gravitational · nklaassen · Nov 13, 2025 · Oct 10, 2025 · Oct 15, 2025 · Oct 15, 2025
diff --git a/integration/proxy/proxy_helpers.go b/integration/proxy/proxy_helpers.go
@@ -52,10 +52,10 @@ import (
 	"github.com/gravitational/teleport/api/utils/retryutils"
 	"github.com/gravitational/teleport/integration/helpers"
 	"github.com/gravitational/teleport/lib"
-	"github.com/gravitational/teleport/lib/auth/join"
 	"github.com/gravitational/teleport/lib/auth/state"
 	"github.com/gravitational/teleport/lib/client"
 	"github.com/gravitational/teleport/lib/defaults"
+	"github.com/gravitational/teleport/lib/join/joinclient"
 	"github.com/gravitational/teleport/lib/kube/kubeconfig"
 	testingkubemock "github.com/gravitational/teleport/lib/kube/proxy/testing/kube_server"
 	"github.com/gravitational/teleport/lib/reversetunnelclient"
@@ -653,11 +653,10 @@ func mustRegisterUsingIAMMethod(t *testing.T, proxyAddr utils.NetAddr, token str
 	t.Setenv("AWS_REGION", "us-west-2")
 
 	node := uuid.NewString()
-	_, err = join.Register(context.TODO(), join.RegisterParams{
+	_, err = joinclient.Join(t.Context(), joinclient.JoinParams{
 		Token: token,
 		ID: state.IdentityID{
-			Role:     types.RoleNode,
-			HostUUID: node,
+			Role:     types.RoleInstance,
 			NodeName: node,
 		},
 		ProxyServer: proxyAddr,

diff --git a/lib/auth/bot_test.go b/lib/auth/bot_test.go
@@ -60,7 +60,6 @@ import (
 	"github.com/gravitational/teleport/lib/auth"
 	"github.com/gravitational/teleport/lib/auth/authclient"
 	"github.com/gravitational/teleport/lib/auth/authtest"
-	"github.com/gravitational/teleport/lib/auth/join"
 	"github.com/gravitational/teleport/lib/auth/machineid/machineidv1"
 	"github.com/gravitational/teleport/lib/auth/state"
 	"github.com/gravitational/teleport/lib/auth/testauthority"
@@ -69,6 +68,7 @@ import (
 	"github.com/gravitational/teleport/lib/events/eventstest"
 	"github.com/gravitational/teleport/lib/fixtures"
 	"github.com/gravitational/teleport/lib/join/iamjoin"
+	"github.com/gravitational/teleport/lib/join/joinclient"
 	"github.com/gravitational/teleport/lib/kube/token"
 	"github.com/gravitational/teleport/lib/oidc/fakeissuer"
 	"github.com/gravitational/teleport/lib/reversetunnelclient"
@@ -158,7 +158,7 @@ func TestRegisterBotCertificateGenerationCheck(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, client.CreateToken(ctx, token))
 
-	result, err := join.Register(ctx, join.RegisterParams{
+	result, err := joinclient.Join(ctx, joinclient.JoinParams{
 		Token: token.GetName(),
 		ID: state.IdentityID{
 			Role: types.RoleBot,
@@ -298,7 +298,7 @@ func TestBotJoinAttrs_Kubernetes(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, client.CreateToken(ctx, tok))
 
-	result, err := join.Register(ctx, join.RegisterParams{
+	result, err := joinclient.Join(ctx, joinclient.JoinParams{
 		Token:      tok.GetName(),
 		JoinMethod: types.JoinMethodKubernetes,
 		ID: state.IdentityID{
@@ -410,7 +410,7 @@ func TestRegisterBotInstance(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, client.CreateToken(ctx, token))
 
-	result, err := join.Register(ctx, join.RegisterParams{
+	result, err := joinclient.Join(ctx, joinclient.JoinParams{
 		Token: token.GetName(),
 		ID: state.IdentityID{
 			Role: types.RoleBot,
@@ -556,7 +556,7 @@ func TestRegisterBotCertificateGenerationStolen(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, client.CreateToken(ctx, token))
 
