From 859505ae5271fd453f4e2b97d6c1474308338217 Mon Sep 17 00:00:00 2001
From: Daniel Schlatter
Date: Mon, 23 Feb 2026 15:30:58 -0700
Subject: [PATCH] add key experimental.requirePQKEM for spire-server and spire-agent

Signed-off-by: Daniel Schlatter
---
 charts/spire/charts/spire-agent/README.md | 1 +
 charts/spire/charts/spire-agent/templates/configmap.yaml | 1 +
 charts/spire/charts/spire-agent/values.yaml | 2 ++
 charts/spire/charts/spire-server/README.md | 1 +
 charts/spire/charts/spire-server/templates/configmap.yaml | 1 +
 charts/spire/charts/spire-server/values.yaml | 2 ++
 6 files changed, 8 insertions(+)

diff --git a/charts/spire/charts/spire-agent/README.md b/charts/spire/charts/spire-agent/README.md
index bc475f306..2e02a3f44 100644
--- a/charts/spire/charts/spire-agent/README.md
+++ b/charts/spire/charts/spire-agent/README.md
@@ -143,6 +143,7 @@ A Helm chart to install the SPIRE agent.
 | `customPlugins.workloadAttestor` | Custom plugins of type WorkloadAttestor are configured here | `{}` |
 | `experimental.enabled` | Allow configuration of experimental features | `false` |
 | `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` |
+| `experimental.requirePQKEM` | Require use of a post-quantum-safe key exchange method for TLS handshakes. | `false` |
 | `experimental.featureFlags` | List of developer feature flags | `[]` |
 | `agents` | Configure multiple agent DaemonSets. Useful when you have different node types and nodeAttestors | `{}` |
 | `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
diff --git a/charts/spire/charts/spire-agent/templates/configmap.yaml b/charts/spire/charts/spire-agent/templates/configmap.yaml
index 77c15acd3..77be88f63 100644
--- a/charts/spire/charts/spire-agent/templates/configmap.yaml
+++ b/charts/spire/charts/spire-agent/templates/configmap.yaml
@@ -77,6 +77,7 @@ agent:
 {{- if eq (.enabled | toString) "true" }}
 experimental:
 sync_interval: {{ .syncInterval | quote }}
+ require_pq_kem: {{ .requirePQKEM }}
 {{- if gt (len .featureFlags) 0 }}
 feature_flags:
 {{- range .featureFlags }}
diff --git a/charts/spire/charts/spire-agent/values.yaml b/charts/spire/charts/spire-agent/values.yaml
index 3e32556d6..5a7cd9bdb 100644
--- a/charts/spire/charts/spire-agent/values.yaml
+++ b/charts/spire/charts/spire-agent/values.yaml
@@ -376,6 +376,8 @@ experimental:
 enabled: false
 ## @param experimental.syncInterval Sync interval with SPIRE server with exponential backoff
 syncInterval: 5s
+ ## @param experimental.requirePQKEM Require use of a post-quantum-safe key exchange method for TLS handshakes.
+ requirePQKEM: false
 ## @param experimental.featureFlags [array] List of developer feature flags
 featureFlags: []
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index 711fa494b..cac7ab8a6 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
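Review bot: The new `require_pq_kem: {{ .requirePQKEM }}` line sits inside the `{{- if eq (.enabled | toString) "true" }}` block visible at the top of the hunk, so a user who sets `experimental.requirePQKEM: true` but leaves `experimental.enabled` at its default `false` gets a rendered config with no `require_pq_kem` at all, and nothing tells them the hardening they asked for is not in effect. For a setting whose whole purpose is to reject handshakes, a silent no-op is the wrong failure mode; a fail-fast guard in the same scope, e.g. `{{- if and (ne (.enabled | toString) "true") (eq (.requirePQKEM | toString) "true") }}` / `{{- fail "experimental.requirePQKEM has no effect unless experimental.enabled is true" }}` / `{{- end }}`, would surface the misconfiguration at render time, and at minimum the `@param` description should state the dependency. The server-side line added in charts/spire/charts/spire-server/templates/configmap.yaml presumably sits under an equivalent `enabled` check (it is not visible in that hunk) and needs the same treatment. The enclosing `experimental:` mapping opens before and closes after the hunk.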
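Review bot: The `@param experimental.requirePQKEM` description says what the flag demands but not its consequence for operators: if, as "Require" implies, handshakes that do not negotiate a post-quantum KEM are rejected, then turning this on before every server, agent and client that talks TLS to this component supports such a KEM will break connectivity rather than degrade it. Helm-docs lifts this comment verbatim into the README table, so it is the only place most users will read about the option; suggest `## @param experimental.requirePQKEM Require a post-quantum-safe key exchange method (KEM) for TLS handshakes. Peers that cannot offer one will fail to connect, so enable this only once all servers, agents and clients in the trust domain support it.`. The identical comment added in charts/spire/charts/spire-server/values.yaml should carry the same wording.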
@@ -499,6 +499,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `experimental.cacheReloadInterval` | The amount of time between two reloads of the in-memory entry cache. | `5s` |
 | `experimental.eventsBasedCache` | Use events to update the cache with what's changed since the last update. | `false` |
 | `experimental.pruneEventsOlderThan` | How old an event can be before being deleted. Used with events based cache. | `12h` |
+| `experimental.requirePQKEM` | Require use of a post-quantum-safe key exchange method for TLS handshakes. | `false` |
 | `experimental.featureFlags` | List of developer feature flags | `[]` |
 | `experimental.authOpaPolicyEngine` | The [auth opa_policy engine](https://github.com/spiffe/spire/blob/main/doc/authorization_policy_engine.md) used for authorization decisions. Defaults to the default SPIRE authorization policy. | `{}` |
 | `experimental.authOpaPolicyEngine.local.policy_data` | A JSON blob that defines additional data that can be used in the rego policy. | `""` |
diff --git a/charts/spire/charts/spire-server/templates/configmap.yaml b/charts/spire/charts/spire-server/templates/configmap.yaml
index 07a10edff..701187ca6 100644
--- a/charts/spire/charts/spire-server/templates/configmap.yaml
+++ b/charts/spire/charts/spire-server/templates/configmap.yaml
@@ -105,6 +105,7 @@ server:
 cache_reload_interval: {{ .cacheReloadInterval | quote }}
 events_based_cache: {{ .eventsBasedCache }}
 prune_events_older_than: {{ .pruneEventsOlderThan | quote }}
+ require_pq_kem: {{ .requirePQKEM }}
 {{- if gt (len .featureFlags) 0 }}
 feature_flags:
 {{- range .featureFlags }}
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index 7d6e12690..b35fb062e 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -1271,6 +1271,8 @@ experimental:
 eventsBasedCache: false
 ## @param experimental.pruneEventsOlderThan How old an event can be before being deleted. Used with events based cache.
 pruneEventsOlderThan: 12h
+ ## @param experimental.requirePQKEM Require use of a post-quantum-safe key exchange method for TLS handshakes.
+ requirePQKEM: false
 ## @param experimental.featureFlags [array] List of developer feature flags
 featureFlags: []
 ## @param experimental.authOpaPolicyEngine [object] The [auth opa_policy engine](https://github.com/spiffe/spire/blob/main/doc/authorization_policy_engine.md) used for authorization decisions. Defaults to the default SPIRE authorization policy.