Remove feature flags for new WorkloadIdentity UX

lib/auth/machineid/workloadidentityv1/issuer_service.go

@@ -39,7 +39,6 @@ import (
 	"github.com/gravitational/teleport/api/observability/tracing"
 	"github.com/gravitational/teleport/api/types"
 	apievents "github.com/gravitational/teleport/api/types/events"
-	"github.com/gravitational/teleport/lib/auth/machineid/workloadidentityv1/experiment"
 	"github.com/gravitational/teleport/lib/authz"
 	"github.com/gravitational/teleport/lib/events"
 	"github.com/gravitational/teleport/lib/jwt"
@@ -147,10 +146,6 @@ func (s *IssuanceService) IssueWorkloadIdentity(
 	ctx context.Context,
 	req *workloadidentityv1pb.IssueWorkloadIdentityRequest,
 ) (*workloadidentityv1pb.IssueWorkloadIdentityResponse, error) {
-	if !experiment.Enabled() {
-		return nil, trace.AccessDenied("workload identity issuance experiment is disabled")
-	}
-
 	switch {
 	case req.GetName() == "":
 		return nil, trace.BadParameter("name: is required")
@@ -240,10 +235,6 @@ func (s *IssuanceService) IssueWorkloadIdentities(
 	ctx context.Context,
 	req *workloadidentityv1pb.IssueWorkloadIdentitiesRequest,
 ) (*workloadidentityv1pb.IssueWorkloadIdentitiesResponse, error) {
-	if !experiment.Enabled() {
-		return nil, trace.AccessDenied("workload identity issuance experiment is disabled")
-	}
-
 	switch {
 	case len(req.LabelSelectors) == 0:
 		return nil, trace.BadParameter("label_selectors: at least one label selector must be specified")

lib/auth/machineid/workloadidentityv1/workloadidentityv1_test.go

@@ -52,7 +52,6 @@ import (
 	"github.com/gravitational/teleport/lib/auth"
 	"github.com/gravitational/teleport/lib/auth/authclient"
 	"github.com/gravitational/teleport/lib/auth/join"
-	"github.com/gravitational/teleport/lib/auth/machineid/workloadidentityv1/experiment"
 	"github.com/gravitational/teleport/lib/auth/state"
 	"github.com/gravitational/teleport/lib/cryptosuites"
 	libevents "github.com/gravitational/teleport/lib/events"
@@ -152,9 +151,7 @@ func newIssuanceTestPack(t *testing.T, ctx context.Context) *issuanceTestPack {
 // APIs necessary for a bot to join and then issue a workload identity are
 // functioning correctly.
 func TestIssueWorkloadIdentityE2E(t *testing.T) {
-	experimentStatus := experiment.Enabled()
-	defer experiment.SetEnabled(experimentStatus)
-	experiment.SetEnabled(true)
+	t.Parallel()
 
 	ctx := context.Background()
 	tp := newIssuanceTestPack(t, ctx)
@@ -339,9 +336,7 @@ func TestIssueWorkloadIdentityE2E(t *testing.T) {
 }
 
 func TestIssueWorkloadIdentity(t *testing.T) {
-	experimentStatus := experiment.Enabled()
-	defer experiment.SetEnabled(experimentStatus)
-	experiment.SetEnabled(true)
+	t.Parallel()
 
 	ctx := context.Background()
 	tp := newIssuanceTestPack(t, ctx)
@@ -729,9 +724,7 @@ func TestIssueWorkloadIdentity(t *testing.T) {
 }
 
 func TestIssueWorkloadIdentities(t *testing.T) {
-	experimentStatus := experiment.Enabled()
-	defer experiment.SetEnabled(experimentStatus)
-	experiment.SetEnabled(true)
+	t.Parallel()
 
 	ctx := context.Background()
 	tp := newIssuanceTestPack(t, ctx)

lib/tbot/cli/start_workload_identity_api.go

@@ -52,7 +52,7 @@ func NewWorkloadIdentityAPICommand(parentCmd *kingpin.CmdClause, action MutatorA
 	cmd := parentCmd.Command(
 		"workload-identity-api",
 		fmt.Sprintf("%s tbot with a workload identity API listener. Compatible with the SPIFFE Workload API and Envoy SDS.", mode),
-	).Hidden()
+	)
 
 	c := &WorkloadIdentityAPICommand{}
 	c.sharedStartArgs = newSharedStartArgs(cmd)

lib/tbot/cli/start_workload_identity_jwt.go

@@ -50,7 +50,7 @@ type WorkloadIdentityJWTCommand struct {
 // result.
 func NewWorkloadIdentityJWTCommand(parentCmd *kingpin.CmdClause, action MutatorAction, mode CommandMode) *WorkloadIdentityJWTCommand {
 	// TODO(noah): Unhide this command when feature flag removed
-	cmd := parentCmd.Command("workload-identity-jwt", fmt.Sprintf("%s tbot with a SPIFFE-compatible JWT SVID output.", mode)).Hidden()
+	cmd := parentCmd.Command("workload-identity-jwt", fmt.Sprintf("%s tbot with a SPIFFE-compatible JWT SVID output.", mode))
 
