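---
# SPIRE Server configuration with Keylime node attestor.
#
# Replaces tpm_devid attestor with Keylime-backed attestation.
# Keylime is the single TPM authority; this plugin queries its
# attestation results from the posture-current ConfigMap.
#
# See deploy/cascade-timing.md for revocation cascade timing.
#
# Layout note: the server block and the plugins block are siblings at the
# top level (SPIRE's server / plugins split); every plugin stanza carries
# plugin_cmd (external binary) plus plugin_data (its own settings).

server:
  # Listens on all interfaces; expected when the server sits behind an
  # in-cluster Service — NOTE(review): confirm nothing else exposes 8081.
  bind_address: 0.0.0.0
  bind_port: 8081
  data_dir: /var/lib/spire/server
  log_level: INFO
  trust_domain: guild-a.guildhouse.io
  ca_ttl: 8760h  # 1 year
  # Short SVID lifetimes bound the window in which a revoked or
  # mis-attested node keeps a usable credential.
  default_x509_svid_ttl: 1h
  default_jwt_svid_ttl: 5m

plugins:
  NodeAttestor:
    # Primary: Keylime-backed attestation for nodes with hardware TPM.
    # Reads posture-current ConfigMap via volume mount.
    # NOTE(review): the attestation result is only as trustworthy as write
    # access to that ConfigMap — restrict writes to the Keylime component
    # (RBAC) and treat any other writer as a forgery path; confirm.
    keylime:
      plugin_cmd: /opt/spire/plugins/keylime-attestor
      plugin_data:
        source: configmap
        posture_configmap_path: /var/run/posture/posture-current
        # Presumably results older than this are treated as stale and the
        # node is refused — confirm against the plugin implementation.
        max_attestation_age_secs: 600
    # Fallback: K8s PSAT for cloud nodes without hardware TPM.
    # NOTE(review): PSAT-attested nodes carry no hardware root of trust;
    # keep their registration entries/selectors distinct from keylime ones
    # so workloads needing TPM-backed identity cannot land on them.
    k8s_psat:
      plugin_data:
        clusters:
          local:
            service_account_allow_list:
              - 'spire:spire-agent'

  KeyManager:
    guildhouse_substrate:
      plugin_cmd: /opt/spire/plugins/substrate-keymanager
      plugin_data:
        trust_domain: guild-a.guildhouse.io
        # host:port values quoted so no YAML dialect can retype them.
        governance_addr: 'governance.quartermaster.svc.cluster.local:50051'
        notary_addr: 'notary.quartermaster.svc.cluster.local:50051'
        cluster_id: guild-a
        governance_epoch_seconds: 300

  CredentialComposer:
    guildhouse_ssh:
      plugin_cmd: /opt/spire/plugins/ssh-credential-composer
      plugin_data:
        trust_domain: guild-a.guildhouse.io
        governance_addr: 'governance.quartermaster.svc.cluster.local:50051'
        default_cert_ttl: 5m
        max_cert_ttl: 1h

  Notifier:
    guildhouse_governance:
      plugin_cmd: /opt/spire/plugins/governance-notifier
      plugin_data:
        governance_addr: 'governance.quartermaster.svc.cluster.local:50051'
        ceremony_addr: 'ceremony.bascule.svc.cluster.local:50052'
        notary_addr: 'notary.quartermaster.svc.cluster.local:50051'
        cluster_id: guild-a
        trust_domain: guild-a.guildhouse.io
        # Same epoch as the KeyManager above; keep the two in step.
        governance_epoch_seconds: 300

  DataStore:
    sql:
      plugin_data:
        # sqlite3 is a single-instance store; an HA server deployment would
        # need a shared database — NOTE(review): confirm this is single-node.
        database_type: sqlite3
        # Value kept on the same line as its key: a bare value on the next
        # line at column 0 is not valid YAML and would leave this null.
        connection_string: /var/lib/spire/server/datastore.sqlite3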