Commit
Allow configuration of TLS policy: docs
Signed-off-by: Hugo Landau <[email protected]>
anvega authored and hlandau committed Aug 9, 2024
1 parent fc0836d commit 7841e54
Showing 3 changed files with 42 additions and 9 deletions.
17 changes: 14 additions & 3 deletions doc/plugin_server_upstreamauthority_spire.md
Expand Up @@ -17,9 +17,20 @@ The plugin accepts the following configuration options:

These are the current experimental configurations:

| experimental | Description | Default |
|------------------------------|-----------------------------------------------------------------------------------------------------------|---------|
| workload_api_named_pipe_name | Pipe name of the Workload API named pipe (Windows only; e.g. pipe name of the SPIRE Agent API named pipe) |
| experimental | Description | Default |
|------------------------------|----------------------------------------------------------------------------------------------------------------|---------|
| workload_api_named_pipe_name | Pipe name of the Workload API named pipe (Windows only; e.g. pipe name of the SPIRE Agent API named pipe) | |
| pq_kem_mode | Whether to use a post-quantum key exchange method for TLS handshake. Set to "default", "attempt" or "require". | default |

The `pq_kem_mode` option supports the following options:

| `pq_kem_mode` Value | Description |
|:--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| default | Inherit system default key exchange configuration. Whether a post-quantum-safe key exchange method is available may depend on environmental configuration (e.g. GODEBUG). |
| attempt | Opportunistically attempt to negotiate a post-quantum-safe key exchange method. |
| require | Require negotiation of a post-quantum-safe key exchange method. |

The `pq_kem_mode` option is currently experimental and may be changed or removed in a future release. Currently, use of this option requires Go 1.23 or later, as this is the first Go release supporting at least one post-quantum-safe key exchange method.

Sample configuration (Unix):

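Review bot: the `pq_kem_mode` value table and the "currently experimental ... requires Go 1.23 or later" paragraph added here are pasted verbatim into doc/spire_agent.md and doc/spire_server.md in the same commit; three identical copies will drift the next time the semantics or the Go version requirement change, so keep one canonical explanation and link to it from the other two option tables. Two smaller points in the same span: "supports the following options" should read "supports the following values", and the `default` and `attempt` rows do not say how they differ in practice, i.e. whether `attempt` overrides the GODEBUG-driven system default that `default` inherits; one sentence making that explicit would help an operator choose. The rewritten `workload_api_named_pipe_name` row does correctly gain the empty trailing Default cell the old row was missing.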
23 changes: 17 additions & 6 deletions doc/spire_agent.md
Expand Up @@ -71,12 +71,23 @@ This may be useful for templating configuration files, for example across differ
| `workload_x509_svid_key_type` | The workload X509 SVID key type &lt;rsa-2048&vert;ec-p256&gt; | ec-p256 |
| `availability_target` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. See [Availability Target](#availability-target) | |

| experimental | Description | Default |
|:---------------------------|------------------------------------------------------------------------------------|-------------------------|
| `named_pipe_name` | Pipe name to bind the SPIRE Agent API named pipe (Windows only) | \spire-agent\public\api |
| `sync_interval` | Sync interval with SPIRE server with exponential backoff | 5 sec |
| `x509_svid_cache_max_size` | Soft limit of max number of SVIDs that would be stored in LRU cache (deprecated) | 1000 |
| `disable_lru_cache` | Reverts back to use the SPIRE Agent non-LRU cache for storing SVIDs (deprecated) | false |
| experimental | Description | Default |
|:---------------------------|------------------------------------------------------------------------------------------------------------------|-------------------------|
| `named_pipe_name` | Pipe name to bind the SPIRE Agent API named pipe (Windows only) | \spire-agent\public\api |
| `sync_interval` | Sync interval with SPIRE server with exponential backoff | 5 sec |
| `x509_svid_cache_max_size` | Soft limit of max number of SVIDs that would be stored in LRU cache (deprecated) | 1000 |
| `disable_lru_cache` | Reverts back to use the SPIRE Agent non-LRU cache for storing SVIDs (deprecated) | false |
| `pq_kem_mode` | Whether to use a post-quantum key exchange method for TLS handshake. Set to "default", "attempt" or "require". | default |

The `pq_kem_mode` option supports the following options:

| `pq_kem_mode` Value | Description |
|:--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| default | Inherit system default key exchange configuration. Whether a post-quantum-safe key exchange method is available may depend on environmental configuration (e.g. GODEBUG). |
| attempt | Opportunistically attempt to negotiate a post-quantum-safe key exchange method. |
| require | Require negotiation of a post-quantum-safe key exchange method. |

The `pq_kem_mode` option is currently experimental and may be changed or removed in a future release. Currently, use of this option requires Go 1.23 or later, as this is the first Go release supporting at least one post-quantum-safe key exchange method.

### Initial trust bundle configuration

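Review bot: the `require` row ("Require negotiation of a post-quantum-safe key exchange method.") should state the operational consequence for the agent, since this option governs the agent's TLS connection to the SPIRE Server: if no post-quantum-safe method is negotiated the handshake presumably fails and the agent cannot sync, and the same paragraph's Go 1.23 note implies that a peer built with an older Go cannot satisfy `require`. One sentence on that failure mode, plus a hint that `attempt` is the safe setting while evaluating, would prevent an unexpected agent outage. This hunk also carries the second verbatim copy of the value table and the experimental/Go 1.23 paragraph; a link to a single shared explanation would be preferable to duplicating it.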
11 changes: 11 additions & 0 deletions doc/spire_server.md
Expand Up @@ -96,6 +96,7 @@ This may be useful for templating configuration files, for example across differ
| `prune_events_older_than`| How old an event can be before being deleted. Used with events based cache. Decreasing this will keep the events table smaller, but will increase risk of missing an event if connection to the database is down. | 12h |
| `auth_opa_policy_engine` | The [auth opa_policy engine](/doc/authorization_policy_engine.md) used for authorization decisions | default SPIRE authorization policy |
| `named_pipe_name` | Pipe name of the SPIRE Server API named pipe (Windows only) | \spire-server\private\api |
| `pq_kem_mode` | Whether to use a post-quantum key exchange method for TLS handshake. Set to "default", "attempt" or "require". | default |

| ratelimit | Description | Default |
|:--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
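Review bot: the new `pq_kem_mode` row tells the reader to "Set to \"default\", \"attempt\" or \"require\"" but the table explaining those values is added much further down, after the ratelimit table and the `auth_opa_policy_engine` sub-table, so a reader of this row has to skip two unrelated tables to learn what the values mean. Either move the explanation directly under this table or add a link from the Description cell to the section that defines the values.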
Expand All @@ -111,6 +112,16 @@ This may be useful for templating configuration files, for example across differ
| `rego_path` | File to retrieve OPA rego policy for authorization. | |
| `policy_data_path` | File to retrieve databindings for policy evaluation. | |

The `pq_kem_mode` option supports the following options:

| `pq_kem_mode` Value | Description |
|:--------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| default | Inherit system default key exchange configuration. Whether a post-quantum-safe key exchange method is available may depend on environmental configuration (e.g. GODEBUG). |
| attempt | Opportunistically attempt to negotiate a post-quantum-safe key exchange method. |
| require | Require negotiation of a post-quantum-safe key exchange method. |

The `pq_kem_mode` option is currently experimental and may be changed or removed in a future release. Currently, use of this option requires Go 1.23 or later, as this is the first Go release supporting at least one post-quantum-safe key exchange method.

### Profiling Names

These are the available profiles that can be set in the `profiling_names` configuration value:
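Review bot: "The `pq_kem_mode` option supports the following options:" should read "supports the following values:", and the terminology should be aligned between the option row ("post-quantum key exchange method") and the value table ("post-quantum-safe key exchange method") so the two are clearly the same thing. This is the third identical copy of the value table and the experimental/Go 1.23 paragraph in this commit; since spire_server.md is the natural home for the server-side definition, consider keeping the full explanation here and having doc/spire_agent.md and doc/plugin_server_upstreamauthority_spire.md link to it.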
