feat: Add agent authentication based on instance ID (#336)

* feat: Add agent authentication based on instance ID

Each cloud has its own unique instance identity signatures, which
can be used for zero-token authentication. This change adds support
for tracking by "instance_id", and automatically authenticating
with Google Cloud.

* Add test for CLI

* Fix workspace agent request name

* Fix race with adding to wait group

* Fix name of instance identity token
Kyle Carberry
2022-02-21 14:36:29 -06:00
committed by GitHub
parent 67613da86d
commit 8958b641e9
41 changed files with 752 additions and 251 deletions


@ -5,6 +5,7 @@ import (
"sync"
"github.com/go-chi/chi/v5"
"google.golang.org/api/idtoken"
"cdr.dev/slog"
"github.com/coder/coder/database"
@ -18,6 +19,8 @@ type Options struct {
Logger slog.Logger
Database database.Store
Pubsub database.Pubsub
GoogleTokenValidator *idtoken.Validator
}
// New constructs the Coder API into an HTTP handler.
@ -107,6 +110,12 @@ func New(options *Options) (http.Handler, func()) {
})
})
r.Route("/workspaceagent", func(r chi.Router) {
r.Route("/authenticate", func(r chi.Router) {
r.Post("/google-instance-identity", api.postAuthenticateWorkspaceAgentUsingGoogleInstanceIdentity)
})
})
r.Route("/files", func(r chi.Router) {
r.Use(httpmw.ExtractAPIKey(options.Database, nil))
r.Post("/", api.postFiles)