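---
# SPIRE Agent configuration with Guildhouse OIDC Attestor plugin.
#
# FORMAT NOTE: This file uses YAML for readability as a reference document.
# SPIRE natively uses HCL configuration format. To use this with SPIRE, convert
# to HCL syntax or use a SPIRE version that supports YAML config (v1.9+).
# See docs/deployment.md for HCL configuration examples.
#
# This is a reference configuration — adapt paths and addresses for your cluster.
# See docs/deployment.md for full deployment instructions.

agent:
  data_dir: /var/lib/spire/agent
  log_level: INFO
  # In-cluster server address; agent-to-server traffic is TLS-authenticated by
  # SPIRE against trust_domain below, so this name must match what the server presents.
  server_address: spire-server.spire.svc.cluster.local
  server_port: 8081
  # Unix socket that workloads connect to for the Workload API. Access to this
  # socket is the workload's only credential — restrict the mount to the
  # intended pods rather than exposing it host-wide.
  socket_path: /run/spire/sockets/agent.sock
  trust_domain: guildhouse.example.org

plugins:
  NodeAttestor:
    # Node identity is proven with a projected service-account token (PSAT);
    # the cluster name must match an entry configured on the SPIRE server.
    k8s_psat:
      plugin_data:
        cluster: guildhouse

  KeyManager:
    # Keys are held in process memory only and are not persisted; the agent
    # re-attests on restart. Swap for a disk-backed manager if that is a problem.
    memory:
      plugin_data: {}

  WorkloadAttestor:
    # Standard Kubernetes workload attestation.
    k8s:
      plugin_data:
        # Keep false: this controls whether the kubelet's TLS certificate is
        # verified when pod information is looked up. Setting it to true
        # removes that check and should be confined to isolated test clusters.
        skip_kubelet_verification: false

    # Guildhouse OIDC attestation — verifies workload OIDC tokens.
    # plugin_cmd is executed by the agent; the binary and its directory should
    # be root-owned and not writable by any workload user.
    guildhouse_oidc:
      plugin_cmd: /opt/spire/plugins/oidc-attestor
      plugin_data:
        # Must equal the token's `iss` claim exactly (scheme, host, realm path);
        # any mismatch is expected to fail attestation rather than be tolerated.
        issuer: https://keycloak.guildhouse.example.org/realms/platform
        # Tokens must be minted with this value in `aud`; tokens issued for
        # other audiences are expected to be rejected by the attestor.
        audience: spire
        # Mount point of the workload's OIDC token. Treat the file as a secret:
        # readable by the workload (and the agent), not by other pods on the node.
        token_path: /var/run/secrets/oidc/token

    # GSAP attestation — reads governance env vars from process tree.
    gsap:
      plugin_cmd: /opt/spire/plugins/gsap-attestor
      plugin_data:
        # Root of the procfs the attestor reads; change only when the agent
        # runs with a remapped /proc (e.g. host procfs mounted elsewhere).
        proc_root: /proc
        # Upper bound on how many ancestor processes are walked when collecting
        # env vars; bounds the work done per attestation request.
        max_depth: 10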