Bug
When CLIENT_AUTH_TYPE=federated-jwt is set in authbridge-config, the operator generates per-agent configs (authbridge-config-<workload>) where the pipeline outbound token-exchange plugin has identity.type: spiffe but is missing jwt_audience and jwt_svid_path.
The authbridge-proxy crashes on startup with:
identity.type=spiffe requires identity.jwt_audience to be set
Expected behavior
The operator should propagate all identity fields (jwt_audience, jwt_svid_path) from the base authbridge-runtime-config into the pipeline's token-exchange plugin config, not just identity.type.
Actual behavior
The top-level identity block in the per-agent config is correct:
identity:
client_id_file: /shared/client-id.txt
client_secret_file: /shared/client-secret.txt
jwt_svid_path: /opt/jwt_svid.token
jwt_audience: https://keycloak.example.com/realms/myrealm
type: spiffe
But the pipeline section only copies type:
pipeline:
outbound:
plugins:
- config:
identity:
type: spiffe # <-- missing jwt_audience and jwt_svid_path
keycloak_realm: myrealm
keycloak_url: https://keycloak.example.com
name: token-exchange
Steps to reproduce
- Deploy workloads with kagenti sidecar injection
- Create a SPIFFE Identity Provider in Keycloak (
make setup-keycloak-spiffe)
- Set
CLIENT_AUTH_TYPE=federated-jwt in authbridge-config
- Set
identity.type: spiffe with jwt_audience and jwt_svid_path in authbridge-runtime-config
- Delete per-agent configs and let the operator regenerate them
- Observe the authbridge-proxy crash in the new pods
Workaround
Keep identity.type: client-secret in authbridge-runtime-config while setting CLIENT_AUTH_TYPE=federated-jwt in authbridge-config. The proxy uses client-secret for its own token exchange calls, while the operator registers Keycloak clients with SPIFFE IDs. Token exchange works correctly in this configuration.
Environment
Bug
When
CLIENT_AUTH_TYPE=federated-jwtis set inauthbridge-config, the operator generates per-agent configs (authbridge-config-<workload>) where the pipeline outbound token-exchange plugin hasidentity.type: spiffebut is missingjwt_audienceandjwt_svid_path.The authbridge-proxy crashes on startup with:
Expected behavior
The operator should propagate all identity fields (
jwt_audience,jwt_svid_path) from the baseauthbridge-runtime-configinto the pipeline'stoken-exchangeplugin config, not justidentity.type.Actual behavior
The top-level
identityblock in the per-agent config is correct:But the pipeline section only copies
type:Steps to reproduce
make setup-keycloak-spiffe)CLIENT_AUTH_TYPE=federated-jwtinauthbridge-configidentity.type: spiffewithjwt_audienceandjwt_svid_pathinauthbridge-runtime-configWorkaround
Keep
identity.type: client-secretinauthbridge-runtime-configwhile settingCLIENT_AUTH_TYPE=federated-jwtinauthbridge-config. The proxy uses client-secret for its own token exchange calls, while the operator registers Keycloak clients with SPIFFE IDs. Token exchange works correctly in this configuration.Environment
proxy-sidecar