guildhouse-spire-plugins/pkg
Tyler J King 5f62da6ca9 feat(spire): Keylime node attestor plugin — single TPM authority
Custom SPIRE NodeAttestor that queries Keylime attestation status
instead of performing independent TPM attestation. Keylime remains
the single TPM authority in the stack.

Two data source strategies:
- ConfigMap (default): reads posture-current ConfigMap (recommended,
  consistent with single-consumer principle)
- Verifier: queries Keylime verifier REST API directly (for
  out-of-cluster SPIRE servers)

Fail-closed: unknown nodes, unreachable sources, degraded posture
all result in non-attested verdict — no SVID issued.

Maps posture level to attestation verdict:
  Normal(5)/Elevated(4) → Attested
  Restricted(3) → Pending
  Critical(2)/Lockdown(1) → Failed

8 unit tests covering ConfigMap source, verifier mapping, edge cases.

Signed-off-by: Tyler King <tking@guildhouse.dev>
Signed-off-by: Tyler J King <tking727@gmail.com>
2026-04-15 20:35:45 -04:00
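To make the fail-closed verdict logic described in the commit concrete, here is an added example (not the plugin's own code, and not tied to the SPIRE plugin SDK) of how a ConfigMap-backed posture source can be mapped to an attestation verdict. The ConfigMap key layout (one key per node ID holding the numeric posture level), the type and error names, and the sample data are all assumptions made for this example; only the level-to-verdict mapping and the fail-closed rule come from the commit message.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Verdict is the node attestation outcome. Only Attested results in an SVID.
type Verdict int

const (
	VerdictFailed Verdict = iota
	VerdictPending
	VerdictAttested
)

func (v Verdict) String() string {
	switch v {
	case VerdictAttested:
		return "Attested"
	case VerdictPending:
		return "Pending"
	default:
		return "Failed"
	}
}

// Posture levels as listed in the commit message: Normal(5) down to Lockdown(1).
const (
	PostureLockdown   = 1
	PostureCritical   = 2
	PostureRestricted = 3
	PostureElevated   = 4
	PostureNormal     = 5
)

// Sentinel errors for the two "no data" conditions the commit says must fail closed.
var (
	ErrUnknownNode       = errors.New("node not present in posture data")
	ErrSourceUnavailable = errors.New("posture source unreachable")
)

// PostureSource abstracts the data source strategy (ConfigMap or verifier REST).
// A verifier-backed implementation would satisfy the same interface.
type PostureSource interface {
	PostureLevel(nodeID string) (int, error)
}

// ConfigMapSource models the posture-current ConfigMap. A nil Data map stands
// for "the ConfigMap could not be read" (assumed representation for this example).
type ConfigMapSource struct {
	Data map[string]string
}

func (c ConfigMapSource) PostureLevel(nodeID string) (int, error) {
	if c.Data == nil {
		return 0, ErrSourceUnavailable
	}
	raw, ok := c.Data[nodeID]
	if !ok {
		return 0, ErrUnknownNode
	}
	lvl, err := strconv.Atoi(raw)
	if err != nil {
		return 0, fmt.Errorf("malformed posture %q for node %s: %w", raw, nodeID, err)
	}
	return lvl, nil
}

// VerdictForLevel applies the mapping from the commit message. Any value outside
// the documented 1..5 range is treated as degraded posture and fails closed.
func VerdictForLevel(level int) Verdict {
	switch level {
	case PostureNormal, PostureElevated:
		return VerdictAttested
	case PostureRestricted:
		return VerdictPending
	default: // Critical, Lockdown, or anything unexpected
		return VerdictFailed
	}
}

// Attest is the fail-closed entry point: every error path collapses to Failed,
// so an unknown node or an unreachable source can never mint an SVID.
func Attest(src PostureSource, nodeID string) (Verdict, error) {
	level, err := src.PostureLevel(nodeID)
	if err != nil {
		return VerdictFailed, err
	}
	return VerdictForLevel(level), nil
}

func main() {
	// Constructed sample ConfigMap data, not taken from a real cluster.
	cm := ConfigMapSource{Data: map[string]string{
		"node-a": "5", "node-b": "3", "node-c": "1", "node-d": "garbage",
	}}
	for _, n := range []string{"node-a", "node-b", "node-c", "node-d", "node-unknown"} {
		v, err := Attest(cm, n)
		fmt.Printf("%-13s -> %-8s err=%v\n", n, v, err)
	}
	v, err := Attest(ConfigMapSource{}, "node-a")
	fmt.Printf("%-13s -> %-8s err=%v\n", "unreachable", v, err)
}
```

The point worth checking in any real implementation is the `default` branch: a malformed or out-of-range level must land in Failed rather than being coerced to Pending or ignored, otherwise a corrupted ConfigMap becomes a path to an SVID.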
config feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
governance feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
keylime feat(spire): Keylime node attestor plugin — single TPM authority 2026-04-15 20:35:45 -04:00
oidc feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
shellstream feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
sshcert feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00