Skip to content
Cofide Cofide

Cofide Connect API Reference (v0.47.1)

Protocol Documentation

Section titled “Protocol Documentation”

Table of Contents

Section titled “Table of Contents”

Top

proto/agent/v1alpha1/agent.proto

Section titled “proto/agent/v1alpha1/agent.proto”

This file defines the Agent message and related types representing Cofide Agents deployed in clusters registered with the Connect control plane.

Agent

Section titled “Agent”

Agent represents a Cofide Agent deployed in a cluster. The agent facilitates cluster registration with the Connect control plane and provides dynamic control plane functionality including federated service management.

FieldTypeLabelDescription
idstringoptional
cluster_idstringoptional
trust_zone_idstringoptional

AgentStatus

Section titled “AgentStatus”

AgentStatus reports the current operational status of a Cofide Agent.

FieldTypeLabelDescription
statusAgentStatusCodeoptional
status_messagestringoptional
last_updatedint64optionalUnix timestamp (seconds) of the last status update.

AgentStatusCode

Section titled “AgentStatusCode”

AgentStatusCode enumerates the possible operational states of a Cofide Agent.

NameNumberDescription
AGENT_STATUS_CODE_UNSPECIFIED0
AGENT_STATUS_CODE_RUNNING1
AGENT_STATUS_CODE_STOPPED2
AGENT_STATUS_CODE_ERROR3
AGENT_STATUS_CODE_STARTING4

Top

proto/ap_binding/v1alpha1/ap_binding.proto

Section titled “proto/ap_binding/v1alpha1/ap_binding.proto”

This file defines the APBinding message and related types representing attestation policy bindings in the Connect control plane. An APBinding associates an attestation policy with a trust zone, enabling identity issuance for matching workloads within that zone.

APBinding

Section titled “APBinding”

APBinding binds an attestation policy to a trust zone, enabling Connect to issue SPIFFE identities to workloads that match the policy within that zone. Optionally, federations can be specified to restrict which federated trust zones will be visible to matching workloads, allowing the same policy to be re-used across multiple trust zones.

FieldTypeLabelDescription
idstringoptional
org_idstringoptional
trust_zone_idstringoptional
policy_idstringoptional
federationsAPBindingFederationrepeatedThe federated trust zones which will be visible to workloads matching the policy in this binding.

APBindingFederation

Section titled “APBindingFederation”

APBindingFederation identifies a trust zone that is included in the federated scope of an attestation policy binding.

FieldTypeLabelDescription
trust_zone_idstringoptional

Top

proto/spire/api/types/selector.proto

Section titled “proto/spire/api/types/selector.proto”

Selector

Section titled “Selector”
FieldTypeLabelDescription
typestringThe type of the selector. This is typically the name of the plugin that produces the selector.
valuestringThe value of the selector.

SelectorMatch

Section titled “SelectorMatch”
FieldTypeLabelDescription
selectorsSelectorrepeatedThe set of selectors to match on.
matchSelectorMatch.MatchBehaviorHow to match the selectors.

SelectorMatch.MatchBehavior

Section titled “SelectorMatch.MatchBehavior”
NameNumberDescription
MATCH_BEHAVIOR_EXACT_UNSPECIFIED0Indicates that the selectors in this match are equal to the candidate selectors, independent of ordering. Example: Given: - ‘e1 { Selectors: [“a:1”, “b:2”, “c:3”]}’ - ‘e2 { Selectors: [“a:1”, “b:2”]}’ - ‘e3 { Selectors: [“a:1”]}’ Operation: - MATCH_EXACT [“a:1”, “b:2”] Entries that match: - ‘e2’
MATCH_BEHAVIOR_SUBSET1Indicates that all candidates which have a non-empty subset of the provided set of selectors will match. Example: Given: - ‘e1 { Selectors: [“a:1”, “b:2”, “c:3”]}’ - ‘e2 { Selectors: [“a:1”, “b:2”]}’ - ‘e3 { Selectors: [“a:1”]}’ Operation: - MATCH_SUBSET [“a:1”] Entries that match: - ‘e1’
MATCH_BEHAVIOR_SUPERSET2Indicates that all candidates which are a superset of the provided selectors will match. Example: Given: - ‘e1 { Selectors: [“a:1”, “b:2”, “c:3”]}’ - ‘e2 { Selectors: [“a:1”, “b:2”]}’ - ‘e3 { Selectors: [“a:1”]}’ Operation: - MATCH_SUPERSET [“a:1”, “b:2”] Entries that match: - ‘e1’ - ‘e2’
MATCH_BEHAVIOR_ANY3Indicates that all candidates which have at least one of the provided set of selectors will match. Example: Given: - ‘e1 { Selectors: [“a:1”, “b:2”, “c:3”]}’ - ‘e2 { Selectors: [“a:1”, “b:2”]}’ - ‘e3 { Selectors: [“a:1”]}’ Operation: - MATCH_ANY [“a:1”] Entries that match: - ‘e1’ - ‘e2’ - ‘e3’

