This repository contains the deployment manifests for AGNTCY Directory project and serves as the federation registry for the public staging network. It is designed to be used with Argo CD for GitOps-style continuous deployment.
The manifests are organized into two main sections:
projects/: Contains Argo CD project definitions.projectapps/: Contains Argo CD application definitions.
The project will deploy the following components:
applications/dir- AGNTCY Directory server with storage backend (v1.2.0)applications/spire*- SPIRE stack for identity and federation (with SPIFFE CSI driver)
NOTE: This is not a production-ready deployment. It is provided as-is for demonstration and testing purposes.
Latest Version: v1.2.0 - See CHANGELOG.md for what's new.
Choose your path based on your goal:
Goal: Connect your application to the existing Directory network to discover agents.
Prerequisites: You'll need a SPIRE server in your environment.
Next Step: Follow the Client Onboarding Guide
Goal: Run your own Directory instance for local testing or private deployment.
Prerequisites: Kubernetes cluster (Kind, Minikube, or cloud provider)
Next Step: See Getting Started (Helm or GitOps/Argo CD)
Goal: Run your own Directory instance and federate with the public staging network.
Prerequisites: Kubernetes cluster + SPIRE knowledge
Next Steps:
- Deploy your Directory instance (see Getting Started)
- Setup federation (see Client Onboarding Guide after deployment)
The default Directory deployment in this repository uses SPIFFE/SPIRE-oriented authentication that works well for in-cluster workloads. If you also want to support dirctl, SDKs, or automation running outside the cluster, enable the optional OIDC add-on in applications/dir/dev/values.yaml.
This add-on puts an Envoy gateway in front of Directory:
- A remote client gets an OIDC token from your identity provider.
- Envoy validates the JWT using the configured issuer and JWKS settings.
- The ext-authz service maps token claims to roles and allowed gRPC methods.
- Only authorized requests are forwarded to the internal Directory apiserver.
Use the OIDC add-on when:
- You want remote
dirctlaccess from a laptop or workstation outside the cluster - You want a human login flow backed by Dex
- You want GitHub Actions or other external automation to call Directory with OIDC tokens
Keep it disabled if you only need in-cluster, SPIFFE-based access.
The staging example now includes a fully commented, opt-in OIDC block in applications/dir/dev/values.yaml. The main settings are:
apiserver.envoyAuthz.enabled: installs the optional Envoy/ext-authz add-onapiserver.envoy-authz.envoy.backend.*: points Envoy at the internal Directory serviceapiserver.envoy-authz.envoy.oidc.dex.*: configures Dex as the human/user OIDC issuerapiserver.envoy-authz.envoy.oidc.github.*: configures GitHub Actions OIDC for automationapiserver.envoy-authz.authServer.oidc.issuers: maps issuers to principal types such asuserorgithubapiserver.envoy-authz.authServer.oidc.roles: maps users, clients, or workflows to allowed gRPC methodsapiserver.envoy-authz.ingress.*: exposes the Envoy gateway for external access over gRPC
If you want interactive user login, configure Dex in applications/dex/dev/values.yaml and make sure:
config.issuermatches the public URL where Dex is reachable- your GitHub OAuth app credentials are supplied through a Kubernetes Secret
- the Dex issuer values in
applications/dex/dev/values.yamlandapplications/dir/dev/values.yamlmatch
Enabling Dex by itself is not enough for remote Directory access. Remote clients also need the Envoy/ext-authz add-on enabled so their OIDC tokens can be validated before requests reach Directory.
The staging values file is a user-facing example. For the complete public source of truth for all supported fields, see:
agntcy/dir/install/charts/dir/apiserver/values.yamlagntcy/dir/install/charts/envoy-authz/values.yaml
After deploying your Directory instance (see Getting Started), it will be isolated and cannot discover agents from other organizations.
Current State (Standalone):
- ✅ Your Directory works for your organization
- ❌ Cannot discover agents from other organizations
- ❌ Your agents are not discoverable by others
- ❌ Limited to your own trust domain
After Federation:
- ✅ All standalone benefits
- ✅ Discover agents across multiple organizations
- ✅ Your agents become globally discoverable
- ✅ Part of decentralized discovery network
Federation requires configuring SPIRE to exchange trust bundles with other Directory instances.
Follow these steps:
-
Choose a Federation Profile
- https_web (recommended): Uses standard HTTPS + Let's Encrypt, no SSL passthrough needed
- https_spiffe: Uses SPIFFE mTLS, requires SSL passthrough and bootstrap bundle exchange
See Federation Profiles for detailed comparison.
-
Create Your Federation File
- Describes how others can connect to your SPIRE federation endpoint
- Template:
onboarding/federation/.federation.web.template.yaml(or.federation.spiffe.template.yaml) - Example: See
onboarding/federation/prod.ads.outshift.io.yamlfor reference
-
Submit Your Federation File
- Fork this repository
- Add your file to
onboarding/federation/your-domain.com.yaml - Submit a Pull Request
-
Deploy Directory's Federation File
- After approval, deploy
onboarding/federation/prod.ads.outshift.io.yamlto your cluster - Run
task gen:dirto regenerateapplications/dir/gen.values.yaml - ArgoCD will automatically sync the federation configuration
- This tells your SPIRE how to connect to the Directory network
- After approval, deploy
Complete Instructions: See the Client Onboarding Guide for step-by-step federation setup.
| Topic | Link |
|---|---|
| Getting Started | docs.agntcy.org/dir/getting-started |
| Partner Federation with Prod | docs.agntcy.org/dir/partner-prod-federation |
| Federation Profiles | docs.agntcy.org/dir/federation-profiles |
| Federation Troubleshooting | docs.agntcy.org/dir/federation-troubleshooting |
| Production Deployment | docs.agntcy.org/dir/prod-deployment |
Distributed under Apache 2.0 License. See LICENSE for more information. Copyright AGNTCY Contributors (https://github.com/agntcy)