# Server Configuration

## Configuration File Format

SPIRE Server uses configuration files written in HCL (HashiCorp Configuration Language).

## Basic Configuration

```hcl
server {
  # Bind address
  bind_address = "0.0.0.0"

  # Bind port
  bind_port = "8081"

  # Trust domain
  trust_domain = "example.org"

  # Data directory
  data_dir = "/opt/spire/data/server"

  # Log level: DEBUG, INFO, WARN, ERROR
  log_level = "INFO"

  # Log format: text, json
  log_format = "text"

  # Unix socket path (admin API)
  socket_path = "/tmp/spire-server/private/api.sock"
}
```

## Complete Configuration Example

```hcl
server {
  bind_address = "0.0.0.0"
  bind_port = "8081"
  trust_domain = "example.org"
  data_dir = "/opt/spire/data/server"
  log_level = "INFO"
  log_format = "json"
  socket_path = "/tmp/spire-server/private/api.sock"

  # CA configuration
  ca_key_type = "ec-p256"
  ca_ttl = "24h"

  # SVID TTLs
  default_x509_svid_ttl = "1h"
  default_jwt_svid_ttl = "5m"

  # Agent TTL
  agent_ttl = "24h"

  # JWT configuration
  jwt_issuer = "https://spire.example.org"

  # Audit log
  audit_log_enabled = true
}

# Plugin configuration
plugins {
  DataStore "sql" {
    plugin_data {
      database_type = "postgres"
      # The literal password below is for illustration only; see "Environment Variables" further down.
      connection_string = "host=db.example.org port=5432 dbname=spire user=spire password=secret sslmode=require"
      max_open_conns = 10
      max_idle_conns = 5
      conn_max_lifetime = "1h"
    }
  }

  NodeAttestor "k8s_psat" {
    plugin_data {
      clusters = {
        "production" = {
          service_account_allow_list = ["spire:spire-agent"]
          kube_config_file = ""
          allowed_node_label_keys = ["topology.kubernetes.io/zone"]
          allowed_pod_label_keys = ["app", "version"]
        }
      }
    }
  }

  NodeAttestor "join_token" {
    plugin_data {}
  }

  KeyManager "disk" {
    plugin_data {
      keys_path = "/opt/spire/data/server/keys.json"
    }
  }

  Notifier "k8sbundle" {
    plugin_data {
      namespace = "spire"
      config_map = "trust-bundle"
    }
  }
}

# Federation configuration
federation {
  bundle_endpoint {
    address = "0.0.0.0"
    port = 8443
  }

  federates_with "partner.org" {
    bundle_endpoint_url = "https://spire.partner.org:8443"
    bundle_endpoint_profile "https_spiffe" {
      endpoint_spiffe_id = "spiffe://partner.org/spire/server"
    }
  }
}

# Health checks
health_checks {
  listener_enabled = true
  bind_address = "0.0.0.0"
  bind_port = "8080"
  live_path = "/live"
  ready_path = "/ready"
}

# Telemetry
telemetry {
  Prometheus {
    host = "0.0.0.0"
    port = 9988
  }
}
```

## Configuration Parameter Reference

### server block

| Parameter | Type | Default | Description |
|------|------|--------|------|
| `bind_address` | string | "0.0.0.0" | Address the server listens on |
| `bind_port` | string | "8081" | Port the server listens on |
| `trust_domain` | string | required | Trust domain name |
| `data_dir` | string | required | Data storage directory |
| `log_level` | string | "INFO" | Log level |
| `log_format` | string | "text" | Log format |
| `socket_path` | string | - | Unix socket path |
| `ca_key_type` | string | "ec-p256" | CA key type |
| `ca_ttl` | duration | "24h" | CA certificate TTL |
| `default_x509_svid_ttl` | duration | "1h" | Default X.509 SVID TTL |
| `default_jwt_svid_ttl` | duration | "5m" | Default JWT SVID TTL |
| `agent_ttl` | duration | - | Agent SVID TTL |
| `jwt_issuer` | string | - | JWT issuer |
| `audit_log_enabled` | bool | false | Enable the audit log |

### Key types

| Type | Description | Recommended for |
|------|------|----------|
| `ec-p256` | ECDSA P-256 | Default recommendation |
| `ec-p384` | ECDSA P-384 | Higher security |
| `rsa-2048` | RSA 2048 | Compatibility requirements |
| `rsa-4096` | RSA 4096 | High security requirements |

## Environment Variables

The configuration supports environment variable substitution:

```hcl
server {
  trust_domain = "${SPIRE_TRUST_DOMAIN}"
}

plugins {
  DataStore "sql" {
    plugin_data {
      connection_string = "${DATABASE_URL}"
    }
  }
}
```

## Configuration Validation

```bash
# Validate the configuration file syntax
spire-server validate -config /path/to/server.conf
```

## Best Practices

:::{admonition} Production recommendations
:class: tip

1. **Use PostgreSQL/MySQL**: do not use SQLite in production
2. **Enable the audit log**: record every identity operation
3. **Configure health checks**: simplifies monitoring and load balancing
4. **Set sensible TTLs**: balance security against performance
5. **Use JSON logs**: easier to feed into log analysis
:::

## Next Steps

See {doc}`/4.server/cli` to learn how to use the command-line tool.
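`spire-server validate` only checks that the file parses; it does not enforce the production recommendations listed above. The following is an added example, not code from the original page or from the SPIRE project: a small lint that scans a server configuration for those recommendations plus one assumed sanity rule (the X.509 SVID TTL must be shorter than `ca_ttl`). It uses plain regular expressions rather than a full HCL parser, so it only understands the flat `key = value` lines used in the examples on this page.

```python
import re

def parse_duration(text):
    """Convert a Go-style duration such as "24h", "1h30m" or "5m" to seconds."""
    parts = re.findall(r"(\d+)([smh])", text)
    if not parts:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * {"s": 1, "m": 60, "h": 3600}[u] for n, u in parts)

def _value(conf, key):
    """Value of the first `key = value` line (quotes stripped), or None."""
    m = re.search(rf'^\s*{re.escape(key)}\s*=\s*"?([^"\n]+?)"?\s*$', conf, re.M)
    return m.group(1) if m else None

def lint_server_config(conf):
    """Return findings for the production recommendations above; [] means clean."""
    findings = []
    for key in ("trust_domain", "data_dir"):  # marked as required in the table
        if _value(conf, key) is None:
            findings.append(f"missing required parameter: {key}")
    if _value(conf, "database_type") == "sqlite3":
        findings.append("DataStore uses sqlite3; use postgres/mysql in production")
    if _value(conf, "audit_log_enabled") != "true":
        findings.append("audit_log_enabled is not true")
    if not re.search(r"^\s*health_checks\s*\{", conf, re.M):
        findings.append("no health_checks block")
    if _value(conf, "log_format") != "json":
        findings.append("log_format is not json")
    # Assumed sanity rule (not stated on this page): an SVID must not outlive its CA.
    ca, svid = _value(conf, "ca_ttl"), _value(conf, "default_x509_svid_ttl")
    if ca and svid and parse_duration(svid) >= parse_duration(ca):
        findings.append("default_x509_svid_ttl is not shorter than ca_ttl")
    return findings

# Constructed sample that breaks most recommendations (data_dir is missing too).
SAMPLE_CONF = """
server {
  trust_domain = "example.org"
  ca_ttl = "24h"
  default_x509_svid_ttl = "48h"
}
plugins {
  DataStore "sql" {
    plugin_data {
      database_type = "sqlite3"
    }
  }
}
"""
```

Running `lint_server_config(SAMPLE_CONF)` yields six findings; a config that follows the recommendations yields an empty list.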