Skip to content

Commit 702cbc4

Browse files
authored
feat(providers): support SPIFFE-backed token grants (#1784)
* feat(providers): support SPIFFE-backed token grants Add provider profile token_grant metadata and expand endpoint-specific dynamic credentials so sandbox supervisors can request SPIFFE JWT-SVIDs, exchange them with an OAuth-style token endpoint, cache returned access tokens, and inject bearer tokens into matching HTTP requests. Wire Kubernetes and Helm deployments to mount the provider SPIFFE Workload API socket into sandbox pods for token grant exchange. Signed-off-by: Taylor Mutch <taylormutch@gmail.com> Signed-off-by: Gordon Sim <gsim@redhat.com> * test(examples): add SPIFFE token grant demo Add a reusable alpha/beta demo that deploys a SPIFFE-verifying token issuer and protected services, imports a token-grant provider profile, creates a sandbox, and verifies endpoint-specific bearer tokens. The script leaves Kubernetes workloads in place, deletes sandboxes through openshell unless KEEP_SANDBOX=1, and prints protected service logs as proof of life. Signed-off-by: Taylor Mutch <taylormutch@gmail.com> * fix(providers): harden SPIFFE token grants * fix(providers): harden dynamic token grants Signed-off-by: Taylor Mutch <taylormutch@gmail.com> * fix(providers): harden token grant handling --------- Signed-off-by: Taylor Mutch <taylormutch@gmail.com> Signed-off-by: Gordon Sim <gsim@redhat.com>
1 parent c1d3b43 commit 702cbc4

60 files changed

Lines changed: 6926 additions & 354 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.agents/skills/debug-openshell-cluster/SKILL.md

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -173,6 +173,24 @@ If the gateway exits with `failed to read sandbox JWT signing key from
173173
`sandbox-jwt` secret at `/etc/openshell-jwt`. The sandbox JWT mount is required
174174
even when local Helm values disable TLS.
175175

176+
If `server.providerTokenGrants.spiffe.enabled=true`, the gateway should still
177+
render `[openshell.gateway.gateway_jwt]` and mount the `sandbox-jwt` Secret.
178+
SPIRE is used only by sandbox pods for dynamic provider token grants. Verify
179+
that SPIRE is installed, the CSI driver is available, and the Kubernetes driver
180+
config includes `provider_spiffe_workload_api_socket_path`:
181+
182+
```bash
183+
helm -n openshell get values openshell | grep -E 'providerTokenGrants|workloadApiSocketPath'
184+
kubectl get pods -A | grep -E 'spire|spiffe'
185+
kubectl -n openshell get configmap openshell-config -o yaml | grep provider_spiffe_workload_api_socket_path
186+
```
187+
188+
Sandbox pods using provider token grants should have an
189+
`openshell.io/sandbox-id` annotation, an `openshell.ai/managed-by=openshell`
190+
label, supervisor env vars `OPENSHELL_K8S_SA_TOKEN_FILE` and
191+
`OPENSHELL_PROVIDER_SPIFFE_WORKLOAD_API_SOCKET`, plus both the projected
192+
`openshell-sa-token` volume and the `spiffe-workload-api` CSI volume.
193+
176194
Check the image references currently used by the gateway deployment:
177195

178196
```bash

.agents/skills/helm-dev-environment/SKILL.md

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -178,6 +178,23 @@ To remove Keycloak:
178178
mise run keycloak:k8s:teardown
179179
```
180180

181+
### SPIRE / SPIFFE Provider Token Grants
182+
183+
Skaffold can install SPIRE with the SPIFFE hardened Helm charts. To activate
184+
SPIFFE JWT-SVIDs for dynamic provider token grants:
185+
186+
1. Uncomment the `spire-crds` and `spire` releases in `deploy/helm/openshell/skaffold.yaml`
187+
2. Uncomment `#- ci/values-spire.yaml` in the OpenShell release values files
188+
3. Redeploy: `mise run helm:skaffold:run`
189+
190+
`ci/values-spire-stack.yaml` configures the local SPIRE trust domain as
191+
`openshell.local` and adds a `ClusterSPIFFEID` that maps sandbox pod
192+
annotations to `spiffe://openshell.local/openshell/sandbox/<sandbox-id>`.
193+
OpenShell mounts the SPIFFE CSI Workload API socket at
194+
`/spiffe-workload-api/spire-agent.sock` into sandbox pods for provider token
195+
grants. Supervisor-to-gateway authentication remains on the Kubernetes
196+
ServiceAccount bootstrap and gateway-minted sandbox JWT path.
197+
181198
---
182199

183200
## Cluster Lifecycle (suspend/resume)
@@ -206,6 +223,8 @@ mise run helm:k3s:status
206223
| `deploy/helm/openshell/ci/values-gateway.yaml` | Envoy Gateway GRPCRoute + Gateway overlay |
207224
| `deploy/helm/openshell/ci/values-high-availability.yaml` | HA test overlay (`replicaCount: 2` with external PostgreSQL Secret) |
208225
| `deploy/helm/openshell/ci/values-keycloak.yaml` | Keycloak OIDC overlay |
226+
| `deploy/helm/openshell/ci/values-spire.yaml` | SPIFFE/SPIRE provider token grant overlay |
227+
| `deploy/helm/openshell/ci/values-spire-stack.yaml` | SPIRE hardened chart values for local dev |
209228
| `deploy/helm/openshell/ci/values-tls-disabled.yaml` | Lint-only: TLS + auth disabled (reverse-proxy edge termination) |
210229
| `deploy/kube/manifests/envoy-gateway-openshell.yaml` | GatewayClass for Envoy Gateway (`mise run helm:gateway:apply`) |
211230
| `tasks/scripts/helm-k3s-local.sh` | k3d cluster create/delete/start/stop/status |

0 commit comments

Comments
 (0)