diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
index bc475f306..2e02a3f44 100644
--- a/charts/spire/charts/spire-agent/README.md
+++ b/charts/spire/charts/spire-agent/README.md
@@ -143,6 +143,7 @@ A Helm chart to install the SPIRE agent.
 | `customPlugins.workloadAttestor` | Custom plugins of type WorkloadAttestor are configured here | `{}` |
 | `experimental.enabled` | Allow configuration of experimental features | `false` |
 | `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` |
+| `experimental.requirePQKEM` | Require use of a post-quantum-safe key exchange method for TLS handshakes. | `false` |
 | `experimental.featureFlags` | List of developer feature flags | `[]` |
 | `agents` | Configure multiple agent DaemonSets. Useful when you have different node types and nodeAttestors | `{}` |
 | `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml
index 77c15acd3..77be88f63 100644
--- a/charts/spire/charts/spire-agent/templates/configmap.yaml
+++ b/charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -77,6 +77,7 @@ agent:
 {{- if eq (.enabled | toString) "true" }}
 experimental:
 sync_interval: {{ .syncInterval | quote }}
+ require_pq_kem: {{ .requirePQKEM }}
 {{- if gt (len .featureFlags) 0 }}
 feature_flags:
 {{- range .featureFlags }}
diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
index 3e32556d6..5a7cd9bdb 100644
--- a/charts/spire/charts/spire-agent/values.yaml
+++ b/charts/spire/charts/spire-agent/values.yaml
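Review bot: The added `require_pq_kem: {{ .requirePQKEM }}` line is rendered only inside the `{{- if eq (.enabled | toString) "true" }}` guard two lines above it, so setting `experimental.requirePQKEM: true` without `experimental.enabled: true` produces a config with no PQ requirement at all, and nothing in the template or values surfaces that. A short comment on the added line would make the dependency explicit, e.g. `# only rendered when experimental.enabled is true; requirePQKEM alone is a no-op`. If the maintainers want the misconfiguration to be loud rather than silent, a template-level `{{ fail "experimental.requirePQKEM requires experimental.enabled" }}` when requirePQKEM is true and enabled is false would catch it at install time. The spire-server configmap hunk adds the same key and presumably sits under the same kind of guard, but its opening `if` is outside that hunk so it cannot be confirmed from the diff.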
@@ -376,6 +376,8 @@ experimental:
 enabled: false
 ## @param experimental.syncInterval Sync interval with SPIRE server with exponential backoff
 syncInterval: 5s
+ ## @param experimental.requirePQKEM Require use of a post-quantum-safe key exchange method for TLS handshakes.
+ requirePQKEM: false
 ## @param experimental.featureFlags [array] List of developer feature flags
 featureFlags: []
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index 0b133d166..71f9bcbf1 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -499,6 +499,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `experimental.cacheReloadInterval` | The amount of time between two reloads of the in-memory entry cache. | `5s` |
 | `experimental.eventsBasedCache` | Use events to update the cache with what's changed since the last update. | `false` |
 | `experimental.pruneEventsOlderThan` | How old an event can be before being deleted. Used with events based cache. | `12h` |
+| `experimental.requirePQKEM` | Require use of a post-quantum-safe key exchange method for TLS handshakes. | `false` |
 | `experimental.featureFlags` | List of developer feature flags | `[]` |
 | `experimental.authOpaPolicyEngine` | The [auth opa_policy engine](https://github.com/spiffe/spire/blob/main/doc/authorization_policy_engine.md) used for authorization decisions. Defaults to the default SPIRE authorization policy. | `{}` |
 | `experimental.authOpaPolicyEngine.local.policy_data` | A JSON blob that defines additional data that can be used in the rego policy. | `""` |
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
index 07a10edff..701187ca6 100644
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
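Review bot: The `## @param experimental.requirePQKEM` comment on the added line (and the identical one in the spire-server values hunk) describes what the knob does but not its operational consequences, and since that text is what the README tables are generated from, it is the only guidance an operator gets. Requiring a post-quantum KEM presumably means a handshake with a peer that does not offer one fails, so enabling it on the agent before the server (or the reverse) during a rolling upgrade is an availability risk worth stating, and for the agent the value is visibly gated on `experimental.enabled` in the configmap template. Suggest extending the comment to `## @param experimental.requirePQKEM Require use of a post-quantum-safe key exchange method for TLS handshakes. Only applied when experimental.enabled is true; enable on both agent and server, as peers that cannot offer a PQ KEM will fail the handshake.`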
@@ -105,6 +105,7 @@ server:
 cache_reload_interval: {{ .cacheReloadInterval | quote }}
 events_based_cache: {{ .eventsBasedCache }}
 prune_events_older_than: {{ .pruneEventsOlderThan | quote }}
+ require_pq_kem: {{ .requirePQKEM }}
 {{- if gt (len .featureFlags) 0 }}
 feature_flags:
 {{- range .featureFlags }}
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index a0b3fd146..e2e7fcdfe 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -1271,6 +1271,8 @@ experimental:
 eventsBasedCache: false
 ## @param experimental.pruneEventsOlderThan How old an event can be before being deleted. Used with events based cache.
 pruneEventsOlderThan: 12h
+ ## @param experimental.requirePQKEM Require use of a post-quantum-safe key exchange method for TLS handshakes.
+ requirePQKEM: false
 ## @param experimental.featureFlags [array] List of developer feature flags
 featureFlags: []
 ## @param experimental.authOpaPolicyEngine [object] The [auth opa_policy engine](https://github.com/spiffe/spire/blob/main/doc/authorization_policy_engine.md) used for authorization decisions. Defaults to the default SPIRE authorization policy.