 	c := &WorkloadIdentityJWTCommand{}
 	c.sharedStartArgs = newSharedStartArgs(cmd)

lib/tbot/cli/start_workload_identity_x509.go

@@ -48,7 +48,7 @@ type WorkloadIdentityX509Command struct {
 // result.
 func NewWorkloadIdentityX509Command(parentCmd *kingpin.CmdClause, action MutatorAction, mode CommandMode) *WorkloadIdentityX509Command {
 	// TODO(noah): Unhide this command when feature flag removed
-	cmd := parentCmd.Command("workload-identity-x509", fmt.Sprintf("%s tbot with a SPIFFE-compatible SVID output.", mode)).Hidden()
+	cmd := parentCmd.Command("workload-identity-x509", fmt.Sprintf("%s tbot with a SPIFFE-compatible SVID output.", mode))
 
 	c := &WorkloadIdentityX509Command{}
 	c.sharedStartArgs = newSharedStartArgs(cmd)

lib/tbot/service_workload_identity_api_test.go

@@ -35,16 +35,13 @@ import (
 	workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
 	"github.com/gravitational/teleport/api/types"
 	apiutils "github.com/gravitational/teleport/api/utils"
-	"github.com/gravitational/teleport/lib/auth/machineid/workloadidentityv1/experiment"
 	"github.com/gravitational/teleport/lib/tbot/config"
 	"github.com/gravitational/teleport/lib/utils"
 	"github.com/gravitational/teleport/tool/teleport/testenv"
 )
 
 func TestBotWorkloadIdentityAPI(t *testing.T) {
-	experimentStatus := experiment.Enabled()
-	defer experiment.SetEnabled(experimentStatus)
-	experiment.SetEnabled(true)
+	t.Parallel()
 
 	ctx := context.Background()
 	log := utils.NewSlogLoggerForTests()

lib/tbot/service_workload_identity_jwt_test.go

@@ -30,16 +30,13 @@ import (
 	workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
 	"github.com/gravitational/teleport/api/types"
 	apiutils "github.com/gravitational/teleport/api/utils"
-	"github.com/gravitational/teleport/lib/auth/machineid/workloadidentityv1/experiment"
 	"github.com/gravitational/teleport/lib/tbot/config"
 	"github.com/gravitational/teleport/lib/utils"
 	"github.com/gravitational/teleport/tool/teleport/testenv"
 )
 
 func TestBotWorkloadIdentityJWT(t *testing.T) {
-	experimentStatus := experiment.Enabled()
-	defer experiment.SetEnabled(experimentStatus)
-	experiment.SetEnabled(true)
+	t.Parallel()
 
 	ctx := context.Background()
 	log := utils.NewSlogLoggerForTests()

lib/tbot/service_workload_identity_x509_test.go

@@ -32,16 +32,13 @@ import (
 	workloadidentityv1pb "github.com/gravitational/teleport/api/gen/proto/go/teleport/workloadidentity/v1"
 	"github.com/gravitational/teleport/api/types"
 	apiutils "github.com/gravitational/teleport/api/utils"
-	"github.com/gravitational/teleport/lib/auth/machineid/workloadidentityv1/experiment"
 	"github.com/gravitational/teleport/lib/tbot/config"
 	"github.com/gravitational/teleport/lib/utils"
 	"github.com/gravitational/teleport/tool/teleport/testenv"
 )
 
 func TestBotWorkloadIdentityX509(t *testing.T) {
-	experimentStatus := experiment.Enabled()
-	defer experiment.SetEnabled(experimentStatus)
-	experiment.SetEnabled(true)
+	t.Parallel()
 
 	ctx := context.Background()
 	log := utils.NewSlogLoggerForTests()

lib/tlsca/ca.go

@@ -31,6 +31,7 @@ import (
 	"fmt"
 	"math/big"
 	"net"
+	"os"
 	"strconv"
 	"time"
 
@@ -905,7 +906,7 @@ func (id *Identity) Subject() (pkix.Name, error) {
 		)
 	}
 
-	if id.JoinAttributes != nil {
+	if id.JoinAttributes != nil && shouldPersistJoinAttrs() {
 		encoded, err := protojson.MarshalOptions{
 			// Use the proto field names as this is what we use in the
 			// templating engine and this being consistent for any user who
@@ -1353,3 +1354,10 @@ func (ca *CertAuthority) GenerateCertificate(req CertificateRequest) ([]byte, er
 
 	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certBytes}), nil
 }
+
+// shouldPersistJoinAttrs returns true if the join attributes should be persisted
+// into the X509 identity. This provides an emergency "off" handle for this
+// new behavior until we are confident it is working as expected.
+func shouldPersistJoinAttrs() bool {
+	return os.Getenv("TELEPORT_UNSTABLE_DISABLE_JOIN_ATTRS") != "yes"
+}