StellGuard Agent is the node-side identity agent for the Stell zero-trust platform. It connects workloads to StellGuard Service, requests short-lived certificates, rotates local credentials, and stores trust material for mTLS-enabled services.
The first milestone focuses on a compact, runnable Go agent that can renew workload identity material from the service API. The implementation is standard-library only, making it easy to embed, harden, and extend with node attestation or workload selectors later.
- Request SPIFFE-style workload certificates from StellGuard Service.
- Persist certificate, private key, and trust bundle files locally.
- Support one-shot renewal or interval-based credential rotation.
- Send bearer-token authentication when `STELLGUARD_TOKEN` or `--token` is configured.
- Propagate context cancellation for clean shutdown.
The quick start below talks plain HTTP with a static development token. A bearer token sent over `http://` is readable by anyone on the network path, and one passed with `--token` is visible in process listings, so outside local development put the service behind TLS and supply the token through `STELLGUARD_TOKEN` instead.

Run StellGuard Service first:
```bash
go run github.com/stellhub/stellguard-service/cmd/stellguard-service --addr :8080 --token local-dev-token
```

Run the agent once:

```bash
go run ./cmd/stellguard-agent \
  --service-url http://localhost:8080 \
  --spiffe-id spiffe://stell.local/workload/api \
  --token local-dev-token \
  --cert-file ./runtime/tls.crt \
  --key-file ./runtime/tls.key \
  --bundle-file ./runtime/ca.crt \
  --once
```

Run continuous renewal:

```bash
go run ./cmd/stellguard-agent \
  --service-url http://localhost:8080 \
  --spiffe-id spiffe://stell.local/workload/api \
  --token local-dev-token \
  --interval 10m
```

Run the tests:

```bash
go test ./...
```

Planned for later milestones:

- Node attestation and workload selector integration.
- Local Unix socket API for workload credential delivery.
- Secure key storage and atomic credential rotation.
- Metrics, audit events, and service discovery integration.