API Reference
Riptides exposes a declarative, Kubernetes-style API built on Custom Resource Definitions (CRDs). You manage workload identities, credential sources, credential bindings, and service definitions as standard Kubernetes resources using kubectl or any Kubernetes-compatible tooling.
API Groups
Riptides organizes its resources into three API groups:
| API Group | Description |
|---|---|
| core.riptides.io | Primary resources for workload identity, credentials, and service definitions. |
| auth.riptides.io | Authentication primitives such as join tokens and verifiers. |
| crypto.riptides.io | Cryptographic material management (certificates, keys). These resources are system-managed and not typically user-facing. |
Version
All resources are currently served at version v1alpha1.
Resource Reference
| Resource | API Group | Kind | Description |
|---|---|---|---|
| WorkloadIdentity | core.riptides.io | WorkloadIdentity | Defines a cryptographic identity for a workload, including its SPIFFE ID, selectors, TLS policy, and allowed communication peers. |
| CredentialSource | core.riptides.io | CredentialSource | Defines where and how credentials are obtained — from Kubernetes secrets, cloud IAM (AWS, GCP, Azure), HashiCorp Vault, JWT minting, OAuth2, or OCI. |
| CredentialBinding | core.riptides.io | CredentialBinding | Binds a CredentialSource to a workload and defines how credentials are delivered (on-the-wire injection or sysfs files). |
| Service | core.riptides.io | Service | Defines a network service (internal or external) that workloads connect to, used for egress policy matching. |
| Daemon | core.riptides.io | Daemon | Represents a Riptides daemon running on a node. |
| DaemonGroup | core.riptides.io | DaemonGroup | Groups daemons for scoping workload identity assignments. |
| JoinToken | auth.riptides.io | JoinToken | Bootstrap token used by daemons to join the control plane. |
| Verifier | auth.riptides.io | Verifier | Defines how identity claims are verified. |
| IdentityProvider | core.riptides.io | IdentityProvider | Configures an external identity provider for OIDC federation. |
| OIDCClient | core.riptides.io | OIDCClient | Registers an OIDC client for token exchange. |
Note: Resources in the crypto.riptides.io group are managed automatically by the Riptides control plane and do not require direct user interaction under normal operation.
Namespace
All Riptides CRDs are namespaced. By convention, resources are created in the riptides-system namespace.
Deprecation Notice
The WorkloadCredential resource is deprecated. Use CredentialBinding instead to bind credentials to workloads.
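The facts on this page (the three API groups, the single served version, the kinds in the resource table, the namespaced convention and the WorkloadCredential deprecation) are enough to lint manifests before they reach kubectl. The following is an added example, not code from the Riptides project: a small pre-apply checker that flags unknown groups or kinds, a non-served version, hand-written resources in the system-managed crypto.riptides.io group, a missing namespace, and use of the deprecated kind. The manifests at the bottom are constructed samples with spec fields omitted, and the crypto kind name in the last one is a placeholder, since the page does not list kinds for that group.

```python
"""Pre-apply lint for Riptides manifests, based only on the API groups,
version, kinds and deprecation listed in the API Reference.
Added example; not part of the Riptides project."""

# Kinds per user-facing API group, as listed in the Resource Reference table.
KNOWN_KINDS = {
    "core.riptides.io": {
        "WorkloadIdentity", "CredentialSource", "CredentialBinding", "Service",
        "Daemon", "DaemonGroup", "IdentityProvider", "OIDCClient",
    },
    "auth.riptides.io": {"JoinToken", "Verifier"},
}
# Groups the control plane manages itself; applying these by hand is unusual.
SYSTEM_MANAGED_GROUPS = {"crypto.riptides.io"}
SERVED_VERSION = "v1alpha1"
CONVENTIONAL_NAMESPACE = "riptides-system"
# Deprecated kind -> replacement, from the Deprecation Notice.
DEPRECATED = {"WorkloadCredential": "CredentialBinding"}


def lint_manifest(manifest):
    """Return a list of (severity, message) findings for one manifest dict."""
    findings = []
    api_version = manifest.get("apiVersion", "")
    kind = manifest.get("kind", "")
    meta = manifest.get("metadata") or {}
    name = meta.get("name", "<unnamed>")

    group, _, version = api_version.partition("/")
    # Core Kubernetes objects ("v1") or non-Riptides groups are out of scope.
    if not version or not group.endswith("riptides.io"):
        findings.append(("info", f"{name}: {api_version!r} is not a Riptides API; skipped"))
        return findings
    if version != SERVED_VERSION:
        findings.append(("error", f"{name}: version {version} is not served (expected {SERVED_VERSION})"))
    if group in SYSTEM_MANAGED_GROUPS:
        findings.append(("warning", f"{name}: {group} resources are control-plane managed; "
                                    "applying them by hand is unusual"))
    elif group not in KNOWN_KINDS:
        findings.append(("error", f"{name}: unknown API group {group}"))
    elif kind in DEPRECATED:
        findings.append(("warning", f"{name}: kind {kind} is deprecated, use {DEPRECATED[kind]}"))
    elif kind not in KNOWN_KINDS[group]:
        findings.append(("error", f"{name}: kind {kind} is not defined in {group}"))

    # All Riptides CRDs are namespaced; riptides-system is the convention.
    ns = meta.get("namespace")
    if ns is None:
        findings.append(("error", f"{name}: Riptides CRDs are namespaced; metadata.namespace is missing"))
    elif ns != CONVENTIONAL_NAMESPACE:
        findings.append(("info", f"{name}: namespace {ns} differs from the conventional {CONVENTIONAL_NAMESPACE}"))
    return findings


def lint_all(manifests):
    """Lint a list of manifest dicts (e.g. all documents of one YAML file)."""
    return [f for m in manifests for f in lint_manifest(m)]


def has_errors(findings):
    """True if any finding should block `kubectl apply`."""
    return any(sev == "error" for sev, _ in findings)


# Constructed sample manifests; spec fields are omitted for brevity.
SAMPLE_MANIFESTS = [
    {"apiVersion": "core.riptides.io/v1alpha1", "kind": "WorkloadIdentity",
     "metadata": {"name": "payments", "namespace": "riptides-system"}},
    {"apiVersion": "core.riptides.io/v1alpha1", "kind": "WorkloadCredential",   # deprecated kind
     "metadata": {"name": "legacy-db-cred", "namespace": "riptides-system"}},
    {"apiVersion": "auth.riptides.io/v1beta1", "kind": "JoinToken",              # wrong version, no namespace
     "metadata": {"name": "node-bootstrap"}},
    {"apiVersion": "crypto.riptides.io/v1alpha1", "kind": "PlaceholderCryptoKind",  # placeholder kind name
     "metadata": {"name": "hand-made-cert", "namespace": "riptides-system"}},
]

if __name__ == "__main__":
    results = lint_all(SAMPLE_MANIFESTS)
    for severity, message in results:
        print(f"[{severity}] {message}")
    raise SystemExit(1 if has_errors(results) else 0)
```

Run it in a CI step before `kubectl apply`; a non-zero exit means at least one error-level finding. Deprecation and system-managed findings are reported as warnings so existing WorkloadCredential objects can be migrated to CredentialBinding without blocking unrelated changes.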