diff --git a/docs/pages/reference/cli/teleport.mdx b/docs/pages/reference/cli/teleport.mdx
index 73d6a97b8dbea..c80540de551b9 100644
--- a/docs/pages/reference/cli/teleport.mdx
+++ b/docs/pages/reference/cli/teleport.mdx
@@ -58,7 +58,7 @@ we recommend using a [configuration file](../config.mdx) in production.
 | `--ca-pin` | none | **string** `sha256:` | set CA pin to validate the Auth Server. Generated by `tctl status` |
 | `--nodename` | value returned by the `hostname` command on the machine | **string** | assigns an alternative name for the node which can be used by clients to log in. |
 | `-c, --config` | `/etc/teleport.yaml` | **string** `.yaml` filepath | starts services with config specified in the YAML file, overrides CLI flags if set |
-| `--apply-on-startup` | none | **string** `.yaml` filepath | On startup, always apply resources described in the file at the given path. Only supports the following types: `token`. |
+| `--apply-on-startup` | none | **string** `.yaml` filepath | On startup, always apply resources described in the file at the given path. Only supports the following kinds: `token`, `cluster-auth-preference`, `cluster-networking-config`. |
 | `--bootstrap` | none | **string** `.yaml` filepath | bootstrap configured YAML resources {/* TODO link how to configure this file */} |
 | `--labels` | none | **string** comma-separated list | assigns a set of labels to a node, for example env=dev,app=web. See the explanation of labeling mechanism in the [Labeling Nodes](../../management/admin/labels.mdx) section. |
 | `--insecure` | none | none | disable certificate validation on Proxy Service, validation still occurs on Auth Service. |
diff --git a/lib/auth/init.go b/lib/auth/init.go
index 9e52d2107cd5c..b95982207fe0a 100644
--- a/lib/auth/init.go
+++ b/lib/auth/init.go
@@ -1368,6 +1368,10 @@ func applyResources(ctx context.Context, service *Services, resources []types.Re
 switch r := resource.(type) {
 case types.ProvisionToken:
 err = service.Provisioner.UpsertToken(ctx, r)
+ case types.ClusterNetworkingConfig:
+ err = service.ClusterConfiguration.SetClusterNetworkingConfig(ctx, r)
+ case types.AuthPreference:
+ err = service.ClusterConfiguration.SetAuthPreference(ctx, r)
 default:
 return trace.NotImplemented("cannot apply resource of type %T", resource)
 }
diff --git a/lib/auth/init_test.go b/lib/auth/init_test.go
index 4119d020ce5d4..6562ac5108048 100644
--- a/lib/auth/init_test.go
+++ b/lib/auth/init_test.go
@@ -1286,6 +1286,22 @@ spec:
 github:
 allow:
 - repository: gravitational/example`
+ clusterNetworkingConfYAML = `
+kind: cluster_networking_config
+metadata:
+ name: cluster-networking-config
+spec:
+ proxy_listener_mode: 1
+`
+ authPrefYAML = `
+kind: cluster_auth_preference
+metadata:
+ name: cluster-auth-preference
+spec:
+ second_factor: off
+ type: local
+version: v2
+`
 )
 func TestInit_ApplyOnStartup(t *testing.T) {
@@ -1293,6 +1309,8 @@ func TestInit_ApplyOnStartup(t *testing.T) {
 user := resourceFromYAML(t, userYAML).(types.User)
 token := resourceFromYAML(t, tokenYAML).(types.ProvisionToken)
+ clusterNetworkingConfig := resourceFromYAML(t, clusterNetworkingConfYAML).(types.ClusterNetworkingConfig)
+ authPref := resourceFromYAML(t, authPrefYAML).(types.AuthPreference)
 tests := []struct {
 name string
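Review bot: In `applyResources` (lib/auth/init.go) the new `types.AuthPreference` and `types.ClusterNetworkingConfig` cases call `SetAuthPreference` and `SetClusterNetworkingConfig` on `service.ClusterConfiguration` directly, so the file given to `--apply-on-startup` replaces the stored cluster-wide settings on every start and nothing in the hunk records that it did. For the auth preference this can replace a stored second-factor requirement with a weaker one (the fixture added in this commit applies `second_factor: off`), so it is worth confirming that whatever validation and audit logging the API path performs, neither of which is visible here, also cover this path. At minimum I would add a comment above the new cases, `// Applied unconditionally on every start: overwrites whatever is stored, including changes made at runtime.`, and log the kind and name of each applied resource. The function starts and ends outside the hunk.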
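Review bot: In the `authPrefYAML` fixture (lib/auth/init_test.go) `second_factor: off` is unquoted, and YAML 1.1 loaders read a bare `off` as the boolean false, so the fixture only yields the intended value if the loader or the field's unmarshalling maps that back; which one applies is not visible here. Writing `second_factor: "off"` keeps the fixture independent of that, and a short `#` comment on `proxy_listener_mode: 1` naming the mode it stands for would spare the reader a lookup. The const block starts outside the hunk.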
@@ -1313,6 +1331,20 @@ func TestInit_ApplyOnStartup(t *testing.T) {
 },
 assertError: require.NoError,
 },
+ {
+ name: "Apply ClusterNetworkingConfig",
+ modifyConfig: func(cfg *InitConfig) {
+ cfg.ApplyOnStartupResources = append(cfg.ApplyOnStartupResources, clusterNetworkingConfig)
+ },
+ assertError: require.NoError,
+ },
+ {
+ name: "Apply AuthPreference",
+ modifyConfig: func(cfg *InitConfig) {
+ cfg.ApplyOnStartupResources = append(cfg.ApplyOnStartupResources, authPref)
+ },
+ assertError: require.NoError,
+ },
 }
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
diff --git a/tool/teleport/common/teleport.go b/tool/teleport/common/teleport.go
index e329d4d445f53..234c94b272f48 100644
--- a/tool/teleport/common/teleport.go
+++ b/tool/teleport/common/teleport.go
@@ -137,7 +137,7 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
 fmt.Sprintf("Path to a configuration file [%v]", defaults.ConfigFilePath)).
 Short('c').ExistingFileVar(&ccf.ConfigFile)
 start.Flag("apply-on-startup",
- fmt.Sprintf("Path to a non-empty YAML file containing resources to apply on startup. Works on initialized clusters, unlike --bootstrap. Only supports the following types: %s.", types.KindToken)).
+ fmt.Sprintf("Path to a non-empty YAML file containing resources to apply on startup. Works on initialized clusters, unlike --bootstrap. Only supports the following types: %s, %s, %s.", types.KindToken, types.KindClusterNetworkingConfig, types.KindClusterAuthPreference)).
 ExistingFileVar(&ccf.ApplyOnStartupFile)
 start.Flag("bootstrap", "Path to a non-empty YAML file containing bootstrap resources (ignored if already initialized)").ExistingFileVar(&ccf.BootstrapFile)
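Review bot: The two new table entries in `TestInit_ApplyOnStartup` only set `assertError: require.NoError`, so as far as the hunk shows they pass whenever startup does not fail, even if the resource was never written. For settings that control authentication I would read the value back after init and compare it with the fixture, for example checking that the stored auth preference has the fixture's second factor and that the networking config has its `proxy_listener_mode`. The loop body that runs each case continues outside the hunk, so an existing read-back there would make this moot.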
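Review bot: The help string for `--apply-on-startup` in `Run` (tool/teleport/common/teleport.go) still says "types" and prints the values of `types.KindClusterNetworkingConfig` and `types.KindClusterAuthPreference`, while the docs row changed in this commit says "kinds" and spells them `cluster-auth-preference` and `cluster-networking-config`. The fixtures in lib/auth/init_test.go use `kind: cluster_auth_preference` and `kind: cluster_networking_config`, with the hyphenated strings as `metadata.name`, so the docs appear to list names rather than kinds; I would make the docs row use the same strings the constants render and change "types" to "kinds" here. The two lists are also in a different order, which is harmless but easy to align. `Run` starts and ends outside the hunk.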