gravitational · marcoandredinis · Oct 23, 2025 · Oct 22, 2025
diff --git a/lib/service/discovery.go b/lib/service/discovery.go
@@ -75,11 +75,6 @@ func (process *TeleportProcess) initDiscoveryService() error {
 		return trace.Wrap(err, "failed to build access graph configuration")
 	}
 
-	publicProxyAddress, err := process.publicProxyAddr(accessPoint)
-	if err != nil {
-		return trace.Wrap(err, "failed to determine the public proxy address")
-	}
-
 	discoveryService, err := discovery.New(process.ExitContext(), &discovery.Config{
 		IntegrationOnlyCredentials: process.integrationOnlyCredentials(),
 		Matchers: discovery.Matchers{
@@ -89,17 +84,16 @@ func (process *TeleportProcess) initDiscoveryService() error {
 			Kubernetes:  process.Config.Discovery.KubernetesMatchers,
 			AccessGraph: process.Config.Discovery.AccessGraph,
 		},
-		DiscoveryGroup:     process.Config.Discovery.DiscoveryGroup,
-		Emitter:            asyncEmitter,
-		AccessPoint:        accessPoint,
-		ServerID:           conn.HostUUID(),
-		Log:                process.logger,
-		ClusterName:        conn.ClusterName(),
-		ClusterFeatures:    process.GetClusterFeatures,
-		PollInterval:       process.Config.Discovery.PollInterval,
-		GetClientCert:      conn.ClientGetCertificate,
-		AccessGraphConfig:  accessGraphCfg,
-		PublicProxyAddress: publicProxyAddress,
+		DiscoveryGroup:    process.Config.Discovery.DiscoveryGroup,
+		Emitter:           asyncEmitter,
+		AccessPoint:       accessPoint,
+		ServerID:          conn.HostUUID(),
+		Log:               process.logger,
+		ClusterName:       conn.ClusterName(),
+		ClusterFeatures:   process.GetClusterFeatures,
+		PollInterval:      process.Config.Discovery.PollInterval,
+		GetClientCert:     conn.ClientGetCertificate,
+		AccessGraphConfig: accessGraphCfg,
 	})
 	if err != nil {
 		return trace.Wrap(err)
@@ -136,41 +130,6 @@ func (process *TeleportProcess) initDiscoveryService() error {
 	return nil
 }
 
-type proxiesGetter interface {
-	GetProxies() ([]types.Server, error)
-}
-
-func (process *TeleportProcess) publicProxyAddr(accessPoint proxiesGetter) (string, error) {
-	// If the proxy server is explicitly set, use that.
-	if !process.Config.ProxyServer.IsEmpty() {
-		return process.Config.ProxyServer.String(), nil
-	}
-
-	// If DiscoveryService is running alongside a Proxy, use the first
-	// public address of the Proxy.
-	if process.Config.Proxy.Enabled {
-		for _, proxyAddr := range process.Config.Proxy.PublicAddrs {
-			if !proxyAddr.IsEmpty() {
-				return proxyAddr.String(), nil
-			}
-		}
-	}
-
-	proxies, err := accessPoint.GetProxies()
-	if err != nil {
-		return "", trace.Wrap(err)
-	}
-	for _, proxy := range proxies {
-		for _, proxyAddr := range proxy.GetPublicAddrs() {
-			if proxyAddr != "" {
-				return proxyAddr, nil
-			}
-		}
-	}
-
-	return "", trace.NotFound("could not find the public proxy address for server discovery")
-}
-
 // integrationOnlyCredentials indicates whether the DiscoveryService must only use Cloud APIs credentials using an integration.
 //
 // If Auth is running alongside this DiscoveryService and License is Cloud, then this process is running in Teleport's Cloud Infra.

