From aa2485b366e84fd3558db2f72dced9e117e70d35 Mon Sep 17 00:00:00 2001 From: martincapello Date: Thu, 4 Jun 2020 12:21:21 -0300 Subject: [PATCH 1/2] Added agent configuration file including all the possible configuration options. Signed-off-by: martincapello
--- conf/agent/agent_full.conf | 320 +++++++++++++++++++++++++++++++++++++ 1 file changed, 320 insertions(+) create mode 100644 conf/agent/agent_full.conf
diff --git a/conf/agent/agent_full.conf b/conf/agent/agent_full.conf new file mode 100644
index 0000000000..c5c128f9df
--- /dev/null
+++ b/conf/agent/agent_full.conf
@@ -0,0 +1,320 @@
+# This is the SPIRE Agent configuration file including all possible configuration
+# options.
+
+# agent: Contains core configuration parameters.
+agent {
+ # data_dir: A directory the agent can use for its runtime data. Default: $PWD.
+ data_dir = "./.data"
+
+ # insecure_bootstrap: If true, the agent bootstraps without verifying the server's
+ # identity. Default: false.
+ # insecure_bootstrap = false.
+
+ # join_token: An optional token which has been generated by the SPIRE server.
+ # join_token = ""
+
+ # log_file: File to write logs to.
+ # log_file = ""
+
+ # log_format: Format of logs, . Default: text.
+ # log_format = "text"
+
+ # log_level: Sets the logging level . Default: INFO
+ log_level = "DEBUG"
+
+ # server_address: DNS name or IP address of the SPIRE server.
+ server_address = "127.0.0.1"
+
+ # server_port: Port number of the SPIRE server.
+ server_port = "8081"
+
+ # socket_path: Location to bind the workload API socket. Default: $PWD/spire_api.
+ socket_path = "/tmp/agent.sock"
+
+ # trust_bundle_path: Path to the SPIRE server CA bundle.
+ trust_bundle_path = "./conf/agent/dummy_root_ca.crt"
+
+ # trust_bundle_url: URL to download the initial SPIRE server trust bundle.
+ # trust_bundle_url = ""
+
+ # trust_domain: The trust domain that this agent belongs to.
+ trust_domain = "example.org"
+
+ # sds: Optional SDS configuration section.
+ # sds = {
+ # # default_svid_name: The TLS Certificate resource name to use for the default
+ # # X509-SVID with Envoy SDS. Default: default.
+ # # default_svid_name = "default"
+
+ # # default_bundle_name: The Validation Context resource name to use for the
+ # # default X.509 bundle with Envoy SDS. Default: ROOTCA.
+ # # default_bundle_name = "ROOTCA"
+ # }
+}
+
+# plugins: Contains the configuration for each plugin.
+# Each nested object has the following format:
+#
+# PluginType "plugin_name" {
+#
+# # plugin_cmd: Path to the plugin implementation binary (optional, not
+# # needed for built-ins)
+# plugin_cmd =
+#
+# # plugin_checksum: An optional sha256 of the plugin binary (optional,
+# # not needed for built-ins)
+# plugin_checksum =
+#
+# # plugin_data: Plugin-specific data
+# plugin_data {
+# ...configuration options...
+# }
+#
+# # enabled: Enable or disable the plugin (enabled by default)
+# enabled = [true | false]
+# }
+plugins {
+ # KeyManager "disk": A key manager which writes the private key to disk.
+ KeyManager "disk" {
+ plugin_data {
+ # directory: The directory in which to store the private key.
+ directory = "./.data"
+ }
+ }
+
+ # KeyManager "memory": An in-memory key manager which does not persist
+ # private keys (must re-attest after restarts).
+ KeyManager "memory" {
+ plugin_data {}
+ }
+
+ # NodeAttestor "aws_iid": A node attestor which attests agent identity
+ # using an AWS Instance Identity Document.
+ NodeAttestor "aws_iid" {
+ plugin_data {
+ # ec2_metadata_endpoint: Endpoint for AWS SDK to retrieve instance metadata.
+ # ec2_metadata_endpoint = ""
+ }
+ }
+
+ # NodeAttestor "azure_msi": A node attestor which attests agent identity
+ # using an Azure MSI token.
+ NodeAttestor "azure_msi" {
+ plugin_data {
+ # resource_id: The resource ID (or audience) to request for the MSI
+ # token. The server will reject tokens with resource IDs it does not
+ # recognize. Default: https://management.azure.com/
+ # resource_id = "https://management.azure.com/"
+ }
+ }
+
+ # NodeAttestor "gcp_iit": A node attestor which attests agent identity
+ # using a GCP Instance Identity Token.
+ NodeAttestor "gcp_iit" {
+ plugin_data {
+ # identity_token_host: Host where an identity token can be retrieved
+ # from. Default: metadata.google.internal.
+ # identity_token_host = "metadata.google.internal"
+
+ # service_account: The service account to fetch an identity token
+ # from. Default: default.
+ # service_account = "default"
+ }
+ }
+
+ # NodeAttestor "join_token": A node attestor which uses a server-generated
+ # join token.
+ NodeAttestor "join_token" {
+ plugin_data {}
+ }
+
+ # NodeAttestor "k8s_psat": A node attestor which attests agent identity
+ # using a Kubernetes Projected Service Account token.
+ NodeAttestor "k8s_psat" {
+ plugin_data {
+ # cluster: Name of the cluster. It must correspond to a cluster
+ # configured in the server plugin.
+ # cluster = ""
+
+ # token_path: Path to the projected service account token on disk.
+ # Default: /var/run/secrets/tokens/spire-agent.
+ # token_path = "/var/run/secrets/tokens/spire-agent"
+ }
+ }
+
+ # NodeAttestor "k8s_sat": A node attestor which attests agent identity
+ # using a Kubernetes Service Account token.
+ NodeAttestor "k8s_sat" {
+ plugin_data {
+ # cluster: Name of the cluster. It must correspond to a cluster
+ # configured in the server plugin.
+ # cluster = ""
+
+ # token_path: Path to the service account token on disk.
+ # Default: /run/secrets/kubernetes.io/serviceaccount/token.
+ # token_path = "/run/secrets/kubernetes.io/serviceaccount/token"
+ }
+ }
+
+ # NodeAttestor "sshpop": A node attestor which attests agent identity
+ # using an existing ssh certificate.
+ NodeAttestor "sshpop" {
+ plugin_data {
+ # host_key_path: The path to the private key on disk in openssh format. Default: /etc/ssh/ssh_host_rsa_key
+ # host_key_path = "/etc/ssh/ssh_host_rsa_key"
+
+ # host_cert_path: The path to the certificate on disk in openssh
+ # format. Default: /etc/ssh/ssh_host_rsa_key-cert.pub.
+ # host_cert_path = "/etc/ssh/ssh_host_rsa_key-cert.pub"
+ }
+ }
+
+ # NodeAttestor "x509pop": A node attestor which attests agent identity
+ # using an existing X.509 certificate.
+ NodeAttestor "x509pop" {
+ plugin_data {
+ # private_key_path: The path to the private key on disk (PEM encoded
+ # PKCS1 or PKCS8).
+ # private_key_path = ""
+
+ # certificate_path: The path to the certificate bundle on disk. The
+ # file must contain one or more PEM blocks, starting with the identity
+ # certificate followed by any intermediate certificates necessary for
+ # chain-of-trust validation.
+ # certificate_path = ""
+
+ # intermediates_path: Optional. The path to a chain of intermediate
+ # certificates on disk. The file must contain one or more PEM blocks,
+ # corresponding to intermediate certificates necessary for chain-of-trust
+ # validation. If the file pointed by certificate_path contains more
+ # than one certificate, this chain of certificates will be appended to it.
+ # intermediates_path = ""
+ }
+ }
+
+ # WorkloadAttestor "docker": A workload attestor which allows selectors
+ # based on docker constructs such label and image_id.
+ WorkloadAttestor "docker" {
+ plugin_data {
+ # docker_socket_path: The location of the docker daemon socket.
+ # docker_socket_path = ""
+
+ # docker_version: The API version of the docker daemon. If not
+ # specified, the version is negotiated by the client.
+ # docker_version = ""
+ }
+ }
+
+ # WorkloadAttestor "k8s": A workload attestor which allows selectors based
+ # on Kubernetes constructs such ns (namespace) and sa (service account).
+ WorkloadAttestor "k8s" {
+ plugin_data {
+ # kubelet_read_only_port: The kubelet read-only port. This is mutually
+ # exlusive with kubelet_secure_port.
+ kubelet_read_only_port = "10255"
+
+ # kubelet_secure_port: The kubelet secure port. It defaults to 10250
+ # unless kubelet_read_only_port is set.
+ # kubelet_secure_port = "10250"
+
+ # kubelet_ca_path: The path on disk to a file containing CA certificates
+ # used to verify the kubelet certificate. Required unless
+ # skip_kubelet_verification is set. Defaults to the cluster CA
+ # bundle /run/secrets/kubernetes.io/serviceaccount/ca.crt.
+ # kubelet_ca_path = "/run/secrets/kubernetes.io/serviceaccount/ca.crt"
+
+ # skip_kubelet_verification: If true, kubelet certificate verification
+ # is skipped.
+ # skip_kubelet_verification = false
+
+ # token_path: The path on disk to the bearer token used for kubelet
+ # authentication. Defaults to the service account token /run/secrets/kubernetes.io/serviceaccount/token.
+ # token_path = "/run/secrets/kubernetes.io/serviceaccount/token"
+
+ # certificate_path: The path on disk to client certificate used for
+ # kubelet authentication.
+ # certificate_path = ""
+
+ # private_key_path: The path on disk to client key used for kubelet
+ # authentication.
+ # private_key_path = ""
+
+ # node_name_env: The environment variable used to obtain the node
+ # name. Default: MY_NODE_NAME.
+ # node_name_env = "MY_NODE_NAME"
+
+ # node_name: The name of the node. Overrides the value obtained by
+ # the environment variable specified by node_name_env.
+ # node_name = ""
+ }
+ }
+
+ # WorkloadAttestor "unix": A workload attestor which generates unix-based
+ # selectors like uid and gid.
+ WorkloadAttestor "unix" {
+ plugin_data {
+ # discover_workload_path: If true, the workload path will be discovered
+ # by the plugin and used to provide additional selectors. Default: false.
+ # discover_workload_path = false
+
+ # workload_size_limit: The limit of workload binary sizes when
+ # calculating certain selectors (e.g. sha256). If zero, no limit is
+ # enforced. If negative, never calculate the hash. Default: 0.
+ # workload_size_limit = 0
+ }
+ }
+}
+
+# telemetry: If telemetry is desired use this section to configure the
+# available metrics collectors.
+# telemetry {
+# Prometheus {
+# # host: Prometheus server host.
+# # host = ""
+
+# # port: Prometheus server port.
+# port = 9988
+# }
+
+# DogStatsd = [
+# # List of DogStatsd addresses.
+# { address = "localhost:8125" },
+# { address = "collector.example.org:1337" },
+# ]
+
+# Statsd = [
+# # List of Statsd addresses.
+# { address = "localhost:1337" },
+# { address = "collector.example.org:8125" },
+# ]
+
+# M3 = [
+# # List of M3 configurations.
+# { address = "localhost:9000" env = "dev" },
+# { address = "collector.example.org:9000" env = "prod" },
+# ]
+
+# InMem {
+# # enabled: Enable this collector. Default: true.
+# # enabled = true
+# }
+# }
+
+# health_checks: If health checking is desired use this section to configure
+# and expose an additional server endpoint for such purpose.
+# health_checks {
+# # listener_enabled: Enables health checks endpoint.
+# listener_enabled = true
+
+# # bind_address: IP address or DNS name of the health checks endpoint. Default: localhost.
+# # bind_address = "localhost"
+
+# # bind_port: HTTP Port number of the health checks endpoint. Default: 80.
+# # bind_port = "80"
+
+# # live_path: HTTP resource path for checking server liveness. Default: /live.
+# # live_path = "/live"
+
+# # ready_path: HTTP resource path for checking server readiness. Default: /ready.
+# # ready_path = "/ready"
+# }
From 8935c835280191e41a559d98c47463c576e51782 Mon Sep 17 00:00:00 2001 From: martincapello Date: Thu, 11 Jun 2020 17:23:14 -0300 Subject: [PATCH 2/2] Addressed PR comment. Signed-off-by: martincapello
--- conf/agent/agent_full.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/agent/agent_full.conf b/conf/agent/agent_full.conf
index c5c128f9df..7578dbef72 100644
--- a/conf/agent/agent_full.conf
+++ b/conf/agent/agent_full.conf
@@ -8,7 +8,7 @@ agent { # insecure_bootstrap: If true, the agent bootstraps without verifying the server's # identity. Default: false.
- # insecure_bootstrap = false.
+ # insecure_bootstrap = false # join_token: An optional token which has been generated by the SPIRE server. # join_token = ""
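Review bot: In the WorkloadAttestor "k8s" block, `kubelet_read_only_port = "10255"` is the one plugin option left active rather than commented out, so anyone who starts from this "all options" reference talks to the kubelet's read-only port instead of the secure port the plugin defaults to; the comment on the same line says the two are mutually exclusive, so this active line also quietly sidelines the kubelet_ca_path / token_path verification settings documented right below it. The read-only kubelet port is served without authentication or TLS, which makes it a poor default for a reference file that otherwise documents CA verification and bearer-token auth. I would comment it out like every other plugin_data example, `# kubelet_read_only_port = "10255"`, so a fresh copy gets the documented secure-port defaults, and fix the typos `exlusive` → `exclusive` and `such label and image_id` → `such as label and image_id` while here. A one-line note in the file header saying that the uncommented values (`log_level = "DEBUG"`, `socket_path = "/tmp/agent.sock"`, `trust_bundle_path = "./conf/agent/dummy_root_ca.crt"`) are local development settings rather than recommended defaults would make the file's intent clear.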