Agent Architecture & Security
The Ennote Smart Agent extends our Identity-Driven, Zero-Persistence architecture directly into your clusters. Review our core synchronization mechanics and strict security posture.
Core Synchronization Mechanics
Unlike legacy vaults that rely on slow polling intervals or RAM-heavy sidecars injected into every pod, the Ennote Agent operates as a single, highly efficient stateless pod per cluster.
- Solving 'Secret Zero': Deploy using a Bootstrap Token that expires in 2 hours. Upon startup, the Agent generates an Ed25519 keypair in memory, registers its public key with Ennote Cloud, and exchanges it for a 15-minute rotating access token. No long-lived credentials reside in your cluster.
- Real-Time Push: The Agent maintains a persistent outbound gRPC connection via HTTP/2 (port 443). Updates are streamed instantly, offering < 1s sync latency without the need for inbound firewall rules.
- Smart Rollouts: When a secret updates, the Agent updates the Native K8s Secret and automatically executes a Strategic Merge Patch that triggers a Rolling Restart of annotated Deployments, StatefulSets, or DaemonSets. No external sidecars or 'Reloader' tools are required.
Zero-Trust Security Design
As a cybersecurity company, we engineer the agent with least-privilege principles by default to ensure maximum isolation in high-threat environments:
- Zero-Ingress Posture: Operates as a Headless Worker Pod with absolutely no listening network ports. All connections are strictly outbound to the Ennote API.
- Hardened Pod Environment: The agent runs as non-root, drops all Linux capabilities, disables privilege escalation, and utilizes a strict readOnlyRootFilesystem.
- Strict Kubernetes RBAC: Permissions are strictly namespace-scoped to a Role (not a ClusterRole). The agent explicitly lacks the `update` or `delete` verbs on workloads, ensuring a compromised agent cannot delete a database or rewrite an image.
- Memory Hygiene & Ephemeral Cryptography: Data Encryption Keys (DEKs) and raw JSON byte arrays are explicitly wiped from the JVM heap post-processing to defeat memory scraping. The agent generates a new, ephemeral session KeyPair for every sync loop.
- Collision Defense: The reconciliation loop checks K8s labels before overwriting secrets. If a secret wasn't created by Ennote, the agent gracefully skips it to prevent destroying existing user data.
- Signed Artifacts: All Helm and OCI releases are cryptographically signed via Cosign using GitHub OIDC identities.
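The reconciliation decisions described under Smart Rollouts and Collision Defense above, as an added Python example that is not the agent's own code. The managed-by label, the reload annotation and the shape of the sample objects are assumptions made for this example; only the restartedAt annotation key is the standard one `kubectl rollout restart` uses.

```python
import base64
from datetime import datetime, timezone

# Label and annotation keys are assumptions for this example, not the agent's real ones.
MANAGED_BY_LABEL = "app.kubernetes.io/managed-by"
MANAGED_BY_VALUE = "ennote-agent"
RELOAD_ANNOTATION = "ennote.io/reload"
# Standard key that `kubectl rollout restart` bumps: any change to the pod template
# makes the workload controller roll the pods.
RESTART_ANNOTATION = "kubectl.kubernetes.io/restartedAt"


def encode_data(plain):
    """Kubernetes stores Secret .data values base64-encoded."""
    return {k: base64.b64encode(v.encode()).decode() for k, v in plain.items()}


def reconcile_secret(existing, desired_plain):
    """Return (action, reason) for one Secret: existing is the object currently in the
    namespace (dict) or None; desired_plain is {key: value} received from the cloud."""
    if existing is None:
        return "create", "secret absent"
    labels = existing.get("metadata", {}).get("labels") or {}
    if labels.get(MANAGED_BY_LABEL) != MANAGED_BY_VALUE:
        # Collision defense: a Secret the agent did not create is never overwritten.
        return "skip", "secret not owned by the agent"
    if existing.get("data") == encode_data(desired_plain):
        return "unchanged", "data identical, no restart needed"
    return "update", "managed secret changed"


def rollout_restart_patch(workload, now=None):
    """Strategic merge patch for an opted-in workload, or None if it is not annotated.
    Only a pod-template annotation changes, so `patch` on the workload suffices and the
    image, replicas and other spec fields are never rewritten."""
    annotations = workload.get("metadata", {}).get("annotations") or {}
    if annotations.get(RELOAD_ANNOTATION) != "true":
        return None
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return {"spec": {"template": {"metadata": {"annotations": {RESTART_ANNOTATION: stamp}}}}}


# Constructed sample objects shaped like the Kubernetes API; not from any real cluster.
FOREIGN_SECRET = {"metadata": {"name": "db-creds", "labels": {"team": "dba"}},
                  "data": encode_data({"password": "keep-me"})}
MANAGED_SECRET = {"metadata": {"name": "api-key", "labels": {MANAGED_BY_LABEL: MANAGED_BY_VALUE}},
                  "data": encode_data({"token": "v1"})}
OPTED_IN_DEPLOYMENT = {"metadata": {"name": "web", "annotations": {RELOAD_ANNOTATION: "true"}}}

if __name__ == "__main__":
    print(reconcile_secret(FOREIGN_SECRET, {"password": "v2"}))
    print(reconcile_secret(MANAGED_SECRET, {"token": "v2"}))
    print(rollout_restart_patch(OPTED_IN_DEPLOYMENT))
```

Running the block shows the foreign secret being skipped, the managed secret being marked for update, and the patch body that only touches the pod-template annotation.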
Verifying Chart Signatures
We sign our OCI artifacts using GitHub OIDC via Sigstore's Cosign. To verify the integrity of the downloaded chart before deployment, run the following commands:
# 1. Pull the chart from the OCI registry
helm pull oci://ghcr.io/ennote-io/charts/ennote-agent
# 2. Verify the signature against the Ennote GitHub Actions identity
#    (the regexp below accepts any workflow in the ennote-io org; narrow it to the
#    release workflow path if you want a tighter check)
cosign verify \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
--certificate-identity-regexp="^https://github.com/ennote-io/.*" \
ghcr.io/ennote-io/charts/ennote-agent
Need Help?
If you encounter any issues or have questions, don’t hesitate to contact support. Our team is here to assist you with any challenges you might face.
© 2026 Ennote.io. All Rights Reserved.