1 change: 1 addition & 0 deletions charts/spire/charts/spire-agent/README.md
Expand Up @@ -143,6 +143,7 @@ A Helm chart to install the SPIRE agent.
| `customPlugins.workloadAttestor` | Custom plugins of type WorkloadAttestor are configured here | `{}` |
| `experimental.enabled` | Allow configuration of experimental features | `false` |
| `experimental.syncInterval` | Sync interval with SPIRE server with exponential backoff | `5s` |
| `experimental.requirePQKEM` | Require use of a post-quantum-safe key exchange method for TLS handshakes. | `false` |
| `experimental.featureFlags` | List of developer feature flags | `[]` |
| `agents` | Configure multiple agent DaemonSets. Useful when you have different node types and nodeAttestors | `{}` |
| `tools.kubectl.image.registry` | The OCI registry to pull the image from | `registry.k8s.io` |
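Review bot: the description on the added `experimental.requirePQKEM` row says only "for TLS handshakes", which does not tell an operator what happens to a peer that cannot negotiate such a key exchange. If "Require" means those handshakes are refused, say so in the description, so it is clear that enabling this can cut off peers rather than merely prefer a stronger option.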
1 change: 1 addition & 0 deletions charts/spire/charts/spire-agent/templates/configmap.yaml
Expand Up @@ -77,6 +77,7 @@ agent:
{{- if eq (.enabled | toString) "true" }}
experimental:
sync_interval: {{ .syncInterval | quote }}
require_pq_kem: {{ .requirePQKEM }}
{{- if gt (len .featureFlags) 0 }}
feature_flags:
{{- range .featureFlags }}
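Review bot: `require_pq_kem: {{ .requirePQKEM }}` is written on every render where experimental is enabled, including when the value is `false`, so users who turned on experimental for `sync_interval` or feature flags get a new key in their agent config after upgrading the chart. If the chart is meant to work with SPIRE images that predate this option, wrap the line in `{{- if .requirePQKEM }}` so the key appears only when requested. That guard also avoids rendering an empty value if a user overrides `requirePQKEM` with null.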
2 changes: 2 additions & 0 deletions charts/spire/charts/spire-agent/values.yaml
Expand Up @@ -376,6 +376,8 @@ experimental:
enabled: false
## @param experimental.syncInterval Sync interval with SPIRE server with exponential backoff
syncInterval: 5s
## @param experimental.requirePQKEM Require use of a post-quantum-safe key exchange method for TLS handshakes.
requirePQKEM: false
## @param experimental.featureFlags [array] List of developer feature flags
featureFlags: []
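Review bot: the `## @param experimental.requirePQKEM` comment does not mention that the value has no effect unless `experimental.enabled` is true; the agent configmap template only writes the `experimental:` block under `if eq (.enabled | toString) "true"`. With both defaults at `false`, setting `requirePQKEM: true` on its own silently does nothing. Add "Requires experimental.enabled" to the comment here, since the README row repeats this text.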

1 change: 1 addition & 0 deletions charts/spire/charts/spire-server/README.md
Expand Up @@ -499,6 +499,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
| `experimental.cacheReloadInterval` | The amount of time between two reloads of the in-memory entry cache. | `5s` |
| `experimental.eventsBasedCache` | Use events to update the cache with what's changed since the last update. | `false` |
| `experimental.pruneEventsOlderThan` | How old an event can be before being deleted. Used with events based cache. | `12h` |
| `experimental.requirePQKEM` | Require use of a post-quantum-safe key exchange method for TLS handshakes. | `false` |
| `experimental.featureFlags` | List of developer feature flags | `[]` |
| `experimental.authOpaPolicyEngine` | The [auth opa_policy engine](https://github.com/spiffe/spire/blob/main/doc/authorization_policy_engine.md) used for authorization decisions. Defaults to the default SPIRE authorization policy. | `{}` |
| `experimental.authOpaPolicyEngine.local.policy_data` | A JSON blob that defines additional data that can be used in the rego policy. | `""` |
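Review bot: the added `experimental.requirePQKEM` row repeats the agent chart's wording, and nothing in either README says that the server and agent values are set independently. As written, a user can require it on the server while the agents stay at the `false` default. A short note on whether both sides should be switched together, or which to enable first, would help.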
Expand Up @@ -105,6 +105,7 @@ server:
cache_reload_interval: {{ .cacheReloadInterval | quote }}
events_based_cache: {{ .eventsBasedCache }}
prune_events_older_than: {{ .pruneEventsOlderThan | quote }}
require_pq_kem: {{ .requirePQKEM }}
{{- if gt (len .featureFlags) 0 }}
feature_flags:
{{- range .featureFlags }}
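Review bot: the context shown around `require_pq_kem: {{ .requirePQKEM }}` does not include the guard that the agent template has (`if eq (.enabled | toString) "true"`), so please confirm this line sits inside the equivalent check in the server template. If it does, the same question applies as on the agent side: the key is emitted even when the value is `false`, and an `{{- if .requirePQKEM }}` wrapper would keep existing rendered configs unchanged.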
2 changes: 2 additions & 0 deletions charts/spire/charts/spire-server/values.yaml
Expand Up @@ -1271,6 +1271,8 @@ experimental:
eventsBasedCache: false
## @param experimental.pruneEventsOlderThan How old an event can be before being deleted. Used with events based cache.
pruneEventsOlderThan: 12h
## @param experimental.requirePQKEM Require use of a post-quantum-safe key exchange method for TLS handshakes.
requirePQKEM: false
## @param experimental.featureFlags [array] List of developer feature flags
featureFlags: []
## @param experimental.authOpaPolicyEngine [object] The [auth opa_policy engine](https://github.com/spiffe/spire/blob/main/doc/authorization_policy_engine.md) used for authorization decisions. Defaults to the default SPIRE authorization policy.
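Review bot: `requirePQKEM: false` is added with no test or example values among the files shown here. A template test that sets `experimental.enabled` and `experimental.requirePQKEM` to true and checks for `require_pq_kem: true` in the rendered config would catch a mistyped key in either chart.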