Server 配置

配置文件格式

SPIRE Server 使用 HCL (HashiCorp Configuration Language) 格式的配置文件。

基本配置

server {
    # 绑定地址
    bind_address = "0.0.0.0"
    
    # 绑定端口
    bind_port = "8081"
    
    # 信任域
    trust_domain = "example.org"
    
    # 数据目录
    data_dir = "/opt/spire/data/server"
    
    # 日志级别: DEBUG, INFO, WARN, ERROR
    log_level = "INFO"
    
    # 日志格式: text, json
    log_format = "text"
    
    # Unix socket 路径（管理 API）
    socket_path = "/tmp/spire-server/private/api.sock"
}

完整配置示例

server {
    bind_address = "0.0.0.0"
    bind_port = "8081"
    trust_domain = "example.org"
    data_dir = "/opt/spire/data/server"
    log_level = "INFO"
    log_format = "json"
    socket_path = "/tmp/spire-server/private/api.sock"
    
    # CA 配置
    ca_key_type = "ec-p256"
    ca_ttl = "24h"
    
    # SVID TTL
    default_x509_svid_ttl = "1h"
    default_jwt_svid_ttl = "5m"
    
    # Agent TTL
    agent_ttl = "24h"
    
    # JWT 配置
    jwt_issuer = "https://spire.example.org"
    
    # 审计日志
    audit_log_enabled = true
}

# 插件配置
plugins {
    DataStore "sql" {
        plugin_data {
            database_type = "postgres"
            connection_string = "host=db.example.org port=5432 dbname=spire user=spire password=secret sslmode=require"
            max_open_conns = 10
            max_idle_conns = 5
            conn_max_lifetime = "1h"
        }
    }

    NodeAttestor "k8s_psat" {
        plugin_data {
            clusters = {
                "production" = {
                    service_account_allow_list = ["spire:spire-agent"]
                    kube_config_file = ""
                    allowed_node_label_keys = ["topology.kubernetes.io/zone"]
                    allowed_pod_label_keys = ["app", "version"]
                }
            }
        }
    }

    NodeAttestor "join_token" {
        plugin_data {}
    }

    KeyManager "disk" {
        plugin_data {
            keys_path = "/opt/spire/data/server/keys.json"
        }
    }

    Notifier "k8sbundle" {
        plugin_data {
            namespace = "spire"
            config_map = "trust-bundle"
        }
    }
}

# 联邦配置
federation {
    bundle_endpoint {
        address = "0.0.0.0"
        port = 8443
    }
    
    federates_with "partner.org" {
        bundle_endpoint_url = "https://spire.partner.org:8443"
        bundle_endpoint_profile "https_spiffe" {
            endpoint_spiffe_id = "spiffe://partner.org/spire/server"
        }
    }
}

# 健康检查
health_checks {
    listener_enabled = true
    bind_address = "0.0.0.0"
    bind_port = "8080"
    live_path = "/live"
    ready_path = "/ready"
}

# 遥测
telemetry {
    Prometheus {
        host = "0.0.0.0"
        port = 9988
    }
}

配置参数详解

server 块

参数	类型	默认值	描述
`bind_address`	string	“0.0.0.0”	Server 监听地址
`bind_port`	string	“8081”	Server 监听端口
`trust_domain`	string	必填	信任域名称
`data_dir`	string	必填	数据存储目录
`log_level`	string	“INFO”	日志级别
`log_format`	string	“text”	日志格式
`socket_path`	string	-	Unix socket 路径
`ca_key_type`	string	“ec-p256”	CA 密钥类型
`ca_ttl`	duration	“24h”	CA 证书 TTL
`default_x509_svid_ttl`	duration	“1h”	X.509 SVID 默认 TTL
`default_jwt_svid_ttl`	duration	“5m”	JWT SVID 默认 TTL
`agent_ttl`	duration	-	Agent SVID TTL
`jwt_issuer`	string	-	JWT 颁发者
`audit_log_enabled`	bool	false	启用审计日志

密钥类型

类型	描述	推荐场景
`ec-p256`	ECDSA P-256	默认推荐
`ec-p384`	ECDSA P-384	更高安全性
`rsa-2048`	RSA 2048	兼容性需求
`rsa-4096`	RSA 4096	高安全性需求

环境变量

配置支持环境变量替换：

server {
    trust_domain = "${SPIRE_TRUST_DOMAIN}"
}

plugins {
    DataStore "sql" {
        plugin_data {
            connection_string = "${DATABASE_URL}"
        }
    }
}

配置验证

# 验证配置文件语法
spire-server validate -config /path/to/server.conf

最佳实践

生产环境建议

使用 PostgreSQL/MySQL: 不要在生产环境使用 SQLite
启用审计日志: 记录所有身份操作
配置健康检查: 便于监控和负载均衡
设置合理的 TTL: 平衡安全性和性能
使用 JSON 日志: 便于日志分析

下一步

了解 Server 命令行命令行工具使用。