NewClient no longer returns an error when Quartermaster is unreachable.

grpc.DialContext without WithBlock is already non-blocking; the prior
10s timeout context was effectively a no-op. Removing it and adding
explicit ConnectParams (BaseDelay 1s, Multiplier 1.5, Jitter 0.2,
MaxDelay 30s, MinConnectTimeout 20s) makes the intended behavior
explicit: the gRPC ClientConn retries connection in the background
with exponential backoff, and RPCs return Unavailable until QM is up.
The governance-notifier and substrate-keymanager plugins already log
RPC errors via handleEvent and continue without aborting the SPIRE
operation, so no call-site changes are needed. This unblocks SPIRE
bootstrap when Quartermaster hasn't been deployed yet, breaking the
SPIRE <-> QM circular deployment dependency.

Added watchConnState helper that logs once per transition so operators
see at SPIRE startup whether QM is reachable: a single WARN-style line
when the connection is not yet Ready, and an INFO line when it becomes
Ready. conn.Connect() is called eagerly so those logs fire at plugin
load rather than waiting for the first RPC.

Deferred:
- Add a unit test for NewClient succeeding with an unreachable address
  (existing TestNewClientAcceptsTLSConfig is a pre-existing failure
  using placeholder cert paths; unrelated to this change).

Signed-off-by: Tyler J King <tking@guildhouse.dev>

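As an added illustration (not code from this commit or from grpc-go), the following stand-alone Go program re-implements the gRPC connection-backoff schedule with the ConnectParams values named above (BaseDelay 1s, Multiplier 1.5, Jitter 0.2, MaxDelay 30s), so an operator can see how long the background reconnects to Quartermaster keep growing before they flatten at MaxDelay. It assumes grpc-go follows the published connection-backoff algorithm (multiply the base delay per failed attempt up to the cap, then apply a uniform ±Jitter fraction); the type and function names are this example's own, and MinConnectTimeout is omitted because it bounds a single attempt rather than the wait between attempts.

```go
package main

import (
	"fmt"
	"time"
)

// BackoffParams holds the four backoff knobs from the commit's ConnectParams.
// This is an illustrative struct, not grpc-go's backoff.Config.
type BackoffParams struct {
	BaseDelay  time.Duration
	Multiplier float64
	Jitter     float64
	MaxDelay   time.Duration
}

// qmBackoff carries the values stated in the commit message.
var qmBackoff = BackoffParams{
	BaseDelay:  1 * time.Second,
	Multiplier: 1.5,
	Jitter:     0.2,
	MaxDelay:   30 * time.Second,
}

// NominalDelay returns the jitter-free wait before reconnect attempt n
// (n = 0 is the first retry after the initial connection failure):
// BaseDelay * Multiplier^n, capped at MaxDelay. Added re-implementation
// of the gRPC connection-backoff algorithm for illustration only.
func NominalDelay(p BackoffParams, n int) time.Duration {
	d := float64(p.BaseDelay)
	for i := 0; i < n && d < float64(p.MaxDelay); i++ {
		d *= p.Multiplier
	}
	if d > float64(p.MaxDelay) {
		d = float64(p.MaxDelay)
	}
	return time.Duration(d)
}

// JitterBounds returns the lowest and highest actual delay for attempt n
// once the ±Jitter fraction is applied (gRPC picks uniformly in between).
func JitterBounds(p BackoffParams, n int) (time.Duration, time.Duration) {
	d := float64(NominalDelay(p, n))
	return time.Duration(d * (1 - p.Jitter)), time.Duration(d * (1 + p.Jitter))
}

// AttemptsUntilCap returns the first attempt index whose nominal delay
// reaches MaxDelay, i.e. how many retries happen before the schedule flattens.
func AttemptsUntilCap(p BackoffParams) int {
	for n := 0; ; n++ {
		if NominalDelay(p, n) >= p.MaxDelay {
			return n
		}
	}
}

// TimeToAttempt returns the cumulative nominal wall-clock time spent
// waiting before attempt n starts (sum of delays for attempts 0..n-1).
func TimeToAttempt(p BackoffParams, n int) time.Duration {
	var total time.Duration
	for i := 0; i < n; i++ {
		total += NominalDelay(p, i)
	}
	return total
}

func main() {
	fmt.Printf("%-8s %-12s %-24s %s\n", "attempt", "nominal", "with ±20% jitter", "elapsed before")
	for n := 0; n <= 10; n++ {
		lo, hi := JitterBounds(qmBackoff, n)
		fmt.Printf("%-8d %-12v %-11v..%-11v %v\n",
			n, NominalDelay(qmBackoff, n), lo, hi, TimeToAttempt(qmBackoff, n))
	}
	fmt.Printf("schedule reaches MaxDelay at attempt %d\n", AttemptsUntilCap(qmBackoff))
}
```

With these values the nominal delays run 1s, 1.5s, 2.25s, ... and hit the 30s cap at the tenth attempt (index 9), roughly 75 seconds after the first failure; from then on SPIRE retries QM every 24 to 36 seconds, which is the cadence the watchConnState WARN line should be read against.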
Document the trust withdrawal cascade:

Keylime breach → posture degraded → sessions downgraded
→ SPIRE re-attestation fails → SVIDs expire
→ service mTLS fails → quorum degrades

No new code for the cascade — it's emergent from existing
re-attestation behavior + the Keylime attestor plugin.

SPIRE federation handles cross-edge propagation through
standard certificate expiration.

Three timing profiles: Standard (~1hr), Enhanced (~15min),
Critical (~5min) with SVID TTL configuration guidance.

Example SPIRE server config with Keylime attestor + k8s_psat
fallback for nodes without hardware TPM.

Signed-off-by: Tyler King <tking@guildhouse.dev>
Signed-off-by: Tyler J King <tking727@gmail.com>

New shellstream extension §10.6 network-policy@guildhouse.dev carrying
GovernedNetworkPolicy hash in SSH certificates. New §8.7 in upper layers
spec documenting network governance lifecycle events (attach, detach,
flow policy, route announce/withdraw) emitted by governance-notifier
using the tiered consent transport model.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add consent-channels@guildhouse.dev SSH certificate extension for
advertising available consent transport channels. Add §8.6 to upper
layers spec describing HFL as the in-process capability boundary
within Shellstream sessions, with WIT as the formal contract.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>