
feat(spiffe): SPIFFE Agent sidecar + rep socket wiring (RFC UAA-SPIFFE-001)#1161

Draft
rkoster wants to merge 14 commits into
cloudfoundry:developfrom
rkoster:spiffe-agent

Conversation

@rkoster (Contributor) commented Jun 29, 2026

Summary

Integrates the SPIFFE Agent sidecar (Plan B1) into diego-release and wires
rep/executor so CF app containers can obtain UAA-signed JWT-SVIDs.

Key changes

  • spiffe-agent daemon (src/code.cloudfoundry.org/spiffe-agent/) — a new
    per-cell sidecar implementing the SPIFFE Workload API (FetchJWTSVID). It
    attests workloads from their instance-identity cert + BBS metadata and proxies
    signing requests to UAA's /jwt-svid/sign endpoint.
  • rep: new diego.executor.spiffe_socket_dir property; setup_mounted_data_dirs
    creates the shared socket directory 0711 (world-traversable, no read) so
    user-namespaced app containers can reach the socket.
  • executor submodule bumped to the spiffe-socket-handler branch
    (cloudfoundry/executor) that bind-mounts the socket into app containers.
  • Bring-up fixes: decode UAA's expires_at as a numeric epoch; socket-dir perms.

Note: the large insertion count is almost entirely vendored third-party code
(go-spiffe/v2, gRPC, protobuf) pulled in for the agent. The hand-written change
is the spiffe-agent package, the rep template, and the property spec.

Context

Part of RFC UAA-SPIFFE-001: UAA as a SPIFFE Identity Server for Cloud Foundry.

Cross-repo dependencies

  • cloudfoundry/executor spiffe-socket-handler (vendored here)
  • cloudfoundry/uaa spiffe-signer — the JWT-SVID signing endpoint
  • cloudfoundry/uaa-release spiffe-signer — exposes the uaa.spiffe.* properties

Status

Draft / POC. End-to-end verified on bosh-lite: a test app fetched a valid JWT-SVID
over the injected Workload API socket.
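As an added illustration of the socket-directory mode the description relies on (this is example code, not code from this PR, from diego-release or from the executor): create the shared directory 0711 and reject modes that either let other uids list socket names or close off traversal. The path is a constructed placeholder. The practical catch is that `os.MkdirAll` applies the process umask, so the mode must be set explicitly afterwards.

```go
package main

import (
	"fmt"
	"os"
)

// Constructed placeholder; the real value comes from diego.executor.spiffe_socket_dir.
const exampleSocketDir = "/tmp/spiffe-agent-example/socket"

// EnsureSocketDir creates dir so that any uid can traverse into it (o+x) but
// cannot list it (no read bit). MkdirAll honours the umask, so an explicit
// Chmod guarantees the final mode regardless of the daemon's environment.
func EnsureSocketDir(dir string) error {
	if err := os.MkdirAll(dir, 0o711); err != nil {
		return err
	}
	return os.Chmod(dir, 0o711)
}

// ValidateSocketDir explains why dir is unsuitable as a shared Workload API
// socket directory: it must be a directory, must not be writable or readable
// by group/other, and must be traversable by other so user-namespaced app
// uids (neither owner nor group) can reach the socket inside it.
func ValidateSocketDir(dir string) error {
	fi, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s: not a directory", dir)
	}
	perm := fi.Mode().Perm()
	switch {
	case perm&0o022 != 0:
		return fmt.Errorf("%s: mode %04o is group/world-writable", dir, perm)
	case perm&0o044 != 0:
		return fmt.Errorf("%s: mode %04o lets other uids list socket names", dir, perm)
	case perm&0o001 == 0:
		return fmt.Errorf("%s: mode %04o is not world-traversable; app uids cannot reach the socket", dir, perm)
	}
	return nil
}

func main() {
	if err := EnsureSocketDir(exampleSocketDir); err != nil {
		fmt.Println("create failed:", err)
		return
	}
	if err := ValidateSocketDir(exampleSocketDir); err != nil {
		fmt.Println("unsuitable:", err)
		return
	}
	fmt.Println("socket dir ok:", exampleSocketDir)
}
```

Withholding the read bit keeps the directory listing private while the 0666 socket inside remains reachable by path, which is exactly the property the rep template needs.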

rkoster added 13 commits June 29, 2026 10:28
Introduce the SPIFFE Agent sidecar that runs on Diego cells and serves
JWT-SVIDs to workloads over the SPIFFE Workload API. The agent attests
local CF containers via SO_PEERCRED, resolves identity from BBS, and
exchanges instance certificates for SVIDs at the UAA signer endpoint
using RSA proof-of-possession.

Daemon lives inline at src/code.cloudfoundry.org/spiffe-agent (config,
cfattestor, bbsresolver, signer, workloadapi, cmd) with a BOSH job and
package. Pulls in go-spiffe v2.8.1 as a top-level dependency.
UAA's JwtSvidResponse serializes expires_at as a JSON number (Java long), but the signer decoded it as a string, breaking unmarshalling of the sign response. Decode as int64. The value is informational only; callers read expiry from the SVID's own exp claim.
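The decoding mismatch described in this commit, shown as an added example rather than the PR's own signer code: a field type that accepts `expires_at` as the bare JSON number UAA emits and also as a numeric string, while still rejecting anything that is not an integer epoch. Only `expires_at` is named by the page; the `svid` field name and the sample body are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

// EpochSeconds decodes a Unix timestamp that a producer may emit either as a
// bare number (UAA serializes a Java long) or as a numeric string.
type EpochSeconds int64

func (e *EpochSeconds) UnmarshalJSON(b []byte) error {
	b = bytes.TrimSpace(b)
	if bytes.Equal(b, []byte("null")) {
		return nil // leave the zero value; the field is informational only
	}
	var lit string
	if len(b) > 0 && b[0] == '"' {
		// Quoted form: let the JSON decoder unquote, then parse the digits.
		if err := json.Unmarshal(b, &lit); err != nil {
			return fmt.Errorf("expires_at: %w", err)
		}
	} else {
		lit = string(b) // bare number literal, the form UAA actually sends
	}
	v, err := strconv.ParseInt(lit, 10, 64)
	if err != nil {
		return fmt.Errorf("expires_at: want integer epoch seconds, got %q", lit)
	}
	*e = EpochSeconds(v)
	return nil
}

// Time converts the epoch for logging. The authoritative expiry is the
// SVID's own exp claim, as the commit notes.
func (e EpochSeconds) Time() time.Time { return time.Unix(int64(e), 0).UTC() }

// signResponse models the signer's reply. The svid field name is an
// assumption for this example; expires_at is the field the commit fixes.
type signResponse struct {
	SVID      string       `json:"svid"`
	ExpiresAt EpochSeconds `json:"expires_at"`
}

// DecodeSignResponse unmarshals a sign-endpoint body.
func DecodeSignResponse(body []byte) (signResponse, error) {
	var r signResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return signResponse{}, err
	}
	return r, nil
}

func main() {
	// Constructed sample body, not a real UAA response.
	body := []byte(`{"svid":"eyJhbGciOi...","expires_at":1782000000}`)
	r, err := DecodeSignResponse(body)
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	fmt.Println("expires_at:", r.ExpiresAt.Time())
}
```

Decoding into a plain `string` field would fail on the numeric form with an unmarshal type error, which is the breakage the commit describes; a dedicated type keeps the tolerance in one place.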
The executor bind-mounts the SPIFFE socket dir read-only into every app container. App containers run as an unprivileged, user-namespaced uid that is neither the directory owner nor in its group, so the directory must be world-traversable (o+x) to reach the 0666 socket. Create it 0711 (withholding read) when diego.executor.spiffe_socket_dir is set.
Pull in the executor SPIFFE socket credential handler that bind-mounts the spiffe-agent Workload API socket into app containers and injects SPIFFE_ENDPOINT_SOCKET. Depends on the cloudfoundry/executor spiffe-socket-handler branch.
Implement the Workload API FetchJWTBundles RPC so standard SPIFFE clients
(go-spiffe JWTSource, spire-agent) can obtain the JWT trust bundle for
offline JWT-SVID validation.

A new signer.BundleSource fetches UAA's token_keys JWKS and publishes it
keyed by the trust domain SPIFFE ID. The server streams the current bundle
immediately, then polls token_keys at a refresh interval and re-sends only
when the bundle changes, supporting signing-key rotation. The endpoint
requires the SPIFFE security header but performs no peer attestation, since
trust bundles are public.
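The "re-send only when the bundle changes" behaviour of this commit, as an added example (not the PR's signer.BundleSource): a fingerprint over the JWKS that ignores whitespace and key order, so only a real key set change, such as a rotation adding a new kid, triggers a push to connected Workload API clients. The JWKS documents are constructed samples; refusing to publish an empty key set is an added guard against a transient bad fetch wiping clients' ability to validate.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// BundleFingerprint canonicalizes a JWKS document (keys sorted by kid, map
// keys sorted by encoding/json) and returns its SHA-256, so re-serialization
// differences from the token_keys endpoint do not register as changes.
func BundleFingerprint(doc []byte) (string, error) {
	var set struct {
		Keys []map[string]any `json:"keys"`
	}
	if err := json.Unmarshal(doc, &set); err != nil {
		return "", fmt.Errorf("jwks: %w", err)
	}
	if len(set.Keys) == 0 {
		// Never publish an empty bundle: clients would lose all validation keys.
		return "", errors.New("jwks: no keys")
	}
	sort.SliceStable(set.Keys, func(i, j int) bool {
		ki, _ := set.Keys[i]["kid"].(string)
		kj, _ := set.Keys[j]["kid"].(string)
		return ki < kj
	})
	canon, err := json.Marshal(set.Keys) // map keys are emitted sorted
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(canon)
	return hex.EncodeToString(sum[:]), nil
}

// BundleWatcher remembers the fingerprint of the last bundle streamed to clients.
type BundleWatcher struct {
	last string
}

// Observe reports whether doc should be pushed: true on the first call
// (stream immediately) and afterwards only when the key set changed.
func (w *BundleWatcher) Observe(doc []byte) (bool, error) {
	fp, err := BundleFingerprint(doc)
	if err != nil {
		return false, err
	}
	if fp == w.last {
		return false, nil
	}
	w.last = fp
	return true, nil
}

func main() {
	// Constructed JWKS samples standing in for successive token_keys polls.
	polls := [][]byte{
		[]byte(`{"keys":[{"kty":"RSA","kid":"key-1","n":"AQAB","e":"AQAB"}]}`),
		[]byte(`{ "keys" : [ {"e":"AQAB","n":"AQAB","kid":"key-1","kty":"RSA"} ] }`),
		[]byte(`{"keys":[{"kty":"RSA","kid":"key-1","n":"AQAB","e":"AQAB"},{"kty":"RSA","kid":"key-2","n":"AQAC","e":"AQAB"}]}`),
	}
	var w BundleWatcher
	for i, doc := range polls {
		changed, err := w.Observe(doc)
		if err != nil {
			fmt.Printf("poll %d: %v\n", i, err)
			continue
		}
		fmt.Printf("poll %d: push=%v\n", i, changed)
	}
}
```

In the agent this decision sits between the token_keys poll and the FetchJWTBundles stream; clients that cache the bundle then see one message per rotation rather than one per poll.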