From 0ade5f38ad9e4cf3bc31c82fe41c4fde11851615 Mon Sep 17 00:00:00 2001
From: Rafael Garcia <raf@kernel.sh>
Date: Thu, 23 Apr 2026 14:26:33 -0400
Subject: [PATCH 1/2] Prefer KERNEL_INSTANCE_JWT in browser images.

Normalize the generic instance JWT env var into Envoy bootstrap rendering and the kernel-images API process while keeping XDS_JWT as a compatibility fallback during the migration.
---
 .../supervisor/services/kernel-images-api.conf       |  2 +-
 .../image/supervisor/services/kernel-images-api.conf |  2 +-
 shared/envoy/bootstrap.yaml                          |  5 +++--
 shared/envoy/init-envoy.sh                           | 12 ++++++++----
 4 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/images/chromium-headful/supervisor/services/kernel-images-api.conf b/images/chromium-headful/supervisor/services/kernel-images-api.conf
index e57d30a8..9e4f5bd4 100644
--- a/images/chromium-headful/supervisor/services/kernel-images-api.conf
+++ b/images/chromium-headful/supervisor/services/kernel-images-api.conf
@@ -1,5 +1,5 @@
 [program:kernel-images-api]
-command=/bin/bash -lc 'mkdir -p "${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" && PORT="${KERNEL_IMAGES_API_PORT:-10001}" FRAME_RATE="${KERNEL_IMAGES_API_FRAME_RATE:-10}" DISPLAY_NUM="${KERNEL_IMAGES_API_DISPLAY_NUM:-${DISPLAY_NUM:-1}}" MAX_SIZE_MB="${KERNEL_IMAGES_API_MAX_SIZE_MB:-500}" OUTPUT_DIR="${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" LOG_CDP_MESSAGES="${LOG_CDP_MESSAGES:-false}" exec /usr/local/bin/kernel-images-api'
+command=/bin/bash -lc 'mkdir -p "${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" && PORT="${KERNEL_IMAGES_API_PORT:-10001}" FRAME_RATE="${KERNEL_IMAGES_API_FRAME_RATE:-10}" DISPLAY_NUM="${KERNEL_IMAGES_API_DISPLAY_NUM:-${DISPLAY_NUM:-1}}" MAX_SIZE_MB="${KERNEL_IMAGES_API_MAX_SIZE_MB:-500}" OUTPUT_DIR="${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" LOG_CDP_MESSAGES="${LOG_CDP_MESSAGES:-false}" KERNEL_INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-${XDS_JWT:-}}" XDS_JWT="${XDS_JWT:-${KERNEL_INSTANCE_JWT:-}}" exec /usr/local/bin/kernel-images-api'
 autostart=false
 autorestart=true
 startsecs=2
diff --git a/images/chromium-headless/image/supervisor/services/kernel-images-api.conf b/images/chromium-headless/image/supervisor/services/kernel-images-api.conf
index e57d30a8..9e4f5bd4 100644
--- a/images/chromium-headless/image/supervisor/services/kernel-images-api.conf
+++ b/images/chromium-headless/image/supervisor/services/kernel-images-api.conf
@@ -1,5 +1,5 @@
 [program:kernel-images-api]
-command=/bin/bash -lc 'mkdir -p "${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" && PORT="${KERNEL_IMAGES_API_PORT:-10001}" FRAME_RATE="${KERNEL_IMAGES_API_FRAME_RATE:-10}" DISPLAY_NUM="${KERNEL_IMAGES_API_DISPLAY_NUM:-${DISPLAY_NUM:-1}}" MAX_SIZE_MB="${KERNEL_IMAGES_API_MAX_SIZE_MB:-500}" OUTPUT_DIR="${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" LOG_CDP_MESSAGES="${LOG_CDP_MESSAGES:-false}" exec /usr/local/bin/kernel-images-api'
+command=/bin/bash -lc 'mkdir -p "${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" && PORT="${KERNEL_IMAGES_API_PORT:-10001}" FRAME_RATE="${KERNEL_IMAGES_API_FRAME_RATE:-10}" DISPLAY_NUM="${KERNEL_IMAGES_API_DISPLAY_NUM:-${DISPLAY_NUM:-1}}" MAX_SIZE_MB="${KERNEL_IMAGES_API_MAX_SIZE_MB:-500}" OUTPUT_DIR="${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" LOG_CDP_MESSAGES="${LOG_CDP_MESSAGES:-false}" KERNEL_INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-${XDS_JWT:-}}" XDS_JWT="${XDS_JWT:-${KERNEL_INSTANCE_JWT:-}}" exec /usr/local/bin/kernel-images-api'
 autostart=false
 autorestart=true
 startsecs=2
diff --git a/shared/envoy/bootstrap.yaml b/shared/envoy/bootstrap.yaml
index 0807649b..9f07821f 100644
--- a/shared/envoy/bootstrap.yaml
+++ b/shared/envoy/bootstrap.yaml
@@ -1,6 +1,7 @@
 # Envoy bootstrap configuration for xDS-managed proxy
 # This config connects to a control plane for dynamic configuration management
-# Requires: INST_NAME, METRO_NAME, XDS_SERVER, XDS_JWT environment variables
+# Requires: INST_NAME, METRO_NAME, XDS_SERVER, and KERNEL_INSTANCE_JWT
+# (or legacy XDS_JWT, normalized by init-envoy.sh) environment variables
 
