[FEATURE]: identity-spiffe plugin for SPIFFE workload identity #109

Description

@araujof

Summary

Add an identity-spiffe plugin (sibling to identity-jwt under builtins/plugins/) that validates SPIFFE SVIDs and maps the SPIFFE ID into the subject/workload-identity extension.

identity-jwt validates bearer JWTs, but agent deployments increasingly authenticate with workload identity — SPIFFE SVID or k8s ServiceAccount — not a bearer JWT. The new plugin reuses the existing identity_resolve hook: validate an x509-SVID / JWT-SVID, then map spiffe://<trust-domain>/ns/<ns>/sa/<sa> into the subject extension so policy can key on workload identity.

User Story 1

  • As an: operator running agents under SPIFFE/SPIRE
  • I want: CPEX to resolve identity from a SPIFFE SVID
  • So that: policies reference agents by workload identity, not bearer token or IP/hostname

Acceptance Criteria

Scenario: Valid SVID resolves to a subject
  Given an agent presenting a valid x509-SVID or JWT-SVID
  When identity_resolve runs
  Then the SPIFFE ID is mapped into the subject extension

Scenario: Untrusted trust domain is rejected
  Given an SVID from a trust domain not in the plugin's trust config
  When identity_resolve runs
  Then identity resolution fails and the request is denied

Scenario: Policy keys on workload identity
  Given a resolved SPIFFE subject
  When a route requires a specific workload identity
  Then the policy matches on the SPIFFE ID

Design Sketch

Mirror the identity-jwt layout (config.rs, factory.rs, resolver.rs, trust config). Validate against a configured set of trusted SPIFFE trust domains; support both x509-SVID and JWT-SVID.

Additional Context

Scoped in the Praxis epic #678 alignment work (AgentPolicy data model + credential isolation, praxis sub-issues #680 and #686). Reuses the existing identity_resolve hook.
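The trust-domain check and the spiffe://<trust-domain>/ns/<ns>/sa/<sa> mapping from the design sketch, as an added Rust example that is not the project's code: WorkloadSubject, TrustConfig and ResolveError are assumed shapes, and cryptographic validation of the x509-SVID/JWT-SVID is assumed to have already happened before the extracted SPIFFE ID reaches this function.

```rust
use std::collections::HashSet;

/// Fields the plugin would write into the subject/workload-identity extension.
/// The real extension type is an assumption; this struct is illustrative only.
#[derive(Debug, PartialEq, Eq)]
pub struct WorkloadSubject {
    pub spiffe_id: String,
    pub trust_domain: String,
    pub namespace: String,
    pub service_account: String,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ResolveError {
    MalformedId,
    UntrustedTrustDomain(String),
}

/// Trust config: the set of SPIFFE trust domains the plugin accepts.
pub struct TrustConfig {
    pub trusted_domains: HashSet<String>,
}

/// Map a SPIFFE ID taken from an already-verified SVID to a subject.
/// Fails closed: the trust domain must be configured and the path must be
/// exactly /ns/<ns>/sa/<sa>; anything else is an error so the caller denies.
pub fn resolve_subject(cfg: &TrustConfig, spiffe_id: &str) -> Result<WorkloadSubject, ResolveError> {
    let rest = spiffe_id.strip_prefix("spiffe://").ok_or(ResolveError::MalformedId)?;
    let (trust_domain, path) = rest.split_once('/').ok_or(ResolveError::MalformedId)?;
    // Check the trust domain before looking at the path so an SVID from an
    // unconfigured domain is rejected regardless of how its path is shaped.
    if trust_domain.is_empty() || !cfg.trusted_domains.contains(trust_domain) {
        return Err(ResolveError::UntrustedTrustDomain(trust_domain.to_string()));
    }
    let segs: Vec<&str> = path.split('/').collect();
    match segs.as_slice() {
        ["ns", ns, "sa", sa] if !ns.is_empty() && !sa.is_empty() => Ok(WorkloadSubject {
            spiffe_id: spiffe_id.to_string(),
            trust_domain: trust_domain.to_string(),
            namespace: ns.to_string(),
            service_account: sa.to_string(),
        }),
        _ => Err(ResolveError::MalformedId),
    }
}

fn main() {
    // Constructed sample config and IDs for a stand-alone run.
    let cfg = TrustConfig { trusted_domains: vec!["example.org".to_string()].into_iter().collect() };
    for id in ["spiffe://example.org/ns/prod/sa/agent", "spiffe://other.test/ns/prod/sa/agent"].iter() {
        println!("{} -> {:?}", id, resolve_subject(&cfg, id));
    }
}
```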
