-
Notifications
You must be signed in to change notification settings - Fork 485
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1618 from martincapello/add-full-agent-config
Add agent configuration file including all the possible configuration options
- Loading branch information
Showing
1 changed file
with
320 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,320 @@ | ||
| # This is the SPIRE Agent configuration file including all possible configuration | ||
| # options. | ||
|
|
||
| # agent: Contains core configuration parameters. | ||
| agent { | ||
| # data_dir: A directory the agent can use for its runtime data. Default: $PWD. | ||
| data_dir = "./.data" | ||
|
|
||
| # insecure_bootstrap: If true, the agent bootstraps without verifying the server's | ||
| # identity. Default: false. | ||
| # insecure_bootstrap = false | ||
|
|
||
| # join_token: An optional token which has been generated by the SPIRE server. | ||
| # join_token = "" | ||
|
|
||
| # log_file: File to write logs to. | ||
| # log_file = "" | ||
|
|
||
| # log_format: Format of logs, <text|json>. Default: text. | ||
| # log_format = "text" | ||
|
|
||
| # log_level: Sets the logging level <DEBUG|INFO|WARN|ERROR>. Default: INFO | ||
| log_level = "DEBUG" | ||
|
|
||
| # server_address: DNS name or IP address of the SPIRE server. | ||
| server_address = "127.0.0.1" | ||
|
|
||
| # server_port: Port number of the SPIRE server. | ||
| server_port = "8081" | ||
|
|
||
| # socket_path: Location to bind the workload API socket. Default: $PWD/spire_api. | ||
| socket_path = "/tmp/agent.sock" | ||
|
|
||
| # trust_bundle_path: Path to the SPIRE server CA bundle. | ||
| trust_bundle_path = "./conf/agent/dummy_root_ca.crt" | ||
|
|
||
| # trust_bundle_url: URL to download the initial SPIRE server trust bundle. | ||
| # trust_bundle_url = "" | ||
|
|
||
| # trust_domain: The trust domain that this agent belongs to. | ||
| trust_domain = "example.org" | ||
|
|
||
| # sds: Optional SDS configuration section. | ||
| # sds = { | ||
| # # default_svid_name: The TLS Certificate resource name to use for the default | ||
| # # X509-SVID with Envoy SDS. Default: default. | ||
| # # default_svid_name = "default" | ||
|
|
||
| # # default_bundle_name: The Validation Context resource name to use for the | ||
| # # default X.509 bundle with Envoy SDS. Default: ROOTCA. | ||
| # # default_bundle_name = "ROOTCA" | ||
| # } | ||
| } | ||
|
|
||
| # plugins: Contains the configuration for each plugin. | ||
| # Each nested object has the following format: | ||
| # | ||
| # PluginType "plugin_name" { | ||
| # | ||
| # # plugin_cmd: Path to the plugin implementation binary (optional, not | ||
| # # needed for built-ins) | ||
| # plugin_cmd = <string> | ||
| # | ||
| # # plugin_checksum: An optional sha256 of the plugin binary (optional, | ||
| # # not needed for built-ins) | ||
| # plugin_checksum = <string> | ||
| # | ||
| # # plugin_data: Plugin-specific data | ||
| # plugin_data { | ||
| # ...configuration options... | ||
| # } | ||
| # | ||
| # # enabled: Enable or disable the plugin (enabled by default) | ||
| # enabled = [true | false] | ||
| # } | ||
| plugins { | ||
| # KeyManager "disk": A key manager which writes the private key to disk. | ||
| KeyManager "disk" { | ||
| plugin_data { | ||
| # directory: The directory in which to store the private key. | ||
| directory = "./.data" | ||
| } | ||
| } | ||
|
|
||
| # KeyManager "memory": An in-memory key manager which does not persist | ||
| # private keys (must re-attest after restarts). | ||
| KeyManager "memory" { | ||
| plugin_data {} | ||
| } | ||
|
|
||
| # NodeAttestor "aws_iid": A node attestor which attests agent identity | ||
| # using an AWS Instance Identity Document. | ||
| NodeAttestor "aws_iid" { | ||
| plugin_data { | ||
| # ec2_metadata_endpoint: Endpoint for AWS SDK to retrieve instance metadata. | ||
| # ec2_metadata_endpoint = "" | ||
| } | ||
| } | ||
|
|
||
| # NodeAttestor "azure_msi": A node attestor which attests agent identity | ||
| # using an Azure MSI token. | ||
| NodeAttestor "azure_msi" { | ||
| plugin_data { | ||
| # resource_id: The resource ID (or audience) to request for the MSI | ||
| # token. The server will reject tokens with resource IDs it does not | ||
