Fix usage of ClusterName from config when starting Auth server (#32682)

gravitational · Sep 27, 2023 · d7bc836 · d7bc836
1 parent 6ef1aee
commit d7bc836
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 5 deletions.
diff --git a/docs/pages/includes/config-reference/auth-service.yaml b/docs/pages/includes/config-reference/auth-service.yaml
@@ -110,6 +110,7 @@ auth_service:
     # Turns 'auth' role on. Default is 'yes'
     enabled: yes
 
+    # cluster_name is the name used to initiate a new cluster.
     # A cluster name is used as part of a signature in certificates
     # generated by this CA.
     #
@@ -118,7 +119,9 @@ auth_service:
     #
     # By default an automatically generated name is used (not recommended)
     #
-    # IMPORTANT: if you change cluster_name, it will invalidate all generated
+    # IMPORTANT: changes to this field won't have an effect on an already created cluster.
+    # To change the name of an existing cluster, you can use
+    # the 'POST /v2/configuration/name' endpoint, but it will invalidate all generated
     # certificates and keys (may need to wipe out /var/lib/teleport directory)
     cluster_name: "main"
 

diff --git a/lib/service/service.go b/lib/service/service.go
@@ -1676,6 +1676,14 @@ func (process *TeleportProcess) initAuthService() error {
 		}
 	}
 	clusterName := cfg.Auth.ClusterName.GetClusterName()
+	ident, err := process.storage.ReadIdentity(auth.IdentityCurrent, types.RoleAdmin)
+	if err != nil && !trace.IsNotFound(err) {
+		return trace.Wrap(err)
+	}
+	if ident != nil {
+		clusterName = ident.ClusterName
+	}
+
 	checkingEmitter, err := events.NewCheckingEmitter(events.CheckingEmitterConfig{
 		Inner:       events.NewMultiEmitter(events.NewLoggingEmitter(), emitter),
 		Clock:       process.Clock,
@@ -1714,7 +1722,12 @@ func (process *TeleportProcess) initAuthService() error {
 	}
 
 	embeddingsRetriever := ai.NewSimpleRetriever()
-
+	cn, err := services.NewClusterNameWithRandomID(types.ClusterNameSpecV2{
+		ClusterName: clusterName,
+	})
+	if err != nil {
+		return trace.Wrap(err)
+	}
 	// first, create the AuthServer
 	authServer, err := auth.Init(
 		process.ExitContext(),
@@ -1725,7 +1738,7 @@ func (process *TeleportProcess) initAuthService() error {
 			ClusterAuditConfig:      cfg.Auth.AuditConfig,
 			ClusterNetworkingConfig: cfg.Auth.NetworkingConfig,
 			SessionRecordingConfig:  cfg.Auth.SessionRecordingConfig,
-			ClusterName:             cfg.Auth.ClusterName,
+			ClusterName:             cn,
 			AuthServiceName:         cfg.Hostname,
 			DataDir:                 cfg.DataDir,
 			HostUUID:                cfg.HostUUID,

diff --git a/lib/service/servicecfg/config.go b/lib/service/servicecfg/config.go
@@ -136,7 +136,7 @@ type Config struct {
 	// PidFile is a full path of the PID file for teleport daemon
 	PIDFile string
 
-	// Trust is a service that manages users and credentials
+	// Trust is a service that manages certificate authorities
 	Trust services.Trust
 
 	// Presence service is a discovery and heartbeat tracker
@@ -148,7 +148,7 @@ type Config struct {
 	// Provisioner is a service that keeps track of provisioning tokens
 	Provisioner services.Provisioner
 
-	// Trust is a service that manages users and credentials
+	// Identity is a service that manages users and credentials
 	Identity services.Identity
 
 	// Access is a service that controls access