guildhouse-spire-plugins/Dockerfile
Tyler J King fe5e2cf3c6 feat(spire): gsap-attestor WorkloadAttestor plugin
SPIRE WorkloadAttestor that reads governance env vars from /proc/{pid}/environ
(walking up the process tree to find gsh) and emits gsap: selectors on workload
SVIDs. Maps BASCULE_* vars set by bascule-shell and future GSH_* vars to the
11-selector vocabulary defined in gsap-types/src/selectors.rs.

- pkg/gsap/selectors.go: shared Go constants mirroring Rust vocabulary
- cmd/gsap-attestor/: plugin implementation with /proc reading, process tree
  walking, capability ceiling translation, and fail-open for non-governed processes
- 28 tests covering selector extraction, proc parsing, tree walking, and depth limits
- Makefile, Dockerfile, deploy config updated

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-13 03:59:08 -04:00
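The plugin's core mechanism as the commit message describes it (read /proc/<pid>/environ, walk up the process tree via the PPid field of /proc/<pid>/status, cap the walk depth, and fail open for non-governed processes), written out as an added worked example for this page rather than the project's own cmd/gsap-attestor code. Assumptions made here: ProcReader, ReadProc, SampleReader, Attest and the constructed sample process table are this example's own names and data; the env-var-to-selector mapping ("gsap:" plus the lowercased suffix after BASCULE_/GSH_) is a placeholder for the 11-key vocabulary in gsap-types/src/selectors.rs, and capability-ceiling translation is not attempted.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"sort"
	"strconv"
	"strings"
)

// Governance env var prefixes: BASCULE_* (set by bascule-shell), GSH_* (gsh).
// ASSUMPTION for this example: each var becomes "gsap:" + lowercased suffix;
// the real 11-key vocabulary in gsap-types/src/selectors.rs is not reproduced.
var governedPrefixes = []string{"BASCULE_", "GSH_"}

// ProcReader yields a process's environ body and parent pid; abstracting the
// /proc read lets the same walk run against a constructed table offline.
type ProcReader func(pid int) (environ []byte, ppid int, err error)

// ParseEnviron splits NUL-separated KEY=VALUE records; malformed ones are skipped.
func ParseEnviron(data []byte) map[string]string {
	env := make(map[string]string)
	for _, rec := range bytes.Split(data, []byte{0}) {
		if k, v, ok := strings.Cut(string(rec), "="); ok && k != "" {
			env[k] = v
		}
	}
	return env
}

// ParsePPid pulls the parent pid from a /proc/<pid>/status body ("PPid:\t100").
func ParsePPid(status []byte) (int, error) {
	for _, line := range strings.Split(string(status), "\n") {
		if strings.HasPrefix(line, "PPid:") {
			return strconv.Atoi(strings.TrimSpace(line[len("PPid:"):]))
		}
	}
	return 0, fmt.Errorf("no PPid line in status")
}

// Selectors renders env's governed vars as sorted "gsap:<key>:<value>" strings (nil if none).
func Selectors(env map[string]string) []string {
	var sels []string
	for name, val := range env {
		for _, p := range governedPrefixes {
			if strings.HasPrefix(name, p) {
				sels = append(sels, "gsap:"+strings.ToLower(name[len(p):])+":"+val)
			}
		}
	}
	sort.Strings(sels)
	return sels
}

// Attest walks from pid up through at most maxDepth parents and returns the first
// governed ancestor's selectors plus its distance (0 = the workload itself). It fails
// open: no governor, an unreadable environ, or the depth limit all yield (nil, -1).
func Attest(read ProcReader, pid, maxDepth int) ([]string, int) {
	for depth := 0; depth <= maxDepth && pid > 0; depth++ {
		environ, ppid, err := read(pid)
		if err != nil {
			return nil, -1
		}
		if sels := Selectors(ParseEnviron(environ)); sels != nil {
			return sels, depth
		}
		pid = ppid // init reports PPid 0, which ends the walk
	}
	return nil, -1
}

// ReadProc is the live Linux reader. Reading another UID's environ needs
// ptrace-read access, which the SPIRE agent has and the workloads do not.
func ReadProc(pid int) ([]byte, int, error) {
	environ, err := os.ReadFile(fmt.Sprintf("/proc/%d/environ", pid))
	if err != nil {
		return nil, 0, err
	}
	status, err := os.ReadFile(fmt.Sprintf("/proc/%d/status", pid))
	if err != nil {
		return nil, 0, err
	}
	ppid, err := ParsePPid(status)
	return environ, ppid, err
}

// SampleReader serves a constructed process table (values made up): governor
// 100 -> shell 200 -> workload 300, while pid 400 runs ungoverned under init.
func SampleReader(pid int) ([]byte, int, error) {
	table := map[int]struct{ ppid int; environ string }{
		1:   {0, "PATH=/usr/bin"},
		100: {1, "BASCULE_SESSION_ID=s-42\x00BASCULE_CAP_CEILING=read-only\x00TERM=xterm"},
		200: {100, "TERM=xterm"},
		300: {200, "HOME=/home/w"},
		400: {1, "HOME=/"},
	}
	if e, ok := table[pid]; ok {
		return []byte(e.environ), e.ppid, nil
	}
	return nil, 0, os.ErrNotExist
}
```

Attest(SampleReader, 300, 8) returns the two selectors of governor 100 at depth 2, and Attest(SampleReader, 400, 8) returns nothing without an error; on a Linux host Attest(ReadProc, pid, 8) does the same against a live process. The walk reports the depth at which the governance vars were found because a process can rewrite its own environment: a gsap: selector found at depth 0 is asserted by the workload itself, whereas one inherited from an ancestor the workload cannot modify carries the governor's authority, so a caller can decide whether depth-0 matches should count.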
# Guildhouse SPIRE Plugins — production image.
#
# This image is a passive binary container: it is not executed directly.
# SPIRE server/agent Deployments mount an emptyDir volume and run an
# initContainer from this image that copies /plugins/ into the shared
# volume. The runtime layer therefore only needs the plugin binaries
# themselves plus a minimal `cp` — distroless static-nonroot ships a
# BusyBox-less runtime, so we use the bookworm slim minimal base here
# which includes coreutils.
#
# Plugin binary paths are /plugins/<name>. SPIRE's HCL plugin_cmd
# directive expects these exact paths.
FROM golang:1.23.6-bookworm AS builder

WORKDIR /src

# Dependency cache layer — go.mod/go.sum copied first so we only redo
# `go mod download` when the module graph changes, not on every source edit.
COPY go.mod go.sum ./
RUN go mod download

COPY . .

# Build each plugin binary into /plugins/. CGO disabled so the binaries
# are statically linked and runnable from any base image.
ENV CGO_ENABLED=0
ENV GOOS=linux
ENV GOARCH=amd64
RUN mkdir -p /plugins && \
    go build -trimpath -ldflags="-s -w" -o /plugins/oidc-attestor ./cmd/oidc-attestor && \
    go build -trimpath -ldflags="-s -w" -o /plugins/ssh-credential-composer ./cmd/ssh-credential-composer && \
    go build -trimpath -ldflags="-s -w" -o /plugins/governance-notifier ./cmd/governance-notifier && \
    go build -trimpath -ldflags="-s -w" -o /plugins/substrate-keymanager ./cmd/substrate-keymanager && \
    go build -trimpath -ldflags="-s -w" -o /plugins/gsap-attestor ./cmd/gsap-attestor

FROM debian:bookworm-slim AS runtime

# No shell commands needed at image boot — this image is inert. The
# initContainer that uses it supplies its own `cp -r /plugins/ /opt/spire/plugins/`
# command. We keep the binaries readable by any UID so SPIRE's
# non-root user can read them out of the shared volume.
COPY --from=builder /plugins/ /plugins/
RUN chmod -R a+rx /plugins

LABEL org.opencontainers.image.source="https://git.guildhouse.dev/tking/guildhouse-spire-plugins" \
      org.opencontainers.image.description="Guildhouse SPIRE plugins: oidc-attestor, ssh-credential-composer, governance-notifier, substrate-keymanager, gsap-attestor" \
      org.opencontainers.image.licenses="Apache-2.0"