diff --git a/docs/pages/reference/cli/teleport.mdx b/docs/pages/reference/cli/teleport.mdx
index 60f242402478d..f7a55c8444640 100644
--- a/docs/pages/reference/cli/teleport.mdx
+++ b/docs/pages/reference/cli/teleport.mdx
@@ -58,7 +58,7 @@ we recommend using a [configuration file](../config.mdx) in production.
 | `--ca-pin` | none | **string** `sha256:` | set CA pin to validate the Auth Server. Generated by `tctl status` |
 | `--nodename` | value returned by the `hostname` command on the machine | **string** | assigns an alternative name for the node which can be used by clients to log in. |
 | `-c, --config` | `/etc/teleport.yaml` | **string** `.yaml` filepath | starts services with config specified in the YAML file, overrides CLI flags if set |
-| `--apply-on-startup` | none | **string** `.yaml` filepath | On startup, always apply resources described in the file at the given path. Only supports the following kinds: `token`, `role`, `user`. |
+| `--apply-on-startup` | none | **string** `.yaml` filepath | On startup, always apply resources described in the file at the given path. Only supports the following kinds: `token`, `role`, `user`, `cluster-auth-preference`, `cluster-networking-config`. |
 | `--bootstrap` | none | **string** `.yaml` filepath | bootstrap configured YAML resources {/* TODO link how to configure this file */} |
 | `--labels` | none | **string** comma-separated list | assigns a set of labels to a node, for example env=dev,app=web. See the explanation of labeling mechanism in the [Labeling Nodes](../../management/admin/labels.mdx) section. |
 | `--insecure` | none | none | disable certificate validation on Proxy Service, validation still occurs on Auth Service. |
diff --git a/lib/auth/init.go b/lib/auth/init.go
index f37a557cbd179..3c944a5c423e5 100644
--- a/lib/auth/init.go
+++ b/lib/auth/init.go
@@ -1365,9 +1365,11 @@ func migrateRemoteClusters(ctx context.Context, asrv *Server) error {
 // to avoid consistency issues. A lower priority means the resource is applied
 // before.
 var ResourceApplyPriority = map[string]int{
-	types.KindRole: 1,
-	types.KindUser: 2, // Users must be applied after Roles
-	types.KindToken: 3,
+	types.KindRole: 1,
+	types.KindUser: 2, // Users must be applied after Roles
+	types.KindToken: 3,
+	types.KindClusterNetworkingConfig: 3,
+	types.KindClusterAuthPreference: 3,
 }
 
 // Unlike when resources are loaded via --bootstrap, we're inserting elements via their service.
@@ -1392,6 +1394,10 @@ func applyResources(ctx context.Context, service *Services, resources []types.Re
 		_, err = service.Identity.UpsertUser(ctx, r)
 	case types.Role:
 		_, err = service.Access.UpsertRole(ctx, r)
+	case types.ClusterNetworkingConfig:
+		err = service.ClusterConfiguration.SetClusterNetworkingConfig(ctx, r)
+	case types.AuthPreference:
+		err = service.ClusterConfiguration.SetAuthPreference(ctx, r)
 	default:
 		return trace.NotImplemented("cannot apply resource of type %T", resource)
 	}
diff --git a/lib/auth/init_test.go b/lib/auth/init_test.go
index 2a6f010b61cc2..d0ebf56e7ad63 100644
--- a/lib/auth/init_test.go
+++ b/lib/auth/init_test.go
@@ -1326,6 +1326,22 @@ spec:
   created_by: Admin
   target:
     user: myuser
+`
+	clusterNetworkingConfYAML = `
+kind: cluster_networking_config
+metadata:
+  name: cluster-networking-config
+spec:
+  proxy_listener_mode: 1
+`
+	authPrefYAML = `
+kind: cluster_auth_preference
+metadata:
+  name: cluster-auth-preference
+spec:
+  second_factor: off
+  type: local
+version: v2
 `
 )
 
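Review bot: The two new `ResourceApplyPriority` entries give no reason for sharing priority 3 with tokens, whereas the existing `KindUser` entry documents its ordering constraint, so a reader cannot tell whether the tie is deliberate or an oversight. The consumer of this map is outside the hunk, so I cannot confirm whether equal-priority kinds are applied in a stable order; if their order relative to tokens genuinely does not matter, say so on the entries, e.g. `types.KindClusterAuthPreference: 3, // cluster-wide singleton; no ordering dependency on the kinds above`. If it does matter (for instance because a later step reads the auth preference), the priority should be distinct rather than tied.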
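Review bot: The two new cases in `applyResources` replace cluster-wide singletons unconditionally on every Auth Service start, and nothing in this hunk reconciles them with the auth preference and networking config that can also be derived from the configuration file's auth_service section; whichever path runs last silently wins, and for the auth preference that decides second-factor and connector settings, so values operators last set with tctl may not survive a restart. Unlike the role, user and token cases, where an upsert of a named resource is additive, these overwrite the only instance, which deserves a comment on the two cases: `// Cluster config singletons: this replaces whatever was set via tctl or the config file, on every start.` I cannot see from the hunk whether the startup ordering between this call and the config-file-derived preference is defined; it is worth confirming and documenting at the call site. `applyResources` begins before this hunk.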
@@ -1336,6 +1352,8 @@ func TestInit_ApplyOnStartup(t *testing.T) {
 	token := resourceFromYAML(t, tokenYAML).(types.ProvisionToken)
 	role := resourceFromYAML(t, roleYAML).(types.Role)
 	lock := resourceFromYAML(t, lockYAML).(types.Lock)
+	clusterNetworkingConfig := resourceFromYAML(t, clusterNetworkingConfYAML).(types.ClusterNetworkingConfig)
+	authPref := resourceFromYAML(t, authPrefYAML).(types.AuthPreference)
 
 	tests := []struct {
 		name string
@@ -1390,6 +1408,20 @@ func TestInit_ApplyOnStartup(t *testing.T) {
 			},
 			assertError: require.NoError,
 		},
+		{
+			name: "Apply ClusterNetworkingConfig",
+			modifyConfig: func(cfg *InitConfig) {
+				cfg.ApplyOnStartupResources = append(cfg.ApplyOnStartupResources, clusterNetworkingConfig)
+			},
+			assertError: require.NoError,
+		},
+		{
+			name: "Apply AuthPreference",
+			modifyConfig: func(cfg *InitConfig) {
+				cfg.ApplyOnStartupResources = append(cfg.ApplyOnStartupResources, authPref)
+			},
+			assertError: require.NoError,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
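Review bot: The two new table cases in the second hunk only assert that Init returns no error; they never read the resulting state back, so a regression in which `SetAuthPreference` or `SetClusterNetworkingConfig` succeeds but the value is then overwritten by config-file defaults, or is ignored, would still pass. The existing cases appear to follow the same pattern, so this is consistent with the file, but for singletons that govern authentication it is worth fetching the auth preference and networking config from the cluster configuration service after Init and comparing the stored second-factor, type and `proxy_listener_mode` fields with the fixtures. `TestInit_ApplyOnStartup` begins before the first hunk and its body continues past the last line shown.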