| # recognize. Default: https://management.azure.com/ | ||
| # resource_id = "https://management.azure.com/" | ||
| } | ||
| } | ||
|
|
||
| # NodeAttestor "gcp_iit": A node attestor which attests agent identity | ||
| # using a GCP Instance Identity Token. | ||
| NodeAttestor "gcp_iit" { | ||
| plugin_data { | ||
| # identity_token_host: Host where an identity token can be retrieved | ||
| # from. Default: metadata.google.internal. | ||
| # identity_token_host = "metadata.google.internal" | ||
|
|
||
| # service_account: The service account to fetch an identity token | ||
| # from. Default: default. | ||
| # service_account = "default" | ||
| } | ||
| } | ||
|
|
||
| # NodeAttestor "join_token": A node attestor which uses a server-generated | ||
| # join token. | ||
| NodeAttestor "join_token" { | ||
| plugin_data {} | ||
| } | ||
|
|
||
| # NodeAttestor "k8s_psat": A node attestor which attests agent identity | ||
| # using a Kubernetes Projected Service Account token. | ||
| NodeAttestor "k8s_psat" { | ||
| plugin_data { | ||
| # cluster: Name of the cluster. It must correspond to a cluster | ||
| # configured in the server plugin. | ||
| # cluster = "" | ||
|
|
||
| # token_path: Path to the projected service account token on disk. | ||
| # Default: /var/run/secrets/tokens/spire-agent. | ||
| # token_path = "/var/run/secrets/tokens/spire-agent" | ||
| } | ||
| } | ||
|
|
||
| # NodeAttestor "k8s_sat": A node attestor which attests agent identity | ||
| # using a Kubernetes Service Account token. | ||
| NodeAttestor "k8s_sat" { | ||
| plugin_data { | ||
| # cluster: Name of the cluster. It must correspond to a cluster | ||
| # configured in the server plugin. | ||
| # cluster = "" | ||
|
|
||
| # token_path: Path to the service account token on disk. | ||
| # Default: /run/secrets/kubernetes.io/serviceaccount/token. | ||
| # token_path = "/run/secrets/kubernetes.io/serviceaccount/token" | ||
| } | ||
| } | ||
|
|
||
| # NodeAttestor "sshpop": A node attestor which attests agent identity | ||
| # using an existing ssh certificate. | ||
| NodeAttestor "sshpop" { | ||
| plugin_data { | ||
| # host_key_path: The path to the private key on disk in openssh format. Default: /etc/ssh/ssh_host_rsa_key | ||
| # host_key_path = "/etc/ssh/ssh_host_rsa_key" | ||
|
|
||
| # host_cert_path: The path to the certificate on disk in openssh | ||
| # format. Default: /etc/ssh/ssh_host_rsa_key-cert.pub. | ||
| # host_cert_path = "/etc/ssh/ssh_host_rsa_key-cert.pub" | ||
| } | ||
| } | ||
|
|
||
| # NodeAttestor "x509pop": A node attestor which attests agent identity | ||
| # using an existing X.509 certificate. | ||
| NodeAttestor "x509pop" { | ||
| plugin_data { | ||
| # private_key_path: The path to the private key on disk (PEM encoded | ||
| # PKCS1 or PKCS8). | ||
| # private_key_path = "" | ||
|
|
||
| # certificate_path: The path to the certificate bundle on disk. The | ||
| # file must contain one or more PEM blocks, starting with the identity | ||
| # certificate followed by any intermediate certificates necessary for | ||
| # chain-of-trust validation. | ||
| # certificate_path = "" | ||
|
|
||
| # intermediates_path: Optional. The path to a chain of intermediate | ||
| # certificates on disk. The file must contain one or more PEM blocks, | ||
| # corresponding to intermediate certificates necessary for chain-of-trust | ||
| # validation. If the file pointed by certificate_path contains more | ||
| # than one certificate, this chain of certificates will be appended to it. | ||
| # intermediates_path = "" | ||
| } | ||
| } | ||
|
|
||
| # WorkloadAttestor "docker": A workload attestor which allows selectors | ||
| # based on docker constructs such label and image_id. | ||
| WorkloadAttestor "docker" { | ||
| plugin_data { | ||
| # docker_socket_path: The location of the docker daemon socket. | ||
| # docker_socket_path = "" | ||
|
|
||
| # docker_version: The API version of the docker daemon. If not | ||
| # specified, the version is negotiated by the client. | ||
| # docker_version = "" | ||
| } | ||
| } | ||
|
|
||
| # WorkloadAttestor "k8s": A workload attestor which allows selectors based | ||
| # on Kubernetes constructs such ns (namespace) and sa (service account). | ||
