
feat: gateway enrollment token flow #183

Merged
bernie-g merged 20 commits into main from feat/gateway-enrollment-tokens
Apr 16, 2026
@bernie-g
Contributor

Description 📣

CLI support for enrollment token-based gateway registration. Gateways can now enroll and start in a single command using a one-time token from the UI, without requiring a machine identity.

  • gateway start --enroll-method=static --token=<token> enrolls and starts in one step
  • Gateway name as positional arg: gateway start my-gateway --token=<token>
  • --name flag kept as deprecated alias for backwards compatibility
  • Stored access token and domain persistence in gateway.conf
  • gateway systemd install supports enrollment token flow
  • Explicit --token/--auth-method flags override stored token

Type ✨

  • New feature

Tests 🛠️

# Enrollment flow
./infisical gateway start my-gateway --enroll-method=static --token=<token> --domain=http://localhost:8080

# Stored token flow (after enrollment)
./infisical gateway start my-gateway

# Legacy identity flow (unchanged)
./infisical gateway start my-gateway --token=<identity-token>

# Systemd install
sudo infisical gateway systemd install my-gateway --enroll-method=static --token=<token> --domain=<url>

Add enrollment token-based gateway registration. The CLI can now enroll
and start a gateway in a single command using a one-time enrollment
token, without requiring a pre-configured machine identity.

- Add enroll.go with token persistence (access token, domain)
- Add CallEnrollGateway API + EnrollGatewayRequest/Response types
- gateway start --enroll-method=static enrolls and starts in one step
- gateway install supports enrollment token flow for systemd
- Stored token path loads domain from config
- Explicit --token/--auth-method overrides stored token
- Add omitempty to optional fields in register/enroll request types
- gateway start and systemd install accept name as positional arg
- --name flag kept as deprecated alias for backwards compatibility
- Name is required for both enrollment and identity flows
- Priority: positional arg > --name flag > env var
@bernie-g bernie-g marked this pull request as ready for review April 14, 2026 00:17
@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fe2bc6292e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Store the enrollment token in gateway.conf after successful enrollment.
On subsequent runs with the same token, skip enrollment and start the
gateway directly using the stored access token. This lets users re-run
the same command (e.g., up-arrow) without hitting "token already used"
or "token expired" errors.
Config files are now stored at ~/.infisical/gateways/<name>.conf
(or /etc/infisical/gateways/<name>.conf for root). This allows
multiple gateways to run on the same machine without conflicting.
All load/save functions now take a gateway name parameter.
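
An added Go example, not the project's own code, of handling the per-gateway config files described above given that they hold a stored access token: the gateway name is validated before it becomes a file name, the file is written owner-only, and a file that group or others can access is refused on load. It assumes POSIX permissions; the function names, the accepted name character set and the temp-directory demo location are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// The gateway name becomes a file name, so accept only a conservative character set.
var nameRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$`)

// ConfPath maps a name to <dir>/<name>.conf; "../x", "a/b" and "" are rejected.
func ConfPath(dir, name string) (string, error) {
	if !nameRe.MatchString(name) {
		return "", fmt.Errorf("invalid gateway name %q", name)
	}
	return filepath.Join(dir, name+".conf"), nil
}

// Save writes the token-bearing config owner-only: 0700 dir, 0600 temp file, rename.
func Save(path string, data []byte) error {
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return err
	}
	tmp := path + ".tmp"
	_ = os.Remove(tmp) // WriteFile would keep the mode of a pre-existing file
	if err := os.WriteFile(tmp, data, 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, path)
}

// Load refuses a config that group or others can access.
func Load(path string) ([]byte, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return nil, fmt.Errorf("%s: mode %04o exposes the stored token", path, perm)
	}
	return os.ReadFile(path)
}

func main() { // constructed demo directory and gateway name
	if path, err := ConfPath(filepath.Join(os.TempDir(), "gateways-demo"), "my-gateway"); err == nil {
		fmt.Println(path, Save(path, []byte("constructed-token\n")))
	}
}
```

`os.MkdirAll` does not tighten a directory that already exists, so an existing config directory needs its mode checked separately.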
@bernie-g
Contributor Author

@claude review this

@bernie-g
Contributor Author

@claude stop

…teway

Enrollment-flow gateways now use POST /api/v3/gateways/connect for cert
refresh instead of POST /api/v2/gateways. Identity-based gateways
continue using V2. Added UseV3Connect flag to GatewayConfig.
@bernie-g bernie-g merged commit 04bf737 into main Apr 16, 2026
7 checks passed