diff --git a/lib/config/configuration.go b/lib/config/configuration.go
index a704da66dd929..206a83ed9ae11 100644
--- a/lib/config/configuration.go
+++ b/lib/config/configuration.go
@@ -266,6 +266,9 @@ type CommandLineFlags struct {
 // ProfileSeconds defines the time the pprof will be collected.
 ProfileSeconds int
+
+ // DisableDebugService disables the debug service.
+ DisableDebugService bool
 }
 // IntegrationConfAccessGraphAWSSync contains the arguments of
@@ -462,8 +465,8 @@ func ApplyFileConfig(fc *FileConfig, cfg *servicecfg.Config) error {
 if fc.WindowsDesktop.Disabled() {
 cfg.WindowsDesktop.Enabled = false
 }
- if fc.Debug.Enabled() {
- cfg.DebugService.Enabled = true
+ if fc.Debug.Disabled() {
+ cfg.DebugService.Enabled = false
 }
 if fc.AccessGraph.Enabled {
@@ -2647,6 +2650,10 @@ func Configure(clf *CommandLineFlags, cfg *servicecfg.Config, legacyAppFlags boo
 }
 }
+ if clf.DisableDebugService {
+ cfg.DebugService.Enabled = false
+ }
+
 return nil
 }
diff --git a/lib/config/configuration_test.go b/lib/config/configuration_test.go
index 775d91dfe99b8..2560e8e8c5c23 100644
--- a/lib/config/configuration_test.go
+++ b/lib/config/configuration_test.go
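Review bot: In the ApplyFileConfig hunk the file config can now only switch the debug service off, so whether it runs when `debug_service` is absent depends entirely on the default set in servicecfg, which is outside this diff; the new "enabled by default" test case suggests that default is true. If so, this is an opt-in to opt-out change, and a node upgraded with an untouched config would start running the debug service. I would say so next to the check, e.g. `// The debug service is on by default; the config file can only opt out.`, and call it out in the upgrade notes so operators who minimise exposed services know to set `enabled: "no"` or pass `--no-debug-service`. ApplyFileConfig starts and ends outside the hunk.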
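Review bot: The override added at the end of Configure has no comment explaining that it deliberately runs last so the flag beats the file, which the test relies on ("commandline flag has priority over config file"). A one-line comment such as `// --no-debug-service takes precedence over debug_service.enabled in the config file.` would keep a later reorder from silently re-enabling the service. The `DisableDebugService` field comment in CommandLineFlags could name the flag the same way. Configure's body begins outside the hunk.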
@@ -5003,3 +5003,47 @@ func TestProxyUntrustedCert(t *testing.T) {
 // - the system root certs are loaded exactly once and cached
 // - it only works on linux
 }
+
+func TestDebugServiceConfig(t *testing.T) {
+ for name, tc := range map[string]struct {
+ configFile string
+ commandLineFlags *CommandLineFlags
+ expectDebugServiceEnabled bool
+ }{
+ "enabled by default": {configFile: "", expectDebugServiceEnabled: true},
+ "disabled by commandline": {
+ configFile: "",
+ commandLineFlags: &CommandLineFlags{DisableDebugService: true},
+ expectDebugServiceEnabled: false,
+ },
+ "disabled by configuration": {
+ configFile: `
+debug_service:
+ enabled: "no"
+`,
+ expectDebugServiceEnabled: false,
+ },
+ "commandline flag has priority over config file": {
+ configFile: `
+debug_service:
+ enabled: "yes"
+`,
+ commandLineFlags: &CommandLineFlags{DisableDebugService: true},
+ expectDebugServiceEnabled: false,
+ },
+ } {
+ t.Run(name, func(t *testing.T) {
+ filePath := filepath.Join(t.TempDir(), "config.yaml")
+ require.NoError(t, os.WriteFile(filePath, []byte(tc.configFile), 0o777))
+
+ if tc.commandLineFlags == nil {
+ tc.commandLineFlags = &CommandLineFlags{}
+ }
+ tc.commandLineFlags.ConfigFile = filePath
+
+ conf := servicecfg.MakeDefaultConfig()
+ require.NoError(t, Configure(tc.commandLineFlags, conf, false))
+ require.Equal(t, tc.expectDebugServiceEnabled, conf.DebugService.Enabled)
+ })
+ }
+}
diff --git a/tool/teleport/common/teleport.go b/tool/teleport/common/teleport.go
index 267d839a33665..7168f8f80e898 100644
--- a/tool/teleport/common/teleport.go
+++ b/tool/teleport/common/teleport.go
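Review bot: The temporary config file in TestDebugServiceConfig is written with mode `0o777`, which makes a configuration file executable and world-writable. Test fixtures get copied into real code, so `os.WriteFile(filePath, []byte(tc.configFile), 0o600)` is the better pattern. The table also has no case for `enabled: "yes"` on its own, without the flag. Since ApplyFileConfig no longer has an explicit enable branch, a case expecting `true` there would pin that an explicit "yes" is still honoured.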
@@ -195,6 +195,7 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
 start.Flag("db-aws-region", "AWS region AWS hosted database instance is running in.").Hidden().
 StringVar(&ccf.DatabaseAWSRegion)
+ start.Flag("no-debug-service", "Disables debug service.").BoolVar(&ccf.DisableDebugService)
 // define start's usage info (we use kingpin's "alias" field for this)
 start.Alias(usageNotes + usageExamples)
@@ -218,6 +219,7 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
 appStartCmd.Flag("diag-addr", "Start diagnostic prometheus and healthz endpoint.").StringVar(&ccf.DiagnosticAddr)
 appStartCmd.Flag("insecure", "Insecure mode disables certificate validation").BoolVar(&ccf.InsecureMode)
 appStartCmd.Flag("skip-version-check", "Skip version checking between server and client.").Default("false").BoolVar(&ccf.SkipVersionCheck)
+ appStartCmd.Flag("no-debug-service", "Disables debug service.").BoolVar(&ccf.DisableDebugService)
 appStartCmd.Alias(appUsageExamples) // We're using "alias" section to display usage examples.
 // "teleport db" command and its subcommands
@@ -254,6 +256,7 @@ func Run(options Options) (app *kingpin.Application, executedCommand string, con
 dbStartCmd.Flag("diag-addr", "Start diagnostic prometheus and healthz endpoint.").StringVar(&ccf.DiagnosticAddr)
 dbStartCmd.Flag("insecure", "Insecure mode disables certificate validation").BoolVar(&ccf.InsecureMode)
 dbStartCmd.Flag("skip-version-check", "Skip version checking between server and client.").Default("false").BoolVar(&ccf.SkipVersionCheck)
+ dbStartCmd.Flag("no-debug-service", "Disables debug service.").BoolVar(&ccf.DisableDebugService)
 dbStartCmd.Alias(dbUsageExamples) // We're using "alias" section to display usage examples.
 dbConfigure := dbCmd.Command("configure", "Bootstraps database service configuration and cloud permissions.")
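Review bot: The help text `"Disables debug service."` on the new `start` flag, and on the identical `appStartCmd` and `dbStartCmd` flags in the two later hunks, does not tell an operator that the flag overrides the config file. Something like `"Disables the debug service, overriding debug_service.enabled in the config file."` would put the precedence in `--help`, where someone hardening a host would look for it. Only these three start commands are visible here; if other commands reach Configure with their own flag sets, they would have no CLI way to opt out, so that is worth checking. Run's body extends beyond all three hunks.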