Configuration
To configure the SPIRE Server to use your own upstream CA, mount the secret that holds it into the server container and set its certificate, key, and bundle paths in the server configuration as follows:
To use the registrar service with your own CA, generate a corresponding secret to mount into the registrar service, containing a certificate signed by the CA above with common name registrar.spire.svc. This secret needs to be mounted in the registrar container and referenced in the registrar configuration file as:
Lastly, the ValidatingWebhookConfiguration for the registrar service needs the base64-encoded registrar ca.crt from above configured as its caBundle.
By default, the Grey Matter helm charts use a 1 hour SVID TTL, which is the certificate rotation interval. This value is set in the server's config file. To configure a different default in the helm charts, update the chart value that sets it.
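The steps above (upstream CA, registrar certificate with CN registrar.spire.svc, base64 caBundle for the webhook, and the SVID TTL in the server config) as one worked example. This is an added illustration, not code from the Grey Matter charts or the SPIRE project: it generates a self-signed CA to stand in for "your own upstream CA", signs the registrar certificate with it, emits the single-line caBundle value, and renders the server stanzas that point the SPIRE "disk" UpstreamAuthority plugin at the mounted secret. The mount path /run/spire/upstream-ca, the file names, the certificate lifetimes and the TTL key name svid_ttl are assumptions (the TTL key and the plugin name differ between SPIRE versions; check the reference for the version you run).

```shell
#!/bin/sh
# Added example (not Grey Matter or SPIRE project code). Builds the upstream CA
# material the page refers to, checks it, and renders the server config stanzas.
# Assumptions: OpenSSL with its default config (v3_ca gives the CA cert
# basicConstraints CA:TRUE), paths under $WORKDIR, a 1h TTL, SPIRE's "disk"
# UpstreamAuthority plugin keys cert_file_path/key_file_path/bundle_file_path.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Self-signed CA standing in for "your own upstream CA".
gen_upstream_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example-upstream-ca" \
    -keyout "$WORKDIR/upstream-ca.key" -out "$WORKDIR/upstream-ca.crt" 2>/dev/null
}

# Registrar leaf cert: CN registrar.spire.svc, signed by the CA above.
# SAN and serverAuth EKU are added because the API server talks TLS to the webhook.
gen_registrar_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=registrar.spire.svc" \
    -keyout "$WORKDIR/registrar.key" -out "$WORKDIR/registrar.csr" 2>/dev/null
  printf 'subjectAltName=DNS:registrar.spire.svc\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    > "$WORKDIR/registrar.ext"
  openssl x509 -req -days 90 -in "$WORKDIR/registrar.csr" \
    -CA "$WORKDIR/upstream-ca.crt" -CAkey "$WORKDIR/upstream-ca.key" -CAcreateserial \
    -extfile "$WORKDIR/registrar.ext" -out "$WORKDIR/registrar.crt" 2>/dev/null
}

# Checks worth running before the files go into the Kubernetes secret.
registrar_cn() {
  openssl x509 -in "$WORKDIR/registrar.crt" -noout -subject | sed 's/.*CN *= *//'
}
verify_chain() {
  openssl verify -CAfile "$WORKDIR/upstream-ca.crt" "$WORKDIR/registrar.crt" >/dev/null 2>&1 && echo ok
}

# caBundle for the ValidatingWebhookConfiguration: base64 of the CA cert, one line,
# which is what the YAML field expects.
webhook_ca_bundle() {
  base64 < "$WORKDIR/upstream-ca.crt" | tr -d '\n'
}

# Server config stanzas (HCL) to place in server.conf. $1 is the directory where
# the upstream CA secret is mounted in the server container (assumed path).
render_server_conf() {
  mount="${1:-/run/spire/upstream-ca}"
  cat <<EOF
server {
    # 1h is the default the charts use; lower it for faster rotation.
    svid_ttl = "1h"
}
plugins {
    UpstreamAuthority "disk" {
        plugin_data {
            cert_file_path   = "$mount/tls.crt"
            key_file_path    = "$mount/tls.key"
            bundle_file_path = "$mount/bundle.crt"
        }
    }
}
EOF
}

# Usage (assumed paths): generate, check, then print the webhook value and config.
if [ "${1:-}" = "run" ]; then
  gen_upstream_ca
  gen_registrar_cert
  echo "registrar CN: $(registrar_cn)  chain: $(verify_chain)"
  echo "caBundle: $(webhook_ca_bundle)"
  render_server_conf /run/spire/upstream-ca
fi
```

Run it with `sh example.sh run`; the secret then carries upstream-ca.crt, upstream-ca.key and (for the registrar) registrar.crt/registrar.key, and the printed caBundle goes into the webhook's clientConfig. Keep the upstream CA key out of the registrar's secret: only the server needs it, and only the certificate is required to validate the webhook.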
In general, the SPIRE server, agent, and registrar services can be configured with a number of different options. These options are documented in the SPIRE server, agent, and registrar configuration references. To use a completely new config file, mount the file into the pod and pass the `-config` flag to the desired container (server, agent, or registrar) pointing at the file. It should look like args: ["-config", "/path/to/configfile.conf"]
When using the Grey Matter helm charts, to modify the server or the registrar configuration files, edit . To modify the agent configuration file, edit .
For a detailed example of deploying a service to the mesh and configuring it for SPIFFE/SPIRE see .