Configuration

Configure an Upstream CA

To configure the SPIRE Server to use your own upstream CA, mount the secret into the server container and specify its cert, key, and bundle paths in the server's Upstream CA plugin configuration as follows:

UpstreamCA "disk" {
    plugin_data {
        cert_file_path = "/path/to/secret/intermediate.crt"
        key_file_path = "/path/to/secret/intermediate.key"
        bundle_file_path = "/path/to/secret/root.crt"
    }
}

To use the registrar service with your own CA, generate a corresponding secret to mount for the registrar service, containing a cert signed by the above CA with common name registrar.spire.svc. This secret needs to be mounted in the registrar container and its paths specified in the registrar configuration file as:

cert_path = "/path/to/registrar_secret/registrar.spire.svc.crt"
key_path = "/path/to/registrar_secret/registrar.spire.svc.key"
cacert_path = "/path/to/registrar_secret/ca.crt"

Lastly, the ValidatingWebhookConfiguration for the registrar service needs a base64-encoded copy of the registrar ca.crt from above in its configuration.
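The registrar steps above, as an added shell example (not code from the Grey Matter charts or SPIRE): issue registrar.spire.svc.crt from the intermediate CA, verify the chain and CN before mounting the secret, and produce the single-line base64 string for the webhook's caBundle. It assumes openssl is installed; the demo CA and WORKDIR paths are constructed placeholders, and CA_CRT/CA_KEY can be pointed at your real intermediate instead.

```shell
#!/bin/sh
# Added example, not part of the Grey Matter docs. Assumes openssl; file paths are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_CRT="${CA_CRT:-$WORKDIR/intermediate.crt}"   # the same files the UpstreamCA "disk" plugin reads
CA_KEY="${CA_KEY:-$WORKDIR/intermediate.key}"
REGISTRAR_CN="registrar.spire.svc"

# Constructed self-signed CA standing in for your real intermediate (demo only).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-intermediate-ca" \
    -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
}

# Issue registrar.spire.svc.crt/.key signed by the CA. The SAN mirrors the CN because
# the API server's webhook client matches the service DNS name against SANs, not the CN.
issue_registrar_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$REGISTRAR_CN" \
    -keyout "$WORKDIR/registrar.spire.svc.key" -out "$WORKDIR/registrar.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$REGISTRAR_CN" > "$WORKDIR/ext.cnf"
  openssl x509 -req -in "$WORKDIR/registrar.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
    -days 1 -extfile "$WORKDIR/ext.cnf" -out "$WORKDIR/registrar.spire.svc.crt" 2>/dev/null
  cp "$CA_CRT" "$WORKDIR/ca.crt"   # becomes cacert_path in the registrar config
}

# Check the cert actually chains to the CA and carries the expected CN; prints the CN.
# -partial_chain lets an intermediate (not a root) act as the trust anchor.
registrar_cert_cn() {
  openssl verify -partial_chain -CAfile "$CA_CRT" "$WORKDIR/registrar.spire.svc.crt" >/dev/null
  openssl x509 -in "$WORKDIR/registrar.spire.svc.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/.*CN=//'
}

# Single-line base64 of ca.crt, the value the ValidatingWebhookConfiguration's caBundle expects.
webhook_ca_bundle() {
  base64 < "$WORKDIR/ca.crt" | tr -d '\n'
}
```

Run make_demo_ca (or skip it and point CA_CRT/CA_KEY at your intermediate), then issue_registrar_cert, registrar_cert_cn and webhook_ca_bundle; the files under WORKDIR are what goes into the registrar secret.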

Certificate Rotation Time

By default, the Grey Matter helm charts use a 1 hour SVID TTL, so certificates rotate every hour. This value is set in the server's config file. To configure a different default in the helm charts, update default_svid_ttl.

Server, Agent, Registrar Configurations

In general, the SPIRE server, agent, and registrar services can be configured with a number of different options. These options can be found in the SPIRE server configuration reference, the agent configuration reference, and the Kubernetes Workload Registrar documentation. To generate and use a completely new config file, mount the file into the pod and set an argument on the desired container (server, agent, or registrar) with the --config flag pointing to the file, for example args: ["-config", "/path/to/configfile.conf"]

When using the Grey Matter helm charts, the server and registrar configuration files are defined in one chart file and the agent configuration file in another; edit those files to modify them.

Adding a Service

For a detailed example of deploying a service to the mesh and configuring it for SPIFFE/SPIRE see this guide.
