update license to do logic in teleport configure #51220

Open
wants to merge 2 commits into
base: master
Contributor

@stevenGravy stevenGravy commented Jan 19, 2025

Updates teleport configure comments output for:

  • not including license install rec unless enterprise build
  • not including license install rec if auth service isn't requested
  • updating language that the license applies to self-hosted

This provides the following benefit:

  • doesn't recommend installing the license when the configure is not related to the auth service
  • many ent customers are not self-hosted, rather cloud, so calling this out, to avoid confusion

An example would be if you do a teleport configure --roles=node: it gives you a to-do for the license when only SSH is enabled. This doesn't apply whether you are an ent customer or not.

Updated outputs:

teleport configure or teleport configure --roles=proxy,node,auth in OSS:

teleport configure
#
# A Sample Teleport configuration file.
#
#
version: v3
teleport:
  nodename: server.home
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  proxy_listener_mode: multiplex
ssh_service:
  enabled: "yes"
proxy_service:
  enabled: "yes"
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}

teleport configure --roles=node in OSS and ent builds:

#
# A Sample Teleport configuration file.
#
#
version: v3
teleport:
  nodename: Stevens-MBP.fios-router.home
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "no"
ssh_service:
  enabled: "yes"
proxy_service:
  enabled: "no"
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}

License.pem recommended just in ent builds including the auth service on teleport configure:

#
# A Sample Teleport configuration file.
#
## Things to update:
#  1. license.pem: Retrieve a license from your Teleport account https://teleport.sh
#     if you are a self-hosted Enterprise customer.
#
version: v3
teleport:
  nodename: Stevens-MBP.fios-router.home
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  license_file: /var/lib/teleport/license.pem
  proxy_listener_mode: multiplex
ssh_service:
  enabled: "yes"
proxy_service:
  enabled: "yes"
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}

@stevenGravy stevenGravy marked this pull request as ready for review January 19, 2025 15:48
@stevenGravy stevenGravy added no-changelog Indicates that a PR does not require a changelog entry backport/branch/v15 backport/branch/v16 backport/branch/v17 labels Jan 19, 2025
@github-actions github-actions bot requested review from klizhentas and r0mant January 19, 2025 15:49
@stevenGravy stevenGravy enabled auto-merge January 19, 2025 15:49
@stevenGravy stevenGravy requested a review from benarent January 19, 2025 15:49
@stevenGravy stevenGravy changed the title update license to do logic in configure update license to do logic in teleport configure Jan 19, 2025
@benarent
Contributor

Thanks for adding this, teleport configure could do with a bit more love in general and this is a good first step. I agree that always prompting for license.pem is confusing.

I noticed that we've a few other options and more helpful tools, https://goteleport.com/docs/reference/cli/teleport/ such as teleport node configure vs teleport configure --roles=node. With @thedevelopnik working on #50987 opinionated intro to product, I would also like him to consider these as part of the manual flow for setting this up.

Can you export the final tested output? If we add this logic, I would also add where the license file goes in the YAML config. auth_service: .... license_file: /var/lib/teleport/license.pem

For reference, I've exported the current teleport configure YAML below.

$ teleport configure 
#
# A Sample Teleport configuration file.
#
# Things to update:
#  1. license.pem: Retrieve a license from your Teleport account https://teleport.sh
#     if you are an Enterprise customer.
#
version: v3
teleport:
  nodename: ip-10-0-0-252
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  proxy_listener_mode: multiplex
ssh_service:
  enabled: "yes"
proxy_service:
  enabled: "yes"
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}

WARNING: The data directory /var/lib/teleport is not empty and may contain existing cluster state. Running this configuration is likely a mistake. To join a new cluster, specify an alternate --data-dir or clear the /var/lib/teleport directory.

$ teleport configure --roles=node
#
# A Sample Teleport configuration file.
#
# Things to update:
#  1. license.pem: Retrieve a license from your Teleport account https://teleport.sh
#     if you are an Enterprise customer.
#
version: v3
teleport:
  nodename: ip-10-0-0-252
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "no"
ssh_service:
  enabled: "yes"
proxy_service:
  enabled: "no"
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}

WARNING: The data directory /var/lib/teleport is not empty and may contain existing cluster state. Running this configuration is likely a mistake. To join a new cluster, specify an alternate --data-dir or clear the /var/lib/teleport directory.

$ teleport node configure
#
# A Sample Teleport configuration file.
#
# Things to update:
#  1. license.pem: Retrieve a license from your Teleport account https://teleport.sh
#     if you are an Enterprise customer.
#
version: v3
teleport:
  nodename: ip-10-0-0-252
  data_dir: /var/lib/teleport
  join_params:
    token_name: ""
    method: token
  log:
    output: stderr
    severity: INFO
    format:
      output: text
  ca_pin: ""
  diag_addr: ""
auth_service:
  enabled: "no"
ssh_service:
  enabled: "yes"
proxy_service:
  enabled: "no"
  https_keypairs: []
  https_keypairs_reload_interval: 0s
  acme: {}

WARNING: The data directory /var/lib/teleport is not empty and may contain existing cluster state. Running this configuration is likely a mistake. To join a new cluster, specify an alternate --data-dir or clear the /var/lib/teleport directory.

@zmb3
Collaborator

zmb3 commented Jan 29, 2025

A couple thoughts:

  • When I read the title of the commit message/PR I had no idea what this was doing. Can we come up with a more descriptive title?
  • At this point it's probably best to use a YAML template rather than concatenating a string that happens to be YAML.
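
The template approach suggested in the comment above, combined with the gating rule from the PR description (enterprise build and auth service requested), as an added example that is not code from the Teleport repository. The names `headerData`, `headerTmpl`, `authRequested` and `renderHeader` are hypothetical, the header text is modelled on the sample outputs in this PR, and the `--roles` value is assumed to be a comma-separated string.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// headerData (hypothetical, not Teleport's type) holds the two facts that gate the license to-do.
type headerData struct {
	Enterprise  bool // true only for an enterprise build
	AuthEnabled bool // true when the auth role was requested
}

// headerTmpl renders the comment header; "{{-" trims the newline before each action.
var headerTmpl = template.Must(template.New("header").Parse(`#
# A Sample Teleport configuration file.
#
{{- if and .Enterprise .AuthEnabled}}
# Things to update:
#  1. license.pem: Retrieve a license from your Teleport account https://teleport.sh
#     if you are a self-hosted Enterprise customer.
{{- end}}
#
`))

// authRequested reports whether a --roles value (e.g. "proxy,node,auth") includes auth.
func authRequested(roles string) bool {
	for _, r := range strings.Split(roles, ",") {
		if strings.EqualFold(strings.TrimSpace(r), "auth") {
			return true
		}
	}
	return false
}

// renderHeader returns the comment header for a build type and --roles value.
func renderHeader(enterprise bool, roles string) (string, error) {
	var buf bytes.Buffer
	err := headerTmpl.Execute(&buf, headerData{enterprise, authRequested(roles)})
	return buf.String(), err
}

func main() {
	for _, roles := range []string{"proxy,node,auth", "node"} {
		out, _ := renderHeader(true, roles)
		fmt.Printf("--roles=%s\n%s", roles, out)
	}
}
```

Keeping the condition inside the template puts the header wording and the rule that gates it in one place, so a golden-file test can pin all three outputs shown in the PR description.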
