feat(panda-chat)!: service-account bot identity + privileged sidecar split#481
Merged
Conversation
…credentials Replace the seeded-credentials bot identity (credentials.panda.credentialsJson / credentialsFile + seed-panda-creds initContainer) with an Authentik service account: credentials.panda.botUsername / botToken materialize as PANDA_BOT_USERNAME / PANDA_BOT_TOKEN, and panda-config.yaml now configures proxy.auth mode client_credentials against the Authentik panda-proxy application issuer (default panda.issuerUrl switches from Dex to Authentik; the trailing slash is part of the issuer). panda-server mints access tokens on demand and keeps them in memory — nothing is written under credentials/. Both bot values are required when panda.enabled, so a values gap fails at template time instead of producing a half-authenticated pod. Requires a hermes-agent-panda image carrying panda with client_credentials support. Part of chat docs/identity-and-attribution-plan.md (Phase 3).
Two-container pod: hermes always runs unprivileged (uid 10000, caps dropped) and panda-server + dockerd move to a privileged sidecar that is the only container holding PANDA_BOT_USERNAME/TOKEN — the credential gets its own Secret so hermes' envFrom can no longer expose it to LLM-driven shell execution. Hermes reaches the sidecar on 127.0.0.1:2480 via the shared pod netns; sidecar probes are exec-based (server binds loopback). Resources split: .resources -> hermes, panda.resources -> sidecar.
7dca5ff to
e8d4774
Compare
Member
Author
|
Rebased onto master (#479's .helmignore fix + 0.1.1 republish). Conflict resolution: chart |
barnabasbusa
approved these changes
Jun 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Chart 0.1.0 → 0.2.0, two breaking changes (design: ethpandaops/chat
docs/identity-and-attribution-plan.md):1. Bot identity via Authentik
client_credentials(replaces seeded refresh-token credentials):credentials.panda.{credentialsJson,credentialsFile}→{botUsername,botToken}(bothrequiredwhenpanda.enabled)panda-config.yamlrenders aproxy.authblock withmode: client_credentialsagainst the Authentik issuer (trailing slash is part of the issuer); Dex default removedseed-panda-credsinitContainer deleted — tokens are minted on demand and live in memory only2. Container split — hermes is never privileged:
hermescontainer: always unprivileged (uid 10000, caps dropped), no docker socket, no bot credentialpanda-serversidecar (only whenpanda.enabled): privileged (dockerd), same image withpanda-stackentrypoint arg, and the ONLY container that mounts the new dedicated<name>-panda-secret(PANDA_BOT_USERNAME/PANDA_BOT_TOKEN). Hermes executes LLM-driven shell commands, so it must never share an environment with the credential.127.0.0.1:2480(shared pod netns); sidecar probes are exec-based (server binds loopback).resources→ hermes,panda.resources→ sidecarRequires the
hermes-agent-pandaimage with the dispatch entrypoint (ethpandaops/chat) built on a panda release that includes client_credentials (ethpandaops/panda#170) — do not roll to a devnet before both exist.Verification
helm template(panda enabled): hermesprivileged=False runAsUser=10000 envFrom=[hermes-secret]; panda-serverprivileged=True envFrom=[panda-secret]; secrets carry the right keyshelm template(panda disabled): single unprivileged container, no panda SecretbotUsername/botTokenfails with a clearrequirederror