Document the trust withdrawal cascade: Keylime breach → posture degraded → sessions downgraded → SPIRE re-attestation fails → SVIDs expire → service mTLS fails → quorum degrades No new code for the cascade — it's emergent from existing re-attestation behavior + the Keylime attestor plugin. SPIRE federation handles cross-edge propagation through standard certificate expiration. Three timing profiles: Standard (~1hr), Enhanced (~15min), Critical (~5min) with SVID TTL configuration guidance. Example SPIRE server config with Keylime attestor + k8s_psat fallback for nodes without hardware TPM. Signed-off-by: Tyler King <tking@guildhouse.dev> Signed-off-by: Tyler J King <tking727@gmail.com>
# SPIRE Server configuration with Keylime node attestor.
|
|
#
|
|
# Replaces tpm_devid attestor with Keylime-backed attestation.
|
|
# Keylime is the single TPM authority; this plugin queries its
|
|
# attestation results from the posture-current ConfigMap.
|
|
#
|
|
# See deploy/cascade-timing.md for revocation cascade timing.
|
|
|
|
server:
|
|
bind_address: 0.0.0.0
|
|
bind_port: 8081
|
|
data_dir: /var/lib/spire/server
|
|
log_level: INFO
|
|
trust_domain: guild-a.guildhouse.io
|
|
ca_ttl: 8760h # 1 year
|
|
default_x509_svid_ttl: 1h
|
|
default_jwt_svid_ttl: 5m
|
|
|
|
plugins:
|
|
NodeAttestor:
|
|
# Primary: Keylime-backed attestation for nodes with hardware TPM.
|
|
# Reads posture-current ConfigMap via volume mount.
|
|
keylime:
|
|
plugin_cmd: /opt/spire/plugins/keylime-attestor
|
|
plugin_data:
|
|
source: configmap
|
|
posture_configmap_path: /var/run/posture/posture-current
|
|
max_attestation_age_secs: 600
|
|
|
|
# Fallback: K8s PSAT for cloud nodes without hardware TPM.
|
|
k8s_psat:
|
|
plugin_data:
|
|
clusters:
|
|
local:
|
|
service_account_allow_list:
|
|
- spire:spire-agent
|
|
|
|
KeyManager:
|
|
guildhouse_substrate:
|
|
plugin_cmd: /opt/spire/plugins/substrate-keymanager
|
|
plugin_data:
|
|
trust_domain: guild-a.guildhouse.io
|
|
governance_addr: governance.quartermaster.svc.cluster.local:50051
|
|
notary_addr: notary.quartermaster.svc.cluster.local:50051
|
|
cluster_id: guild-a
|
|
governance_epoch_seconds: 300
|
|
|
|
CredentialComposer:
|
|
guildhouse_ssh:
|
|
plugin_cmd: /opt/spire/plugins/ssh-credential-composer
|
|
plugin_data:
|
|
trust_domain: guild-a.guildhouse.io
|
|
governance_addr: governance.quartermaster.svc.cluster.local:50051
|
|
default_cert_ttl: 5m
|
|
max_cert_ttl: 1h
|
|
|
|
Notifier:
|
|
guildhouse_governance:
|
|
plugin_cmd: /opt/spire/plugins/governance-notifier
|
|
plugin_data:
|
|
governance_addr: governance.quartermaster.svc.cluster.local:50051
|
|
ceremony_addr: ceremony.bascule.svc.cluster.local:50052
|
|
notary_addr: notary.quartermaster.svc.cluster.local:50051
|
|
cluster_id: guild-a
|
|
trust_domain: guild-a.guildhouse.io
|
|
governance_epoch_seconds: 300
|
|
|
|
DataStore:
|
|
sql:
|
|
plugin_data:
|
|
database_type: sqlite3
|
|
connection_string: /var/lib/spire/server/datastore.sqlite3
|
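Review bot: The k8s_psat fallback under NodeAttestor is not scoped to TPM-less nodes, so a node whose Keylime posture has been degraded can still re-attest through the projected service-account-token path and obtain a fresh node SVID, which short-circuits the withdrawal cascade this commit documents — the agent, not the server, chooses which attestor to use. Expose a node label that marks TPM-less nodes as a selector (`allowed_node_label_keys` under the `local` cluster block) and make sure registration entries for sensitive workloads select on the keylime attestor's selectors rather than on PSAT ones; a comment above `k8s_psat:` such as `# Fallback only: a Keylime-degraded node must not be able to re-attest here; key sensitive registration entries on keylime selectors, not PSAT.` would record the constraint. The keylime attestor also trusts whatever is mounted at `posture_configmap_path`; unless the plugin verifies a signature on that payload (not visible here), anyone with write access to the `posture-current` ConfigMap can forge attestation results, so that RBAC is part of the trust boundary and deserves a comment next to `source: configmap`. Finally, spire-server reads HCL rather than YAML, so if this file is consumed directly it will not parse — presumably a deployment step renders it, which the header comment could state.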