Web: Discover flows should allow to set resource labels (single enrollments)

[r0mant]

Some of the resource-adding Discover flows do not allow to provide resource labels. This was intentionally omitted when we were originally implementing them but one consistent piece of feedback from SE team is that this leads to high friction during PoV's and is one of the main reasons they don't recommend these flows. Without ability to set resource labels, users have to resort to CLI to edit service config file to update the labels after having deployed it via Discover.

• server, single eks, single rds, kubernetes WebDiscover: allow custom labels for single resource enroll (server, kube, eks, rds) #50606
• web app WebDiscover: Allow setting labels when enrolling single web application #50853
• saml app https://github.com/gravitational/teleport.e/pull/5810
• aws app WebDiscover: allow setting labels when enrolling aws app #50976

[zmb3]

See also:

• Enable Teleport to set pre-defined labels to auto-discovered applications in kubernetes #43103
• Allow suggested_labels to be set via web UI and passed onto nodes joining via script #34528
• Support labels in "add application" magic link #23096
• Allow labels to be set by configuration when automatically enrolling EC2 instances #20676
• Ability to add labels during resource joining #10342
• Allow add server magic link to configure labels, and other node settings #5054

[marcoandredinis]

For SSH Server enrollments
The UI must be changed to have an optional list of labels that should be applied to the teleport.yaml configuration.

If the user adds anything there, the UI must update the token to include those labels as suggestedLabels
Endpoint:

teleport/lib/web/apiserver.go

Line 866 in 95b8489

h.PUT("/webapi/tokens", h.WithAuth(h.upsertTokenHandle))

When the installer script is fetched, it will include all the suggestedLabels in the teleport.yaml.

Note: the token already has one suggested label teleport.internal/resource-id. It must not be removed because it allows the UI to detect when the agent joins the cluster.
We should probably hide it from the UI.

For database enrollments
The UI must be changed to have an optional list of labels when the user adds a database.
This is valid for self-hosted and RDS databases.

The UI calls this endpoint

teleport/lib/web/apiserver.go

Line 889 in 95b8489

h.POST("/webapi/sites/:site/databases", h.WithClusterAuth(h.handleDatabaseCreateOrOverwrite))

Which already has the Labels field

teleport/lib/web/databases.go

Line 55 in 6614832

Labels []ui.Label `json:"labels,omitempty"`

For EKS Clusters
Backend PR: #49420
The frontend must be changed to allow users to send extra labels to the resource that will be created

teleport/lib/web/integrations_awsoidc.go

Line 535 in 02354f8

response, err := clt.IntegrationAWSOIDCClient().EnrollEKSClusters(ctx, &integrationv1.EnrollEKSClustersRequest{

For self-hosted Kube Clusters
The frontend must be changed to allow the user to optionally include the extra labels