-	result, err := join.Register(ctx, join.RegisterParams{
+	result, err := joinclient.Join(ctx, joinclient.JoinParams{
 		Token: token.GetName(),
 		ID: state.IdentityID{
 			Role: types.RoleBot,
@@ -632,7 +632,7 @@ func TestRegisterBotCertificateExtensions(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, client.CreateToken(ctx, token))
 
-	result, err := join.Register(ctx, join.RegisterParams{
+	result, err := joinclient.Join(ctx, joinclient.JoinParams{
 		Token: token.GetName(),
 		ID: state.IdentityID{
 			Role: types.RoleBot,
@@ -875,8 +875,8 @@ func defaultIdentityRequestTemplateInput(challenge string) identityRequestTempla
 }
 
 // authClientForRegisterResult is a test helper that creats an auth client for
-// the given [*join.RegisterResult].
-func authClientForRegisterResult(t *testing.T, ctx context.Context, addr *utils.NetAddr, result *join.RegisterResult) *authclient.Client {
+// the given [*joinclient.JoinResult].
+func authClientForRegisterResult(t *testing.T, ctx context.Context, addr *utils.NetAddr, result *joinclient.JoinResult) *authclient.Client {
 	privateKeyPEM, err := keys.MarshalPrivateKey(result.PrivateKey)
 	require.NoError(t, err)
 	sshPub, err := ssh.NewPublicKey(result.PrivateKey.Public())
@@ -947,14 +947,14 @@ func instanceIDFromCerts(t *testing.T, certs *proto.Certs) (string, uint64) {
 	return ident.BotInstanceID, ident.Generation
 }
 
-// registerHelper calls `join.Register` with the given token, prefilling params
+// registerHelper calls `joinclient.Join` with the given token, prefilling params
 // where possible. Overrides may be applied with `fns`.
 func registerHelper(
 	ctx context.Context, token types.ProvisionToken,
 	addr *utils.NetAddr,
-	fns ...func(*join.RegisterParams),
-) (*join.RegisterResult, error) {
-	params := join.RegisterParams{
+	fns ...func(*joinclient.JoinParams),
+) (*joinclient.JoinResult, error) {
+	params := joinclient.JoinParams{
 		JoinMethod: token.GetJoinMethod(),
 		Token:      token.GetName(),
 		ID: state.IdentityID{
@@ -970,7 +970,7 @@ func registerHelper(
 		fn(&params)
 	}
 
-	result, err := join.Register(ctx, params)
+	result, err := joinclient.Join(ctx, params)
 	return result, trace.Wrap(err)
 }
 
@@ -1067,7 +1067,7 @@ func TestRegisterBot_BotInstanceRejoin(t *testing.T) {
 	require.NoError(t, a.UpsertToken(ctx, awsToken))
 
 	// Join as a "bot" with both token types.
-	k8sResult, err := registerHelper(ctx, k8sToken, addr, func(p *join.RegisterParams) {
+	k8sResult, err := registerHelper(ctx, k8sToken, addr, func(p *joinclient.JoinParams) {
 		p.KubernetesReadFileFunc = k8sReadFileFunc
 	})
 	require.NoError(t, err)
@@ -1087,7 +1087,7 @@ func TestRegisterBot_BotInstanceRejoin(t *testing.T) {
 	// Rejoin using the k8s client and make sure we're issued certs with the
 	// same instance ID.
 	k8sClient := authClientForRegisterResult(t, ctx, addr, k8sResult)
-	rejoinedK8sResult, err := registerHelper(ctx, k8sToken, addr, func(p *join.RegisterParams) {
+	rejoinedK8sResult, err := registerHelper(ctx, k8sToken, addr, func(p *joinclient.JoinParams) {
 		p.KubernetesReadFileFunc = k8sReadFileFunc
 		p.AuthClient = k8sClient
 	})
@@ -1101,7 +1101,7 @@ func TestRegisterBot_BotInstanceRejoin(t *testing.T) {
 	// join service, the instance ID must be provided to auth by the proxy as
 	// part of the `RegisterUsingTokenRequest`.
 	iamClient := authClientForRegisterResult(t, ctx, addr, awsResult)
-	rejoinedAWSResult, err := registerHelper(ctx, awsToken, addr, func(p *join.RegisterParams) {
+	rejoinedAWSResult, err := registerHelper(ctx, awsToken, addr, func(p *joinclient.JoinParams) {
 		p.AuthClient = iamClient
 	})
 	require.NoError(t, err)
@@ -1281,7 +1281,7 @@ func TestRegisterBotMultipleTokens(t *testing.T) {
 	require.NoError(t, err)
 	require.NoError(t, client.CreateToken(ctx, tokenB))
 