Top

proto/attestation_policy/v1alpha1/attestation_policy.proto

Section titled “proto/attestation_policy/v1alpha1/attestation_policy.proto”

This file defines the AttestationPolicy message and related types used to specify the criteria for issuing SPIFFE identities to workloads. Supported policy types cover Kubernetes workload attestation (APKubernetes), static attestation (APStatic), and TPM-based node attestation (APTPMNode).

APKubernetes

Section titled “APKubernetes”

APKubernetes represents a Kubernetes attestation policy. Identities are managed dynamically in the control plane based on workload observations.

FieldTypeLabelDescription
namespace_selectorAPLabelSelectoroptional
pod_selectorAPLabelSelectoroptional
dns_name_templatesstringrepeated
spiffe_id_path_templatestringoptionalCustom SPIFFE ID path format for Connect identity issuance This defines the identity path appended to domain of the trust zone it is bound to

An example spiffe_id_path_template and corresponding SPIFFE ID: ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }} => spiffe://<trust_domain_of_trust_zone>/ns/…/sa/…

This is supported in both Connect and OSS SPIRE via spire-controller-manager Note that the supported templates are a subset of those in the SCM

Valid template components: {{ .ClusterName }} - Name of cluster {{ .PodMeta.Namespace }} - Namespace of the pod {{ index .PodMeta.Labels “key” }} - Pod label value of a provided key {{ index .PodMeta.Annotations “key” }} - Pod annotation value of a provided key {{ .PodSpec.ServiceAccountName }} - Service account of the pod |

APLabelSelector

Section titled “APLabelSelector”

This definition has been adapted from the LabelSelector message in Kubernetes. https://github.com/kubernetes/apimachinery/blob/master/pkg/apis/meta/v1/generated.proto

FieldTypeLabelDescription
match_labelsAPLabelSelector.MatchLabelsEntryrepeated
match_expressionsAPMatchExpressionrepeated

APLabelSelector.MatchLabelsEntry

Section titled “APLabelSelector.MatchLabelsEntry”
FieldTypeLabelDescription
keystring
valuestring

APMatchExpression

Section titled “APMatchExpression”

APMatchExpression represents a single label requirement using a key, operator, and set of values. Follows the Kubernetes LabelSelectorRequirement semantics.

FieldTypeLabelDescription
keystring
operatorstring
valuesstringrepeated

APStatic

Section titled “APStatic”

APStatic represents a static attestation policy No observations are required before identities can be issued to matching workloads.

FieldTypeLabelDescription
spiffe_idstringoptionalDeprecated.
spiffe_id_pathstringoptional
parent_id_pathstringoptional
selectorsspire.api.types.Selectorrepeated
dns_namesstringrepeated

APTPMNode

Section titled “APTPMNode”

APTPMNode represents a node (agent) attesting using a Trusted Platform Module (TPM).

FieldTypeLabelDescription
attestationTPMAttestation
selector_valuesstringrepeatedselector_values are the values of node selectors to use for this node. The key of the selectors will be “tpm”.

AttestationPolicy

Section titled “AttestationPolicy”

AttestationPolicy defines criteria used to issue a SPIFFE identity to a workload. Policies specify attributes of the workload that must be attested before an identity (SVID) is issued. Policies are bound to trust zones via APBindings and support Kubernetes, static, and TPM node attestation methods.

