Kubernetes security extensions for the Kagenti ecosystem, providing zero-trust authentication for workloads through transparent token exchange and dynamic Keycloak client registration using SPIFFE/SPIRE identities.
AuthBridge provides end-to-end authentication for Kubernetes workloads with SPIFFE/SPIRE integration. It consists of:
- AuthProxy — Envoy proxy with a gRPC external processor for inbound JWT validation and outbound OAuth 2.0 token exchange (RFC 8693). Enables secure service-to-service communication by transparently intercepting traffic.
- Client Registration — Automatically registers Kubernetes workloads as Keycloak OAuth2 clients using their SPIFFE identity, eliminating manual client configuration and static credentials.
- Keycloak Sync — Declarative tool for synchronizing Keycloak configuration.
See the AuthBridge README for architecture details and the demos index for getting started.
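The outbound half of the AuthProxy flow described above is an RFC 8693 token exchange against the Keycloak token endpoint. The following is an added Go example, not the project's go-processor code: it assumes a confidential client (client_id/client_secret, the credentials Client Registration would create for the workload), the standard token-type URIs from the RFC, and a token endpoint URL supplied by the caller.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Grant and token-type URIs defined by RFC 8693.
const tokenExchangeGrant = "urn:ietf:params:oauth:grant-type:token-exchange"
const accessTokenType = "urn:ietf:params:oauth:token-type:access_token"

// ExchangeForm builds the form the outbound proxy posts to the token endpoint: the
// validated inbound token is the subject, and a new token is requested for the upstream audience.
func ExchangeForm(subjectToken, audience, clientID, clientSecret string) url.Values {
	v := url.Values{}
	v.Set("grant_type", tokenExchangeGrant)
	v.Set("subject_token", subjectToken)
	v.Set("subject_token_type", accessTokenType)
	v.Set("requested_token_type", accessTokenType)
	v.Set("audience", audience)
	v.Set("client_id", clientID) // the workload's own (SPIFFE-registered) client, assumed confidential
	v.Set("client_secret", clientSecret)
	return v
}

// Exchange posts the form and returns the token to forward upstream. Anything that is not
// a successfully issued bearer access token is rejected, so an error body or a refresh/ID token is never forwarded.
func Exchange(c *http.Client, tokenURL string, form url.Values) (string, error) {
	resp, err := c.Post(tokenURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct {
		AccessToken     string `json:"access_token"`
		IssuedTokenType string `json:"issued_token_type"`
		TokenType       string `json:"token_type"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token exchange failed: status %d (decode error: %v)", resp.StatusCode, err)
	}
	if out.IssuedTokenType != accessTokenType || !strings.EqualFold(out.TokenType, "Bearer") {
		return "", fmt.Errorf("unexpected token type %q/%q", out.IssuedTokenType, out.TokenType)
	}
	return out.AccessToken, nil
}
func main() {}
```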
All images are published to ghcr.io/kagenti/kagenti-extensions/:
| Image | Description |
|---|---|
| envoy-with-processor | Envoy 1.28 + go-processor ext-proc |
| proxy-init | Alpine + iptables init container |
| client-registration | Python Keycloak client registrar |
| authbridge | Combined sidecar (Envoy + go-processor + spiffe-helper + client-registration) |
| auth-proxy | Example pass-through proxy (for demos) |
| demo-app | Demo target service |
```bash
# Install pre-commit hooks
make pre-commit

# Run formatters
make fmt

# Build AuthProxy Docker images
make build-images

# Run local testing (requires Kind cluster)
./local-build-and-test.sh
```

See LOCAL_TESTING_GUIDE.md for the full local development setup.
- kagenti — Core Kagenti platform
- kagenti-operator — Kubernetes operator for sidecar injection (includes the admission webhook)