diff --git a/lib/service/discovery_test.go b/lib/service/discovery_test.go
@@ -27,13 +27,11 @@ import (
 	"github.com/stretchr/testify/require"
 
 	clusterconfigpb "github.com/gravitational/teleport/api/gen/proto/go/teleport/clusterconfig/v1"
-	"github.com/gravitational/teleport/api/types"
 	"github.com/gravitational/teleport/lib/auth/authclient"
 	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/modules/modulestest"
 	"github.com/gravitational/teleport/lib/service/servicecfg"
 	"github.com/gravitational/teleport/lib/srv/discovery"
-	"github.com/gravitational/teleport/lib/utils"
 )
 
 func TestTeleportProcessIntegrationsOnly(t *testing.T) {
@@ -167,81 +165,6 @@ func TestTeleportProcess_initDiscoveryService(t *testing.T) {
 		})
 	}
 }
-func TestProcessPublicProxyAddr(t *testing.T) {
-	proxyServerWithPublicAddr := func(addr string) *types.ServerV2 {
-		return &types.ServerV2{
-			Spec: types.ServerSpecV2{
-				PublicAddrs: []string{addr},
-			},
-		}
-	}
-
-	tests := []struct {
-		name        string
-		config      *servicecfg.Config
-		proxyGetter proxiesGetter
-		wantAddr    string
-		errCheck    require.ErrorAssertionFunc
-	}{
-		{
-			name: "proxy server was set in config",
-			config: &servicecfg.Config{
-				ProxyServer: utils.NetAddr{Addr: "proxy.example.com:3080"},
-			},
-			wantAddr: "proxy.example.com:3080",
-			errCheck: require.NoError,
-		},
-		{
-			name: "proxy is running alongside discovery service",
-			config: &servicecfg.Config{
-				Proxy: servicecfg.ProxyConfig{
-					Enabled: true,
-					PublicAddrs: []utils.NetAddr{
-						{Addr: "public.proxy.com:443"},
-					},
-				},
-			},
-			wantAddr: "public.proxy.com:443",
-			errCheck: require.NoError,
-		},
-		{
-			name:   "discovery service is running alongside auth, (no proxy server defined and no proxy service enabled)",
-			config: &servicecfg.Config{},
-			proxyGetter: &mockProxyGetter{
-				servers: []types.Server{proxyServerWithPublicAddr("proxy.example:8080")},
-			},
-			wantAddr: "proxy.example:8080",
-			errCheck: require.NoError,
-		},
-		{
-			name:   "no proxy available",
-			config: &servicecfg.Config{},
-			proxyGetter: &mockProxyGetter{
-				servers: []types.Server{},
-			},
-			errCheck: require.Error,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			process := &TeleportProcess{
-				Config: tt.config,
-			}
-			addr, err := process.publicProxyAddr(tt.proxyGetter)
-			tt.errCheck(t, err)
-			require.Equal(t, tt.wantAddr, addr)
-		})
-	}
-}
-
-type mockProxyGetter struct {
-	servers []types.Server
-}
-
-func (f *mockProxyGetter) GetProxies() ([]types.Server, error) {
-	return f.servers, nil
-}
 
 type fakeClient struct {
 	authclient.ClientI

diff --git a/lib/srv/discovery/config_test.go b/lib/srv/discovery/config_test.go
@@ -112,14 +112,6 @@ func TestConfigCheckAndSetDefaults(t *testing.T) {
 			},
 			postCheckAndSetDefaultsFunc: func(t *testing.T, c *Config) {},
 		},
-		{
-			name:          "missing public proxy address",
-			errAssertFunc: require.Error,
-			cfgChange: func(c *Config) {
-				c.PublicProxyAddress = ""
-			},
-			postCheckAndSetDefaultsFunc: func(t *testing.T, c *Config) {},
-		},
 		{
 			name:          "missing cluster features",
 			errAssertFunc: require.Error,
@@ -145,8 +137,7 @@ func TestConfigCheckAndSetDefaults(t *testing.T) {
 				ClusterFeatures: func() proto.Features {
 					return proto.Features{}
 				},
-				DiscoveryGroup:     "test",
-				PublicProxyAddress: "proxy.example.com",
+				DiscoveryGroup: "test",
 			}
 			tt.cfgChange(cfg)
 			err := cfg.CheckAndSetDefaults()

diff --git a/lib/srv/discovery/discovery.go b/lib/srv/discovery/discovery.go
@@ -118,11 +118,6 @@ type Config struct {
 	// CloudClients is an interface for retrieving cloud clients.
 	CloudClients cloud.Clients
 