 # Node identity sent to xDS server for configuration targeting, authenticated by JWT
 node:
@@ -21,7 +22,7 @@ dynamic_resources:
       # Send JWT authentication for all xDS requests
       initial_metadata:
       - key: "authorization"
-        value: "Bearer {XDS_JWT}"
+        value: "Bearer {KERNEL_INSTANCE_JWT}"
   
   # Listener Discovery Service and Cluster Discovery Service use ADS
   lds_config:
diff --git a/shared/envoy/init-envoy.sh b/shared/envoy/init-envoy.sh
index 2fd34b89..fbaa6e2d 100644
--- a/shared/envoy/init-envoy.sh
+++ b/shared/envoy/init-envoy.sh
@@ -2,8 +2,12 @@
 
 set -o pipefail -o errexit -o nounset
 
+# Prefer the generic instance JWT env var, but keep XDS_JWT fallback during
+# the migration window so older control-plane deployments continue to work.
+INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-${XDS_JWT:-}}"
+
 # Check for required environment variables, to see if envoy is enabled
-if [[ -z "${INST_NAME:-}" || -z "${METRO_NAME:-}" || -z "${XDS_SERVER:-}" || -z "${XDS_JWT:-}" ]]; then
+if [[ -z "${INST_NAME:-}" || -z "${METRO_NAME:-}" || -z "${XDS_SERVER:-}" || -z "${INSTANCE_JWT:-}" ]]; then
   echo "[envoy-init] Required environment variables not set. Skipping Envoy initialization."
   exit 0
 fi
@@ -55,15 +59,15 @@ else
 fi
 
 # Render template with provided environment variables
-echo "[envoy-init] Rendering template with INST_NAME=${INST_NAME}, METRO_NAME=${METRO_NAME}, XDS_SERVER=${XDS_SERVER}, XDS_JWT=***"
+echo "[envoy-init] Rendering template with INST_NAME=${INST_NAME}, METRO_NAME=${METRO_NAME}, XDS_SERVER=${XDS_SERVER}, KERNEL_INSTANCE_JWT=***"
 inst_esc=$(printf '%s' "$INST_NAME" | sed -e 's/[\/&]/\\&/g')
 metro_esc=$(printf '%s' "$METRO_NAME" | sed -e 's/[\/&]/\\&/g')
 xds_esc=$(printf '%s' "$XDS_SERVER" | sed -e 's/[\/&]/\\&/g')
-jwt_esc=$(printf '%s' "$XDS_JWT" | sed -e 's/[\/&]/\\&/g')
+jwt_esc=$(printf '%s' "$INSTANCE_JWT" | sed -e 's/[\/&]/\\&/g')
 sed -e "s|{INST_NAME}|$inst_esc|g" \
     -e "s|{METRO_NAME}|$metro_esc|g" \
     -e "s|{XDS_SERVER}|$xds_esc|g" \
-    -e "s|{XDS_JWT}|$jwt_esc|g" \
+    -e "s|{KERNEL_INSTANCE_JWT}|$jwt_esc|g" \
     /etc/envoy/templates/bootstrap.yaml > /etc/envoy/bootstrap.yaml
 
 echo "[envoy-init] Starting Envoy via supervisord"

From 3d1737caf15eac13fb8c853d4ae1cb2d07a854d1 Mon Sep 17 00:00:00 2001
From: Rafael Garcia <raf@kernel.sh>
Date: Thu, 23 Apr 2026 14:57:30 -0400
Subject: [PATCH 2/2] Remove XDS_JWT references from browser images.

