📣 Heads up: Breaking change to the Testbed Directory

[tkircsi]

Important

🔒 Why this is happening: these changes are part of a security-hardening effort for the testbed Directory.

TL;DR: We are making breaking changes to our testbed by removing mTLS SPIFFE x509 public access and renaming hostnames to canonical, environment-neutral names. Every federated peer must update its config, re-bootstrap the trust bundle, and update configuration around affected testbed endpoints.

---

What's changed

Service	Old	New
SPIRE trust domain	prod.ads.outshift.io	spire.ads.outshift.io
SPIRE bundle endpoint	prod.spire.ads.outshift.io	spire.ads.outshift.io
SPIRE OIDC discovery	prod.oidc-discovery.spire.ads.outshift.io	oidc-discovery.spire.ads.outshift.io
Routing / P2P (libp2p)	prod.routing.ads.outshift.io	routing.ads.outshift.io
OCI registry (Zot)	prod.zot.ads.outshift.io	store.ads.outshift.io
OIDC issuer (Dex IdP)	prod.idp.ads.outshift.io	idp.ads.outshift.io

Note: the trust domain and its bundle endpoint now share one self-consistent host (spire.ads.outshift.io).

Why

• Security considerations around exposing mTLS to public workloads
• Consolidating the testbed onto clean, canonical hostnames (dropping the prod. prefix for the public-facing testbed endpoints), consistent with the broader testbed hardening + gateway consolidation work
• Removes the confusing spire. vs prod.spire. split between the trust domain name and its bundle endpoint

Who is affected

• Federated partners - anyone whose SPIRE deployment federates with our testbed.
• Anyone with outdated testbed endpoint configs - bootstrap addresses, registry pulls, scripts, CI.

⚠️ Action required (federated peers)

The testbed SPIRE will come up under a new trust domain with a new CA/trust bundle. SVIDs issued under the old prod.ads.outshift.io will no longer validate. To stay federated you must:

1. Update your federation config (ClusterFederatedTrustDomain / apiserver.spire.federation):
   • trustDomain: prod.ads.outshift.io → spire.ads.outshift.io
   • bundleEndpointURL: https://prod.spire.ads.outshift.io → https://spire.ads.outshift.io
2. Re-bootstrap the trust bundle from the new endpoint (https_web / Let's Encrypt profile).
3. Update any authz policies that reference the trust domain (e.g. p,prod.ads.outshift.io,* → p,spire.ads.outshift.io,*).
4. Update hardcoded bootstrap peers to /dns4/routing.ads.outshift.io/tcp/5555/p2p/<peer-id> (the peer ID is unchanged - only the DNS name moved).
5. Update registry pulls to store.ads.outshift.io.

Until you migrate, federation with the testbed will be down for your instance.

Note

💻 Using the dirctl CLI? Update these testbed endpoints in your CLI config (or the matching flags / env vars in your scripts):

• Server / gateway address - server_address / --server-addr: prod.gateway.ads.outshift.io:443 → ads.outshift.io:443
• OIDC issuer - oidc_issuer / --oidc-issuer / DIRECTORY_CLIENT_OIDC_ISSUER: https://prod.idp.ads.outshift.io → https://idp.ads.outshift.io

Stale endpoints will simply stop resolving once the old DNS records are retired.

References

• dir-staging federation descriptor PR: feat: follow up the testbed changes dir-staging#58
• Upstream chart default (bootstrap_peers) updated in agntcy/dir.

Please let us know if you have any questions or you need any help with migration.
Thank you for understanding!