-	resultA, err := join.Register(ctx, join.RegisterParams{
+	resultA, err := joinclient.Join(ctx, joinclient.JoinParams{
 		Token: tokenA.GetName(),
 		ID: state.IdentityID{
 			Role: types.RoleBot,
@@ -1294,7 +1294,7 @@ func TestRegisterBotMultipleTokens(t *testing.T) {
 	initialInstanceA, _ := instanceIDFromCerts(t, certsA)
 	require.NotEmpty(t, initialInstanceA)
 
-	resultB, err := join.Register(ctx, join.RegisterParams{
+	resultB, err := joinclient.Join(ctx, joinclient.JoinParams{
 		Token: tokenB.GetName(),
 		ID: state.IdentityID{
 			Role: types.RoleBot,

diff --git a/lib/auth/join/join.go b/lib/auth/join/join.go
@@ -275,6 +275,10 @@ type RegisterResult struct {
 // running on a different host than the auth server. This method requires a
 // provision token that will be used to authenticate as an identity that should
 // be allowed to join the cluster.
+//
+// Deprecated: this function is superceded by lib/join/joinclient.Join
+//
+// TODO(nklaassen): DELETE IN 20
 func Register(ctx context.Context, params RegisterParams) (result *RegisterResult, err error) {
 	ctx, span := tracer.Start(ctx, "Register")
 	defer func() { tracing.EndSpan(span, err) }()

diff --git a/lib/auth/join_test.go b/lib/auth/join_test.go
@@ -36,12 +36,12 @@ import (
 	"github.com/gravitational/teleport/api/utils/sshutils"
 	"github.com/gravitational/teleport/lib/auth"
 	"github.com/gravitational/teleport/lib/auth/authtest"
-	"github.com/gravitational/teleport/lib/auth/join"
 	"github.com/gravitational/teleport/lib/auth/machineid/machineidv1"
 	"github.com/gravitational/teleport/lib/auth/state"
 	"github.com/gravitational/teleport/lib/auth/testauthority"
 	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/events"
+	"github.com/gravitational/teleport/lib/join/joinclient"
 	"github.com/gravitational/teleport/lib/tlsca"
 	"github.com/gravitational/teleport/lib/utils"
 )
@@ -299,9 +299,9 @@ func newBotToken(t *testing.T, tokenName, botName string, role types.SystemRole,
 	return token
 }
 
-// TestRegister_Bot tests that a provision token can be used to generate
+// TestJoin_Bot tests that a provision token can be used to generate
 // renewable certificates for a non-interactive user.
-func TestRegister_Bot(t *testing.T) {
+func TestJoin_Bot(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
@@ -369,7 +369,7 @@ func TestRegister_Bot(t *testing.T) {
 	} {
 		t.Run(test.desc, func(t *testing.T) {
 			start := srv.Clock().Now()
-			result, err := join.Register(ctx, join.RegisterParams{
+			result, err := joinclient.Join(ctx, joinclient.JoinParams{
 				Token: test.token.GetName(),
 				ID: state.IdentityID{
 					Role: types.RoleBot,
@@ -413,9 +413,9 @@ func TestRegister_Bot(t *testing.T) {
 	}
 }
 
