# Configuration

## Configure an Upstream CA

To configure the SPIRE Server to use your own upstream CA, mount the secret holding the CA into the server container and point the server's [Upstream CA plugin](https://github.com/spiffe/spire/blob/master/doc/plugin_server_upstreamauthority_disk.md) configuration [here](https://github.com/greymatter-io/helm-charts/blob/27b1b89c9876f84e78583ec8ec46850d249c5327/spire/server/templates/config-configmap.yaml#L71-L77) at its certificate, key, and bundle paths. `cert_file_path` is the CA certificate from which the SPIRE Server will have its own signing CA issued (usually an intermediate), `key_file_path` is that CA's private key, and `bundle_file_path` holds the root certificate plus any further intermediates between the root and that CA. Newer SPIRE releases call this block `UpstreamAuthority "disk"` rather than `UpstreamCA "disk"`; use the block name given in the plugin documentation for the SPIRE version you run. The configuration looks like the following:

```hcl
UpstreamCA "disk" {
    plugin_data {
        cert_file_path = "/path/to/secret/intermediate.crt"
        key_file_path = "/path/to/secret/intermediate.key"
        bundle_file_path = "/path/to/secret/root.crt"
    }
}
```

To use the registrar service with your own CA, generate a second secret for the registrar containing a server certificate issued by the CA above with common name `registrar.spire.svc`. The Kubernetes API server, which calls the registrar's validating webhook, matches the hostname against the certificate's Subject Alternative Names rather than the common name, so include `registrar.spire.svc` as a DNS SAN as well. Mount this secret into the registrar container and reference it in the registrar configuration file [here](https://github.com/greymatter-io/helm-charts/blob/27b1b89c9876f84e78583ec8ec46850d249c5327/spire/server/templates/config-configmap.yaml#L14-L16) as:

```hcl
cert_path = "/path/to/registrar_secret/registrar.spire.svc.crt"
key_path = "/path/to/registrar_secret/registrar.spire.svc.key"
cacert_path = "/path/to/registrar_secret/ca.crt"
```

Lastly, the `caBundle` field of the Validating Webhook Configuration for the registrar service needs the base64 encoding, on a single line, of the registrar `ca.crt` from above, configured [here](https://github.com/greymatter-io/helm-charts/blob/27b1b89c9876f84e78583ec8ec46850d249c5327/spire/server/templates/validatingwebhookconfiguration.yaml#L13). That bundle must let the API server build a chain to the certificate the registrar serves: if `ca.crt` contains only the root, the registrar's certificate file must carry the intermediate after the leaf certificate, otherwise the webhook call fails with an unknown-authority error.
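The following Go program is an added example, not code from the Grey Matter charts or from SPIRE, that ties together the two secrets described above. It issues a root, an upstream intermediate, and a registrar certificate with the required name, lays the PEM out as the server secret (`root.crt`, `intermediate.crt`, `intermediate.key`) and the registrar secret (`registrar.spire.svc.crt`, `registrar.spire.svc.key`, `ca.crt`), verifies the registrar chain the way the Kubernetes API server will, and produces the `caBundle` value. The CA names, validity periods, the single-intermediate hierarchy, and the choice to have the registrar serve leaf plus intermediate while `ca.crt` holds only the root are assumptions of this example; the file names are taken from the paths on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"math/big"
	"time"
)

// RegistrarHost is the name the page requires on the registrar certificate.
const RegistrarHost = "registrar.spire.svc"

// ChainPEM maps onto the two secrets on the page: root.crt, intermediate.crt and intermediate.key
// for the server; registrar.spire.svc.crt, registrar.spire.svc.key and ca.crt for the registrar.
// The file names and the single-intermediate layout are this example's assumptions, not the chart's.
type ChainPEM struct {
	RootCert, IntermediateCert, IntermediateKey, RegistrarCert, RegistrarKey, RegistrarCA []byte
}

func pemCert(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
func pemKey(k *ecdsa.PrivateKey) []byte {
	der, _ := x509.MarshalECPrivateKey(k) // cannot fail for a key generated by issue
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})
}

// issue builds a certificate for cn, valid for years from now, signed by parent/parentKey
// (self-signed when parent is nil), and returns it parsed together with its new P-256 key.
// CA certificates get no pathlen constraint on purpose: the SPIRE server has its own signing
// CA issued by the upstream intermediate, and a pathlen:0 on that intermediate would forbid it.
func issue(cn string, ca bool, years int, now time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(years, 0, 0)}
	if ca {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{cn} // Go TLS clients such as the kube-apiserver match the SAN, not the CN
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // nil on reader failure, rejected below
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// GenerateChain issues root -> intermediate -> registrar leaf and lays the PEM out as the secrets expect.
// The registrar serves leaf + intermediate, so ca.crt and the webhook caBundle need only the root.
func GenerateChain(now time.Time) (*ChainPEM, error) {
	root, rootKey, err := issue("Example Root CA", true, 10, now, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue("Example Upstream Intermediate CA", true, 5, now, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, leafKey, err := issue(RegistrarHost, false, 1, now, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &ChainPEM{RootCert: pemCert(root), IntermediateCert: pemCert(inter), IntermediateKey: pemKey(interKey),
		RegistrarCert: append(pemCert(leaf), pemCert(inter)...), RegistrarKey: pemKey(leafKey), RegistrarCA: pemCert(root)}, nil
}

// VerifyRegistrar does what a webhook client does: it checks the chain the registrar would serve (leaf first) against caPEM for RegistrarHost at time now.
func VerifyRegistrar(chainPEM, caPEM []byte, now time.Time) error {
	var leafDER []byte
	if block, _ := pem.Decode(chainPEM); block != nil {
		leafDER = block.Bytes
	}
	leaf, err := x509.ParseCertificate(leafDER) // an empty or non-PEM chain fails here
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AppendCertsFromPEM(caPEM)     // an empty caBundle simply fails Verify below
	inters.AppendCertsFromPEM(chainPEM) // whatever the registrar serves after the leaf
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: RegistrarHost, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// WebhookCABundle is the caBundle value for the ValidatingWebhookConfiguration: the PEM as one line of base64.
func WebhookCABundle(caPEM []byte) string { return base64.StdEncoding.EncodeToString(caPEM) }
```

Write each field of `ChainPEM` to its file and build the two secrets from them. Calling `VerifyRegistrar` with only the first PEM block of `RegistrarCert` against `RegistrarCA` fails with an unknown-authority error, which is the same failure the API server reports when the registrar's certificate file lacks the intermediate and the webhook bundle carries only the root.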

## Certificate Rotation Time

By default, the Grey Matter helm charts set the SVID TTL, which governs certificate rotation, to 1 hour. This is the `default_svid_ttl` setting in the server's config file; to change the default in the helm charts, update [default\_svid\_ttl](https://github.com/greymatter-io/helm-charts/blob/27b1b89c9876f84e78583ec8ec46850d249c5327/spire/server/templates/config-configmap.yaml#L28). SPIRE rotates an SVID once half of its TTL has elapsed, so a 1 hour TTL means a new SVID roughly every 30 minutes; a shorter TTL narrows the window in which a stolen SVID remains usable at the cost of more frequent signing by the server.

## Server, Agent, Registrar Configurations

In general, the SPIRE server, agent, and registrar services accept many configuration options, documented in the SPIRE [server configuration reference](https://github.com/spiffe/spire/blob/master/doc/spire_server.md#spire-server-configuration-reference), [agent configuration reference](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md#spire-agent-configuration-reference), and [Kubernetes Workload Registrar documentation](https://github.com/spiffe/spire/tree/master/support/k8s/k8s-workload-registrar#spire-kubernetes-workload-registrar). To use a completely new config file, mount the file into the pod and pass the `-config` flag to the desired container (server, agent, or registrar) pointing at the file, for example `args: ["-config", "/path/to/configfile.conf"]`.

When using the Grey Matter helm charts, to modify the server or the registrar configuration files, edit [this file](https://github.com/greymatter-io/helm-charts/blob/release-2.2/spire/server/templates/config-configmap.yaml). To modify the agent configuration file, edit [this file](https://github.com/greymatter-io/helm-charts/blob/release-2.2/spire/agent/templates/config-configmap.yaml).

### Adding a Service

For a detailed example of deploying a service to the mesh and configuring it for SPIFFE/SPIRE see [this guide](/grey-matter-documentation/guides/launch-service-k8s.md).

