stellhub/stellguard-agent
StellGuard Agent

StellGuard Agent is the node-side identity agent for the Stell zero-trust platform. It connects workloads to StellGuard Service, requests short-lived certificates, rotates local credentials, and stores trust material for mTLS-enabled services.

The first milestone focuses on a compact, runnable Go agent that can renew workload identity material from the service API. The implementation is standard-library only, making it easy to embed, harden, and extend with node attestation or workload selectors later.

Capabilities

  • Request SPIFFE-style workload certificates from StellGuard Service.
  • Persist certificate, private key, and trust bundle files locally.
  • Support one-shot renewal or interval-based credential rotation.
  • Send bearer-token authentication when STELLGUARD_TOKEN or --token is configured.
  • Propagate context cancellation for clean shutdown.
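One way to implement the persistence step so that a rotation never exposes a half-written file or an over-permissive private key to a workload reading the directory (atomic rotation and secure key storage are listed under Roadmap, so this is an added example, not the repository's own code; the Credential type and the Store and writeAtomic names are assumptions, and the caller is expected to create the output directory with permissions that fit its workload user):

```go
package main

import (
	"os"
	"path/filepath"
)

// Credential is one renewal's PEM material; the field names are assumptions.
type Credential struct{ CertPEM, KeyPEM, BundlePEM []byte }

// writeAtomic sets the final mode before any bytes land, fsyncs, then renames
// over path, so a reader never sees a truncated or over-permissive file.
func writeAtomic(path string, data []byte, mode os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".stellguard-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // harmless after a successful rename
	if err = tmp.Chmod(mode); err == nil {
		if _, err = tmp.Write(data); err == nil {
			err = tmp.Sync()
		}
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err == nil {
		err = os.Rename(tmp.Name(), path)
	}
	return err
}

// Store keeps the private key owner-only; cert and bundle are public material.
// The key is written first so a failure leaves the old pair consistent on disk.
func Store(certFile, keyFile, bundleFile string, c Credential) error {
	err := writeAtomic(keyFile, c.KeyPEM, 0o600)
	if err == nil {
		err = writeAtomic(certFile, c.CertPEM, 0o644)
	}
	if err == nil {
		err = writeAtomic(bundleFile, c.BundlePEM, 0o644)
	}
	return err
}
```

Because rename replaces the directory entry in one step, a service that re-reads the files on its next handshake sees either the previous or the new credential, never a mix of bytes.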

Quick Start

Run StellGuard Service first:

go run github.com/stellhub/stellguard-service/cmd/stellguard-service --addr :8080 --token local-dev-token

Run the agent once:

go run ./cmd/stellguard-agent \
  --service-url http://localhost:8080 \
  --spiffe-id spiffe://stell.local/workload/api \
  --token local-dev-token \
  --cert-file ./runtime/tls.crt \
  --key-file ./runtime/tls.key \
  --bundle-file ./runtime/ca.crt \
  --once

Run continuous renewal:

go run ./cmd/stellguard-agent \
  --service-url http://localhost:8080 \
  --spiffe-id spiffe://stell.local/workload/api \
  --token local-dev-token \
  --interval 10m

Development

go test ./...

Roadmap

  • Node attestation and workload selector integration.
  • Local Unix socket API for workload credential delivery.
  • Secure key storage and atomic credential rotation.
  • Metrics, audit events, and service discovery integration.

About

Go node agent for StellGuard zero-trust identity, fetching workload certificates, rotating local keys, and delivering mTLS credentials to services.
