teleport configure --token redacted generates an invalid configuration

[strideynet]

I first noticed this as the instructions provided under "Add Application" in the webapp generate an invalid configuration.

The instructions provide the following command to generate the configuration:

teleport configure --output=$HOME/.config/app_config.yaml --app-name=[example-app] --app-uri=http://localhost/ --roles=app --token=redacted --auth-server=teleport.local.noahstride.co.uk:443 --data-dir=$HOME/.config

This produces a configuration block that looks like:

teleport:
  nodename: Noahs-MacBook-Pro-2.local
  data_dir: /Users/noahstride/.config
  join_params:
    token_name: redacted
    method: ""
...

Running with this configuration produces:

ERROR: unknown value for join_params.method: "", expected one of [ec2 iam]

This is because the config file loader expects that the teleport.auth_token field is used when providing a token, and not that the token_name field is used to provide this value. This regression was introduced by #13097 , as previously teleport configure used the teleport.auth_token field.

I think the best solution here would be to allow the teleport.join_params.token_name field to be used to provide the token as well as continuing to support the teleport.auth_token field (until a later configuration schema version where we can remove the auth_token field). We should probably also adjust teleport configure to explicitly set the join params method to "token" when only --token is provided with no method. This seems like the best solution, as it brings Teleport in line with the behaviour described in the documentation.

The other solution would be to adjust teleport configure to use the teleport.auth_token field again with the value of --token. This solution has the least effect on the current behaviour of Teleport, but we would also need to update the documentation as that is currently incorrect.