| 1 | +# Upstream Community Engagement Guide |
| 2 | + |
| 3 | +**AegisSovereignAI** (LF Edge/AI Project) |
| 4 | + |
| 5 | +This document outlines the sequential steps for introducing the Unified Identity feature to upstream communities. |
| 6 | + |
| 7 | +--- |
| 8 | + |
| 9 | +## Phase 1: SPIRE Community (Week 1-2) |
| 10 | + |
| 11 | +### Step 1.1: Join SPIFFE Slack |
| 12 | +- **Link:** https://slack.spiffe.io/ |
| 13 | +- **Channel:** `#spire-dev` |
| 14 | + |
| 15 | +### Step 1.2: Post Introduction Message |
| 16 | + |
| 17 | +> **Subject: [RFC] Hardware Attestation Claims in X.509 SVIDs via Keylime Integration** |
| 18 | +> |
| 19 | +> Hi SPIRE community! 👋 |
| 20 | +> |
| 21 | +> We're from the **AegisSovereignAI** project under LF Edge/AI. We've developed a CredentialComposer plugin that extends X.509 SVIDs with hardware attestation claims from Keylime TPM verification. |
| 22 | +> |
| 23 | +> **What we built:** |
| 24 | +> - A `unifiedidentity` CredentialComposer plugin that adds an AttestedClaims X.509 extension (OID `1.3.6.1.4.1.55744.1.1`) |
| 25 | +> - TPM "App Key" support - workload-specific keys certified by Keylime's Attestation Key |
| 26 | +> - Geolocation claims bound to TPM PCR-15 |
| 27 | +> |
| 28 | +> **Use case:** Hybrid cloud environments where workload identity needs to carry verifiable hardware integrity and location proofs. |
| 29 | +> |
| 30 | +> **Resources:** |
| 31 | +> - Repository: https://github.com/lfedgeai/AegisSovereignAI/tree/main/hybrid-cloud-poc |
| 32 | +> - Architecture: https://github.com/lfedgeai/AegisSovereignAI/blob/main/hybrid-cloud-poc/README-arch-sovereign-unified-identity.md |
| 33 | +> - Roadmap: https://github.com/lfedgeai/AegisSovereignAI/blob/main/hybrid-cloud-poc/UPSTREAM_MERGE_ROADMAP.md |
| 34 | +> |
| 35 | +> We'd love to discuss upstreaming this as a formal SPIRE plugin. Would there be interest in a community meeting presentation? |
| 36 | +> |
| 37 | +> Thanks! |
| 38 | +
|
| 39 | +### Step 1.3: Request Community Meeting Slot |
| 40 | +- **Meeting Schedule:** Bi-weekly (check SPIFFE calendar) |
| 41 | +- **Request via:** Slack or GitHub Discussion |
| 42 | + |
| 43 | +### Step 1.4: Submit GitHub Discussion/RFC |
| 44 | +- **Location:** https://github.com/spiffe/spire/discussions |
| 45 | +- **Type:** RFC for CredentialComposer plugin extension |
| 46 | + |
| 47 | +--- |
| 48 | + |
| 49 | +## Phase 2: Keylime Community (Week 2-3) |
| 50 | + |
| 51 | +### Step 2.1: Join Keylime Slack |
| 52 | +- **Link:** https://cloud-native.slack.com/ |
| 53 | +- **Channel:** `#keylime` |
| 54 | + |
| 55 | +### Step 2.2: Post Introduction Message |
| 56 | + |
| 57 | +> **Subject: [RFC] App Key Verification API for SPIRE Integration** |
| 58 | +> |
| 59 | +> Hi Keylime community! 👋 |
| 60 | +> |
| 61 | +> We're from the **AegisSovereignAI** project under LF Edge/AI. We've extended Keylime to support "App Keys" - TPM-bound application keys that enable SPIRE workload identity with hardware attestation. |
| 62 | +> |
| 63 | +> **What we built:** |
| 64 | +> - **App Key Verification API** in the Keylime Verifier for on-demand SPIRE queries |
| 65 | +> - **Delegated Certification** where the Attestation Key (AK) signs workload App Keys |
| 66 | +> - **Geolocation Attestation** with nonce-bound location claims in PCR-15 |
| 67 | +> - **rust-keylime extensions** for TPM quote generation with geolocation |
| 68 | +> |
| 69 | +> **Changes:** |
| 70 | +> - `keylime/app_key_verification.py` - New verification endpoint |
| 71 | +> - `rust-keylime/` - Agent extensions for App Key certification |
| 72 | +> - Feature-flagged with `unified_identity_enabled` |
| 73 | +> |
| 74 | +> **Resources:** |
| 75 | +> - Repository: https://github.com/lfedgeai/AegisSovereignAI/tree/main/hybrid-cloud-poc |
| 76 | +> - Architecture: https://github.com/lfedgeai/AegisSovereignAI/blob/main/hybrid-cloud-poc/README-arch-sovereign-unified-identity.md |
| 77 | +> |
| 78 | +> Would love to present at a community call and discuss the best path to upstream these features! |
| 79 | +> |
| 80 | +> Thanks! |
| 81 | +
|
| 82 | +### Step 2.3: Request Community Meeting Slot |
| 83 | +- **Meeting Schedule:** Bi-weekly (check Keylime GitHub wiki) |
| 84 | + |
| 85 | +### Step 2.4: Submit RFC Issue |
| 86 | +- **Location:** https://github.com/keylime/keylime/issues |
| 87 | +- **Label:** `enhancement`, `RFC` |
| 88 | + |
| 89 | +--- |
| 90 | + |
| 91 | +## Phase 3: Envoy Community (Week 3-4) |
| 92 | + |
| 93 | +### Step 3.1: Join Envoy Slack |
| 94 | +- **Link:** https://envoyproxy.slack.com/ |
| 95 | +- **Channel:** `#wasm` |
| 96 | + |
| 97 | +### Step 3.2: Post Introduction Message |
| 98 | + |
| 99 | +> **Subject: WASM Filter for X.509 Unified Identity Claims Extraction** |
| 100 | +> |
| 101 | +> Hi Envoy community! 👋 |
| 102 | +> |
| 103 | +> We're from the **AegisSovereignAI** project under LF Edge/AI. We've built a Rust-based WASM filter that extracts custom X.509 extension claims from SPIRE SVIDs for policy enforcement in hybrid cloud scenarios. |
| 104 | +> |
| 105 | +> **What it does:** |
| 106 | +> - Extracts Unified Identity extension (OID `1.3.6.1.4.1.55744.1.1`) from client certificates |
| 107 | +> - Parses sensor ID, geolocation, IMEI/IMSI claims |
| 108 | +> - Supports three verification modes: Trust, Runtime (cached), Strict (real-time) |
| 109 | +> - Calls a sidecar for CAMARA device location verification (mobile sensors) |
| 110 | +> - Exposes Prometheus metrics for observability |
| 111 | +> |
| 112 | +> **Use case:** Zero-trust edge deployments where location-based access control is required, with hardware-rooted identity proofs. |
| 113 | +> |
| 114 | +> **Resources:** |
| 115 | +> - WASM Filter: https://github.com/lfedgeai/AegisSovereignAI/tree/main/hybrid-cloud-poc/enterprise-private-cloud/wasm-plugin |
| 116 | +> - Full System: https://github.com/lfedgeai/AegisSovereignAI/tree/main/hybrid-cloud-poc |
| 117 | +> |
| 118 | +> We're planning to publish this as a standalone WASM filter. Happy to share more details or do a demo! |
| 119 | +> |
| 120 | +> Thanks! |
| 121 | +
|
| 122 | +### Step 3.3: Publish as Standalone Project |
| 123 | +- Host under LF Edge/AI GitHub organization |
| 124 | +- Add to Envoy WASM extensions examples (optional) |
| 125 | + |
| 126 | +--- |
| 127 | + |
| 128 | +## Phase 4: Cross-Project Coordination (Week 4+) |
| 129 | + |
| 130 | +### Step 4.1: LF Edge TAC Presentation |
| 131 | +- Present the integration to LF Edge Technical Advisory Council |
| 132 | +- Get organizational support for cross-CNCF collaboration |
| 133 | + |
| 134 | +### Step 4.2: Joint Blog Post |
| 135 | +- Publish on LF Edge blog |
| 136 | +- Cross-post to CNCF blog (if approved) |
| 137 | +- Title suggestion: "Hardware-Rooted Workload Identity: Bridging SPIRE and Keylime for Sovereign Edge" |
| 138 | + |
| 139 | +### Step 4.3: Submit PRs in Phases |
| 140 | +Based on community feedback, submit PRs to: |
| 141 | +1. **SPIRE:** CredentialComposer plugin |
| 142 | +2. **Keylime:** App Key Verification API + rust-keylime extensions |
| 143 | +3. **Envoy:** WASM filter as standalone project reference |
| 144 | + |
| 145 | +--- |
| 146 | + |
| 147 | +## Timeline Summary |
| 148 | + |
| 149 | +| Week | Activity | |
| 150 | +|------|----------| |
| 151 | +| 1 | Join Slack channels, post SPIRE introduction | |
| 152 | +| 2 | Request SPIRE meeting, post Keylime introduction | |
| 153 | +| 3 | Present at SPIRE call, request Keylime meeting, post Envoy introduction | |
| 154 | +| 4 | Present at Keylime call, submit RFCs based on feedback | |
| 155 | +| 5+ | Begin PR submissions, iterate based on reviews | |
| 156 | + |
| 157 | +--- |
| 158 | + |
| 159 | +## Contact & Resources |
| 160 | + |
| 161 | +- **Repository:** https://github.com/lfedgeai/AegisSovereignAI |
| 162 | +- **PoC Directory:** https://github.com/lfedgeai/AegisSovereignAI/tree/main/hybrid-cloud-poc |
| 163 | +- **Roadmap:** https://github.com/lfedgeai/AegisSovereignAI/blob/main/hybrid-cloud-poc/UPSTREAM_MERGE_ROADMAP.md |
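Review bot: the Timeline Summary table contradicts the phase steps above it: Step 1.4 (SPIRE GitHub Discussion/RFC) sits in Phase 1, Week 1-2, and Step 2.4 (Keylime RFC issue) in Phase 2, Week 2-3, yet the table defers "submit RFCs based on feedback" to Week 4 and puts "post Envoy introduction" in Week 3 while Phase 3 spans Week 3-4; pick one sequence, because filing the RFC before the community call (to give reviewers context) and after it (to fold in feedback) are different plans. Two documentation gaps in the introduction messages worth closing before posting: the SPIRE and Envoy messages cite the AttestedClaims extension OID `1.3.6.1.4.1.55744.1.1` without saying whose private enterprise arc 55744 is, and upstream maintainers will ask for that provenance before accepting a new X.509 extension; and the Envoy message lists "Trust, Runtime (cached), Strict (real-time)" verification modes without stating what each mode checks and what the Trust mode skips, which is the first question a policy-enforcement audience will raise. Minor: Step 2.4 assumes an `RFC` label exists in the keylime/keylime issue tracker; confirm it before telling contributors to apply it.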