feat: integrate jwtlet as in-cluster IdP for service-to-service auth #17

Open

paullatzelsperger wants to merge 12 commits into main from feat/integrate_jwtlet

Conversation

paullatzelsperger (Contributor) commented Jun 12, 2026

Summary

  • Deploys jwtlet as the OAuth2 issuer for all in-cluster workloads; EDC control plane, IdentityHub, and IssuerService now trust jwtlet as their JWKS/token issuer
  • Switches CFM agents and seed jobs from static client credentials to RFC 8693 token exchange (Kubernetes ServiceAccount token → short-lived, scoped EDC token)
  • Refines the scope model: drops the unused provisioner tier, changes admin scope claims to concrete EDC API scopes (management-api:admin identity-api:admin issuer-admin-api:admin), and uses the minimum required scope per operation in the issuer seed job
  • Restructures the k8s/base layer into infra/, security/, and telemetry/ sub-overlays for better organisation
  • Adds docs/token-exchange.md: full explanation of the machine auth path, the exchange flow, scope model, and an onboarding guide for new client apps

🤖 Generated with Claude Code
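A model of the exchange path described in the summary, showing both the client's RFC 8693 request and the issuer's handling of it, added here as an illustration; it is not code from jwtlet or from this repository. The grant type URN, token-type URN and parameter names come from RFC 8693; the signing keys, the ServiceAccount names, the ALLOWED_SCOPES policy, the issuer URL and every scope name other than the admin scopes named in the summary are constructed for the example.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode

# Constructed symmetric keys for illustration only; a real issuer publishes asymmetric
# keys via JWKS and verifies SA tokens against the Kubernetes API server's keys.
SA_ISSUER_KEY, IDP_KEY = b"constructed-k8s-sa-key", b"constructed-jwtlet-key"
IDP_ISSUER = "https://jwtlet.example.svc"  # hypothetical in-cluster issuer URL
# Hypothetical policy: the scopes each Kubernetes ServiceAccount may obtain.
ALLOWED_SCOPES = {
    "system:serviceaccount:edc:issuer-seed-job": {"issuer-admin-api:admin", "issuer-api:write"},
    "system:serviceaccount:cfm:cfm-agent": {"management-api:read"},
}

def _b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def sign_jwt(claims, key):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"

def verify_jwt(token, key, audience, now):
    head, body, sig = token.split(".")
    expected = _b64(hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected): raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience or claims.get("exp", 0) <= now: raise ValueError("bad aud/exp")
    return claims

# Client side: the RFC 8693 request body, with the projected SA token as subject_token.
def exchange_request(sa_token, scope):
    return urlencode({"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
                      "subject_token": sa_token, "scope": scope,
                      "subject_token_type": "urn:ietf:params:oauth:token-type:jwt"})

# Issuer side: verify the SA token, then mint a short-lived token with only the allowed scopes.
def handle_exchange(form_body, now):
    params = {k: v[0] for k, v in parse_qs(form_body).items()}
    if params.get("grant_type") != "urn:ietf:params:oauth:grant-type:token-exchange":
        return 400, {"error": "unsupported_grant_type"}
    try:
        sa = verify_jwt(params["subject_token"], SA_ISSUER_KEY, IDP_ISSUER, now)
    except (ValueError, KeyError):
        return 400, {"error": "invalid_grant"}
    requested = set(params.get("scope", "").split())
    if not requested or requested - ALLOWED_SCOPES.get(sa["sub"], set()):
        return 400, {"error": "invalid_scope"}  # policy choice: reject, never narrow silently
    issued = sign_jwt({"iss": IDP_ISSUER, "sub": sa["sub"], "aud": "edc", "iat": now,
                       "exp": now + 300, "scope": " ".join(sorted(requested))}, IDP_KEY)
    return 200, {"access_token": issued, "token_type": "Bearer", "expires_in": 300, "issued_token_type": "urn:ietf:params:oauth:token-type:jwt"}
```

The issuer checks signature, audience and expiry of the subject token before looking at scopes, so a token projected for a different audience or an unknown ServiceAccount never yields an EDC token.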

paullatzelsperger and others added 11 commits June 2, 2026 09:33

Moves vault-agent from a regular sidecar to a native sidecar (initContainer
with restartPolicy: Always) so the Vault token is guaranteed to exist before
main containers start. Adds a busybox wait-for-token init container to block
startup until the token file is written.

for resource mappings and scope mappings

- add docs/token-exchange.md: full explanation of the jwtlet-based
  machine auth path, the RFC 8693 exchange flow, scope mechanisms,
  and an onboarding guide for new client apps
- update README with a summary section linking to the new doc
- fix scope model: drop unused 'provisioner' tier, change 'admin'
  claims to concrete EDC scopes instead of a role claim
- issuer seed job: use admin scope for tenant creation, narrow to
  write scope for attestation definitions
- enable imagePullPolicy: Always on jwtlet deployment
- comment out ui/ overlay temporarily

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
paullatzelsperger changed the title from "Integrate jwtlet as in-cluster IdP for service-to-service auth" to "feat: integrate jwtlet as in-cluster IdP for service-to-service auth" on Jun 12, 2026
jimmarino self-requested a review June 12, 2026 13:21
jimmarino self-requested a review June 12, 2026 13:23
2 participants