-// TestRegister_Bot_Expiry checks that bot certificate expiry can be set, and
+// TestJoin_Bot_Expiry checks that bot certificate expiry can be set, and
 // does not exceed the limit.
-func TestRegister_Bot_Expiry(t *testing.T) {
+func TestJoin_Bot_Expiry(t *testing.T) {
 	t.Parallel()
 	ctx := context.Background()
 
@@ -465,7 +465,7 @@ func TestRegister_Bot_Expiry(t *testing.T) {
 			tok := newBotToken(t, uuid.NewString(), botName, types.RoleBot, srv.Clock().Now().Add(time.Hour))
 			require.NoError(t, srv.Auth().UpsertToken(ctx, tok))
 
-			result, err := join.Register(ctx, join.RegisterParams{
+			result, err := joinclient.Join(ctx, joinclient.JoinParams{
 				Token: tok.GetName(),
 				ID: state.IdentityID{
 					Role: types.RoleBot,

diff --git a/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go b/lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go
@@ -56,12 +56,12 @@ import (
 	"github.com/gravitational/teleport/api/utils/keys"
 	"github.com/gravitational/teleport/lib/auth/authclient"
 	"github.com/gravitational/teleport/lib/auth/authtest"
-	"github.com/gravitational/teleport/lib/auth/join"
 	"github.com/gravitational/teleport/lib/auth/machineid/workloadidentityv1"
 	"github.com/gravitational/teleport/lib/auth/state"
 	"github.com/gravitational/teleport/lib/cryptosuites"
 	libevents "github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/events/eventstest"
+	"github.com/gravitational/teleport/lib/join/joinclient"
 	libjwt "github.com/gravitational/teleport/lib/jwt"
 	"github.com/gravitational/teleport/lib/modules"
 	"github.com/gravitational/teleport/lib/oidc/fakeissuer"
@@ -298,7 +298,7 @@ func TestIssueWorkloadIdentityE2E(t *testing.T) {
 	require.NoError(t, err)
 
 	// With the basic setup complete, we can now "fake" a join.
-	botCerts, err := join.Register(ctx, join.RegisterParams{
+	botCerts, err := joinclient.Join(ctx, joinclient.JoinParams{
 		Token:      token.GetName(),
 		JoinMethod: types.JoinMethodKubernetes,
 		ID: state.IdentityID{

diff --git a/lib/auth/storage/storage.go b/lib/auth/storage/storage.go
@@ -382,6 +382,31 @@ func readHostIDFromStorages(ctx context.Context, dataDir string, kubeBackend sta
 	return hostID, trace.Wrap(err)
 }
 
+// PersistAssignedHostID writes an assigned host ID to state storage and the
+// host_uuid file. This should not be called in the same process as
+// ReadOrGenerateHostID, it is intended to persist a host UUID assigned by the
+// Auth service that was not generated locally. With the new auth-assigned host
+// persisted to storage to maintain compatibility with any other processes that
+// UUID flow the agent doesn't even need to read the host ID, it is only
+// may read it.
+func (p *ProcessStorage) PersistAssignedHostID(ctx context.Context, cfg *servicecfg.Config, hostID string) error {
+	if p.stateStorage != nil {
+		if _, err := p.stateStorage.Put(
+			ctx,
+			backend.Item{
+				Key:   backend.NewKey(hostid.FileName),
+				Value: []byte(hostID),
+			},
+		); err != nil {
+			return trace.Wrap(err, "persisting host ID to state storage")
+		}
+	}
+	if err := hostid.WriteFile(cfg.DataDir, hostID); err != nil {
+		return trace.Wrap(err, "persisting host ID to file")
+	}
+	return nil
+}
+
 // persistHostIDToStorages writes the host ID to local data and to
 // Kubernetes Secret if this process is running on a Kubernetes Cluster.
 func persistHostIDToStorages(ctx context.Context, cfg *servicecfg.Config, hostID string, kubeBackend stateBackend) error {