SPIRE WorkloadAttestor that reads governance env vars from /proc/{pid}/environ
(walking up the process tree to find gsh) and emits gsap: selectors on workload
SVIDs. Maps BASCULE_* vars set by bascule-shell and future GSH_* vars to the
11-selector vocabulary defined in gsap-types/src/selectors.rs.
- pkg/gsap/selectors.go: shared Go constants mirroring Rust vocabulary
- cmd/gsap-attestor/: plugin implementation with /proc reading, process tree
walking, capability ceiling translation, and fail-open for non-governed processes
- 28 tests covering selector extraction, proc parsing, tree walking, and depth limits
- Makefile, Dockerfile, deploy config updated
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Two-stage build. Builder stage: golang:1.23.6-bookworm (pinned to
match the go directive in go.mod exactly), CGO_ENABLED=0, -trimpath
and -s -w linker flags for reproducible, size-minimized static
binaries. Compiles all four plugin binaries into /plugins/.
Runtime stage: debian:bookworm-slim with the /plugins/ directory
copied in and made world-readable. The image is inert — SPIRE server
and agent Deployments consume it via an initContainer that runs
`cp -r /plugins/ /opt/spire/plugins/` into a shared emptyDir volume,
so no ENTRYPOINT is needed.
Path: git.guildhouse.dev/tking/spire-plugins:v0.1.0.
Not replacing Containerfile.dev, which remains the local-dev variant.
Signed-off-by: Tyler J King <tking@guildhouse.dev>
