From 04352496f5e6df84f3c447c576647ca9e0155c52 Mon Sep 17 00:00:00 2001 From: Sorin Dumitru Date: Mon, 19 Aug 2024 15:07:02 +0300 Subject: [PATCH] Document some missing configuration items (#5393) * Document some missing configuration items Signed-off-by: Sorin Dumitru * Adjust deprecation message Signed-off-by: Sorin Dumitru --------- Signed-off-by: Sorin Dumitru --- doc/spire_agent.md | 13 +++++++------ doc/spire_server.md | 2 ++ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/doc/spire_agent.md b/doc/spire_agent.md index d02fdf88dd..4954d6b176 100644 --- a/doc/spire_agent.md +++ b/doc/spire_agent.md 
@@ -71,12 +71,13 @@ This may be useful for templating configuration files, for example across differ | `workload_x509_svid_key_type` | The workload X509 SVID key type <rsa-2048|ec-p256> | ec-p256 | | `availability_target` | The minimum amount of time desired to gracefully handle SPIRE Server or Agent downtime. This configurable influences how aggressively X509 SVIDs should be rotated. If set, must be at least 24h. See [Availability Target](#availability-target) | | -| experimental | Description | Default | -|:---------------------------|------------------------------------------------------------------------------------|-------------------------| -| `named_pipe_name` | Pipe name to bind the SPIRE Agent API named pipe (Windows only) | \spire-agent\public\api | -| `sync_interval` | Sync interval with SPIRE server with exponential backoff | 5 sec | -| `x509_svid_cache_max_size` | Soft limit of max number of SVIDs that would be stored in LRU cache (deprecated) | 1000 | -| `disable_lru_cache` | Reverts back to use the SPIRE Agent non-LRU cache for storing SVIDs (deprecated) | false | +| experimental | Description | Default | +|:------------------------------|--------------------------------------------------------------------------------------|-------------------------| +| `named_pipe_name` | Pipe name to bind the SPIRE Agent API named pipe (Windows only) | \spire-agent\public\api | +| `sync_interval` | Sync interval with SPIRE server with exponential backoff | 5 sec | +| `x509_svid_cache_max_size` | Soft limit of max number of SVIDs that would be stored in LRU cache (deprecated) | 1000 | +| `disable_lru_cache` | Reverts back to use the SPIRE Agent non-LRU cache for storing SVIDs (deprecated) | false | +| `use_sync_authorized_entries` | Use SyncAuthorizedEntries API for periodically synchronization of authorized entries | false | ### Initial trust bundle configuration diff --git a/doc/spire_server.md b/doc/spire_server.md index 1304225cc7..48a7768d96 100644 
--- a/doc/spire_server.md +++ b/doc/spire_server.md @@ -82,6 +82,7 @@ This may be useful for templating configuration files, for example across differ | `ratelimit` | Rate limiting configurations, usually used when the server is behind a load balancer (see below) | | | `socket_path` | Path to bind the SPIRE Server API socket to (Unix only) | /tmp/spire-server/private/api.sock | | `trust_domain` | The trust domain that this server belongs to (should be no more than 255 characters) | | +| `use_legacy_downstream_x509_ca_ttl` | Use the downstream spire-server registration entry TTL as the downstream CA TTL. This is deprecated and will be removed in a future version. | true | | ca_subject | Description | Default | |:----------------------------|--------------------------------|----------------| 
@@ -94,6 +95,7 @@ This may be useful for templating configuration files, for example across differ | `cache_reload_interval` | The amount of time between two reloads of the in-memory entry cache. Increasing this will mitigate high database load for extra large deployments, but will also slow propagation of new or updated entries to agents. | 5s | | `events_based_cache` | Use events to update the cache with what's changed since the last update. Enabling this will reduce overhead on the database. | false | | `prune_events_older_than`| How old an event can be before being deleted. Used with events based cache. Decreasing this will keep the events table smaller, but will increase risk of missing an event if connection to the database is down. | 12h | +| `sql_transaction_timeout`| Maximum time an SQL transaction could take, used by the events based cache to determine when an event id is unlikely to be used anymore. | 24h | | `auth_opa_policy_engine` | The [auth opa_policy engine](/doc/authorization_policy_engine.md) used for authorization decisions | default SPIRE authorization policy | | `named_pipe_name` | Pipe name of the SPIRE Server API named pipe (Windows only) | \spire-server\private\api |
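Review bot: In the doc/spire_agent.md hunk, the new `use_sync_authorized_entries` row has a grammar slip ("for periodically synchronization") and does not say what the option changes from an operator's point of view; suggest "Use the SyncAuthorizedEntries API to periodically synchronize authorized entries (instead of the default full fetch)", or at least "periodic synchronization". Note also that the other five rows in that table are only re-padded for column alignment, so the row for `use_sync_authorized_entries` is the sole content change in this hunk.

Review bot: In the first doc/spire_server.md hunk (@@ -82), the `use_legacy_downstream_x509_ca_ttl` description states the legacy behaviour ("Use the downstream spire-server registration entry TTL as the downstream CA TTL") and that it is deprecated, but not what TTL is applied when the option is set to `false`; since this controls how long downstream CA certificates remain valid, the row should state the non-legacy behaviour so operators know what changes when they opt out ahead of the removal.

Review bot: In the second doc/spire_server.md hunk (@@ -94), the `sql_transaction_timeout` row should say how it relates to the neighbouring `prune_events_older_than` setting: both describe time windows over the same events table, yet the defaults differ (24h versus 12h) and the text gives no guidance on whether one must be tuned when the other is. Minor wording: "Maximum time an SQL transaction could take" reads better as "Maximum time an SQL transaction can take", and "when an event id is unlikely to be used anymore" as "when an event id is no longer expected to be used".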