-	// PublicProxyAddress is the public address of the proxy.
-	// Used to configure installation scripts for Server auto discovery.
-	// Example: proxy.example.com:443 or proxy.example.com
-	PublicProxyAddress string
-
 	// AWSFetchersClients gets the AWS clients for the given region for the fetchers.
 	AWSFetchersClients fetchers.AWSClientGetter
 
@@ -239,10 +234,6 @@ func (c *Config) CheckAndSetDefaults() error {
 		return trace.BadParameter("no AccessPoint configured for discovery")
 	}
 
-	if c.PublicProxyAddress == "" {
-		return trace.BadParameter("no PublicProxyAddress configured for discovery")
-	}
-
 	if len(c.Matchers.Kubernetes) > 0 && c.DiscoveryGroup == "" {
 		return trace.BadParameter(`the DiscoveryGroup name should be set for discovery server if
 kubernetes matchers are present.`)
@@ -569,6 +560,25 @@ func (s *Server) startDynamicMatchersWatcher(ctx context.Context) error {
 	return nil
 }
 
+// publicProxyAddress returns the public proxy address to use for installation scripts.
+// This is only used if the matcher does not specify a ProxyAddress.
+// Example: proxy.example.com:3080 or proxy.example.com
+func (s *Server) publicProxyAddress(ctx context.Context) (string, error) {
+	proxies, err := s.AccessPoint.GetProxies()
+	if err != nil {
+		return "", trace.Wrap(err)
+	}
+	for _, proxy := range proxies {
+		for _, proxyAddr := range proxy.GetPublicAddrs() {
+			if proxyAddr != "" {
+				return proxyAddr, nil
+			}
+		}
+	}
+
+	return "", trace.NotFound("could not find the public proxy address for server discovery")
+}
+
 // initAWSWatchers starts AWS resource watchers based on types provided.
 func (s *Server) initAWSWatchers(matchers []types.AWSMatcher) error {
 	var err error
@@ -578,9 +588,9 @@ func (s *Server) initAWSWatchers(matchers []types.AWSMatcher) error {
 	})
 
 	s.staticServerAWSFetchers, err = server.MatchersToEC2InstanceFetchers(s.ctx, server.MatcherToEC2FetcherParams{
-		Matchers:        ec2Matchers,
-		EC2ClientGetter: s.GetEC2Client,
-		PublicProxyAddr: s.PublicProxyAddress,
+		Matchers:              ec2Matchers,
+		EC2ClientGetter:       s.GetEC2Client,
+		PublicProxyAddrGetter: s.publicProxyAddress,
 	})
 	if err != nil {
 		return trace.Wrap(err)
@@ -701,10 +711,10 @@ func (s *Server) awsServerFetchersFromMatchers(ctx context.Context, matchers []t
 	})
 
 	fetchers, err := server.MatchersToEC2InstanceFetchers(ctx, server.MatcherToEC2FetcherParams{
-		Matchers:            serverMatchers,
-		EC2ClientGetter:     s.GetEC2Client,
-		DiscoveryConfigName: discoveryConfigName,
-		PublicProxyAddr:     s.PublicProxyAddress,
+		Matchers:              serverMatchers,
+		EC2ClientGetter:       s.GetEC2Client,
+		DiscoveryConfigName:   discoveryConfigName,
+		PublicProxyAddrGetter: s.publicProxyAddress,
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)

diff --git a/lib/srv/discovery/discovery_eks_test.go b/lib/srv/discovery/discovery_eks_test.go
@@ -273,13 +273,12 @@ func TestDiscoveryServerEKS(t *testing.T) {
 						AWSConfigProvider: fakeConfigProvider,
 						eksClusters:       tt.eksClusters,
 					},
-					ClusterFeatures:    func() proto.Features { return proto.Features{} },
-					AccessPoint:        mockAccessPoint,
-					Matchers:           Matchers{},
-					Emitter:            tt.emitter,
-					DiscoveryGroup:     defaultDiscoveryGroup,
-					Log:                logtest.NewLogger(),
-					PublicProxyAddress: "proxy.example.com",
+					ClusterFeatures: func() proto.Features { return proto.Features{} },
+					AccessPoint:     mockAccessPoint,
+					Matchers:        Matchers{},
+					Emitter:         tt.emitter,
+					DiscoveryGroup:  defaultDiscoveryGroup,
+					Log:             logtest.NewLogger(),
 				})
 				require.NoError(t, err)