workloadidentity

package
v0.10.0 (not the latest version of its module)
Published: Jun 10, 2026 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Overview

Package workloadidentity implements OIDC workload identity tokens for sandbox containers, following the GitHub Actions OIDC pattern.

Trust Model

Each cluster is its own OIDC issuer with an independent signing key and JWKS endpoint. New clusters sign with RS256 (RSA), the universally supported default; clusters provisioned before that default keep their EdDSA key advertised in JWKS for verification while new tokens are signed with a freshly generated RS256 key. Miren Cloud is not in the trust path — it only contributes organization_id and cluster_id as claim metadata during registration. This per-cluster model means external verifiers (e.g., AWS IAM OIDC) must configure trust per cluster rather than once for all of Miren. A future central issuer could reduce that to one trust config scoped by claims, but would introduce a single point of compromise for all clusters.

Issuer URL (iss claim)

The issuer URL is the cluster's cryptographic identity anchor — it's baked into every token and pinned in external trust configurations. For cloud-registered clusters, this is the provisioned DNS hostname (e.g., https://cluster-abc.miren.systems). For bare-metal clusters without registration, it falls back to cfg.TLS.AdditionalNames[0], meaning the identity anchor is determined by config list order. This fallback is intentionally simple for v1; a more deliberate selection mechanism (e.g., explicit --issuer-url flag) may be warranted if bare-metal OIDC federation sees adoption.

Index

Constants

const (
	DefaultTTL = 1 * time.Hour
	MaxTTL     = 24 * time.Hour
	MinTTL     = 60 * time.Second
)

Variables

This section is empty.

Functions

This section is empty.

Types

type Issuer

type Issuer struct {
	// contains filtered or unexported fields
}

func NewIssuer

func NewIssuer(cfg IssuerConfig) (*Issuer, error)

func (*Issuer) DiscoveryDocument

func (iss *Issuer) DiscoveryDocument() []byte

func (*Issuer) Hostname

func (iss *Issuer) Hostname() string

func (*Issuer) IssueToken

func (iss *Issuer) IssueToken(app, sandboxID string) (string, error)

func (*Issuer) IssueTokenWithOptions

func (iss *Issuer) IssueTokenWithOptions(app, sandboxID string, opts TokenOptions) (string, error)

func (*Issuer) IssuerURL

func (iss *Issuer) IssuerURL() string

func (*Issuer) JWKSDocument

func (iss *Issuer) JWKSDocument() ([]byte, error)

func (*Issuer) PublicKey

func (iss *Issuer) PublicKey() any

type IssuerConfig

type IssuerConfig struct {
	DataPath       string
	IssuerURL      string
	OrganizationID string
	ClusterID      string
}

type TokenIssuer

type TokenIssuer interface {
	IssueToken(app, sandboxID string) (string, error)
	IssueTokenWithOptions(app, sandboxID string, opts TokenOptions) (string, error)
	IssuerURL() string
}

TokenIssuer is the minting surface the sandbox controller depends on. The concrete *Issuer satisfies it directly (the coordinator holds the signing key). Distributed runners have no signing key, so they supply an implementation that proxies minting to the coordinator over RPC.

type TokenOptions

type TokenOptions struct {
	Audience []string
	TTL      time.Duration
}

type WorkloadClaims

type WorkloadClaims struct {
	jwt.RegisteredClaims
	OrganizationID string `json:"organization_id,omitempty"`
	ClusterID      string `json:"cluster_id,omitempty"`
	App            string `json:"app,omitempty"`
	SandboxID      string `json:"sandbox_id"`
}
