feat(providers): support SPIFFE-backed token grants #1784
Draft
TaylorMutch wants to merge 2 commits into
Add provider profile token_grant metadata and expand endpoint-specific dynamic credentials so sandbox supervisors can request SPIFFE JWT-SVIDs, exchange them with an OAuth-style token endpoint, cache returned access tokens, and inject bearer tokens into matching HTTP requests. Wire Kubernetes and Helm deployments to mount the provider SPIFFE Workload API socket into sandbox pods for token grant exchange.

Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Signed-off-by: Gordon Sim <gsim@redhat.com>
Add a reusable alpha/beta demo that deploys a SPIFFE-verifying token issuer and protected services, imports a token-grant provider profile, creates a sandbox, and verifies endpoint-specific bearer tokens. The script leaves Kubernetes workloads in place, deletes sandboxes through openshell unless KEEP_SANDBOX=1, and prints protected service logs as proof of life.

Signed-off-by: Taylor Mutch <taylormutch@gmail.com>
Summary
Add SPIFFE-backed dynamic provider token grants so sandbox workloads can receive short-lived, endpoint-specific bearer tokens on demand.
This draft is intended for feedback. It incorporates and adapts the provider token grant material from #1781, then adds a runnable alpha/beta demo to validate the flow end to end.
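The sandbox-side flow the summary describes (obtain a JWT-SVID, exchange it at the token endpoint, cache the returned access token, and inject a bearer token only into requests that match the grant's endpoint), modelled as an added example. This is not OpenShell's code: the `TokenGrant` struct, the RFC 7523 client-assertion form layout, the `mock_exchange` stand-in for the demo's issuer and the `https://alpha.svc` / `https://beta.svc` URLs are all assumptions. It uses only the standard library, so the exchange is a closure rather than a network call.

```rust
// Added illustration of the token grant flow described in PR #1784.
// NOT OpenShell's code: struct shapes, form layout and URLs are assumptions.
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// One endpoint-specific grant from a provider profile (assumed shape of `token_grant` metadata).
#[derive(Clone, Debug)]
pub struct TokenGrant {
    pub name: &'static str,
    /// Only requests whose URL equals this prefix, or sits under it, receive the token.
    pub url_prefix: &'static str,
    /// Audience the issued access token must carry; the issuer scopes each token to one service.
    pub audience: &'static str,
    pub token_endpoint: &'static str,
}

/// Access token returned by the token endpoint, together with the audience it was minted for.
#[derive(Clone, Debug)]
pub struct AccessToken {
    pub value: String,
    pub audience: String,
    pub expires_at: Instant,
}

/// Percent-encode one form value (RFC 3986 unreserved characters pass through unchanged).
fn form_encode(s: &str) -> String {
    s.bytes()
        .map(|b| match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
            _ => format!("%{:02X}", b),
        })
        .collect()
}

/// Body of the exchange request: the JWT-SVID is presented as an RFC 7523 client assertion.
/// Assumed request shape; the PR does not show its token endpoint's exact contract.
pub fn build_exchange_form(jwt_svid: &str, grant: &TokenGrant) -> String {
    let fields = [
        ("grant_type", "client_credentials"),
        ("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"),
        ("client_assertion", jwt_svid),
        ("audience", grant.audience),
    ];
    fields.iter().map(|(k, v)| format!("{}={}", k, form_encode(v))).collect::<Vec<_>>().join("&")
}

/// Pick the grant whose prefix covers `url`. A path boundary is required so that a prefix such as
/// `https://alpha.svc` cannot match `https://alpha.svc.example.net`; the longest prefix wins.
pub fn match_grant<'a>(grants: &'a [TokenGrant], url: &str) -> Option<&'a TokenGrant> {
    grants
        .iter()
        .filter(|g| {
            let p = g.url_prefix.trim_end_matches('/');
            url == p || url.starts_with(&format!("{}/", p))
        })
        .max_by_key(|g| g.url_prefix.len())
}

pub struct TokenGrantCache {
    tokens: HashMap<&'static str, AccessToken>,
    /// Treat tokens as expired this long early so an injected token does not expire in flight.
    skew: Duration,
}

impl TokenGrantCache {
    pub fn new(skew: Duration) -> Self {
        Self { tokens: HashMap::new(), skew }
    }

    /// Return the cached token for `grant`, or run `exchange` when none is cached or it is near expiry.
    pub fn get_or_exchange<F>(&mut self, grant: &TokenGrant, now: Instant, mut exchange: F) -> AccessToken
    where
        F: FnMut(&TokenGrant) -> AccessToken,
    {
        let fresh = self
            .tokens
            .get(grant.name)
            .filter(|t| t.expires_at.saturating_duration_since(now) > self.skew)
            .cloned();
        match fresh {
            Some(t) => t,
            None => {
                let t = exchange(grant);
                self.tokens.insert(grant.name, t.clone());
                t
            }
        }
    }
}

/// Set `Authorization: Bearer ...`, refusing to inject a token minted for a different audience.
pub fn inject_bearer(headers: &mut Vec<(String, String)>, grant: &TokenGrant, token: &AccessToken) -> Result<(), String> {
    if token.audience != grant.audience {
        return Err(format!("token audience {} does not match grant audience {}", token.audience, grant.audience));
    }
    headers.retain(|(k, _)| !k.eq_ignore_ascii_case("authorization"));
    headers.push(("Authorization".to_string(), format!("Bearer {}", token.value)));
    Ok(())
}

/// Constructed stand-in for the demo's token issuer: mints `tok-<audience>`, valid for 5 minutes.
pub fn mock_exchange(grant: &TokenGrant, now: Instant) -> AccessToken {
    AccessToken { value: format!("tok-{}", grant.audience), audience: grant.audience.to_string(), expires_at: now + Duration::from_secs(300) }
}

/// Constructed profile mirroring the demo's alpha/beta protected services (URLs are made up).
pub fn demo_grants() -> Vec<TokenGrant> {
    vec![
        TokenGrant { name: "alpha", url_prefix: "https://alpha.svc", audience: "alpha", token_endpoint: "https://issuer.svc/token" },
        TokenGrant { name: "beta", url_prefix: "https://beta.svc", audience: "beta", token_endpoint: "https://issuer.svc/token" },
    ]
}

fn main() {
    let grants = demo_grants();
    let mut cache = TokenGrantCache::new(Duration::from_secs(30));
    let now = Instant::now();
    for url in ["https://alpha.svc/api", "https://beta.svc/health", "https://alpha.svc.example.net/"] {
        let mut headers: Vec<(String, String)> = Vec::new();
        match match_grant(&grants, url) {
            Some(g) => {
                let tok = cache.get_or_exchange(g, now, |g| mock_exchange(g, now));
                inject_bearer(&mut headers, g, &tok).unwrap();
                println!("{}: {:?}", url, headers);
            }
            None => println!("{}: no matching grant, request left untouched", url),
        }
    }
}
```

Two checks carry the security weight here: the path-boundary rule in `match_grant` keeps a token scoped to `alpha` from being attached to a request for a look-alike host, and the audience comparison in `inject_bearer` means a cache mix-up can never hand the beta service a token the issuer minted for alpha.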
Related Issue
Related/original material: #1781
Changes
- token_grant metadata for SPIFFE JWT-SVID client assertion token exchange.
- examples/spiffe-token-grant-demo, which deploys a mock token issuer plus alpha/beta protected services and validates endpoint-specific tokens.
Demo
The demo requires the Helm dev environment with SPIRE enabled.
Run the demo and delete the sandbox on exit:
Run the demo and keep the sandbox for inspection:
Expected output includes:
- alpha receiving aud: alpha / scope: alpha profile email
- beta receiving aud: beta / scope: beta profile email
- alpha/beta pod logs showing accepted requests with the sandbox SPIFFE ID
Clean up the demo workloads:
Testing
- mise run pre-commit passes
- cargo clippy -p openshell-sandbox --all-targets -- -D warnings passes
- env KUBECONFIG=kubeconfig KEEP_SANDBOX=1 bash examples/spiffe-token-grant-demo/demo.sh
Checklist