| WorkloadAttestor "k8s" { | ||
| plugin_data { | ||
| # kubelet_read_only_port: The kubelet read-only port. This is mutually | ||
| # exlusive with kubelet_secure_port. | ||
| kubelet_read_only_port = "10255" | ||
|
|
||
| # kubelet_secure_port: The kubelet secure port. It defaults to 10250 | ||
| # unless kubelet_read_only_port is set. | ||
| # kubelet_secure_port = "10250" | ||
|
|
||
| # kubelet_ca_path: The path on disk to a file containing CA certificates | ||
| # used to verify the kubelet certificate. Required unless | ||
| # skip_kubelet_verification is set. Defaults to the cluster CA | ||
| # bundle /run/secrets/kubernetes.io/serviceaccount/ca.crt. | ||
| # kubelet_ca_path = "/run/secrets/kubernetes.io/serviceaccount/ca.crt" | ||
|
|
||
| # skip_kubelet_verification: If true, kubelet certificate verification | ||
| # is skipped. | ||
| # skip_kubelet_verification = false | ||
|
|
||
| # token_path: The path on disk to the bearer token used for kubelet | ||
| # authentication. Defaults to the service account token /run/secrets/kubernetes.io/serviceaccount/token. | ||
| # token_path = "/run/secrets/kubernetes.io/serviceaccount/token" | ||
|
|
||
| # certificate_path: The path on disk to client certificate used for | ||
| # kubelet authentication. | ||
| # certificate_path = "" | ||
|
|
||
| # private_key_path: The path on disk to client key used for kubelet | ||
| # authentication. | ||
| # private_key_path = "" | ||
|
|
||
| # node_name_env: The environment variable used to obtain the node | ||
| # name. Default: MY_NODE_NAME. | ||
| # node_name_env = "MY_NODE_NAME" | ||
|
|
||
| # node_name: The name of the node. Overrides the value obtained by | ||
| # the environment variable specified by node_name_env. | ||
| # node_name = "" | ||
| } | ||
| } | ||
|
|
||
| # WorkloadAttestor "unix": A workload attestor which generates unix-based | ||
| # selectors like uid and gid. | ||
| WorkloadAttestor "unix" { | ||
| plugin_data { | ||
| # discover_workload_path: If true, the workload path will be discovered | ||
| # by the plugin and used to provide additional selectors. Default: false. | ||
| # discover_workload_path = false | ||
|
|
||
| # workload_size_limit: The limit of workload binary sizes when | ||
| # calculating certain selectors (e.g. sha256). If zero, no limit is | ||
| # enforced. If negative, never calculate the hash. Default: 0. | ||
| # workload_size_limit = 0 | ||
| } | ||
| } | ||
| } | ||
|
|
||
| # telemetry: If telemetry is desired use this section to configure the | ||
| # available metrics collectors. | ||
| # telemetry { | ||
| # Prometheus { | ||
| # # host: Prometheus server host. | ||
| # # host = "" | ||
|
|
||
| # # port: Prometheus server port. | ||
| # port = 9988 | ||
| # } | ||
|
|
||
| # DogStatsd = [ | ||
| # # List of DogStatsd addresses. | ||
| # { address = "localhost:8125" }, | ||
| # { address = "collector.example.org:1337" }, | ||
| # ] | ||
|
|
||
| # Statsd = [ | ||
| # # List of Statsd addresses. | ||
| # { address = "localhost:1337" }, | ||
| # { address = "collector.example.org:8125" }, | ||
| # ] | ||
|
|
||
| # M3 = [ | ||
| # # List of M3 configurations. | ||
| # { address = "localhost:9000" env = "dev" }, | ||
| # { address = "collector.example.org:9000" env = "prod" }, | ||
| # ] | ||
|
|
||
| # InMem { | ||
| # # enabled: Enable this collector. Default: true. | ||
| # # enabled = true | ||
| # } | ||
| # } | ||
|
|
||
| # health_checks: If health checking is desired use this section to configure | ||
| # and expose an additional server endpoint for such purpose. | ||
| # health_checks { | ||
| # # listener_enabled: Enables health checks endpoint. | ||
| # listener_enabled = true | ||
|
|
||
| # # bind_address: IP address or DNS name of the health checks endpoint. Default: localhost. | ||
| # # bind_address = "localhost" | ||
|
|
||
| # # bind_port: HTTP Port number of the health checks endpoint. Default: 80. | ||
| # # bind_port = "80" | ||
|
|
||
| # # live_path: HTTP resource path for checking server liveness. Default: /live. | ||
| # # live_path = "/live" | ||
|
|
||
| # # ready_path: HTTP resource path for checking server readiness. Default: /ready. | ||
| # # ready_path = "/ready" | ||
| # } |