Make KERNEL_INSTANCE_JWT the only token contract in the public browser image runtime now that the control-plane release will land first.
---
 .../supervisor/services/kernel-images-api.conf              | 2 +-
 .../image/supervisor/services/kernel-images-api.conf        | 2 +-
 shared/envoy/bootstrap.yaml                                 | 2 +-
 shared/envoy/init-envoy.sh                                  | 6 +++---
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/images/chromium-headful/supervisor/services/kernel-images-api.conf b/images/chromium-headful/supervisor/services/kernel-images-api.conf
index 9e4f5bd4..e57d30a8 100644
--- a/images/chromium-headful/supervisor/services/kernel-images-api.conf
+++ b/images/chromium-headful/supervisor/services/kernel-images-api.conf
@@ -1,5 +1,5 @@
 [program:kernel-images-api]
-command=/bin/bash -lc 'mkdir -p "${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" && PORT="${KERNEL_IMAGES_API_PORT:-10001}" FRAME_RATE="${KERNEL_IMAGES_API_FRAME_RATE:-10}" DISPLAY_NUM="${KERNEL_IMAGES_API_DISPLAY_NUM:-${DISPLAY_NUM:-1}}" MAX_SIZE_MB="${KERNEL_IMAGES_API_MAX_SIZE_MB:-500}" OUTPUT_DIR="${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" LOG_CDP_MESSAGES="${LOG_CDP_MESSAGES:-false}" KERNEL_INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-${XDS_JWT:-}}" XDS_JWT="${XDS_JWT:-${KERNEL_INSTANCE_JWT:-}}" exec /usr/local/bin/kernel-images-api'
+command=/bin/bash -lc 'mkdir -p "${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" && PORT="${KERNEL_IMAGES_API_PORT:-10001}" FRAME_RATE="${KERNEL_IMAGES_API_FRAME_RATE:-10}" DISPLAY_NUM="${KERNEL_IMAGES_API_DISPLAY_NUM:-${DISPLAY_NUM:-1}}" MAX_SIZE_MB="${KERNEL_IMAGES_API_MAX_SIZE_MB:-500}" OUTPUT_DIR="${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" LOG_CDP_MESSAGES="${LOG_CDP_MESSAGES:-false}" exec /usr/local/bin/kernel-images-api'
 autostart=false
 autorestart=true
 startsecs=2
diff --git a/images/chromium-headless/image/supervisor/services/kernel-images-api.conf b/images/chromium-headless/image/supervisor/services/kernel-images-api.conf
index 9e4f5bd4..e57d30a8 100644
--- a/images/chromium-headless/image/supervisor/services/kernel-images-api.conf
+++ b/images/chromium-headless/image/supervisor/services/kernel-images-api.conf
@@ -1,5 +1,5 @@
 [program:kernel-images-api]
-command=/bin/bash -lc 'mkdir -p "${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" && PORT="${KERNEL_IMAGES_API_PORT:-10001}" FRAME_RATE="${KERNEL_IMAGES_API_FRAME_RATE:-10}" DISPLAY_NUM="${KERNEL_IMAGES_API_DISPLAY_NUM:-${DISPLAY_NUM:-1}}" MAX_SIZE_MB="${KERNEL_IMAGES_API_MAX_SIZE_MB:-500}" OUTPUT_DIR="${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" LOG_CDP_MESSAGES="${LOG_CDP_MESSAGES:-false}" KERNEL_INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-${XDS_JWT:-}}" XDS_JWT="${XDS_JWT:-${KERNEL_INSTANCE_JWT:-}}" exec /usr/local/bin/kernel-images-api'
+command=/bin/bash -lc 'mkdir -p "${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" && PORT="${KERNEL_IMAGES_API_PORT:-10001}" FRAME_RATE="${KERNEL_IMAGES_API_FRAME_RATE:-10}" DISPLAY_NUM="${KERNEL_IMAGES_API_DISPLAY_NUM:-${DISPLAY_NUM:-1}}" MAX_SIZE_MB="${KERNEL_IMAGES_API_MAX_SIZE_MB:-500}" OUTPUT_DIR="${KERNEL_IMAGES_API_OUTPUT_DIR:-/recordings}" LOG_CDP_MESSAGES="${LOG_CDP_MESSAGES:-false}" exec /usr/local/bin/kernel-images-api'
 autostart=false
 autorestart=true
 startsecs=2
diff --git a/shared/envoy/bootstrap.yaml b/shared/envoy/bootstrap.yaml
index 9f07821f..67411308 100644
--- a/shared/envoy/bootstrap.yaml
+++ b/shared/envoy/bootstrap.yaml
@@ -1,7 +1,7 @@
 # Envoy bootstrap configuration for xDS-managed proxy
 # This config connects to a control plane for dynamic configuration management
 # Requires: INST_NAME, METRO_NAME, XDS_SERVER, and KERNEL_INSTANCE_JWT
-# (or legacy XDS_JWT, normalized by init-envoy.sh) environment variables
+# environment variables
 
 # Node identity sent to xDS server for configuration targeting, authenticated by JWT
 node:
diff --git a/shared/envoy/init-envoy.sh b/shared/envoy/init-envoy.sh
index fbaa6e2d..c27a3f25 100644
--- a/shared/envoy/init-envoy.sh
+++ b/shared/envoy/init-envoy.sh
@@ -2,9 +2,9 @@
 
 set -o pipefail -o errexit -o nounset
 
-# Prefer the generic instance JWT env var, but keep XDS_JWT fallback during
-# the migration window so older control-plane deployments continue to work.
-INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-${XDS_JWT:-}}"
+# The browser instance JWT is the sole token contract for xDS and host-local
+# services in the image runtime.
+INSTANCE_JWT="${KERNEL_INSTANCE_JWT:-}"
 
 # Check for required environment variables, to see if envoy is enabled
 if [[ -z "${INST_NAME:-}" || -z "${METRO_NAME:-}" || -z "${XDS_SERVER:-}" || -z "${INSTANCE_JWT:-}" ]]; then