spiffe · marcofranssen · Aug 18, 2023 · Aug 8, 2023 · Aug 9, 2023 · Aug 9, 2023
@@ -362,6 +362,12 @@ Now you can interact with the Spire agent socket from your own application. The
 | spire-server.ingress.tls | list | `[]` |  |
 | spire-server.initContainers | list | `[]` |  |
 | spire-server.jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain |
+| spire-server.keyManager.awsKMS.enabled | bool | `false` |  |
+| spire-server.keyManager.awsKMS.keyMetadataFile | string | `"/run/spire/data/aws-kms-key-metadata"` |  |
+| spire-server.keyManager.awsKMS.keyPolicyFile | string | `""` |  |
+| spire-server.keyManager.awsKMS.region | string | `""` |  |
+| spire-server.keyManager.disk.enabled | bool | `true` |  |
+| spire-server.keyManager.disk.keysPath | string | `"/run/spire/data/keys.json"` |  |
 | spire-server.livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe |
 | spire-server.livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe |
 | spire-server.livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe |

@@ -160,6 +160,12 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | ingress.tls | list | `[]` |  |
 | initContainers | list | `[]` |  |
 | jwtIssuer | string | `"oidc-discovery.example.org"` | The JWT issuer domain |
+| keyManager.awsKMS.enabled | bool | `false` |  |
+| keyManager.awsKMS.keyMetadataFile | string | `"/run/spire/data/aws-kms-key-metadata"` |  |
+| keyManager.awsKMS.keyPolicyFile | string | `""` |  |
+| keyManager.awsKMS.region | string | `""` |  |
+| keyManager.disk.enabled | bool | `true` |  |
+| keyManager.disk.keysPath | string | `"/run/spire/data/keys.json"` |  |
 | livenessProbe.failureThreshold | int | `2` | Failure threshold count for livenessProbe |
 | livenessProbe.initialDelaySeconds | int | `15` | Initial delay seconds for livenessProbe |
 | livenessProbe.periodSeconds | int | `60` | Period seconds for livenessProbe |

@@ -1,5 +1,6 @@
 {{- define "spire-server.yaml-config" -}}
 {{- $upstreamAuthorityUsed := 0 }}
+{{- $keyManagerUsed := 0 }}
 {{- $root := . }}
 server:
   bind_address: "0.0.0.0"
@@ -46,11 +47,41 @@ plugins:
               service_account_allow_list: {{ include "spire-server.serviceAccountAllowedList" $root | trim }}
   {{- end }}
   {{- end }}
-
+
+  {{- with .Values.keyManager.disk }}
+  {{- if eq (.enabled | toString) "true" }}
+  {{- $keyManagerUsed = add1 $keyManagerUsed }}
   KeyManager:
     - disk:
         plugin_data:
-          keys_path: "/run/spire/data/keys.json"
+          keys_path: {{ .keysPath | quote }}
+  {{- end }}
+  {{- end }}
+
+  {{- with .Values.keyManager.awsKMS }}
+  {{- if eq (.enabled | toString) "true" }}
+  {{- $keyManagerUsed = add1 $keyManagerUsed }}
+  KeyManager:
+    - aws_kms:
+        plugin_data:
+          region: {{ .region | quote }}
+          key_metadata_file: {{ .keyMetadataFile | quote }}
+          {{- if ne .accessKeyID "" }}
+          access_key_id: {{ .accessKeyID | quote }}
+          {{- end }}
+          {{- if ne .secretAccessKey "" }}
+          secret_access_key: {{ .secretAccessKey | quote }}
+          {{- end }}
+          {{- if ne .keyPolicyFile "" }}
+          key_policy_file: {{ .keyPolicyFile | quote }}
+          {{- end }}
+
+  {{- end }}
+  {{- end }}
+
+{{- if ne $keyManagerUsed 1 }}
+{{- fail "You have to enable exactly one Key Manager." }}
+{{- end }}
 
   Notifier:
     - k8sbundle:

@@ -175,6 +175,16 @@ ca_subject:
   organization: Example
   common_name: example.org
 
+keyManager:
+  disk:
+    enabled: true
+    keysPath: "/run/spire/data/keys.json"
+  awsKMS:
+    enabled: false
+    region: ""
+    keyMetadataFile: "/run/spire/data/aws-kms-key-metadata"
+    keyPolicyFile: ""
+
 upstreamAuthority:
   disk:
     enabled: false