Tiny HTTP proxy that adds Kubernetes ServiceAccount token authentication to outbound requests. Runs inside sandbox microVMs.
For architecture overview, see docs/secret-proxy.md.
Sits between SDK HTTP clients and the external secret-proxy:
SDK → auth-proxy (localhost:8080) → secret-proxy (external)
adds SA token injects secrets
This proxy has NO secrets - it only adds authentication.
go build -o auth-proxy .| Variable | Default | Description |
|---|---|---|
LISTEN_ADDR |
:8080 |
Address to listen on |
TOKEN_PATH |
/var/run/secrets/proxy-auth/token |
Path to SA token file |
UPSTREAM_PROXY |
http://secret-proxy.netclode.svc.cluster.local:8080 |
External proxy URL |
- Reads ServiceAccount token from mounted volume (refreshed every 5 minutes)
- For each request, adds
Proxy-Authorization: Bearer <token>header - Forwards to upstream secret-proxy
Supports both HTTP requests and HTTPS CONNECT tunneling.