Configuring SPIKE
You can use environment variables to configure the SPIKE components.
The following table lists the environment variables that you can use to configure the SPIKE components:
| Component | Environment Variable | Description | Default Value |
|---|---|---|---|
| All | SPIFFE_ENDPOINT_SOCKET | The Unix domain socket path used for SPIFFE Workload API | "unix:///tmp/spire-agent/public/api.sock" |
| All | SPIKE_BANNER_ENABLED | Whether to display the SPIKE banner on startup. Set to true to enable. | true |
| All | SPIKE_HTTP_CLIENT_DIALER_KEEP_ALIVE | Keep-alive duration for HTTP client’s network dialer connections. | "30s" |
| All | SPIKE_HTTP_CLIENT_DIALER_TIMEOUT | Timeout for establishing new HTTP client network connections. | "30s" |
| All | SPIKE_HTTP_CLIENT_EXPECT_CONTINUE_TIMEOUT | Timeout for HTTP client to wait for Expect: 100-continue responses from servers. | "5s" |
| All | SPIKE_HTTP_CLIENT_IDLE_CONN_TIMEOUT | Maximum duration an idle HTTP connection will remain open before closing. | "30s" |
| All | SPIKE_HTTP_CLIENT_MAX_CONNS_PER_HOST | Maximum number of HTTP connections allowed per host. | 10 |
| All | SPIKE_HTTP_CLIENT_MAX_IDLE_CONNS | Maximum number of idle HTTP connections across all hosts. | 100 |
| All | SPIKE_HTTP_CLIENT_MAX_IDLE_CONNS_PER_HOST | Maximum number of idle HTTP connections per host. | 10 |
| All | SPIKE_HTTP_CLIENT_RESPONSE_HEADER_TIMEOUT | Timeout for HTTP client waiting for server’s response headers. | "10s" |
| All | SPIKE_HTTP_CLIENT_TIMEOUT | Overall timeout for HTTP client requests (includes connection, request, and response time). | "60s" |
| All | SPIKE_HTTP_CLIENT_TLS_HANDSHAKE_TIMEOUT | Timeout for completing TLS handshakes in HTTP client connections. | "10s" |
| All | SPIKE_HTTP_SERVER_READ_HEADER_TIMEOUT | Timeout for reading HTTP request headers on the server side. Helps prevent slowloris attacks. | "10s" |
| All | SPIKE_NEXUS_API_URL | The URL where SPIKE Nexus can be reached. | "https://localhost:8553" |
| All | SPIKE_SPIFFE_SOURCE_TIMEOUT | Timeout for creating SPIFFE X509Source and fetching initial SVID from Workload API. Prevents indefinite blocking on socket issues. | "30s" |
| All | SPIKE_STACK_TRACES_ON_LOG_FATAL | Whether to print stack traces when log.FatalLn is called. Set to true to enable for development/testing. Disabled by default for production safety. | false |
| All | SPIKE_SYSTEM_LOG_LEVEL | The log level for all SPIKE components ("DEBUG", "INFO", "WARN", "ERROR"). | "WARN" |
| All | SPIKE_TRUST_ROOT | The SPIFFE trust root used within the SPIKE trust boundary. Can be a single entry, or a comma-delimited list of suitable trust roots. | "spike.ist" |
| All | SPIKE_TRUST_ROOT_BOOTSTRAP | The SPIFFE trust root used for SPIKE Bootstrap. Can be a single entry, or a comma-delimited list of suitable trust roots. | "spike.ist" |
| All | SPIKE_TRUST_ROOT_KEEPER | The SPIFFE trust root used for SPIKE Keeper instances. Can be a single entry, or a comma-delimited list of suitable trust roots. | "spike.ist" |
| All | SPIKE_TRUST_ROOT_LITE_WORKLOAD | The SPIFFE trust root used for lite workload instances. Can be a single entry, or a comma-delimited list of suitable trust roots. | "spike.ist" |
| All | SPIKE_TRUST_ROOT_NEXUS | The SPIFFE trust root used for SPIKE Nexus instances. Can be a single entry, or a comma-delimited list of suitable trust roots. | "spike.ist" |
| All | SPIKE_TRUST_ROOT_PILOT | The SPIFFE trust root used for SPIKE Pilot instances. Can be a single entry, or a comma-delimited list of suitable trust roots. | "spike.ist" |
| SPIKE Bootstrap | SPIKE_BOOTSTRAP_FORCE | Whether to force SPIKE Bootstrap to run even if the system has already bootstrapped before. | false |
| SPIKE Keeper | SPIKE_KEEPER_TLS_PORT | The TLS port the current SPIKE Keeper instance listens on. | ":8443" |
| SPIKE Nexus | SPIKE_NEXUS_BACKEND_STORE | The backend store SPIKE Nexus uses to store secrets (memory, lite, sqlite). | "sqlite" |
| SPIKE Nexus | SPIKE_NEXUS_CRYPTO_MAX_CIPHERTEXT_SIZE | The maximum allowed ciphertext size in bytes for encryption operations. | 65536 |
| SPIKE Nexus | SPIKE_NEXUS_DATA_DIR | Custom directory for Nexus data storage. Falls back to ~/.spike/data or /tmp/.spike-$USER/data. | ~/.spike/data |
| SPIKE Nexus | SPIKE_NEXUS_DB_BUSY_TIMEOUT_MS | The timeout for the database to wait for a lock. | 1000 |
| SPIKE Nexus | SPIKE_NEXUS_DB_CONN_MAX_LIFETIME | The maximum lifetime of a database connection. | "1h" |
| SPIKE Nexus | SPIKE_NEXUS_DB_INITIALIZATION_TIMEOUT | The maximum time SPIKE Nexus waits for its DB to initialize before bailing out. | "30s" |
| SPIKE Nexus | SPIKE_NEXUS_DB_JOURNAL_MODE | The journal mode for the SQLite database. | "WAL" |
| SPIKE Nexus | SPIKE_NEXUS_DB_MAX_IDLE_CONNS | The maximum number of idle connections to the database. | 5 |
| SPIKE Nexus | SPIKE_NEXUS_DB_MAX_OPEN_CONNS | The maximum number of open connections to the database. | 10 |
| SPIKE Nexus | SPIKE_NEXUS_DB_OPERATION_TIMEOUT | The timeout for database operations. | "15s" |
| SPIKE Nexus | SPIKE_NEXUS_DB_SKIP_SCHEMA_CREATION | If set to true, SPIKE Nexus does not create its backing store; the operator must create the initial backing store manually. | false |
| SPIKE Nexus | SPIKE_NEXUS_KEEPER_PEERS | A mapping that contains a comma-delimited list of URLs for all SPIKE Keepers that SPIKE Nexus knows about. | "" (see ./hack/bare-metal/startup/start-nexus.sh for usage examples) |
| SPIKE Nexus | SPIKE_NEXUS_KEEPER_UPDATE_INTERVAL | The interval at which SPIKE Nexus updates SPIKE Keepers with the relevant shard information. | "5m" |
| SPIKE Nexus | SPIKE_NEXUS_MAX_SECRET_VERSIONS | The maximum number of versions of a secret that SPIKE Nexus stores. | 10 |
| SPIKE Nexus | SPIKE_NEXUS_PBKDF2_ITERATION_COUNT | The number of iterations for the PBKDF2 key derivation function. | 600000 |
| SPIKE Nexus | SPIKE_NEXUS_RECOVERY_MAX_INTERVAL | The maximum interval between retries in the recovery operation's backoff algorithm. | "60s" |
| SPIKE Nexus | SPIKE_NEXUS_SHAMIR_MAX_SHARE_COUNT | The maximum allowed number of shares in Shamir’s Secret Sharing. Also limits the maximum number of SPIKE Keeper instances a deployment can support. | 1000 |
| SPIKE Nexus | SPIKE_NEXUS_SHAMIR_SHARES | The total number of shares used for secret sharding. This should equal the number of SPIKE Keepers. | 3 |
| SPIKE Nexus | SPIKE_NEXUS_SHAMIR_THRESHOLD | The minimum number of shares to be able to reconstruct the root key. | 2 |
| SPIKE Nexus | SPIKE_NEXUS_TLS_PORT | The TLS port SPIKE Nexus listens on. | ":8553" |
| SPIKE Pilot | SPIKE_PILOT_RECOVERY_DIR | Custom directory for Pilot recovery shards. Falls back to ~/.spike/recover or /tmp/.spike-$USER/recover. | "" |
| SPIKE Pilot | SPIKE_PILOT_SHOW_MEMORY_WARNING | Whether to show a warning when the system cannot lock memory for security. | false |
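The Shamir settings above interact with each other: the threshold must not exceed the share count, the share count must stay within SPIKE_NEXUS_SHAMIR_MAX_SHARE_COUNT, and the share count should match the number of Keepers listed in SPIKE_NEXUS_KEEPER_PEERS. The following preflight check is an added example, not part of SPIKE's own tooling. It reads the same environment variables with the table's defaults and refuses combinations that could never reconstruct the root key. The Keeper count is derived by splitting SPIKE_NEXUS_KEEPER_PEERS on commas, which assumes only the comma-delimited shape the table mentions, not any particular mapping format.

```shell
#!/bin/sh
# spike_shamir_check: validate SPIKE Nexus Shamir settings before starting Nexus.
# Added example (not SPIKE's own code). Defaults mirror the configuration table.
# Returns 0 when the settings are consistent, 1 otherwise, with the reason on stderr.

spike_shamir_check() {
  shares="${SPIKE_NEXUS_SHAMIR_SHARES:-3}"
  threshold="${SPIKE_NEXUS_SHAMIR_THRESHOLD:-2}"
  max_shares="${SPIKE_NEXUS_SHAMIR_MAX_SHARE_COUNT:-1000}"
  peers="${SPIKE_NEXUS_KEEPER_PEERS:-}"

  # Every count must be a positive integer without a leading zero.
  for v in "$shares" "$threshold" "$max_shares"; do
    case "$v" in
      ''|*[!0-9]*|0*) echo "spike_shamir_check: not a positive integer: '$v'" >&2; return 1 ;;
    esac
  done

  # A threshold above the share count means no set of Keepers can ever rebuild the root key.
  [ "$threshold" -le "$shares" ] || {
    echo "spike_shamir_check: threshold $threshold exceeds share count $shares" >&2; return 1; }

  # The share count is capped by the deployment-wide maximum.
  [ "$shares" -le "$max_shares" ] || {
    echo "spike_shamir_check: share count $shares exceeds max share count $max_shares" >&2; return 1; }

  # A threshold of 1 hands the whole root key to any single Keeper; warn, since it
  # is mathematically valid but gives up the benefit of sharding (assumption: allowed).
  [ "$threshold" -ge 2 ] || echo "spike_shamir_check: warning: threshold of 1 means one Keeper holds the full key" >&2

  # When peers are configured, their number should equal the share count (per the table).
  # Assumption: entries are comma-delimited; the exact mapping syntax is not needed to count them.
  if [ -n "$peers" ]; then
    peer_count=$(printf '%s\n' "$peers" | tr ',' '\n' | grep -c . || true)
    [ "$peer_count" -eq "$shares" ] || {
      echo "spike_shamir_check: $peer_count Keeper peer(s) configured but share count is $shares" >&2; return 1; }
  fi
  return 0
}
```

Source the file into the shell that will launch Nexus and call `spike_shamir_check` before the start command; a non-zero exit stops the launch with the offending setting named on stderr.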
We’ll add more configuration options in the future. Stay tuned.