
Upstream CA integration

This page provides details on the configuration of an upstream Certificate Authority (CA) in SPIRE servers.

Upstream CA config is represented by spire-server.upstreamAuthority in the Helm chart values.

The default — no upstream CA (self-signed)


By default, SPIRE server does not utilise an upstream CA and instead relies on a self-signed CA that it generates when bootstrapping.

A popular, and often easily-available, option for configuring an upstream CA is to utilise cert-manager. For the easiest out-of-the-box experience, one can rely on the following config, which also instructs the Helm chart to precreate the upstream CA:

spire-server:
  upstreamAuthority:
    certManager:
      enabled: true
      ca:
        create: true

Other possible configuration options for cert-manager are described alongside Helm chart values.

Other possible upstream CA options are described alongside Helm chart values.

Examples of supported providers include AWS PCA, HCP Vault, and SPIRE itself.