# Configuration

## Configure an Upstream CA

To configure the SPIRE Server to use your own upstream CA, mount the secret into the server container and specify its cert, key, and bundle paths in the server [Upstream CA plugin](https://github.com/spiffe/spire/blob/master/doc/plugin_server_upstreamauthority_disk.md) configuration [here](https://github.com/greymatter-io/helm-charts/blob/27b1b89c9876f84e78583ec8ec46850d249c5327/spire/server/templates/config-configmap.yaml#L71-L77) as follows:

```hcl
UpstreamCA "disk" {
    plugin_data {
        cert_file_path = "/path/to/secret/intermediate.crt"
        key_file_path = "/path/to/secret/intermediate.key"
        bundle_file_path = "/path/to/secret/root.crt"
    }
}
```

To use the registrar service with your own CA, you need to generate a corresponding secret to mount for the registrar service, with a cert signed by the above CA with common name `registrar.spire.svc`. This secret needs to be mounted in the registrar container and specified in the registrar configuration file [here](https://github.com/greymatter-io/helm-charts/blob/27b1b89c9876f84e78583ec8ec46850d249c5327/spire/server/templates/config-configmap.yaml#L14-L16) as:

```hcl
cert_path = "/path/to/registrar_secret/registrar.spire.svc.crt"
key_path = "/path/to/registrar_secret/registrar.spire.svc.key"
cacert_path = "/path/to/registrar_secret/ca.crt"
```

Lastly, the Validating Webhook Configuration for the registrar service needs the registrar `ca.crt` from above as a base64-encoded string, configured [here](https://github.com/greymatter-io/helm-charts/blob/27b1b89c9876f84e78583ec8ec46850d249c5327/spire/server/templates/validatingwebhookconfiguration.yaml#L13).
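The two secrets this section describes (the upstream CA secret for the `UpstreamCA "disk"` plugin, and the registrar secret whose cert is signed by that CA with common name `registrar.spire.svc`, plus the base64 string for the webhook), built with openssl as an added example that is not part of the Grey Matter charts. It assumes openssl 1.1.1 or newer on the PATH; the subject names, key sizes, lifetimes and the output directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the Grey Matter charts): build the upstream CA secret and the
# registrar secret described above with openssl, then check them before mounting them.
# Subject names, key sizes, lifetimes and the output directory WORK are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
REGISTRAR_CN="registrar.spire.svc"   # the CN the registrar config expects
# Upstream CA secret: intermediate.crt, intermediate.key and root.crt for UpstreamCA "disk".
make_upstream_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" 2>/dev/null
}
# Registrar secret: leaf signed by the intermediate, plus the ca.crt used for cacert_path.
# A SAN equal to the CN is added because CN-only certificates are rejected by modern TLS clients.
make_registrar_secret() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$REGISTRAR_CN" \
    -keyout "$WORK/$REGISTRAR_CN.key" -out "$WORK/registrar.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$WORK/leaf.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$REGISTRAR_CN" >> "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/registrar.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" \
    -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" -out "$WORK/$REGISTRAR_CN.crt" 2>/dev/null
  cat "$WORK/intermediate.crt" "$WORK/root.crt" > "$WORK/ca.crt"   # full chain for clients
}
# Checks: the leaf must chain to the root through the intermediate, and its CN must match.
verify_registrar_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" \
    "$WORK/$REGISTRAR_CN.crt" >/dev/null 2>&1
}
registrar_cn() {
  openssl x509 -in "$WORK/$REGISTRAR_CN.crt" -noout -subject | sed 's/.*CN *= *//'
}
# The webhook's caBundle value: ca.crt base64 encoded on a single line.
webhook_ca_bundle() {
  base64 < "$WORK/ca.crt" | tr -d '\n'
}
main() {
  make_upstream_ca && make_registrar_secret
  verify_registrar_chain && [ "$(registrar_cn)" = "$REGISTRAR_CN" ] \
    || { echo "registrar certificate failed validation" >&2; return 1; }
  echo "secrets written to $WORK"; echo "caBundle: $(webhook_ca_bundle)"
}
```

Source the file and call `main`; the files it writes under `$WORK` map one-to-one onto the paths in the two config fragments above.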

## Certificate Rotation Time

By default, the Grey Matter helm charts use a 1 hour SVID TTL, which is the certificate rotation time. This time can be configured in the server's config file. To configure a different default time in the helm charts, update [`default_svid_ttl`](https://github.com/greymatter-io/helm-charts/blob/27b1b89c9876f84e78583ec8ec46850d249c5327/spire/server/templates/config-configmap.yaml#L28).

## Server, Agent, Registrar Configurations

In general, the SPIRE server, agent, and registrar services can be configured with a number of different options. These options can be found in the SPIRE [server configuration reference](https://github.com/spiffe/spire/blob/master/doc/spire_server.md#spire-server-configuration-reference), [agent configuration reference](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md#spire-agent-configuration-reference), and [Kubernetes Workload Registrar documentation](https://github.com/spiffe/spire/tree/master/support/k8s/k8s-workload-registrar#spire-kubernetes-workload-registrar). To generate and use a completely new config file, mount the file into the pod and set an argument on the desired container (server, agent, or registrar) with the `--config` flag pointing to the file. It should look like `args: ["-config", "/path/to/configfile.conf"]`.

When using the Grey Matter helm charts, to modify the server or the registrar configuration files, edit [this file](https://github.com/greymatter-io/helm-charts/blob/release-2.2/spire/server/templates/config-configmap.yaml). To modify the agent configuration file, edit [this file](https://github.com/greymatter-io/helm-charts/blob/release-2.2/spire/agent/templates/config-configmap.yaml).

### Adding a Service

For a detailed example of deploying a service to the mesh and configuring it for SPIFFE/SPIRE see [this guide](https://greymatter.gitbook.io/grey-matter-documentation/1.7-beta/guides/launch-service-k8s).
