mysql.bats

@@ -22,10 +22,10 @@ load fixtures/common
     [ ${GENERATE_EXIT_CODE?} -eq 0 ]
 }
 
-@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
+@test "[${TEST_SUITE?}] teleport.auth_server is set correctly" {
     load ${TELEPORT_CONFD_DIR?}/conf
     cat "${TELEPORT_CONFIG_PATH?}"
-    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_servers:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
+    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_server:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
 }
 
 # in each test, we echo the block so that if the test fails, the block is outputted

assets/aws/files/tests/ha-proxy-no-db.bats

@@ -22,10 +22,10 @@ load fixtures/common
     [ ${GENERATE_EXIT_CODE?} -eq 0 ]
 }
 
-@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
+@test "[${TEST_SUITE?}] teleport.auth_server is set correctly" {
     load ${TELEPORT_CONFD_DIR?}/conf
     cat "${TELEPORT_CONFIG_PATH?}"
-    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_servers:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
+    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_server:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
 }
 
 # in each test, we echo the block so that if the test fails, the block is outputted

assets/aws/files/tests/ha-proxy.bats

@@ -22,10 +22,10 @@ load fixtures/common
     [ ${GENERATE_EXIT_CODE?} -eq 0 ]
 }
 
-@test "[${TEST_SUITE?}] teleport.auth_servers is set correctly" {
+@test "[${TEST_SUITE?}] teleport.auth_server is set correctly" {
     load ${TELEPORT_CONFD_DIR?}/conf
     cat "${TELEPORT_CONFIG_PATH?}"
-    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_servers:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
+    cat "${TELEPORT_CONFIG_PATH?}" | grep -E "^  auth_server:" -A1 | grep -q "${TELEPORT_AUTH_SERVER_LB?}"
 }
 
 # in each test, we echo the block so that if the test fails, the block is outputted

assets/loadtest/teleport/teleport-iot-node.yaml

@@ -1,3 +1,4 @@
+version: v3
 teleport:
   data_dir: /var/lib/teleport
   log:
@@ -6,11 +7,11 @@ teleport:
       output: json
   storage:
     type: dir
-  auth_servers: ["${PROXY_HOST}:3080"]
   auth_token: "node-${NODE_TOKEN}"
+  proxy_server: ${PROXY_HOST}:3080
 auth_service:
   enabled: false
 proxy_service:
   enabled: false
 ssh_service:
-  enabled: true
+  enabled: true

assets/loadtest/teleport/teleport-node.yaml

@@ -1,3 +1,4 @@
+version: v3
 teleport:
   data_dir: /var/lib/teleport
   log:
@@ -6,11 +7,11 @@ teleport:
       output: json
   storage:
     type: dir
-  auth_servers: ["auth:3025"]
   auth_token: "node-${NODE_TOKEN}"
+  auth_server: auth:3025
 auth_service:
   enabled: false
 proxy_service:
   enabled: false
 ssh_service:
-  enabled: true
+  enabled: true

assets/loadtest/teleport/teleport-proxy.yaml

@@ -1,11 +1,12 @@
+version: v3
 teleport:
   log:
     severity: DEBUG
     format:
       output: json
 
   data_dir: /var/lib/teleport
-  auth_servers: ["auth:3025"]
+  auth_server: auth:3025
   auth_token: "proxy-${PROXY_TOKEN}"
   cache:
     type: in-memory
@@ -24,4 +25,4 @@ proxy_service:
   https_cert_file: /etc/teleport-tls/tls.crt
   https_key_file: /etc/teleport-tls/tls.key
   public_addr: "${PROXY_HOST}:3080"
-  tunnel_public_addr: "${PROXY_HOST}:3024"
+  tunnel_public_addr: "${PROXY_HOST}:3024"

docker/one-node.yaml

@@ -1,26 +1,27 @@
+version: v3
 teleport:
-  auth_servers: ["one"]
+  auth_server: one
   auth_token: foo
   log:
     output: /var/lib/teleport/teleport.log
     severity: INFO
 
   data_dir: /var/lib/teleport
   storage:
-      path: /var/lib/teleport/backend
-      type: dir
+    path: /var/lib/teleport/backend
+    type: dir
 
 auth_service:
   enabled: no
 
 ssh_service:
   enabled: yes
   labels:
-      cluster: one
+    cluster: one
   commands:
-      - name: kernel
-        command: [/bin/uname, -r]
-        period: 5m
+    - name: kernel
+      command: [ /bin/uname, -r ]
+      period: 5m
 
 proxy_service:
   enabled: no