tking/guildhouse-spire-plugins
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
SPIRE plugins: Keylime node attestor (Go)
7 commits 1 branch 0 tags 404 KiB
Go 98.2%
Dockerfile 1.5%
Makefile 0.3%
Find a file
Tyler J King f0268305ae docs(spire): revocation cascade timing + Keylime SPIRE server config 
Document the trust withdrawal cascade:
  Keylime breach → posture degraded → sessions downgraded
  → SPIRE re-attestation fails → SVIDs expire
  → service mTLS fails → quorum degrades

No new code for the cascade — it's emergent from existing
re-attestation behavior + the Keylime attestor plugin.
SPIRE federation handles cross-edge propagation through
standard certificate expiration.

Three timing profiles: Standard (~1hr), Enhanced (~15min),
Critical (~5min) with SVID TTL configuration guidance.

Example SPIRE server config with Keylime attestor + k8s_psat
fallback for nodes without hardware TPM.

Signed-off-by: Tyler King <tking@guildhouse.dev>
Signed-off-by: Tyler J King <tking727@gmail.com>
2026-04-15 20:36:00 -04:00
.github/workflows Remediate all 17 audit findings from AUDIT.md 2026-02-18 11:45:33 -05:00
cmd feat(spire): Keylime node attestor plugin — single TPM authority 2026-04-15 20:35:45 -04:00
deploy docs(spire): revocation cascade timing + Keylime SPIRE server config 2026-04-15 20:36:00 -04:00
docs feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
gen feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
pkg feat(spire): Keylime node attestor plugin — single TPM authority 2026-04-15 20:35:45 -04:00
proto Initial scaffolding: specs, plugins, pkg/shellstream 2026-02-18 10:47:09 -05:00
specs feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
test/fixtures Remediate all 17 audit findings from AUDIT.md 2026-02-18 11:45:33 -05:00
.gitignore feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
AUDIT.md Remediate all 17 audit findings from AUDIT.md 2026-02-18 11:45:33 -05:00
buf.gen.yaml Initial scaffolding: specs, plugins, pkg/shellstream 2026-02-18 10:47:09 -05:00
buf.yaml Initial scaffolding: specs, plugins, pkg/shellstream 2026-02-18 10:47:09 -05:00
CLAUDE.md feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
Containerfile.dev feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
go.mod feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
go.sum feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
LICENSE Initial scaffolding: specs, plugins, pkg/shellstream 2026-02-18 10:47:09 -05:00
Makefile Initial scaffolding: specs, plugins, pkg/shellstream 2026-02-18 10:47:09 -05:00
README.md feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
SECURITY-AUDIT.md feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00

README.md

Guildhouse SPIRE Plugins

SPIRE plugins and specifications for governed SSH access via SPIFFE identity.

This repository extends the SPIFFE ecosystem with SSH certificate issuance, governance-aware credential lifecycle management, and Guildhouse platform integration.

Project Status

Stage: Active Development

Component Status
Specifications (specs/) Draft — ready for SIG-Spec review
pkg/shellstream Fully implemented with comprehensive tests
pkg/config Implemented — HCL parsing + validation
pkg/oidc Implemented — OIDC discovery, JWKS verification, JWT validation
pkg/governance Implemented — gRPC client with mTLS, intent lifecycle, merkle anchoring
pkg/sshcert Implemented — SSH certificate builder with Shellstream extensions
Plugin binaries (cmd/) Implemented — go-plugin registration, Configure + core methods
Proto codegen (gen/) Generated — quartermaster/v1 + bascule/v1 gRPC stubs
CI pipeline Configured (.github/workflows/ci.yaml)

Quick Start

# Clone and build
git clone https://github.com/guildhouse-cooperative/guildhouse-spire-plugins.git
cd guildhouse-spire-plugins
make build    # Build all plugin binaries → bin/

# Run tests
make test     # Run all unit tests
make lint     # Run go vet

Specifications

The primary deliverables are three formal specifications in specs/:

Plugins

Four SPIRE plugins in cmd/:

Plugin SPIRE Type Runs In Purpose
oidc-attestor WorkloadAttestor Agent OIDC token verification, claim-to-selector mapping
ssh-credential-composer CredentialComposer Server SSH certificate generation with Shellstream extensions
governance-notifier Notifier Server Credential event notification, merkle anchoring
substrate-keymanager KeyManager Server Governance-aware signing key management

Packages

Shared Go libraries in pkg/:

  • shellstream — Encode/decode Shellstream SSH certificate extensions (comprehensive tests)
  • oidc — OIDC discovery + JWKS key fetching + JWT signature verification (RS256, ES256)
  • governance — GovernanceService + NotaryService gRPC client with mTLS, intent lifecycle, merkle anchoring
  • sshcert — SSH certificate builder with Ed25519 keypair generation and Shellstream extension embedding
  • config — HCL configuration loading and validation

Documentation

Detailed documentation in docs/:

Building

make build    # Build all plugin binaries
make test     # Run tests
make lint     # Run go vet
make clean    # Remove build artifacts

Proto Code Generation

Proto files in proto/ are copies from the Guildhouse monorepo. To regenerate Go bindings:

make proto-gen

Requires buf to be installed.

License

Apache License 2.0 — see LICENSE.