Deploy SPIRE
This page provides details on how to install the SPIRE server backing the Cofide Connect Control Plane.
Deploy Control Plane SPIRE server
Deploy the SPIRE CRDs and SPIRE chart in the cluster.
helm repo add spire-hardened https://spiffe.github.io/helm-charts-hardened/ --force-update

helm install spire-crds spire-hardened/spire-crds \
  --namespace spire-mgmt \
  --create-namespace \
  --version 0.5.0 \
  --wait \
  --timeout 60s

helm install spire spire-hardened/spire \
  --values values.yaml \
  --namespace spire-mgmt \
  --create-namespace \
  --version 0.27.1 \
  --wait \
  --timeout 120s

An example values file for deploying onto GKE with CloudSQL Postgres as the datastore, GCP KMS as the key manager and GCP Private CA as the upstream authority is provided below. Adapt this to your desired setup.
global:
  spire:
    namespaces:
      create: true
    recommendations:
      enabled: true
      priorityClassName: false
    clusterName: connect
    strictMode: true
    trustDomain: connect.example.cofide.dev
    jwtIssuer: https://oidc-discovery.example.cofide.dev
    caSubject:
      country: UK
      organization: Example
      commonName: example.cofide.dev

spiffe-oidc-discovery-provider:
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 3
  service:
    type: LoadBalancer
    # Using external-dns and GKE's load balancer controller to provision load balancers and set up DNS records pointing at them
    annotations:
      networking.gke.io/load-balancer-type: External
      external-dns.alpha.kubernetes.io/hostname: oidc-discovery.example.cofide.dev
  tls:
    # cert-manager is used instead of SPIRE to secure the OIDC discovery endpoint
    spire:
      enabled: false
    # Using cert-manager to issue certificates for the OIDC discovery endpoint
    certManager:
      enabled: true
      issuer:
        create: false
      certificate:
        issuerRef:
          kind: ClusterIssuer
          name: letsencrypt
        dnsNames:
          - oidc-discovery.example.cofide.dev
  namespaceOverride: connect

spire-server:
  kind: statefulset
  replicaCount: 2
  serviceAccount:
    annotations:
      # Identity of a service account in GCP with access to required cloud services
  persistence:
    storageClass: hyperdisk-balanced
    size: 4Gi
  upstreamAuthority:
    disk:
      enabled: false
  controllerManager:
    identities:
      clusterSPIFFEIDs:
        default:
          enabled: false
        # Allow connect control plane components to obtain SPIFFE IDs
        namespace-connect:
          dnsNameTemplates:
            - '{{ .PodSpec.ServiceAccountName }}.{{ .PodMeta.Namespace }}.{{ .TrustDomain }}'
          namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: connect
  keyManager:
    disk:
      enabled: false
  nodeAttestor:
    k8sPSAT:
      audience:
        - spire-server
  telemetry:
    prometheus:
      enabled: true
  # Using a postgres database in CloudSQL as the datastore for SPIRE
  dataStore:
    sql:
      databaseType: postgres
      databaseName: spire
      host: 127.0.0.1
      port: 5432
      password: unused
      options:
        - sslmode: disable
  extraContainers:
    - name: cloud-sql-proxy
      image: gcr.io/cloud-sql-connectors/cloud-sql-proxy:2.14.1
      args:
        - --auto-iam-authn
        - --port=5432
        - --psc
        - --structured-logs
        - cofide-example:europe-west1:connect
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        seccompProfile:
          type: RuntimeDefault
  unsupportedBuiltInPlugins:
    # Using GCP KMS as the key manager
    keyManager:
      gcp_kms:
        plugin_data:
          key_ring: projects/cofide-example/locations/europe-west1/keyRings/spire
          key_identifier_file: /run/spire/data/key_id
    upstreamAuthority:
      # Using GCP Private CA as the certificate authority
      gcp_cas:
        plugin_data:
          root_cert_spec:
            project_name: cofide-example
            region_name: europe-west1
            ca_pool: spire
            label_key: ca_type
            label_value: spire-root

© 2026 Cofide Limited. All rights reserved.
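The namespace-connect ClusterSPIFFEID above gives each pod in the connect namespace a DNS SAN rendered from a Go template. The following is an added example, not code from the page or from spire-controller-manager, that renders that template for a pod and checks the result is a valid DNS name; the PodMeta, PodSpec and TrustDomain field set is an assumed subset of what the controller manager exposes, and the pod and service account names are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strings"
	"text/template"
)

// Assumed subset of the fields spire-controller-manager passes to
// ClusterSPIFFEID templates; names follow the template in the values file.
type PodMeta struct{ Name, Namespace string }
type PodSpec struct{ ServiceAccountName string }
type TemplateData struct {
	PodMeta     PodMeta
	PodSpec     PodSpec
	TrustDomain string
}

// DNSNameTemplate is the namespace-connect dnsNameTemplates entry from the values file.
const DNSNameTemplate = "{{ .PodSpec.ServiceAccountName }}.{{ .PodMeta.Namespace }}.{{ .TrustDomain }}"

// RFC 1123 label: lowercase alphanumerics and '-', not starting or ending with '-'.
var labelRE = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// RenderDNSName renders tmpl for one pod and rejects output that is not a
// valid DNS name, since such a value cannot be used as an X509-SVID DNS SAN.
func RenderDNSName(tmpl string, d TemplateData) (string, error) {
	t, err := template.New("dns").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, d); err != nil {
		return "", err
	}
	name := buf.String()
	if len(name) > 253 {
		return "", fmt.Errorf("dns name %q exceeds 253 characters", name)
	}
	for _, label := range strings.Split(name, ".") {
		if len(label) > 63 || !labelRE.MatchString(label) {
			return "", fmt.Errorf("invalid dns label %q in %q", label, name)
		}
	}
	return name, nil
}

func main() {
	// Constructed pod: service account connect-api in namespace connect.
	pod := TemplateData{PodMeta{"connect-api-0", "connect"}, PodSpec{"connect-api"}, "connect.example.cofide.dev"}
	name, err := RenderDNSName(DNSNameTemplate, pod)
	fmt.Println(name, err) // connect-api.connect.connect.example.cofide.dev <nil>
}
```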