Private Preview

This feature is in private preview and is not publicly available.

Configuration Reference

Overview

This section provides comprehensive configuration options for the SPIRL Reflector component.

Agent Endpoint Configuration Inheritance

The SPIRL Reflector automatically copies certain configuration settings from the agent.endpoint section when deploying. Specifically, the following settings are inherited:

  • endpoint/endpoints: The TD server endpoint(s) to connect to
  • supplementalRootsPEM: Additional PEM encoded root CA to trust when connecting to a TD server
  • connectionMaxAge: Maximum age for gRPC connections to the trust domain server
  • useGRPCFastRedial: Whether to use fast redial for gRPC connections

Additionally, the Reflector copies configuration from agent.auth and uses the same authentication method as the agent when connecting to the TD server.

These settings are used by the Reflector when initializing its trust domain server client. The values are copied from the agent configuration to ensure consistent connection behavior between the agent and reflector components.

Complete Configuration Schema

reflector:
  # Basic component enablement
  enabled: true

  # Deployment configuration
  deployment:
    # Number of replicas to deploy
    replicaCount: 2
    # Environment variables to set
    env: []
    # Resource limits and requests
    resources:
      limits:
        cpu: 500m
        memory: 512Mi
      requests:
        cpu: 100m
        memory: 128Mi
    # Pod disruption budget configuration
    # Note: Only one of minAvailable or maxUnavailable can be specified
    podDisruptionBudget:
      enabled: false # Enable pod disruption budget
      minAvailable: 1 # Minimum number of available pods during disruption
      # maxUnavailable: 1 # Maximum number of unavailable pods during disruption

  # Service configuration
  service:
    type: ClusterIP
    port: 9190 # Agent communication port
    annotations: {}

  # Any additional labels to be applied to the Reflector component
  additionalLabels: {}

  # Environment variables to set
  env: []

  # Sensitive stored state encryption key configuration using cloud configuration
  # options. These are used to indicate how the Reflector should encrypt the local
  # encryption key that is used for encrypting sensitive stored data. The cloud
  # provider configurations are mutually exclusive; only one can be set for a
  # deployment. If none are set then a cluster local key encryption key will be
  # generated and stored in a Kubernetes secret.

  # AWS specific configuration
  aws:
    # If set, this KMS key is used for encrypting sensitive stored state. If neither
    # this nor the Azure Key Vault config is set then a cluster local key will be
    # generated and used.
    kmsKeyARN: ""
    # Configures explicit endpoints to use to connect to AWS services if they are
    # different than the standard endpoints.
    endpoints:
      kms: ""

  # Azure specific configuration
  azure:
    # Azure Key Vault specific configuration
    keyVault:
      # If url and keyName are set this key will be used for encrypting sensitive
      # stored state. If neither this nor the AWS config is set then a cluster local
      # key will be generated and used.
      url: ""
      keyName: ""
      # Optional key version of the above key. If not set the most recent version
      # will be used.
      keyVersion: ""

  # Google Cloud specific configuration
  #
  # If all elements of "gcp" are set this key will be used for encrypting sensitive
  # stored state.
  gcp:
    # The project ID to use for the GCP client.
    projectID: ""
    # The location to use for the GCP client.
    location: ""
    # KMS specific configuration
    kms:
      # The key ring containing the key to use for encrypting sensitive stored state.
      keyRing: ""
      # The key to use for encrypting sensitive stored state.
      keyName: ""

  # Telemetry configuration
  # NOTE: This telemetry configuration applies to both the Reflector and the Agent
  telemetry:
    # Whether to enable telemetry
    enabled: false
    # Metrics collectors configuration
    collectors:
      # gRPC metrics collector configuration
      grpc:
        # Whether to emit latency metrics. Time histogram metrics for gRPC servers and
        # clients will be emitted if true.
        # Since it is bad practice to have metrics of high cardinality, the latency
        # monitoring metrics are disabled by default.
        # https://prometheus.io/docs/practices/instrumentation/#do-not-overuse-labels
        emmitLatencyMetrics: false
    metricsAPI:
      port: 9090

Configuration Sections

Basic Settings

| Parameter | Description | Default | Required |
|---|---|---|---|
| enabled | Enable SPIRL Reflector deployment | false | Yes |
| service.type | Kubernetes service type | ClusterIP | No |
| service.port | Port for agent communication | 9190 | No |
| service.annotations | Additional service annotations | {} | No |
| additionalLabels | Additional labels for the Reflector component | {} | No |

Deployment Configuration

| Parameter | Description | Default | Required |
|---|---|---|---|
| deployment.replicaCount | Number of reflector replicas to deploy | 2 | No |
| deployment.env | Environment variables to set for the deployment | [] | No |
| deployment.resources.limits.cpu | CPU limit for reflector pods | 500m | No |
| deployment.resources.limits.memory | Memory limit for reflector pods | 512Mi | No |
| deployment.resources.requests.cpu | CPU request for reflector pods | 100m | No |
| deployment.resources.requests.memory | Memory request for reflector pods | 128Mi | No |
| deployment.podDisruptionBudget.enabled | Enable pod disruption budget | false | No |
| deployment.podDisruptionBudget.minAvailable | Minimum number of available pods during disruption | 1 | No* |
| deployment.podDisruptionBudget.maxUnavailable | Maximum number of unavailable pods during disruption | 1 | No* |

*Only one of minAvailable or maxUnavailable can be specified for podDisruptionBudget

Cloud Provider Configuration

AWS Configuration

| Parameter | Description | Default | Required |
|---|---|---|---|
| aws.kmsKeyARN | KMS key ARN for encrypting sensitive state. Required if AWS configuration is used. | "" | No* |
| aws.endpoints.kms | Custom KMS endpoint. Optional when using AWS configuration. | "" | No |

*Required if AWS configuration is used

Azure Configuration

| Parameter | Description | Default | Required |
|---|---|---|---|
| azure.keyVault.url | Azure Key Vault URL. Required if Azure configuration is used. | "" | No* |
| azure.keyVault.keyName | Key name in Azure Key Vault. Required if Azure configuration is used. | "" | No* |
| azure.keyVault.keyVersion | Key version in Azure Key Vault. Optional when using Azure configuration. | "" | No |

*Required if Azure configuration is used

Google Cloud Configuration

| Parameter | Description | Default | Required |
|---|---|---|---|
| gcp.projectID | GCP project ID. Required if GCP configuration is used. | "" | No* |
| gcp.location | GCP location. Required if GCP configuration is used. | "" | No* |
| gcp.kms.keyRing | KMS key ring name. Required if GCP configuration is used. | "" | No* |
| gcp.kms.keyName | KMS key name. Required if GCP configuration is used. | "" | No* |

*Required if GCP configuration is used

Note: Only one cloud provider configuration (AWS, Azure, or GCP) can be used at a time. If none are configured, the key encryption key will be stored in a Kubernetes secret.
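The two exclusivity rules on this page (exactly one of minAvailable or maxUnavailable for the pod disruption budget, and at most one cloud provider for the key encryption key, with that provider's required fields populated) are easy to get wrong in a values file. The following is an added example, not SPIRL's own validation code: it checks a parsed reflector values block against those rules as the reference states them, and reports which key encryption key backend the block selects. The sample values, including the placeholder KMS ARN, are constructed for the example.

```python
"""Check a SPIRL Reflector values block against the constraints in this reference.

Added illustration, not SPIRL's own code. It operates on the plain dict you get
from parsing values.yaml (e.g. yaml.safe_load) and expects the `reflector:`
block itself as input.
"""

from typing import Any

# Required fields per cloud provider, as listed in the configuration tables.
_REQUIRED: dict[str, list[tuple[str, ...]]] = {
    "aws": [("aws", "kmsKeyARN")],
    "azure": [("azure", "keyVault", "url"), ("azure", "keyVault", "keyName")],
    "gcp": [
        ("gcp", "projectID"),
        ("gcp", "location"),
        ("gcp", "kms", "keyRing"),
        ("gcp", "kms", "keyName"),
    ],
}

# Any non-empty field in this set means "the provider is configured".
_ANY_SET: dict[str, list[tuple[str, ...]]] = {
    "aws": _REQUIRED["aws"] + [("aws", "endpoints", "kms")],
    "azure": _REQUIRED["azure"] + [("azure", "keyVault", "keyVersion")],
    "gcp": _REQUIRED["gcp"],
}


def _get(d: Any, path: tuple[str, ...]) -> Any:
    """Walk nested dicts along path; a missing key yields None."""
    cur = d
    for key in path:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def _is_set(value: Any) -> bool:
    """Empty string, empty collection and null all count as unset (0 does not)."""
    return value not in (None, "", {}, [])


def configured_providers(reflector: dict) -> list[str]:
    """Cloud providers with at least one populated field, in table order."""
    return [
        name for name, paths in _ANY_SET.items()
        if any(_is_set(_get(reflector, p)) for p in paths)
    ]


def kek_backend(reflector: dict) -> str:
    """Backend protecting the local key encryption key: a provider name, or
    "kubernetes-secret" when no provider is configured (the page's default)."""
    providers = configured_providers(reflector)
    if len(providers) > 1:
        raise ValueError("ambiguous cloud provider configuration: " + ", ".join(providers))
    return providers[0] if providers else "kubernetes-secret"


def validate(reflector: dict) -> list[str]:
    """Return the constraint violations found (empty list means valid)."""
    errors: list[str] = []

    # Rule 1: with the PDB enabled, exactly one of minAvailable/maxUnavailable.
    pdb = _get(reflector, ("deployment", "podDisruptionBudget")) or {}
    if pdb.get("enabled"):
        chosen = [k for k in ("minAvailable", "maxUnavailable") if _is_set(pdb.get(k))]
        if len(chosen) != 1:
            errors.append(
                "podDisruptionBudget: exactly one of minAvailable or maxUnavailable "
                f"must be set (got {', '.join(chosen) or 'none'})"
            )

    # Rule 2: at most one cloud provider, and all of its required fields set.
    providers = configured_providers(reflector)
    if len(providers) > 1:
        errors.append(
            "only one cloud provider configuration may be used at a time "
            f"(found {', '.join(providers)})"
        )
    for name in providers:
        for path in _REQUIRED[name]:
            if not _is_set(_get(reflector, path)):
                errors.append(f"{'.'.join(path)} is required when {name} is configured")
    return errors


# Constructed sample: AWS-backed KEK with a placeholder ARN, PDB enabled via maxUnavailable.
SAMPLE_REFLECTOR = {
    "enabled": True,
    "deployment": {
        "podDisruptionBudget": {"enabled": True, "minAvailable": None, "maxUnavailable": 1},
    },
    "aws": {"kmsKeyARN": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER-KEY-ID"},
}

if __name__ == "__main__":
    for problem in validate(SAMPLE_REFLECTOR):
        print("error:", problem)
    print("key encryption key backend:", kek_backend(SAMPLE_REFLECTOR))
```

The sample sets `minAvailable` to null rather than omitting it: Helm merges user-supplied values over the chart defaults, so leaving the default `minAvailable: 1` in place while adding `maxUnavailable` would produce both keys, which the reference disallows. The checker treats null and empty strings as unset for the same reason.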

Telemetry Configuration

| Parameter | Description | Default | Required |
|---|---|---|---|
| telemetry.enabled | Enable telemetry | false | No |
| telemetry.collectors.grpc.emmitLatencyMetrics | Enable gRPC latency metrics | false | No |
| telemetry.metricsAPI.port | Port for metrics endpoint | 9090 | No |