From 6a4436107cdfbca96969f90a9348bb7b3810eb69 Mon Sep 17 00:00:00 2001
From: Russell Jones <rjones@gravitational.com>
Date: Fri, 13 Nov 2020 02:34:36 +0000
Subject: [PATCH] Updated "teleport start" help message.

---
 lib/defaults/defaults.go      |  2 +-
 tool/teleport/common/usage.go | 25 ++++++++++++++++++++-----
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/lib/defaults/defaults.go b/lib/defaults/defaults.go
index c69d6ef6abd..aa2798906cb 100644
--- a/lib/defaults/defaults.go
+++ b/lib/defaults/defaults.go
@@ -478,7 +478,7 @@ var (
 	DataDir = "/var/lib/teleport"
 
 	// StartRoles is default roles teleport assumes when started via 'start' command
-	StartRoles = []string{RoleProxy, RoleNode, RoleAuthService}
+	StartRoles = []string{RoleProxy, RoleNode, RoleAuthService, RoleApp}
 
 	// ETCDPrefix is default key in ETCD clustered configurations
 	ETCDPrefix = "/teleport"
diff --git a/tool/teleport/common/usage.go b/tool/teleport/common/usage.go
index f54c6f7d2b1..0c079780b9b 100644
--- a/tool/teleport/common/usage.go
+++ b/tool/teleport/common/usage.go
@@ -4,13 +4,15 @@ const (
 	usageNotes = `Notes:
   --roles=node,proxy,auth,app
 
-  This flag tells Teleport which services to run. By default it runs all three. 
-  In a production environment you may want to separate them.
+  This flag tells Teleport which services to run. By default it runs auth,
+  proxy, and node. In a production environment you may want to separate them.
 
   --token=xyz
 
-  This token is needed to connect a node to an auth server. Obtain it by running 
-  "tctl nodes add" on the auth server. It's used once and ignored afterwards.
+  This token is needed to connect a node or web app to an auth server. Get it
+  by running "tctl tokens add --type=node" or "tctl tokens add --type=app" to
+  join an SSH server or web app to your cluster respectively. It's used once
+  and ignored afterwards.
 `
 
 	usageExamples = `
@@ -26,7 +28,20 @@ Examples:
 
 > teleport start --roles=node --auth-server=10.1.0.1 --labels=db=master
   Same as the above, but the node runs with db=master label and can be connected
-  to using that label in addition to its name.`
+  to using that label in addition to its name.
+
+> teleport start --roles=app --token=xyz --auth-server=proxy.example.com:3080 \
+    --app-name="example-app" \
+    --app-uri="http://localhost:8080"
+  Starts an app server that proxies the application "example-app" running at
+  http://localhost:8080.
+
+> teleport start --roles=app --token=xyz --auth-server=proxy.example.com:3080 \
+    --app-name="example-app" \
+    --app-uri="http://localhost:8080" \
+    --labels=group:dev
+  Same as the above, but the app server runs with "group=dev" label which only
+  allows access to users with the role "group=dev".`
 
 	sampleConfComment = `#
 # Sample Teleport configuration file