Deploy API
Now that we have provisioned a suitable Kubernetes cluster and installed SPIRE onto it, we are ready to install the Cofide Connect Control Plane.
Trust Bundle Storage
Connect currently supports S3 or GCS as a backend for trust bundle storage.
Follow the Cloud Integrations setup for your chosen trust bundle storage backend.
Connect tags all objects with Service=Connect for easy identification of objects it manages.
The bucket also needs to be exposed via a URL for workload clusters to retrieve trust bundles from it. This can be done in various ways. For example, when using S3 a common pattern is to expose it using CloudFront.
Control Plane Datastore
Connect requires a Postgres datastore. You can use an in-cluster database (e.g. by using the CNPG operator); doing so allows the database to be issued a SPIFFE ID and to secure its communication with Connect using mTLS. Alternatively, sqlConnectionString can hold the full connection string used to authenticate with other databases.
If using a cloud provider managed database follow the Cloud Integrations setup for your managed database service.
Control Plane webPKI certificate
The Connect API terminates TLS at the pod; therefore you must create a secret in the same namespace as the Connect server (default is connect) that holds the TLS certificate and key. Set this using envoy.auth.tlsSecretName in the Helm values when deploying the Connect API chart.
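One way to provision that secret, as an added example that is not part of the Cofide documentation: a cert-manager Certificate that writes a web PKI certificate into a secret named envoy-tls in the connect namespace, matching the tlsSecretName and hostname used in the values file later on this page. The ClusterIssuer name letsencrypt-prod is an assumption; substitute the issuer configured in your cluster.

```yaml
# Added example (not from the Cofide docs). Assumes cert-manager is installed and
# a ClusterIssuer named "letsencrypt-prod" exists (assumed name, adjust to yours).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: connect-api-tls
  # Must be the namespace the Connect server runs in (default: connect)
  namespace: connect
spec:
  # Secret referenced by envoy.auth.tlsSecretName in the Helm values
  secretName: envoy-tls
  # Hostname clients use to reach the API; keep in sync with the
  # external-dns hostname and envoy.auth.audiences in values.yaml
  dnsNames:
    - connect.example.cofide.dev
  # Private key is regenerated on each renewal rather than reused
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
  # Renew well before expiry so the pod never serves an expired cert
  duration: 2160h   # 90 days
  renewBefore: 360h # 15 days
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod
```

After applying it, `kubectl -n connect get certificate connect-api-tls` should report Ready=True and `kubectl -n connect get secret envoy-tls` should show a kubernetes.io/tls secret before you run the helm install below.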
Deploy Control Plane API
Deploy the Connect helm chart to the connect namespace in the cluster. This deploys the API server.
```sh
helm repo add cofide https://cofide.github.io/helm-charts --force-update
helm install cofide-connect-api cofide/cofide-connect \
  --values values.yaml \
  --namespace connect \
  --create-namespace \
  --version 0.11.3 \
  --wait \
  --timeout 120s
```

An example values file is below; adapt it to suit your deployment.

```yaml
connect:
  # Expected audience from OIDC token from Cofide spire server in workload clusters
  connectPSATAudience: connect
  urlBase: example.cofide.dev
  allowedOrigins:
    # Domain on which the UI will be available
    - https://app.example.cofide.dev
  # Must line up with SPIRE trust domain created earlier
  trustDomain: connect.example.cofide.dev
  # Domain the object storage of trust zone certificate bundles is exposed on for read
  connectTrustBundleStoreURL: federate.example.cofide.dev
  # Using GCS as the object storage for trust zone certificate bundles
  trustBundleStoreBackend:
    s3:
      enabled: false
    gcs:
      enabled: true
      bucket: connect-example
      oidc:
        workloadIdentityProvider: projects/123456789/locations/global/workloadIdentityPools/connect/providers/connect
        audience: https://connect.example.cofide.dev
  # Using CloudSQL as the database provider
  datastore:
    sqlConnectionString:
      enabled: false
    cloudSQL:
      enabled: true
      instance: cofide-example:europe-west1:connect
      databaseName: connect
      pscEnabled: true
      oidc:
        workloadIdentityProvider: projects/123456789/locations/global/workloadIdentityPools/connect/providers/connect
        audience: https://connect.example.cofide.dev
  # Configure your initial admins here
  initialRBAC:
    version: 1
    roleBindings:
      - resourceID: global
        resourceType: System
        roleID: admin
        user:
          subject: my-initial-admin-user-subject-from-my-oauth-provider
envoy:
  auth:
    # Configure this with your OAuth provider for user auth
    issuer: https://example-oauth-provider-issuer.com
    jwksUri: https://example-oauth-provider-jwksuri.com/.well-known/jwks.json
    # Secret must contain the certificate to be presented when clients use web PKI - e.g. provisioned by cert-manager
    tlsSecretName: envoy-tls
    audiences:
      - https://connect.example.cofide.dev
service:
  port: 443
  # Using external-dns and gke's loadbalancer controller to provision load balancers and setup DNS records pointing at them
  annotations:
    networking.gke.io/load-balancer-type: External
    external-dns.alpha.kubernetes.io/hostname: connect.example.cofide.dev
```