Fixes to make 'teleport configure' output tidier

lib/config/configuration_test.go

@@ -100,18 +100,19 @@ func (s *ConfigTestSuite) SetUpTest(c *check.C) {
 
 func (s *ConfigTestSuite) TestSampleConfig(c *check.C) {
 	// generate sample config and write it into a temp file:
-	sfc := MakeSampleFileConfig()
+	sfc, err := MakeSampleFileConfig()
+	c.Assert(err, check.IsNil)
 	c.Assert(sfc, check.NotNil)
 	fn := filepath.Join(c.MkDir(), "default-config.yaml")
-	err := ioutil.WriteFile(fn, []byte(sfc.DebugDumpToYAML()), 0660)
+	err = ioutil.WriteFile(fn, []byte(sfc.DebugDumpToYAML()), 0660)
 	c.Assert(err, check.IsNil)
 
 	// make sure it could be parsed:
 	fc, err := ReadFromFile(fn)
 	c.Assert(err, check.IsNil)
 
 	// validate a couple of values:
-	c.Assert(fc.Limits.MaxUsers, check.Equals, defaults.LimiterMaxConcurrentUsers)
+	c.Assert(fc.AuthServers, check.DeepEquals, []string{fmt.Sprintf("%s:%d", defaults.Localhost, defaults.AuthListenPort)})
 	c.Assert(fc.Global.DataDir, check.Equals, defaults.DataDir)
 	c.Assert(fc.Logger.Severity, check.Equals, "INFO")
 

lib/config/fileconf.go

@@ -42,6 +42,11 @@ import (
 	"gopkg.in/yaml.v2"
 )
 
+const (
+	// randomTokenLenBytes is the length of random token generated for the example config
+	randomTokenLenBytes = 24
+)
+
 var (
 	// all possible valid YAML config keys
 	// true  = has sub-keys
@@ -243,20 +248,24 @@ func ReadConfig(reader io.Reader) (*FileConfig, error) {
 
 // MakeSampleFileConfig returns a sample config structure populated by defaults,
 // useful to generate sample configuration files
-func MakeSampleFileConfig() (fc *FileConfig) {
+func MakeSampleFileConfig() (fc *FileConfig, err error) {
 	conf := service.MakeDefaultConfig()
 
+	// generate a secure random token
+	randomJoinToken, err := utils.CryptoRandomHex(randomTokenLenBytes)
+	if err != nil {
+		return nil, trace.Wrap(err)
+	}
+
 	// sample global config:
 	var g Global
 	g.NodeName = conf.Hostname
-	g.AuthToken = "cluster-join-token"
+	g.AuthToken = randomJoinToken
+	g.CAPin = "sha256:ca-pin-hash-goes-here"
 	g.Logger.Output = "stderr"
 	g.Logger.Severity = "INFO"
-	g.AuthServers = []string{defaults.AuthListenAddr().Addr}
-	g.Limits.MaxConnections = defaults.LimiterMaxConnections
-	g.Limits.MaxUsers = defaults.LimiterMaxConcurrentUsers
+	g.AuthServers = []string{fmt.Sprintf("%s:%d", defaults.Localhost, defaults.AuthListenPort)}
 	g.DataDir = defaults.DataDir
-	g.PIDFile = "/var/run/teleport.pid"
 
 	// sample SSH config:
 	var s SSH
@@ -283,25 +292,23 @@ func MakeSampleFileConfig() (fc *FileConfig) {
 	var a Auth
 	a.ListenAddress = conf.Auth.SSHAddr.Addr
 	a.EnabledFlag = "yes"
-	a.StaticTokens = []StaticToken{"proxy,node:cluster-join-token"}
-	a.SessionRecording = services.RecordAtNode
+	a.StaticTokens = []StaticToken{StaticToken(fmt.Sprintf("proxy,node:%s", randomJoinToken))}
+	a.LicenseFile = "/path/to/license-if-using-teleport-enterprise.pem"
 
