SPIRE converts JSON plugin_data to HCL v1 native syntax with quoted
attribute names ("max_depth" = 10). HCL v2's parser rejects quoted
keys, so strip them before parsing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Temporary diagnostic commit — surfaces the exact data SPIRE sends to
the Configure RPC so we can determine why JSON decode fails.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
SPIRE's chart renders plugin_data as JSON via reformat-and-yaml2json,
so hclsimple.Decode with "plugin.json" filename triggers HCL v2 JSON
mode. Falls back to native HCL for direct testing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The original implementation used hashicorp/go-plugin directly with a
custom handshake, which SPIRE rejected. Switch to spire-plugin-sdk's
pluginmain.Serve() for correct WorkloadAttestor protocol negotiation,
implement ConfigServer for plugin_data parsing, and return selector
values in key:value format (SPIRE infers the type prefix from the
plugin name). Config decoding tries JSON first (chart renders YAML
as JSON) then falls back to HCL.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
SPIRE WorkloadAttestor that reads governance env vars from /proc/{pid}/environ
(walking up the process tree to find gsh) and emits gsap: selectors on workload
SVIDs. Maps BASCULE_* vars set by bascule-shell and future GSH_* vars to the
11-selector vocabulary defined in gsap-types/src/selectors.rs.
- pkg/gsap/selectors.go: shared Go constants mirroring Rust vocabulary
- cmd/gsap-attestor/: plugin implementation with /proc reading, process tree
walking, capability ceiling translation, and fail-open for non-governed processes
- 28 tests covering selector extraction, proc parsing, tree walking, and depth limits
- Makefile, Dockerfile, deploy config updated
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Two-stage build. Builder stage: golang:1.23.6-bookworm (pinned to
match the go directive in go.mod exactly), CGO_ENABLED=0, -trimpath
and -s -w linker flags for reproducible, size-minimized static
binaries. Compiles all four plugin binaries into /plugins/.
Runtime stage: debian:bookworm-slim with the /plugins/ directory
copied in and made world-readable. The image is inert — SPIRE server
and agent Deployments consume it via an initContainer that runs
`cp -r /plugins/ /opt/spire/plugins/` into a shared emptyDir volume,
so no ENTRYPOINT is needed.
Path: git.guildhouse.dev/tking/spire-plugins:v0.1.0.
Not replacing Containerfile.dev, which remains the local-dev variant.
Signed-off-by: Tyler J King <tking@guildhouse.dev>
NewClient no longer returns an error when Quartermaster is unreachable.
grpc.DialContext without WithBlock is already non-blocking; the prior
10s timeout context was effectively a no-op. Removing it and adding
explicit ConnectParams (BaseDelay 1s, Multiplier 1.5, Jitter 0.2,
MaxDelay 30s, MinConnectTimeout 20s) makes the intended behavior
explicit: the gRPC ClientConn retries connection in the background
with exponential backoff, and RPCs return Unavailable until QM is up.
The governance-notifier and substrate-keymanager plugins already log
RPC errors via handleEvent and continue without aborting the SPIRE
operation, so no call-site changes are needed. This unblocks SPIRE
bootstrap when Quartermaster hasn't been deployed yet, breaking the
SPIRE <-> QM circular deployment dependency.
Added watchConnState helper that logs once per transition so operators
see at SPIRE startup whether QM is reachable: a single WARN-style line
when the connection is not yet Ready, and an INFO line when it becomes
Ready. conn.Connect() is called eagerly so those logs fire at plugin
load rather than waiting for the first RPC.
Deferred:
- Add a unit test for NewClient succeeding with an unreachable address
(existing TestNewClientAcceptsTLSConfig is a pre-existing failure
using placeholder cert paths; unrelated to this change).
Signed-off-by: Tyler J King <tking@guildhouse.dev>
Document the trust withdrawal cascade:
Keylime breach → posture degraded → sessions downgraded
→ SPIRE re-attestation fails → SVIDs expire
→ service mTLS fails → quorum degrades
No new code for the cascade — it's emergent from existing
re-attestation behavior + the Keylime attestor plugin.
SPIRE federation handles cross-edge propagation through
standard certificate expiration.
Three timing profiles: Standard (~1hr), Enhanced (~15min),
Critical (~5min) with SVID TTL configuration guidance.
Example SPIRE server config with Keylime attestor + k8s_psat
fallback for nodes without hardware TPM.
Signed-off-by: Tyler King <tking@guildhouse.dev>
Signed-off-by: Tyler J King <tking727@gmail.com>
New shellstream extension §10.6 network-policy@guildhouse.dev carrying
GovernedNetworkPolicy hash in SSH certificates. New §8.7 in upper layers
spec documenting network governance lifecycle events (attach, detach,
flow policy, route announce/withdraw) emitted by governance-notifier
using the tiered consent transport model.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add consent-channels@guildhouse.dev SSH certificate extension for
advertising available consent transport channels. Add §8.6 to upper
layers spec describing HFL as the in-process capability boundary
within Shellstream sessions, with WIT as the formal contract.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
