Summary
Replace the file-based JWT-SVID approach (spiffe-helper writes to /opt/jwt_svid.token, authbridge reads from file) with direct SPIRE Workload API calls using the go-spiffe SDK. This eliminates the spiffe-helper sidecar container.
Current approach
spiffe-helper sidecar → SPIRE agent socket → writes /opt/jwt_svid.token
authbridge → reads /opt/jwt_svid.token via FileJWTSource → uses for token exchange
Three containers: agent + authbridge + spiffe-helper (+ optional client-registration)
Proposed approach
authbridge → SPIRE agent socket (direct via go-spiffe SDK) → FetchJWTSVID() on demand
Two containers: agent + authbridge
How Klaviger does it
Klaviger already implements this pattern:
internal/spiffe/jwt_source.go — connects to SPIRE Workload API via workloadapi.NewJWTSource()- Fetches JWT-SVIDs on demand with caching (10% expiry buffer refresh)
- Mounts SPIRE agent socket via CSI volume at
/spiffe-workload-api
- No spiffe-helper, no file I/O, no polling
Implementation
authbridge already has:
authlib/spiffe/file.go — FileJWTSource (current, reads from file)go-spiffe/v2 dependency in go.mod
Add:
authlib/spiffe/workload.go — WorkloadJWTSource using workloadapi.NewJWTSource()- Config option:
identity.spiffe_source: workload-api (vs current file default)
- Mount the SPIRE agent socket CSI volume directly on the authbridge container
The operator change: when injecting proxy-sidecar mode with SPIRE enabled, skip spiffe-helper injection and mount the CSI volume on authbridge-proxy instead.
Benefits
- One fewer sidecar (spiffe-helper eliminated)
- No file I/O polling — direct gRPC to SPIRE agent
- SVIDs never touch the filesystem (more secure)
- Simpler pod spec: 2 containers (agent + authbridge) instead of 3-4
- Faster startup — no waiting for spiffe-helper to write files
Scope
- Proxy-sidecar mode first (no backward compat concerns)
- Envoy-sidecar mode can adopt later (needs entrypoint.sh changes)
- The file-based path remains as fallback for environments without Workload API access
Related
Summary
Replace the file-based JWT-SVID approach (spiffe-helper writes to /opt/jwt_svid.token, authbridge reads from file) with direct SPIRE Workload API calls using the go-spiffe SDK. This eliminates the spiffe-helper sidecar container.
Current approach
Three containers: agent + authbridge + spiffe-helper (+ optional client-registration)
Proposed approach
Two containers: agent + authbridge
How Klaviger does it
Klaviger already implements this pattern:
internal/spiffe/jwt_source.go— connects to SPIRE Workload API viaworkloadapi.NewJWTSource()/spiffe-workload-apiImplementation
authbridge already has:
authlib/spiffe/file.go—FileJWTSource(current, reads from file)go-spiffe/v2dependency ingo.modAdd:
authlib/spiffe/workload.go—WorkloadJWTSourceusingworkloadapi.NewJWTSource()identity.spiffe_source: workload-api(vs currentfiledefault)The operator change: when injecting proxy-sidecar mode with SPIRE enabled, skip spiffe-helper injection and mount the CSI volume on authbridge-proxy instead.
Benefits
Scope
Related