Tyler King
420a4e2ea0
Critical fixes: - F-01: SatScope array form support (single pointer → slice with polymorphic JSON) - F-02: Add governance-intent@guildhouse.dev as 10th Shellstream extension - F-06: Replace os.Exit(1) stubs with go-plugin Serve() boilerplate in all cmd/ - F-13: Validate SatScope.ResourcePattern is non-empty High priority: - F-03: Add normative Accord policy syntax note to credential-governance.md §8.2 - F-04: Replace OID XXXXX placeholder with explicit PEN reference and IANA TODO - F-05: Document CredentialComposer hook mapping in spec and plugin-types.md - F-07/F-08: Commit CI pipeline (.github/workflows/ci.yaml) - F-09: Add hashicorp/go-plugin v1.6.3 to go.mod Medium priority: - F-10: Wire sample-ssh-cert-extensions.json fixture into shellstream tests - F-11: Cross-reference merkle proof depth limit (256 leaves) in governance spec - F-12: Add YAML format clarification headers to deploy configs - F-14: Expand README with project status, docs links, and quick-start Low priority: - F-15: Standardize "SSH SVID" → "SSH-SVID" terminology across docs - F-16: Add GovernanceEpochSeconds to PluginConfig and deploy configs - F-17: Add troubleshooting section to deployment.md, error handling to OIDC docs Global: Rename all extension keys from @guildhouse.io to @guildhouse.dev Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
67 lines
2.4 KiB
YAML
67 lines
2.4 KiB
YAML
# SPIRE Server configuration with Guildhouse plugins.
|
|
#
|
|
# FORMAT NOTE: This file uses YAML for readability as a reference document.
|
|
# SPIRE natively uses HCL configuration format. To use this with SPIRE, convert
|
|
# to HCL syntax or use a SPIRE version that supports YAML config (v1.9+).
|
|
# See docs/deployment.md for HCL configuration examples.
|
|
#
|
|
# This is a reference configuration — adapt paths and addresses for your cluster.
|
|
# See docs/deployment.md for full deployment instructions.
|
|
|
|
server:
|
|
bind_address: 0.0.0.0
|
|
bind_port: 8081
|
|
data_dir: /var/lib/spire/server
|
|
log_level: INFO
|
|
trust_domain: guildhouse.example.org
|
|
ca_ttl: 24h
|
|
default_x509_svid_ttl: 1h
|
|
default_jwt_svid_ttl: 5m
|
|
|
|
plugins:
|
|
DataStore:
|
|
sql:
|
|
plugin_data:
|
|
database_type: sqlite3
|
|
connection_string: /var/lib/spire/server/datastore.sqlite3
|
|
|
|
NodeAttestor:
|
|
k8s_psat:
|
|
plugin_data:
|
|
clusters:
|
|
guildhouse:
|
|
service_account_allow_list:
|
|
- spire:spire-agent
|
|
|
|
KeyManager:
|
|
# Guildhouse Substrate KeyManager — governance-aware key management.
|
|
guildhouse_substrate:
|
|
plugin_cmd: /opt/spire/plugins/substrate-keymanager
|
|
plugin_data:
|
|
trust_domain: guildhouse.example.org
|
|
governance_addr: governance.quartermaster.svc.cluster.local:50051
|
|
notary_addr: notary.quartermaster.svc.cluster.local:50051
|
|
cluster_id: guildhouse-prod
|
|
governance_epoch_seconds: 300 # 5 minutes; max 256 credential events per epoch
|
|
|
|
CredentialComposer:
|
|
# Guildhouse SSH Credential Composer — SSH certificate + Shellstream extensions.
|
|
guildhouse_ssh:
|
|
plugin_cmd: /opt/spire/plugins/ssh-credential-composer
|
|
plugin_data:
|
|
trust_domain: guildhouse.example.org
|
|
governance_addr: governance.quartermaster.svc.cluster.local:50051
|
|
default_cert_ttl: 5m
|
|
max_cert_ttl: 1h
|
|
|
|
Notifier:
|
|
# Guildhouse Governance Notifier — credential lifecycle → governance events.
|
|
guildhouse_governance:
|
|
plugin_cmd: /opt/spire/plugins/governance-notifier
|
|
plugin_data:
|
|
governance_addr: governance.quartermaster.svc.cluster.local:50051
|
|
ceremony_addr: ceremony.bascule.svc.cluster.local:50052
|
|
notary_addr: notary.quartermaster.svc.cluster.local:50051
|
|
cluster_id: guildhouse-prod
|
|
trust_domain: guildhouse.example.org
|
|
governance_epoch_seconds: 300
|