60 lines
2 KiB
YAML
60 lines
2 KiB
YAML
# SPIRE Server configuration with Guildhouse plugins.
|
|
#
|
|
# This is a reference configuration — adapt paths and addresses for your cluster.
|
|
# See docs/deployment.md for full deployment instructions.
|
|
|
|
server:
|
|
bind_address: 0.0.0.0
|
|
bind_port: 8081
|
|
data_dir: /var/lib/spire/server
|
|
log_level: INFO
|
|
trust_domain: guildhouse.example.org
|
|
ca_ttl: 24h
|
|
default_x509_svid_ttl: 1h
|
|
default_jwt_svid_ttl: 5m
|
|
|
|
plugins:
|
|
DataStore:
|
|
sql:
|
|
plugin_data:
|
|
database_type: sqlite3
|
|
connection_string: /var/lib/spire/server/datastore.sqlite3
|
|
|
|
NodeAttestor:
|
|
k8s_psat:
|
|
plugin_data:
|
|
clusters:
|
|
guildhouse:
|
|
service_account_allow_list:
|
|
- spire:spire-agent
|
|
|
|
KeyManager:
|
|
# Guildhouse Substrate KeyManager — governance-aware key management.
|
|
guildhouse_substrate:
|
|
plugin_cmd: /opt/spire/plugins/substrate-keymanager
|
|
plugin_data:
|
|
trust_domain: guildhouse.example.org
|
|
governance_addr: governance.quartermaster.svc.cluster.local:50051
|
|
notary_addr: notary.quartermaster.svc.cluster.local:50051
|
|
cluster_id: guildhouse-prod
|
|
|
|
CredentialComposer:
|
|
# Guildhouse SSH Credential Composer — SSH certificate + Shellstream extensions.
|
|
guildhouse_ssh:
|
|
plugin_cmd: /opt/spire/plugins/ssh-credential-composer
|
|
plugin_data:
|
|
trust_domain: guildhouse.example.org
|
|
governance_addr: governance.quartermaster.svc.cluster.local:50051
|
|
default_cert_ttl: 5m
|
|
max_cert_ttl: 1h
|
|
|
|
Notifier:
|
|
# Guildhouse Governance Notifier — credential lifecycle → governance events.
|
|
guildhouse_governance:
|
|
plugin_cmd: /opt/spire/plugins/governance-notifier
|
|
plugin_data:
|
|
governance_addr: governance.quartermaster.svc.cluster.local:50051
|
|
ceremony_addr: ceremony.bascule.svc.cluster.local:50052
|
|
notary_addr: notary.quartermaster.svc.cluster.local:50051
|
|
cluster_id: guildhouse-prod
|
|
trust_domain: guildhouse.example.org
|