fixup! Introduce a configurable SVID rotation threshold
Signed-off-by: Tomoya Usami <tousami@zlab.co.jp>
Tomoya Usami committed Nov 16, 2023
1 parent de53b22 commit 486084d
Showing 1 changed file with 29 additions and 29 deletions.
58 changes: 29 additions & 29 deletions doc/spire_agent.md
@@ -41,34 +41,34 @@ SPIRE configuration files may be represented in either HCL or JSON. Please see t
If the -expandEnv flag is passed to SPIRE, `$VARIABLE` or `${VARIABLE}` style environment variables are expanded before parsing.
This may be useful for templating configuration files, for example across different trust domains, or for inserting secrets like join tokens.

| Configuration | Description | Default |
|-----------------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------|
| `admin_socket_path` | Location to bind the admin API socket (disabled as default) | |
| `allow_unauthenticated_verifiers` | Allow agent to release trust bundles to unauthenticated verifiers | false |
| `allowed_foreign_jwt_claims` | List of trusted claims to be returned when validating foreign JWTSVIDs | |
| `authorized_delegates` | A SPIFFE ID list of the authorized delegates. See [Delegated Identity API](#delegated-identity-api) for more information | |
| `data_dir` | A directory the agent can use for its runtime data | $PWD |
| `experimental` | The experimental options that are subject to change or removal (see below) | |
| `insecure_bootstrap` | If true, the agent bootstraps without verifying the server's identity | false |
| `join_token` | An optional token which has been generated by the SPIRE server | |
| `log_file` | File to write logs to | |
| `log_level` | Sets the logging level &lt;DEBUG&vert;INFO&vert;WARN&vert;ERROR&gt; | INFO |
| `log_format` | Format of logs, &lt;text&vert;json&gt; | Text |
| `log_source_location` | If true, logs include source file, line number, and method name fields (adds a bit of runtime cost) | false |
| `profiling_enabled` | If true, enables a [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint | false |
| `profiling_freq` | Frequency of dumping profiling data to disk. Only enabled when `profiling_enabled` is `true` and `profiling_freq` > 0. | |
| `profiling_names` | List of profile names that will be dumped to disk on each profiling tick, see [Profiling Names](#profiling-names) | |
| `profiling_port` | Port number of the [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint. Only used when `profiling_enabled` is `true`. | |
| `server_address` | DNS name or IP address of the SPIRE server | |
| `server_port` | Port number of the SPIRE server | |
| `socket_path` | Location to bind the SPIRE Agent API socket (Unix only) | /tmp/spire-agent/public/api.sock |
| `sds` | Optional SDS configuration section | |
| `trust_bundle_path` | Path to the SPIRE server CA bundle | |
| `trust_bundle_url` | URL to download the initial SPIRE server trust bundle | |
| `trust_bundle_format` | Format of the initial trust bundle, pem or spiffe | pem |
| `trust_domain` | The trust domain that this agent belongs to (should be no more than 255 characters) | |
| `workload_x509_svid_key_type` | The workload X509 SVID key type &lt;rsa-2048&vert;ec-p256&gt; | ec-p256 |
| `availability_target` | The amount of time to guarantee the SVID availability. Must be grater than 24h. | |
| Configuration | Description | Default |
|-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------|
| `admin_socket_path` | Location to bind the admin API socket (disabled as default) | |
| `allow_unauthenticated_verifiers` | Allow agent to release trust bundles to unauthenticated verifiers | false |
| `allowed_foreign_jwt_claims` | List of trusted claims to be returned when validating foreign JWTSVIDs | |
| `authorized_delegates` | A SPIFFE ID list of the authorized delegates. See [Delegated Identity API](#delegated-identity-api) for more information | |
| `data_dir` | A directory the agent can use for its runtime data | $PWD |
| `experimental` | The experimental options that are subject to change or removal (see below) | |
| `insecure_bootstrap` | If true, the agent bootstraps without verifying the server's identity | false |
| `join_token` | An optional token which has been generated by the SPIRE server | |
| `log_file` | File to write logs to | |
| `log_level` | Sets the logging level &lt;DEBUG&vert;INFO&vert;WARN&vert;ERROR&gt; | INFO |
| `log_format` | Format of logs, &lt;text&vert;json&gt; | Text |
| `log_source_location` | If true, logs include source file, line number, and method name fields (adds a bit of runtime cost) | false |
| `profiling_enabled` | If true, enables a [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint | false |
| `profiling_freq` | Frequency of dumping profiling data to disk. Only enabled when `profiling_enabled` is `true` and `profiling_freq` > 0. | |
| `profiling_names` | List of profile names that will be dumped to disk on each profiling tick, see [Profiling Names](#profiling-names) | |
| `profiling_port` | Port number of the [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint. Only used when `profiling_enabled` is `true`. | |
| `server_address` | DNS name or IP address of the SPIRE server | |
| `server_port` | Port number of the SPIRE server | |
| `socket_path` | Location to bind the SPIRE Agent API socket (Unix only) | /tmp/spire-agent/public/api.sock |
| `sds` | Optional SDS configuration section | |
| `trust_bundle_path` | Path to the SPIRE server CA bundle | |
| `trust_bundle_url` | URL to download the initial SPIRE server trust bundle | |
| `trust_bundle_format` | Format of the initial trust bundle, pem or spiffe | pem |
| `trust_domain` | The trust domain that this agent belongs to (should be no more than 255 characters) | |
| `workload_x509_svid_key_type` | The workload X509 SVID key type &lt;rsa-2048&vert;ec-p256&gt; | ec-p256 |
| `availability_target` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively SVIDs should be rotated. Must be greater than 24h. | |

| experimental | Description | Default |
|:------------------|-----------------------------------------------------------------|-------------------------|
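Review bot: the new `availability_target` row at the end of the table does not tell the reader what happens when the setting cannot be honoured, even though the "Availability Target" section later in this file documents a fallback (rotation reverts to the default 1/2-of-lifetime strategy when `SVID lifetime - availability_target` is not greater than 12h), and its Default column is left empty. Suggest closing the description with a link, e.g. `See [Availability Target](#availability-target) for details.`, as the `authorized_delegates` and `profiling_names` rows already do for their sections, and filling the Default column with the behaviour that applies when the option is unset (the default rotation strategy). Minor wording: "This configurable influences how aggressively SVIDs should be rotated" reads better as "This setting influences how aggressively SVIDs are rotated". Also, widening the Description column rewrites every other row of the table, which is fine for alignment but hides the single row that actually changed; worth a sentence in the commit message so reviewers know the rest is whitespace.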
@@ -108,7 +108,7 @@ These are the available profiles that can be set in the `profiling_freq` configu

### Availability Target

If the `availability_target` is set, the agent will rotate when remaining lifetime of the SVID reaches the `availability_target`.
If the `availability_target` is set, the agent will rotate an SVID when its remaining lifetime reaches the `availability_target`.

To guarantee the `availability_target`, grace period(`SVID lifetime - availability_target`) must be greater than 12h.
If not satisfied, the agent will rotate the SVID by the default rotation strategy (1/2 of lifetime).
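Review bot: the rewritten sentence now states the trigger ("rotate an SVID when its remaining lifetime reaches the `availability_target`"), but the two unchanged lines after it only cover the grace-period condition (`SVID lifetime - availability_target` greater than 12h), while the configuration table in the same file requires `availability_target` itself to be greater than 24h; an operator reading only this section cannot tell whether a value of 24h or less is rejected when the agent starts or also falls back to the default 1/2-of-lifetime rotation. Suggest stating both conditions and their outcome here, in one place, and documenting whether the agent logs when it falls back to the default strategy so that the condition is observable rather than silent. Nit in the unchanged context: "grace period(`SVID lifetime - availability_target`)" is missing a space before the parenthesis.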
