Verifier
A Verifier defines how daemons prove their identity when connecting to the Riptides control plane. Each Verifier targets a specific authentication mechanism and can filter incoming daemons by required metadata and automatically assign workload identities.
- API Group: auth.riptides.io
- Version: v1alpha1
- Kind: Verifier
- Plural: verifiers
The spec must include exactly one of the following authentication method fields. Optionally, requiredMetadata and workloadIDTemplate can be set alongside any method.
Authentication Methods
AWSIID
- Type: object
Verifies daemons using the AWS EC2 Instance Identity Document. The daemon presents a signed document from the EC2 metadata service, and the control plane validates the signature against AWS public certificates. No additional configuration is required on the object itself; note that without requiredMetadata any EC2 instance that can produce a validly signed document is accepted, so use requiredMetadata to restrict which AWS accounts, regions, or instance types are accepted.
GCPIIT
- Type: object
Verifies daemons using a Google Cloud Instance Identity Token (a JWT signed by Google).
| Field | Type | Required | Description |
|---|---|---|---|
| audience | string | No | Expected audience claim in the token |
| jwksURL | string | No | Custom JWKS URL for token verification |
| jwksCacheTTL | string | No | Cache duration for JWKS keys (e.g., 300s) |
| iatLeeway | string | No | Allowed clock skew for the iat claim (e.g., 60s) |
joinToken
- Type: object
Verifies daemons using a pre-shared JoinToken. Useful for initial setup, development, or environments where platform-native identity is unavailable. Because a pre-shared token proves only possession of the secret, not where the daemon runs, prefer a platform-native method wherever one exists. No additional fields; the token itself is defined in a separate JoinToken resource.
K8sSAT
- Type: object
Verifies daemons using a Kubernetes Service Account Token.
| Field | Type | Required | Description |
|---|---|---|---|
| clusterID | string | Yes | Identifier for the Kubernetes cluster |
| jwksSource | object | Yes | Source of JWKS for token validation. One of inline (string) or remote ({url, minRefreshInterval}) |
| audience | string | No | Expected audience claim |
| iatLeeway | string | No | Allowed clock skew for iat (e.g., 60s) |
X509CertPOP
- Type: object
Verifies daemons by X.509 certificate proof of possession.
| Field | Type | Required | Description |
|---|---|---|---|
| caCertificatePEM | string | Yes | PEM-encoded CA certificate used to validate the daemon’s certificate |
SSHCertPOP
- Type: object
Verifies daemons by SSH certificate proof of possession.
| Field | Type | Required | Description |
|---|---|---|---|
| authorizedCA | array of string | Yes | List of authorized CA public keys |
GitHubActions
- Type: object
Verifies daemons using a GitHub Actions OIDC token. The runner fetches the token from the Actions token endpoint (ACTIONS_ID_TOKEN_REQUEST_URL) and the control plane validates it against GitHub’s public JWKS. repositoryOwner on its own admits workflows from every repository that owner has; set repository, environment or ref (or the matching requiredMetadata keys) to narrow the set of workflows that may join.
| Field | Type | Required | Description |
|---|---|---|---|
| repositoryOwner | string | Yes | GitHub organisation or user that owns the repository. Tokens from any other owner are rejected. |
| repository | string | No | Full repository name (e.g. your-org/my-repo). Restricts to a single repository. |
| environment | string | No | GitHub deployment environment name. Restricts to workflows running in that environment. |
| ref | string | No | Git ref (e.g. refs/heads/main). Restricts to a specific branch or tag. |
| audience | string | No | Expected audience claim in the token (default: riptides) |
| jwksURL | string | No | Custom JWKS URL (default: https://token.actions.githubusercontent.com/.well-known/jwks) |
| jwksCacheTTL | string | No | Cache duration for JWKS keys (e.g. 300s) |
| iatLeeway | string | No | Allowed clock skew for the iat claim (e.g. 60s) |
Generic JWT
- Type: object
Verifies daemons using a generic JWT from any issuer whose signing keys are reachable through jwksSource.
| Field | Type | Required | Description |
|---|---|---|---|
| issuer | string | Yes | Expected token issuer |
| audience | string | No | Expected audience claim |
| jwksSource | object | No | JWKS source: inline (string) or remote ({url, minRefreshInterval}) |
| metadataMap | map[string]string | No | Mapping of JWT claims to daemon metadata keys |
| iatLeeway | string | No | Allowed clock skew (e.g., 60s) |
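The GCPIIT, K8sSAT, GitHubActions and generic JWT methods reduce to the same sequence of checks: select a key from the JWKS by the token's kid, verify the signature, then compare iss and aud against the policy and bound iat by iatLeeway. The Go program below is an illustration added to this page, not Riptides code; it performs those checks against a key pair it generates itself, standing in for the identity provider, and the issuer URL, kid and audience values are placeholders. It also shows why iatLeeway is bounded: a token whose iat is further ahead of the verifier's clock than the leeway is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims is the subset of JWT claims the checks below inspect.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"` // string form only; real tokens may carry an array here
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// Policy mirrors the verifier fields issuer, audience and iatLeeway.
type Policy struct {
	Issuer, Audience string
	IatLeeway        time.Duration
}

// JWK is one RSA entry of a JWKS (base64url n and e), as an inline jwksSource would carry it.
type JWK struct{ N, E string }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRS256 mints a token the way an identity provider would; it exists only to build test input.
func SignRS256(key *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	in := b64(hdr) + "." + b64(body)
	h := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return in + "." + b64(sig)
}

// PublicJWK renders the public half of key as a JWKS entry.
func PublicJWK(key *rsa.PrivateKey) JWK {
	return JWK{b64(key.N.Bytes()), b64(big.NewInt(int64(key.E)).Bytes())}
}

// VerifyJWT selects the key by kid, checks the RS256 signature, then iss, aud, exp and iat within leeway.
func VerifyJWT(token string, keys map[string]JWK, p Policy, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if hb, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "RS256" { // pin the algorithm; never let the token choose it
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	k, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("no JWKS key with kid %q", hdr.Kid)
	}
	n, _ := base64.RawURLEncoding.DecodeString(k.N)
	e, _ := base64.RawURLEncoding.DecodeString(k.E)
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if cb, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &c) != nil {
		return nil, errors.New("bad claims")
	}
	if c.Iss != p.Issuer || (p.Audience != "" && c.Aud != p.Audience) {
		return nil, fmt.Errorf("iss %q / aud %q not accepted by policy", c.Iss, c.Aud)
	}
	// exp must still be in the future; iat may lead the local clock by at most iatLeeway.
	if !now.Before(time.Unix(c.Exp, 0)) || time.Unix(c.Iat, 0).After(now.Add(p.IatLeeway)) {
		return nil, errors.New("token outside its validity window (exp passed or iat beyond leeway)")
	}
	return &c, nil
}

// Demo mints tokens against a constructed key pair and reports whether the policy accepts each.
func Demo() (goodOK, skewedRejected, wrongAudRejected bool) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys, now := map[string]JWK{"k1": PublicJWK(key)}, time.Now()
	p := Policy{Issuer: "https://issuer.example", Audience: "riptides", IatLeeway: 60 * time.Second}
	accept := func(c Claims) bool { _, err := VerifyJWT(SignRS256(key, "k1", c), keys, p, now); return err == nil }
	good := Claims{Iss: p.Issuer, Aud: p.Audience, Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()}
	skewed, wrongAud := good, good
	skewed.Iat = now.Add(5 * time.Minute).Unix() // issuer clock 5 min ahead, beyond the 60s leeway
	wrongAud.Aud = "another-service"
	return accept(good), !accept(skewed), !accept(wrongAud)
}

func main() { fmt.Println(Demo()) }
```

The alg pin is the check most often missing from hand-rolled validators: the key is chosen by kid from the verifier's own JWKS and the algorithm is fixed by policy, so neither can be steered by the token. A remote jwksSource or jwksURL only changes where the keys map is loaded from; the checks after that point are the same.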
Common Fields
requiredMetadata
- Type: array of objects (free-form key-value pairs)
- Required: No
Restricts which daemons this verifier will accept. Each entry is a key-value pair that must match the daemon’s metadata derived from its authentication proof; a daemon is accepted only if every listed pair matches. For example, an AWSIID verifier can require a specific AWS account ID.
Common keys by verifier type:
| Verifier | Key | Description |
|---|---|---|
| AWSIID | awsiid:account:id | AWS account ID |
| AWSIID | awsiid:region | AWS region |
| GCPIIT | gcpiit:project:id | GCP project ID |
| GCPIIT | gcpiit:zone | GCP zone |
| GitHubActions | githubactions:repository:owner | GitHub org or user |
| GitHubActions | githubactions:repository:full_name | Full repo name (org/repo) |
| GitHubActions | githubactions:workflow | Workflow name |
| GitHubActions | githubactions:environment | Deployment environment |
| GitHubActions | githubactions:ref | Git ref |
workloadIDTemplate
- Type: string
- Required: No
A Go template string used to automatically generate the workloadID for daemons that match this verifier. Template variables are populated from the daemon’s authentication metadata.
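How requiredMetadata matching and workloadIDTemplate rendering fit together, as a Go example added to this page (not Riptides code). It assumes the template is executed with the daemon's metadata as a map keyed by the names in the table above; the page does not state the data shape, so that is an assumption. Because those keys contain colons, a template cannot write {{ .awsiid:account:id }} and must use {{ index . "awsiid:account:id" }} instead. The metadata values, the aws/... identity format and the example:absent-key name are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Metadata is the key/value set a verifier derives from a daemon's authentication proof.
type Metadata map[string]string

// MatchesRequired reports whether every key/value pair in every requiredMetadata entry
// is present in md with the same value; all entries must match for the daemon to pass.
func MatchesRequired(md Metadata, required []map[string]string) bool {
	for _, entry := range required {
		for k, want := range entry {
			if got, ok := md[k]; !ok || got != want {
				return false
			}
		}
	}
	return true
}

// RenderWorkloadID executes a Go text/template with the metadata map as its data.
// text/template's index function yields "" for an absent map key instead of failing,
// so the rendered ID is rejected when any "/"-separated segment is empty: a verifier
// should fail closed rather than hand out a truncated identity (this example's policy).
func RenderWorkloadID(tmpl string, md Metadata) (string, error) {
	t, err := template.New("workloadID").Parse(tmpl)
	if err != nil {
		return "", fmt.Errorf("parse workloadIDTemplate: %w", err)
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, md); err != nil {
		return "", fmt.Errorf("execute workloadIDTemplate: %w", err)
	}
	id := buf.String()
	for _, seg := range strings.Split(id, "/") {
		if seg == "" {
			return "", fmt.Errorf("workloadIDTemplate %q produced an empty segment in %q", tmpl, id)
		}
	}
	return id, nil
}

// Demo evaluates an AWSIID-style verifier against constructed metadata for one daemon.
func Demo() (id string, accepted, otherAccountAccepted bool, missingKeyErr error) {
	md := Metadata{ // constructed: what an accepted instance identity document might yield
		"awsiid:account:id": "123456789012",
		"awsiid:region":     "eu-west-1",
	}
	required := []map[string]string{{"awsiid:account:id": "123456789012"}}
	otherAccount := []map[string]string{{"awsiid:account:id": "999999999999"}}
	id, _ = RenderWorkloadID(`aws/{{ index . "awsiid:account:id" }}/{{ index . "awsiid:region" }}`, md)
	// "example:absent-key" is a hypothetical key this daemon's proof does not carry;
	// the render must fail rather than return "aws/123456789012/".
	_, missingKeyErr = RenderWorkloadID(`aws/{{ index . "awsiid:account:id" }}/{{ index . "example:absent-key" }}`, md)
	return id, MatchesRequired(md, required), MatchesRequired(md, otherAccount), missingKeyErr
}

func main() {
	id, accepted, other, err := Demo()
	fmt.Println(id, accepted, other, err)
}
```

Running it yields the identity aws/123456789012/eu-west-1, accepts the daemon for the matching account, rejects it for the other account, and returns an error for the template that references a key the proof never supplied.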
Status
| Field | Type | Description |
|---|---|---|
| state | string | One of Unspecified, Available, Failed |
| message | string | Human-readable status message (set on failure) |
Examples
AWS Instance Identity Document Verifier
Accepts daemons from a specific AWS account:
```yaml
apiVersion: auth.riptides.io/v1alpha1
kind: Verifier
metadata:
  name: awsiid
  namespace: riptides-system
spec:
  AWSIID: {}
  requiredMetadata:
    - awsiid:account:id: "123456789012"
```
GCP Instance Identity Token Verifier
Accepts daemons from a specific GCP project:
```yaml
apiVersion: auth.riptides.io/v1alpha1
kind: Verifier
metadata:
  name: gcpiit
  namespace: riptides-system
spec:
  GCPIIT:
    audience: gcp-iit
  requiredMetadata:
    - gcpiit:project:id: my-gcp-project-123456
```
GitHub Actions Verifier
Accepts runners from a specific GitHub organisation, restricted to the main branch:
```yaml
apiVersion: auth.riptides.io/v1alpha1
kind: Verifier
metadata:
  name: github-actions
  namespace: riptides-system
spec:
  GitHubActions:
    repositoryOwner: your-org
    ref: refs/heads/main
    audience: riptides
```
Join Token Verifier
Accepts daemons that present a valid pre-shared token (useful for development):
```yaml
apiVersion: auth.riptides.io/v1alpha1
kind: Verifier
metadata:
  name: jointoken
  namespace: riptides-system
spec:
  joinToken: {}
```
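An added configuration example, not taken from the project's own docs, showing the over-broad GitHub Actions verifier beside a narrowed one. The first object admits every workflow in every repository owned by your-org on any ref; the second uses the repository, environment and ref fields plus a requiredMetadata entry so that only the deploy workflow of one repository, running on main in the production environment, can join. The repository, environment and workflow names are placeholders, and the workloadIDTemplate assumes the template data is a map keyed by the metadata names listed under requiredMetadata (an assumption, as the page does not state the data shape).

```yaml
# Over-broad: any repository owned by your-org, on any ref, may join.
apiVersion: auth.riptides.io/v1alpha1
kind: Verifier
metadata:
  name: github-actions-broad
  namespace: riptides-system
spec:
  GitHubActions:
    repositoryOwner: your-org
---
# Narrowed: one repository, one branch, one deployment environment, one workflow,
# and a workload ID derived from the token's repository metadata.
apiVersion: auth.riptides.io/v1alpha1
kind: Verifier
metadata:
  name: github-actions-deploy
  namespace: riptides-system
spec:
  GitHubActions:
    repositoryOwner: your-org
    repository: your-org/my-repo
    environment: production
    ref: refs/heads/main
    audience: riptides
  requiredMetadata:
    - githubactions:workflow: deploy
  workloadIDTemplate: 'gha/{{ index . "githubactions:repository:full_name" }}'
```

Keep the broad form only for experimentation; in an organisation where anyone can create a repository, it lets any member's workflow obtain a daemon identity.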