 	// sample proxy config:
 	var p Proxy
 	p.EnabledFlag = "yes"
 	p.ListenAddress = conf.Proxy.SSHAddr.Addr
 	p.WebAddr = conf.Proxy.WebAddr.Addr
 	p.TunAddr = conf.Proxy.ReverseTunnelListenAddr.Addr
-	p.CertFile = "/var/lib/teleport/webproxy_cert.pem"
-	p.KeyFile = "/var/lib/teleport/webproxy_key.pem"
 
 	fc = &FileConfig{
 		Global: g,
 		Proxy:  p,
 		SSH:    s,
 		Auth:   a,
 	}
-	return fc
+	return fc, nil
 }
 
 // DebugDumpToYAML allows for quick YAML dumping of the config
@@ -506,7 +513,7 @@ type Auth struct {
 	Authentication *AuthenticationConfig `yaml:"authentication,omitempty"`
 
 	// SessionRecording determines where the session is recorded: node, proxy, or off.
-	SessionRecording string `yaml:"session_recording"`
+	SessionRecording string `yaml:"session_recording,omitempty"`
 
 	// ProxyChecksHostKeys is used when the proxy is in recording mode and
 	// determines if the proxy will check the host key of the client or not.
@@ -548,11 +555,11 @@ type Auth struct {
 	PublicAddr utils.Strings `yaml:"public_addr,omitempty"`
 
 	// ClientIdleTimeout sets global cluster default setting for client idle timeouts
-	ClientIdleTimeout services.Duration `yaml:"client_idle_timeout"`
+	ClientIdleTimeout services.Duration `yaml:"client_idle_timeout,omitempty"`
 
 	// DisconnectExpiredCert provides disconnect expired certificate setting -
 	// if true, connections with expired client certificates will get disconnected
-	DisconnectExpiredCert services.Bool `yaml:"disconnect_expired_cert"`
+	DisconnectExpiredCert services.Bool `yaml:"disconnect_expired_cert,omitempty"`
 
 	// KubeconfigFile is an optional path to kubeconfig file,
 	// if specified, teleport will use API server address and
@@ -565,7 +572,7 @@ type Auth struct {
 
 	// KeepAliveCountMax set the number of keep-alive messages that can be
 	// missed before the server disconnects the client.
-	KeepAliveCountMax int64 `yaml:"keep_alive_count_max"`
+	KeepAliveCountMax int64 `yaml:"keep_alive_count_max,omitempty"`
 }
 
 // TrustedCluster struct holds configuration values under "trusted_clusters" key

tool/teleport/common/teleport.go

@@ -169,7 +169,7 @@ func Run(options Options) (executedCommand string, conf *service.Config) {
 	case status.FullCommand():
 		err = onStatus()
 	case dump.FullCommand():
-		onConfigDump()
+		err = onConfigDump()
 	case exec.FullCommand():
 		err = onExec()
 	case forward.FullCommand():
@@ -213,9 +213,13 @@ func onStatus() error {
 }
 
 // onConfigDump is the handler for "configure" CLI command
-func onConfigDump() {
-	sfc := config.MakeSampleFileConfig()
+func onConfigDump() error {
+	sfc, err := config.MakeSampleFileConfig()
+	if err != nil {
+		return trace.Wrap(err)
+	}
 	fmt.Printf("%s\n%s\n", sampleConfComment, sfc.DebugDumpToYAML())
+	return nil
 }
 
 // onSCP implements handling of 'scp' requests on the server side. When the teleport SSH daemon

tool/teleport/common/usage.go

@@ -29,6 +29,13 @@ Examples:
   to using that label in addition to its name.`
 
 	sampleConfComment = `#
-# Sample Teleport configuration file.
+# Sample Teleport configuration file
+# Creates a single proxy, auth and node server.
+#
+# Things to update:
+#  1. ca_pin: Obtain the CA pin hash for joining more nodes by running 'tctl status'
+#     on the auth server once Teleport is running.
+#  2. license-if-using-teleport-enterprise.pem: If you are an Enterprise customer,
+#     obtain this from https://dashboard.gravitational.com/web/
 #`
 )