Managed Configuration

Managed Configuration is the centralized mechanism for configuring Defakto features. Configuration is applied live without modifying Helm values, CLI flags, or restarting agents or servers.

How It Works

Configuration is expressed as YAML documents, each targeting a specific feature area (a section). Each document has three top-level fields:

section: AgentAttestation   # which feature this configures
schema: v1                  # document version
spec:                       # section-specific configuration
  policies:
    - name: my_policy
      requiredAttestors:
        - type: k8s_token
          config:
            issuerURL: https://oidc.eks.us-east-1.amazonaws.com/id/ABCDEF123456

Configuration documents are scoped to an entity in the Defakto hierarchy. Different sections apply at different scopes:

Section                 Scope
AgentAttestation        Cluster
AttributeRedaction      Cluster
SVIDPolicy *            Cluster
WorkloadAttestation     Cluster
KeyManager              Trust Domain Deployment
UpstreamAuthority       Trust Domain Deployment

* SVIDPolicy is coming end of April 2026. It replaces the per-cluster configuration for SPIFFE ID Templates, X.509-SVID Customization, and JWT-SVID Customization with a managed configuration section. Existing customization methods remain supported.

Applying Configuration

Using spirlctl

Apply one or more section documents to a cluster:

spirlctl config set cluster --id <cluster-id> config.yaml

Multiple documents can be applied in a single command:

spirlctl config set cluster --id <cluster-id> agent-attestation.yaml attribute-redaction.yaml

Apply to a trust domain deployment:

spirlctl config set trust-domain-deployment --id <deployment-id> key-manager.yaml

Using Terraform

resource "spirl_cluster_config" "example" {
  cluster_id = spirl_cluster.my_cluster.id
  sections = {
    AgentAttestation = <<-YAML
      section: AgentAttestation
      schema: v1
      spec:
        policies:
          - name: k8s_policy
            requiredAttestors:
              - type: k8s_token
                config:
                  issuerURL: https://oidc.eks.us-east-1.amazonaws.com/id/ABCDEF123456
    YAML
  }
}

Propagation

Once a configuration document passes validation and is stored, the Defakto control plane syncs it to your Trust Domain Servers automatically. From there, any agent-relevant configuration is further synced to agents. No server or agent restart is required for most configuration changes.

Some settings require a restart (noted on each feature's configuration page).

Validation

Each section has its own validation rules. If a document is invalid, spirlctl returns structured error messages describing the failure before any change is stored.
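The rules spirlctl applies are not spelled out on this page beyond the three required top-level fields and the section-to-scope table, so the following is an added example written for this page, not code from Defakto or spirlctl: a local pre-flight validator that could run in CI before `spirlctl config set`, catching the mistakes a reviewer can see without the control plane (a missing field, an unknown section, a KeyManager document aimed at a cluster, a `k8s_token` attestor whose issuer is not an https URL). The section-to-scope mapping is transcribed from the table above; the `cluster` and `trust-domain-deployment` scope strings are chosen here to mirror the spirlctl subcommands; and the AgentAttestation shape checks (non-empty policies, unique policy names, an https `issuerURL` for `k8s_token`) are assumptions inferred from the example document, not the authoritative schema. The sample documents are constructed, reusing the issuer URL shown on this page.

```python
# Added example (not Defakto or spirlctl code): a local pre-flight check for
# managed configuration documents before they are passed to `spirlctl config set`.
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Section -> scope it applies at, transcribed from the scope table on this page.
SECTION_SCOPES = {
    "AgentAttestation": "cluster",
    "AttributeRedaction": "cluster",
    "SVIDPolicy": "cluster",
    "WorkloadAttestation": "cluster",
    "KeyManager": "trust-domain-deployment",
    "UpstreamAuthority": "trust-domain-deployment",
}
REQUIRED_TOP_LEVEL = ("section", "schema", "spec")
SUPPORTED_SCHEMAS = ("v1",)  # the only document version shown on this page


@dataclass(frozen=True)
class Problem:
    path: str  # dotted path to the offending field
    message: str


def _check_agent_attestation(spec: dict) -> list[Problem]:
    """Shape rules inferred from the AgentAttestation example on this page.
    They are illustrative assumptions, not the schema spirlctl enforces."""
    policies = spec.get("policies")
    if not isinstance(policies, list) or not policies:
        return [Problem("spec.policies", "must be a non-empty list")]
    problems: list[Problem] = []
    names: set[str] = set()
    for i, policy in enumerate(policies):
        base = f"spec.policies[{i}]"
        policy = policy if isinstance(policy, dict) else {}
        name = policy.get("name")
        if isinstance(name, str) and name:
            if name in names:
                problems.append(Problem(f"{base}.name", f"duplicate policy name {name!r}"))
            names.add(name)
        else:
            problems.append(Problem(f"{base}.name", "required non-empty string"))
        attestors = policy.get("requiredAttestors")
        if not isinstance(attestors, list) or not attestors:
            problems.append(Problem(f"{base}.requiredAttestors", "must be a non-empty list"))
            continue
        for j, att in enumerate(attestors):
            apath = f"{base}.requiredAttestors[{j}]"
            if not isinstance(att, dict) or not isinstance(att.get("type"), str):
                problems.append(Problem(f"{apath}.type", "required string"))
                continue
            # A k8s_token attestor needs an OIDC issuerURL; insist on https so
            # token validation never trusts an issuer reached over plaintext.
            if att["type"] == "k8s_token":
                cfg = att.get("config")
                issuer = cfg.get("issuerURL") if isinstance(cfg, dict) else None
                url = urlparse(issuer) if isinstance(issuer, str) else None
                if url is None or url.scheme != "https" or not url.netloc:
                    problems.append(Problem(f"{apath}.config.issuerURL", "must be an https URL"))
    return problems


def validate_document(doc: object, target_scope: str) -> list[Problem]:
    """Check one section document against the scope it will be applied to.
    target_scope is "cluster" or "trust-domain-deployment", mirroring the
    `spirlctl config set` subcommands; an empty list means all checks passed."""
    if not isinstance(doc, dict):
        return [Problem("$", "document must be a YAML mapping")]
    problems = [Problem(k, "required top-level field is missing")
                for k in REQUIRED_TOP_LEVEL if k not in doc]
    problems += [Problem(str(k), "unexpected top-level field")
                 for k in doc if k not in REQUIRED_TOP_LEVEL]
    section = doc.get("section")
    if section is not None and not (isinstance(section, str) and section in SECTION_SCOPES):
        problems.append(Problem("section", f"unknown section {section!r}"))
    elif section is not None and SECTION_SCOPES[section] != target_scope:
        problems.append(Problem("section", f"{section} applies at "
                                f"{SECTION_SCOPES[section]} scope, not {target_scope}"))
    if "schema" in doc and doc["schema"] not in SUPPORTED_SCHEMAS:
        problems.append(Problem("schema", f"unsupported schema {doc['schema']!r}"))
    spec = doc.get("spec")
    if "spec" in doc and not isinstance(spec, dict):
        problems.append(Problem("spec", "must be a mapping"))
    elif section == "AgentAttestation" and isinstance(spec, dict):
        problems += _check_agent_attestation(spec)
    return problems


# Constructed sample documents; the issuer URL is the one shown on this page.
ISSUER = "https://oidc.eks.us-east-1.amazonaws.com/id/ABCDEF123456"
AGENT_ATTESTATION_OK = {"section": "AgentAttestation", "schema": "v1", "spec": {"policies": [
    {"name": "my_policy", "requiredAttestors": [{"type": "k8s_token", "config": {"issuerURL": ISSUER}}]}]}}
KEY_MANAGER_DOC = {"section": "KeyManager", "schema": "v1", "spec": {}}
PLAINTEXT_ISSUER = {"section": "AgentAttestation", "schema": "v1", "spec": {"policies": [
    {"name": "p", "requiredAttestors": [{"type": "k8s_token", "config": {"issuerURL": "http://oidc.example/id"}}]}]}}
```

To run this over real files, parse each one with PyYAML's `yaml.safe_load_all` (an assumed extra dependency; the sample documents above are plain dictionaries so the block itself needs nothing beyond the standard library) and call `validate_document` with the scope of the spirlctl subcommand you are about to use. A non-empty result is the signal to stop before `spirlctl config set` is invoked; the server-side validation described above still runs and remains authoritative.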