Concepts
This page summarises the key concepts and resources associated with the Cofide Connect platform to issue workloads with cryptographic identity. A more general overview of workload identity conforming to the SPIFFE standard can be found here.
Cluster
A cluster is a single environment (e.g. a Kubernetes cluster) onboarded onto Connect. Each cluster will have a Cofide Agent deployed to it, which facilitates both the registration of the environment and dynamic control plane functionality of the platform.
Trust Zone
A trust zone represents a single cluster or collection of clusters within a single trust boundary. Each trust zone is a single SPIFFE trust domain, and workload identities that are issued in a trust zone will have the trust domain as the root of the minted SVID.
Attestation Policy
Attestation policies map identities to workloads by specifying attributes of the workload that must be attested in order for an identity to be issued. Attestation policies are defined and bound to trust zones with an attestation policy binding. This allows for the re-use of common policy across trust zones.
Federation
A federation is a trust relationship between two trust zones, allowing trust to be established between workloads across the two zones.
This maintains multiple securely isolated trust zones (each with its own root of trust), while enabling selected workloads to communicate. Attestation policies are used in conjunction with federations to select which workloads are allowed to federate.
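The trust zone and federation concepts above come down to a decision on the trust domain carried in a peer's SPIFFE ID. The following is an added example, not Cofide's code or API: the zone names are constructed, the `federated` set is a hypothetical input, and it assumes the peer's SVID has already been verified against the trust bundle of its trust domain.

```go
package main

import (
	"fmt"
	"strings"
)

type TrustDecision string

const (
	Local     TrustDecision = "local"     // same trust zone, same trust domain
	Federated TrustDecision = "federated" // remote trust zone with a federation
	Untrusted TrustDecision = "untrusted" // malformed ID or unknown trust domain
)

// TrustDomainOf returns the trust domain of a SPIFFE ID (spiffe://<trust-domain>/<path>).
// Only the trust domain is validated here; path validation is out of scope.
func TrustDomainOf(id string) (string, error) {
	td := strings.SplitN(strings.TrimPrefix(id, "spiffe://"), "/", 2)[0]
	if !strings.HasPrefix(id, "spiffe://") || td == "" {
		return "", fmt.Errorf("not a SPIFFE ID with a trust domain: %q", id)
	}
	for _, c := range td {
		ok := (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_'
		if !ok { // rejects upper case, ports, userinfo and look-alike characters
			return "", fmt.Errorf("invalid character %q in trust domain", c)
		}
	}
	return td, nil
}

// Classify compares the peer's trust domain with the local trust domain and
// with the set of federated trust domains (hypothetical, supplied by the caller).
func Classify(peerID, localTD string, federated map[string]bool) TrustDecision {
	switch td, err := TrustDomainOf(peerID); {
	case err != nil:
		return Untrusted
	case td == localTD:
		return Local
	case federated[td]:
		return Federated
	}
	return Untrusted
}

func main() {
	fed := map[string]bool{"zone-b.example": true} // constructed sample data
	fmt.Println(Classify("spiffe://zone-b.example/ns/prod/sa/db", "zone-a.example", fed))
}
```

A peer classified as federated is only a candidate for communication; which workloads may actually federate is decided by attestation policy, which this example does not model.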
Federated Service
A federated service simplifies connectivity between workloads in different trust zones, making it easier to securely discover and communicate with a service in a remote trust zone. Combined with a federation, the Cofide Agent facilitates discovery and secure connectivity to this service. This is currently available via xDS (Envoy) and the Cofide Go SDK.
© 2026 Cofide Limited. All rights reserved.