Summary
The schmutz-join client is open-source, but the enrollment controller that powers the /api/register, /api/enroll, and /api/config endpoints is still private. Without the controller, users can't self-host their own enrollment infrastructure.
What the controller does
- Registration — validates hardware fingerprint, checks OS against catalog, creates Ziti identity
- Enrollment proxy — enrolls machines via the Ziti controller (which is never exposed publicly)
- Config API — returns /etc/hosts entries, tunnel version, profile data, application blueprints
- Discovery — matches returning devices by fingerprint, machine ID, hostname, or MAC
- Trusted enrollment — validates AppRole credentials against the secrets engine, skips quarantine
What needs to happen
- KontangoOSS/schmutz-controller or include it in this repo
Notes
The controller is intentionally thin — it proxies to Ziti and the secrets engine. The real intelligence is in the catalog data, not the code. Making it public would let anyone run the full stack end-to-end.