SPIRE Server is responsible for validating and signing all CSRs in the SPIFFE trust domain. Validation is performed through platform-specific Attestation plugins, as well as policy enforcement backed by the SPIRE Server datastore.
The following details the configuration options for the SPIRE server. They can be set through a .conf file or passed as command-line arguments; command-line values take precedence over the file.
Configuration | Description | Default |
---|---|---|
base_svid_ttl | TTL to use when creating the base SPIFFE ID | |
bind_address | IP address or DNS name of the SPIRE server | |
bind_port | HTTP port number of the SPIRE server | |
bind_http_port | The HTTP port where the SPIRE Service is set to listen | |
log_file | File to write logs to | |
log_level | Sets the logging level (DEBUG, INFO, WARN, ERROR) | INFO |
trust_domain | The trust domain that this server belongs to | |
umask | Umask value to use for new files | 0077 |
upstream_bundle | Include upstream CA certificates in the trust bundle | false |
Note: Changing the umask may expose your signing authority to users other than the SPIRE agent/server.
The server configuration file also contains the configuration for the server plugins. Plugin configurations are under the plugins { ... } section, which has the following format:

```hcl
plugins {
    pluginType "pluginName" {
        ...
        plugin configuration options here
        ...
    }
}
```
The following configuration options are available to configure a plugin:
Configuration | Description |
---|---|
plugin_cmd | Path to the plugin implementation binary (optional, not needed for built-ins) |
plugin_checksum | An optional sha256 of the plugin binary (optional, not needed for built-ins) |
enabled | Enable or disable the plugin |
plugin_data | Plugin-specific data |
Please see the built-in plugins section below for information on plugins that are available out-of-the-box.
All of the configuration file options above have identical command-line counterparts. In addition, the following flags are available.
Command | Action | Default |
---|---|---|
-config string | Path to a SPIRE config file | conf/server/server.conf |
Generates one node join token and creates a registration entry for it. This token can be used to bootstrap one spire-agent installation. The optional -spiffeID flag can be used to give the token a human-readable registration entry name in addition to the token-based entry.
Command | Action | Default |
---|---|---|
-serverAddr | Address of the SPIRE server to register with | localhost:8081 |
-spiffeID | Additional SPIFFE ID to assign the token owner (optional) | |
-ttl | Token TTL in seconds | 600 |
Creates registration entries.
Command | Action | Default |
---|---|---|
-data | Path to a file containing registration data in JSON format (optional). | |
-parentID | The SPIFFE ID of this record's parent. | |
-selector | A colon-delimited type:value selector used for attestation. This parameter can be used more than once to specify multiple selectors that must all be satisfied. | |
-serverAddr | Address of the SPIRE server. | localhost:8081 |
-spiffeID | The SPIFFE ID that this record represents; it will be set in the SVID issued. | |
-ttl | A TTL, in seconds, for any SVID issued as a result of this record. | 3600 |
Deletes a specified registration entry.
Command | Action | Default |
---|---|---|
-entryID | The Registration Entry ID of the record to delete | |
-serverAddr | Address of the SPIRE server | localhost:8081 |
Displays configured registration entries.
Command | Action | Default |
---|---|---|
-entryID | The Entry ID of the record to show. | |
-parentID | The Parent ID of the records to show. | |
-selector | A colon-delimited type:value selector. Can be used more than once to specify multiple selectors. | |
-serverAddr | Address of the SPIRE server. | localhost:8081 |
-spiffeID | The SPIFFE ID of the records to show. | |
-selector | A TTL, in seconds, for any SVID issued as a result of this record. | 3600 |
The server consists of a master process (spire-server) and five plugins: the CA, the Upstream CA, the Data Store, the Node Attestor, and the Node Resolver. The master process implements the Registration API and the Node API, through which agents communicate with the server.
Type | Description |
---|---|
ServerCA | Implements both signing and key storage logic for the server's CA operations. Useful for leveraging hardware-based key operations. |
DataStore | Provides persistent storage and HA features. |
NodeAttestor | Implements validation logic for nodes attempting to assert their identity. Generally paired with an agent plugin of the same type. |
NodeResolver | A plugin capable of discovering platform-specific metadata of nodes which have been successfully attested. Discovered metadata is stored as selectors and can be used when creating registration entries. |
UpstreamCA | Allows SPIRE server to integrate with existing PKI systems. The ServerCA plugin generates CSRs for its signing authority, which are submitted to the upstream CA for signing. |
Type | Name | Description |
---|---|---|
ServerCA | memory | An in-memory CA for signing SVIDs |
DataStore | sql | An SQL database storage plugin supporting SQLite and PostgreSQL databases for the SPIRE datastore |
NodeAttestor | join_token | A node attestor which validates agents attesting with server-generated join tokens |
NodeAttestor | aws_iid | A node attestor which validates agents attesting with AWS Instance Identity Document and Signatures. |
NodeResolver | noop | It is mandatory to have at least one node resolver plugin configured. This one is a no-op |
UpstreamCA | disk | Uses a CA loaded from disk to generate SPIRE server intermediate certificates for use in the ServerCA plugin |
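As an added example (not from the SPIRE project's own documentation), the script below writes a minimal server.conf that wires together the server options and built-in plugins described above, then runs a pre-flight check that the file keeps umask at 0077 and configures the mandatory NodeResolver. The server { ... } wrapper, the trust domain, the file paths and the sql plugin's database_type/connection_string keys are assumptions, not values taken from this page.

```shell
#!/bin/sh
# Added example (not from the SPIRE project): a minimal server.conf built from
# the options and built-in plugins listed on this page, plus a pre-flight check
# a defender can run before starting the server. Paths and the trust domain
# are placeholders; the sql plugin's database_type/connection_string keys are
# assumed from the plugin's own documentation, not from this page.
write_sample_conf() {
  cat > "$1" <<'EOF'
server {
    bind_address = "127.0.0.1"
    bind_port = "8081"
    bind_http_port = "8080"
    trust_domain = "example.org"
    base_svid_ttl = 999999
    umask = "0077"
}

plugins {
    ServerCA "memory" {
        enabled = true
    }
    DataStore "sql" {
        enabled = true
        plugin_data {
            database_type = "sqlite3"
            connection_string = "/opt/spire/.data/datastore.sqlite3"
        }
    }
    NodeAttestor "join_token" {
        enabled = true
    }
    NodeResolver "noop" {
        enabled = true
    }
}
EOF
}

# Returns 0 only if umask keeps all of the 0077 bits (new key material is not
# group/world readable) and at least one NodeResolver block is present.
check_server_conf() {
  conf="$1"
  u=$(sed -n 's/^[[:space:]]*umask[[:space:]]*=[[:space:]]*"\{0,1\}\([0-7]\{1,\}\).*/\1/p' "$conf")
  [ -n "$u" ] || u=0077                       # table default when unset
  [ $(( 0$u & 077 )) -eq 63 ] || { echo "umask $u exposes signing keys" >&2; return 1; }
  grep -q '^[[:space:]]*NodeResolver[[:space:]]*"' "$conf" || { echo "no NodeResolver configured" >&2; return 1; }
  return 0
}
```

Run write_sample_conf against a path, edit the placeholders, and call check_server_conf on the result before starting spire-server.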