feat: Disable auto-enroll via environment variable #47679
Conversation
|
This one is a bit experimental, but I think it could help if a customer wants to automatically exclude a certain category of machines from auto-enroll. |
For these kinds of things we've been using TELEPORT_UNSTABLE_FOO |
It's not experimental in that sense, it was more in that I was still looking for confirmation on whether it would be useful. The answer is "yes" so I think the proposed env var is better. |
|
One of the other reasons the TELEPORT_UNSTABLE prefix has been used is to prevent people from relying on the environment variables longterm. Is this going to be a thing in perpetuity or do you plan on removing this in favor of another mechanism in the future? If the latter I think the TELEPORT_UNSTABLE prefix should be used here. |
No plans to remove it, seems like an useful toggle to have. The cost is just a handful of lines of relatively straightforward production code. |
There was a problem hiding this comment.
Thanks for the addition context @codingllama. I just wanted to ensure we were being consistent with environment variable naming.
codingllama
force-pushed
the
codingllama/autoenroll-offswitch
branch
from
1fa2a9b
to
5bae9f9
Compare
|
Conflicts solved, no code changes. PTAL @rudream @ryanclark. |
public-teleport-github-review-bot
bot
removed the request for review
from rudream
|
@codingllama See the table below for backport results.
|
Users or remote admins can now set TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 to disable auto-enroll in their machine, regardless of cluster setting.
Changelog: Auto-enroll may be locally disabled using the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable