tokenbridge-k8s-sidecar is a Kubernetes sidecar container that exchanges a projected Kubernetes ServiceAccount token for a custom access token using a remote tokenbridge service. The sidecar writes the resulting token to a shared volume, making it available to your main application container.
- Securely exchanges Kubernetes ServiceAccount tokens for custom tokens.
- Periodically re-runs the exchange (every `REFRESH_INTERVAL`) so the application always holds a token that has not yet expired.
- Shares the token with your main application through a volume both containers mount: writable for the sidecar, read-only for the application.
- Designed for use as a sidecar in Kubernetes Pods.
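Two things follow from the feature list for the application side, and they are easy to get wrong: the sidecar rewrites the shared file at every refresh, so the application must read it per request rather than once at startup, and all containers in a pod start together, so the file may not exist yet when the application comes up. The Go program below is an added example of a consumer that handles both; it is not part of this project. It assumes only the `TOKENBRIDGE_TOKEN_FILE` variable that the example manifest further down sets, treats the token as an opaque bearer string, and the names `fileTokenSource`, `waitForToken` and `newClient` are chosen here.

```go
// Added example, not the project's code: the application-side consumer of the file the sidecar
// writes. Only TOKENBRIDGE_TOKEN_FILE from the manifest is assumed; the token is an opaque bearer string.
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"
)

var errNotReady = errors.New("token not yet written by the sidecar")

// fileTokenSource reads the token from the shared volume on every call. The sidecar rewrites
// the file at each refresh, so a copy taken once at startup would go stale after one interval.
type fileTokenSource struct{ path string }

// Token returns the current token. A missing or empty file is reported as errNotReady so callers
// can retry: all containers in a pod start together and the sidecar may not have finished its
// first exchange yet.
func (s fileTokenSource) Token() (string, error) {
	raw, err := os.ReadFile(s.path)
	if errors.Is(err, os.ErrNotExist) {
		return "", errNotReady
	}
	if err != nil {
		return "", err
	}
	tok := strings.TrimSpace(string(raw))
	if tok == "" {
		return "", errNotReady
	}
	return tok, nil
}

// waitForToken blocks until the sidecar has published a token or timeout elapses; call it once
// before serving traffic so the first upstream request is not made without a credential.
func waitForToken(s fileTokenSource, timeout, poll time.Duration) (string, error) {
	deadline := time.Now().Add(timeout)
	for {
		tok, err := s.Token()
		if err == nil {
			return tok, nil
		}
		if !errors.Is(err, errNotReady) || time.Now().After(deadline) {
			return "", fmt.Errorf("waiting for %s: %w", s.path, err)
		}
		time.Sleep(poll)
	}
}

// tokenTransport attaches the token at request time, so every request made after a refresh
// carries the new token without the application tracking rotation itself.
type tokenTransport struct {
	src  fileTokenSource
	base http.RoundTripper
}

func (t tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	tok, err := t.src.Token()
	if err != nil {
		return nil, err
	}
	r := req.Clone(req.Context()) // RoundTrippers must not modify the caller's request
	if r.Header == nil {
		r.Header = make(http.Header)
	}
	r.Header.Set("Authorization", "Bearer "+tok)
	return t.base.RoundTrip(r)
}

// roundTripFunc adapts a plain function to http.RoundTripper (handy for tests and fakes).
type roundTripFunc func(*http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// newClient returns an http.Client whose every request is authenticated with the sidecar's
// current token; a nil base means the default transport.
func newClient(src fileTokenSource, base http.RoundTripper) *http.Client {
	if base == nil {
		base = http.DefaultTransport
	}
	return &http.Client{Transport: tokenTransport{src: src, base: base}, Timeout: 10 * time.Second}
}

func main() {
	src := fileTokenSource{path: os.Getenv("TOKENBRIDGE_TOKEN_FILE")}
	if _, err := waitForToken(src, 30*time.Second, 500*time.Millisecond); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	client := newClient(src, nil)
	_ = client // use it for every call to the service that accepts the bridged token
	fmt.Println("bridged token available at", src.path)
}
```

Reading the file on every request is deliberate: the file is a few kilobytes and the read is local, while any cache keyed on modification time has to reason about timestamp granularity across rewrites. If your application starts serving before the token exists, the readiness probe should fail until `waitForToken` returns.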
A prebuilt image is available on Docker Hub:

```sh
docker pull hupe1980/tokenbridge-k8s-sidecar:latest
```

You can reference this image directly in your Kubernetes manifests. For anything beyond a quick trial, pin a specific tag or the image digest instead of `latest`, so the container that handles your tokens cannot change underneath you.
See config/deployment.yaml for an example manifest:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tokenbridge-sa
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tokenbridge-example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tokenbridge-example
  template:
    metadata:
      labels:
        app: tokenbridge-example
    spec:
      serviceAccountName: tokenbridge-sa
      volumes:
        - name: token-vol
          projected:
            sources:
              - serviceAccountToken:
                  path: sa-token
                  expirationSeconds: 3600
                  audience: tokenbridge
        - name: tokenbridge-vol
          emptyDir: {}
      containers:
        - name: main-app
          image: alpine:3.21
          command: ["/bin/sh"]
          args: ["-c", "sleep infinity"]
          volumeMounts:
            - name: tokenbridge-vol
              mountPath: /run/secrets/tokenbridge
              readOnly: true
          env:
            - name: TOKENBRIDGE_TOKEN_FILE
              value: /run/secrets/tokenbridge/access-token
        - name: sidecar
          image: hupe1980/tokenbridge-k8s-sidecar:latest
          volumeMounts:
            - name: token-vol
              mountPath: /var/run/secrets/tokens
              readOnly: true
            - name: tokenbridge-vol
              mountPath: /run/secrets/tokenbridge
          env:
            - name: SA_TOKEN_PATH
              value: /var/run/secrets/tokens/sa-token
            - name: OUTPUT_TOKEN_PATH
              value: /run/secrets/tokenbridge/access-token
            - name: EXCHANGE_URL
              value: https://your-tokenbridge-service/exchange
            - name: REFRESH_INTERVAL
              value: 1h
            - name: AUDIENCE
              value: tokenbridge
```

A few points about this manifest. The projected token's `audience` and the sidecar's `AUDIENCE` are both `tokenbridge`; a projected token is only useful to the service named in its audience, which is what keeps it from being replayed against the Kubernetes API or another workload. `expirationSeconds` is the lifetime of the projected ServiceAccount token, which the kubelet rotates on its own; it is not the refresh interval of the exchanged token. The exchanged token lands in `tokenbridge-vol`, which is mounted read-only in the application container; if you do not want it written to node disk, back the `emptyDir` with memory (`medium: Memory`).

The sidecar expects the following environment variables:

- `SA_TOKEN_PATH` (required): Path to the projected ServiceAccount token.
- `OUTPUT_TOKEN_PATH` (required): Path to write the exchanged token.
- `EXCHANGE_URL` (required): URL of the tokenbridge service.
- `REFRESH_INTERVAL` (optional): How often to refresh the token (default: `1h`). Keep it shorter than the lifetime of the token the tokenbridge service issues, otherwise the application will hold an expired token until the next refresh.
- `AUDIENCE` (optional): Audience for the token exchange; set it to the `audience` of the projected token (both are `tokenbridge` in the manifest above).
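The loop those variables describe, as an added example in Go that is not the project's own code: re-read the projected token on every iteration (the kubelet rotates it), check that its `aud` claim carries the configured `AUDIENCE` before calling out, exchange it, and write the result to `OUTPUT_TOKEN_PATH` atomically so the application never observes a half-written file. This page does not specify the tokenbridge request or response format, so the HTTP call is passed in as a function and `main` only wires up the environment; `audiencesOf`, `writeAtomically` and `refreshOnce` are names chosen here, and `unsignedJWT` mints constructed test input only.

```go
// Added example, not the project's code; the exchange call is injected because its request format is not on this page.
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// audiencesOf decodes the JWT payload WITHOUT verifying the signature (the tokenbridge
// service, not the sidecar, is the verifier). aud is an array from Kubernetes but may be a string.
func audiencesOf(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var claims struct{ Aud json.RawMessage `json:"aud"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	var one string
	if json.Unmarshal(claims.Aud, &one) == nil {
		return []string{one}, nil
	}
	var many []string
	return many, json.Unmarshal(claims.Aud, &many) // fails for a missing aud, which is what we want
}

func hasAudience(auds []string, want string) bool {
	for _, a := range auds {
		if a == want {
			return true
		}
	}
	return false
}

// writeAtomically writes a temp file beside the target and renames it into place, so the
// application never reads a half-written token. 0640: readers need a matching UID or fsGroup.
func writeAtomically(path, token string) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".token-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err = tmp.WriteString(token); err == nil {
		err = tmp.Chmod(0o640)
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err == nil {
		err = os.Rename(tmp.Name(), path)
	}
	return err
}

// refreshOnce is one iteration of the sidecar loop: re-read the projected token (the kubelet
// rotates it, so never cache it), check its audience, exchange it, publish the result. The caller
// sleeps REFRESH_INTERVAL between calls; keep that shorter than the exchanged token's lifetime.
func refreshOnce(saPath, outPath, audience string, exchange func(string) (string, error)) error {
	raw, err := os.ReadFile(saPath)
	if err != nil {
		return fmt.Errorf("read projected token: %w", err)
	}
	sa := strings.TrimSpace(string(raw))
	auds, err := audiencesOf(sa)
	if err != nil {
		return fmt.Errorf("projected token: %w", err)
	}
	if audience != "" && !hasAudience(auds, audience) {
		return fmt.Errorf("projected token aud %v lacks %q", auds, audience)
	}
	token, err := exchange(sa)
	if err != nil {
		return fmt.Errorf("exchange: %w", err)
	}
	return writeAtomically(outPath, token)
}

func unsignedJWT(claims map[string]interface{}) string { // constructed alg:none test token; no verifier should accept one
	enc := func(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "none"}) + "." + enc(claims) + "."
}

func main() { // wiring only: the HTTP call to EXCHANGE_URL belongs in place of the stub
	stub := func(string) (string, error) { return "", fmt.Errorf("exchange not implemented in this example") }
	if err := refreshOnce(os.Getenv("SA_TOKEN_PATH"), os.Getenv("OUTPUT_TOKEN_PATH"), os.Getenv("AUDIENCE"), stub); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

The audience check is a cheap local guard, not verification: it catches a manifest whose projected `audience` and `AUDIENCE` disagree before a round trip is wasted, while the tokenbridge service still has to verify the signature and audience itself. The temp-file-plus-rename write is what lets the application container mount the volume read-only and still never see a truncated token.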
- Build: `make build`
- Lint: `make lint`
- Test: `make test`
- TokenBridge: The main project for TokenBridge, providing core functionality and documentation.
- TokenBridge GitHub Action: Automate your workflows with TokenBridge using GitHub Actions.
- TokenBridge Backend Example: A practical example of how to create a TokenBridge backend application.
MIT License. See LICENSE for details.