How Cofide works
Cofide Connect is an enterprise platform for workload identity management. It enables workloads to be seamlessly and securely connected across multi- and hybrid cloud environments, building on open standards including SPIFFE and OpenID Connect (OIDC).
This page provides an overview of the key components in the Cofide Connect platform. For a more in-depth summary of the concepts associated with workload identity and the Connect platform, you can read the Concepts page.
Components
The Cofide Connect platform comprises the following major components:
Cofide Connect
The central service backing the platform is Connect. It acts as a control plane for managing resources and configuration, making it robust and scalable to establish and use zero-trust mechanisms such as mutual TLS (mTLS) between remote workloads. It performs several key tasks in support of this:
- Provides APIs to create and configure Cofide resources, including trust zones, federations and attestation policies (see Concepts for more details);
- Manages and serves trust bundles for the environments onboarded to the platform;
- Provides service management and discovery for least-privilege networking across trust boundaries.
There are numerous ways to interact with Connect: via the Dashboard, cofidectl (the CLI), a Terraform provider, and directly via the gRPC API.
Cofide SPIRE Server
The Cofide SPIRE Server is a Connect-optimised version of the SPIRE server. It has been enhanced for enterprise deployment by being backed by a Connect control plane instance rather than a per-server datastore, which removes the need to provision and administer a database for each server. Managing every server through Connect allows for seamless configuration and scaling.
Cofide Observer
The Cofide Observer is a workload-level telemetry agent responsible for collecting relevant information about the workloads running in the Kubernetes cluster in which it is deployed. It is used together with the Cofide SPIRE Server to augment its capabilities, enabling advanced attestation policy cases such as pod label selector policies.
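To make the pod label selector case concrete, the following Go program is an added example, not Cofide's code: it evaluates namespace and label-based attestation policies against the kind of pod metadata an observer would collect, and shows what happens when a label does not match. The PodInfo and AttestationPolicy shapes, the policy names and the SPIFFE ID path convention are assumptions made for this illustration, not Cofide's policy format or Connect's identity templating.

```go
package main

import (
	"fmt"
	"sort"
)

// PodInfo is the slice of workload telemetry an observer-style agent would
// collect for a running pod. Constructed for this example; not the Cofide
// Observer's real schema.
type PodInfo struct {
	Namespace      string
	ServiceAccount string
	Labels         map[string]string
}

// AttestationPolicy admits pods by namespace and/or by a label set that must
// match in full (Kubernetes matchLabels semantics). The field names are an
// assumption for this example, not Cofide's attestation policy format.
type AttestationPolicy struct {
	Name        string
	Namespace   string            // "" means any namespace
	MatchLabels map[string]string // empty means no label constraint
}

// Matches reports whether the policy admits the pod. Every MatchLabels entry
// must be present on the pod with an identical value; extra pod labels are
// ignored, while a missing or differing label rejects the pod.
func (p AttestationPolicy) Matches(pod PodInfo) bool {
	if p.Namespace != "" && p.Namespace != pod.Namespace {
		return false
	}
	for k, want := range p.MatchLabels {
		if got, ok := pod.Labels[k]; !ok || got != want {
			return false
		}
	}
	return true
}

// Evaluate returns the names of every policy that admits the pod, sorted so
// the result is deterministic. An empty result means the pod is not attested
// and receives no SVID from this trust zone.
func Evaluate(policies []AttestationPolicy, pod PodInfo) []string {
	matched := []string{}
	for _, p := range policies {
		if p.Matches(pod) {
			matched = append(matched, p.Name)
		}
	}
	sort.Strings(matched)
	return matched
}

// SPIFFEID builds the identity an admitted pod would be issued, using the
// namespace/service-account path convention common in SPIRE Kubernetes
// deployments (an assumption here; Connect may template IDs differently).
func SPIFFEID(trustDomain string, pod PodInfo) string {
	return fmt.Sprintf("spiffe://%s/ns/%s/sa/%s", trustDomain, pod.Namespace, pod.ServiceAccount)
}

func main() {
	policies := []AttestationPolicy{
		{Name: "ns-payments", Namespace: "payments"},
		{Name: "tier-frontend", MatchLabels: map[string]string{"app.kubernetes.io/component": "frontend", "env": "prod"}},
	}
	// Constructed sample pods, as an observer would report them.
	pods := []PodInfo{
		{Namespace: "payments", ServiceAccount: "api", Labels: map[string]string{"env": "prod"}},
		{Namespace: "web", ServiceAccount: "ui", Labels: map[string]string{"app.kubernetes.io/component": "frontend", "env": "prod"}},
		{Namespace: "web", ServiceAccount: "ui-canary", Labels: map[string]string{"app.kubernetes.io/component": "frontend", "env": "staging"}},
	}
	for _, pod := range pods {
		m := Evaluate(policies, pod)
		if len(m) == 0 {
			fmt.Printf("%s/%s: no policy matched, no identity issued\n", pod.Namespace, pod.ServiceAccount)
			continue
		}
		fmt.Printf("%s/%s: admitted by %v -> %s\n", pod.Namespace, pod.ServiceAccount, m, SPIFFEID("example.org", pod))
	}
}
```

The third pod carries the right component label but env=staging, so the matchLabels set fails as a whole and the pod gets no identity; that all-or-nothing behaviour is the property a label-based policy must have, since partial matches would let a mislabelled workload borrow a production identity.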
Cofide Agent
The Cofide Agent is a lightweight process that connects securely to the Connect control plane and handles tasks such as bundle updates, inbound and outbound federation, and programming the downstream network path (via xDS, or for service meshes such as Istio) for seamless cross-boundary mTLS.
The Cofide Agent is installed by onboarding an environment using cofidectl with the Connect plugin, or more directly with the Agent Helm chart.
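As an added example, not the Cofide Agent's own code, the following Go program models the bundle-handling part of that job: parsing a SPIFFE bundle document (the JWK Set format a bundle endpoint serves, with its spiffe_sequence and spiffe_refresh_hint fields), refusing stale updates by sequence number, and selecting the one bundle that may verify a peer SVID from the trust domain in its SPIFFE ID. The bundle documents are constructed, their x5c values are placeholders rather than real certificates, and the BundleStore type and its method names are assumptions for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// bundleDoc models the SPIFFE bundle format a bundle endpoint serves: a JWK Set
// with spiffe_sequence and spiffe_refresh_hint, each x509-svid key carrying its
// CA certificate in x5c. Only the fields this example reads are declared.
type bundleDoc struct {
	Sequence    int64 `json:"spiffe_sequence"`
	RefreshHint int64 `json:"spiffe_refresh_hint"`
	Keys        []struct {
		Use string   `json:"use"`
		X5C []string `json:"x5c"`
	} `json:"keys"`
}

// Bundle is the installed view of one trust domain's X.509 roots.
type Bundle struct {
	TrustDomain string
	Sequence    int64
	RefreshHint int64    // seconds until the next fetch, as advised by the endpoint
	Roots       []string // base64 DER certificates, exactly as carried in x5c
}

// TrustDomainOf extracts the trust domain from a SPIFFE ID such as
// spiffe://example.org/ns/web/sa/ui and rejects anything that is not one.
func TrustDomainOf(id string) (string, error) {
	const scheme = "spiffe://"
	if !strings.HasPrefix(id, scheme) {
		return "", fmt.Errorf("not a SPIFFE ID: %q", id)
	}
	td, _, _ := strings.Cut(id[len(scheme):], "/")
	if td == "" {
		return "", fmt.Errorf("empty trust domain in %q", id)
	}
	return td, nil
}

// BundleStore holds one bundle per trust domain: the local one plus one per
// federated peer, as an agent that keeps bundles refreshed would (hypothetical type).
type BundleStore struct {
	bundles map[string]Bundle
}

func NewBundleStore() *BundleStore { return &BundleStore{bundles: map[string]Bundle{}} }

// Update parses a bundle document fetched for td and installs it only when its
// sequence number is newer than the one already held, so a stale or replayed
// document can never roll the roots back. It reports whether anything changed.
func (s *BundleStore) Update(td string, doc []byte) (bool, error) {
	var d bundleDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return false, fmt.Errorf("bundle for %s: %w", td, err)
	}
	var roots []string
	for _, k := range d.Keys {
		if k.Use == "x509-svid" && len(k.X5C) >= 1 { // one CA certificate per key in this format
			roots = append(roots, k.X5C[0])
		}
	}
	if len(roots) == 0 {
		return false, fmt.Errorf("bundle for %s carries no x509-svid roots", td)
	}
	if cur, ok := s.bundles[td]; ok && d.Sequence <= cur.Sequence {
		return false, nil // stale or duplicate: keep what we have
	}
	s.bundles[td] = Bundle{TrustDomain: td, Sequence: d.Sequence, RefreshHint: d.RefreshHint, Roots: roots}
	return true, nil
}

// BundleForPeer returns the only bundle that may verify an SVID carrying peerID:
// the bundle of that ID's own trust domain. A foreign SVID must never be checked
// against the local roots, and a trust domain with no installed bundle (no
// federation) means the handshake has to be refused.
func (s *BundleStore) BundleForPeer(peerID string) (Bundle, error) {
	td, err := TrustDomainOf(peerID)
	if err != nil {
		return Bundle{}, err
	}
	b, ok := s.bundles[td]
	if !ok {
		return Bundle{}, fmt.Errorf("no trust bundle for %s: not federated", td)
	}
	return b, nil
}

func main() {
	// Constructed bundle documents; the x5c values are placeholders for base64 DER CA certificates.
	store := NewBundleStore()
	store.Update("example.org", []byte(`{"spiffe_sequence":1,"spiffe_refresh_hint":300,"keys":[{"use":"x509-svid","kty":"EC","x5c":["LOCAL-CA-v1"]}]}`))
	store.Update("partner.example", []byte(`{"spiffe_sequence":7,"spiffe_refresh_hint":600,"keys":[{"use":"x509-svid","kty":"EC","x5c":["PEER-CA-v7"]},{"use":"jwt-svid","kty":"EC","kid":"k1"}]}`))
	changed, _ := store.Update("partner.example", []byte(`{"spiffe_sequence":6,"spiffe_refresh_hint":600,"keys":[{"use":"x509-svid","kty":"EC","x5c":["PEER-CA-v6"]}]}`))
	fmt.Println("stale partner bundle installed:", changed) // false
	for _, id := range []string{"spiffe://example.org/ns/web/sa/ui", "spiffe://partner.example/ns/pay/sa/api", "spiffe://other.example/ns/x/sa/y"} {
		if b, err := store.BundleForPeer(id); err != nil {
			fmt.Printf("%s: refuse handshake (%v)\n", id, err)
		} else {
			fmt.Printf("%s: verify against %s roots %v (seq %d)\n", id, b.TrustDomain, b.Roots, b.Sequence)
		}
	}
}
```

In a real agent the returned roots would be handed to the TLS layer as the verification pool for that handshake, and the refresh hint would schedule the next fetch; the two checks the example makes explicit, sequence monotonicity and strict trust-domain-to-bundle selection, are what keep a federated peer's CA from being accepted for local identities or an old bundle from being replayed after a rotation.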
High-level architecture
An architectural overview of Connect for a single-trust-zone deployment is provided below:
architecture-beta
group api(cloud)[Connect]
group tza(cloud)[Trust Zone]
service connect(server)[Cofide Connect] in api
service cofidespire(server)[Cofide SPIRE Server] in tza
service cofideagent(server)[Cofide Agent] in tza
service cofidespireagent(server)[SPIRE Agent] in tza
service obsa(server)[Cofide Observer] in tza
service wl(server)[Workload] in tza
connect:R --> L:cofidespire
wl:L --> R:obsa
cofideagent:L --> T:connect
cofidespireagent:T --> R:cofidespire
obsa:L --> B:connect
© 2026 Cofide Limited. All rights reserved.