FieldTypeLabelDescription
idstringoptional
namestring
org_idstringoptional
kubernetesAPKubernetes
staticAPStatic
tpm_nodeAPTPMNode

TPMAttestation

Section titled “TPMAttestation”

TPMAttestation represents attestation requirements for a node (agent) attesting using a Trusted Platform Module (TPM).

FieldTypeLabelDescription
ek_hashstringoptionalek_hash is the SHA256 hash of the TPM’s Endorsement Key (EK).

Top

proto/trust_provider/v1alpha1/trust_provider.proto

Section titled “proto/trust_provider/v1alpha1/trust_provider.proto”

K8sPsatConfig

Section titled “K8sPsatConfig”
FieldTypeLabelDescription
enabledboolWhether to enable the k8s psat node attestor plugin with a Connect datasource.
allowed_service_accountsK8sPsatConfig.ServiceAccountrepeatedNamespace and name of service accounts agents can use tokens from to attest nodes in this cluster. At least 1 must be provided if the SPIRE server is outside the cluster.
allowed_node_label_keysstringrepeatedNode labels that can be used as selectors in this cluster.
allowed_pod_label_keysstringrepeatedPod labels that can be used as selectors in this cluster.
api_server_ca_certbytesCA certificate of the cluster’s API server. Optional, but required if the SPIRE server is outside the cluster and the cluster’s API server CA is not already trusted by the SPIRE server (very likely).
api_server_urlstringCluster’s API server URL. Required if the SPIRE server is outside the cluster.
api_server_tls_server_namestringAlternative TLS server name to verify the presented certificate with if the hostname of the API server URL is not in the presented certificate.
api_server_proxy_urlstringProxy URL of the API server (if running behind a proxy).
spire_server_audiencestringAudience the SPIRE server should use in the JWT presented to the cluster’s API server. Required if the SPIRE server is outside the cluster.

K8sPsatConfig.ServiceAccount

Section titled “K8sPsatConfig.ServiceAccount”
FieldTypeLabelDescription
namespacestring
service_account_namestring

TrustProvider

Section titled “TrustProvider”
FieldTypeLabelDescription
kindstringoptional
k8s_psat_configK8sPsatConfigConfiguration for the k8s psat node attestor plugin when using a Connect datasource with remote clusters.

Configuration for additional server plugins goes here. More than one may be enabled, to allow node attestation in a cluster to be done in multiple different ways. |

TrustProviderKind

Section titled “TrustProviderKind”
NameNumberDescription
TRUST_PROVIDER_KIND_UNSPECIFIED0
TRUST_PROVIDER_KIND_KUBERNETES1

Top

proto/cluster/v1alpha1/cluster.proto

Section titled “proto/cluster/v1alpha1/cluster.proto”

This file defines the Cluster message representing a single environment (e.g. a Kubernetes cluster) onboarded onto the Connect control plane.

Cluster

Section titled “Cluster”

Cluster represents a single environment (e.g. a Kubernetes cluster) onboarded onto Connect. Each cluster belongs to a trust zone.

FieldTypeLabelDescription
idstringoptional
namestringoptional
org_idstringoptional
trust_zone_idstringoptional
kubernetes_contextstringoptionalThe kubeconfig context name used to interact with this cluster.
trust_providerproto.trust_provider.v1alpha1.TrustProvideroptionalThe node attestation trust provider configuration for this cluster.
extra_helm_valuesgoogle.protobuf.StructoptionalAdditional Helm values to pass to the Cofide SPIRE chart deployment.
profilestringoptional
external_serverbooloptionalWhether the SPIRE server for this cluster’s trust zone is deployed externally (i.e. not within this cluster).
oidc_issuer_urlstringoptionalOIDC issuer URL for the Kubernetes API server, used for k8s_psat node attestation.
oidc_issuer_ca_certbytesoptionalPEM-encoded CA certificate for the OIDC issuer, if it uses a private CA.

Top

proto/federation/v1alpha1/federation.proto

Section titled “proto/federation/v1alpha1/federation.proto”

This file defines the Federation message representing a trust relationship between two trust zones in the Connect control plane. Federations allow workloads in each zone to present their SPIFFE identities to workloads in the other, enabling secure communication across zone boundaries.

Federation

Section titled “Federation”

Federation represents a trust relationship between two trust zones. It allows workloads in each zone to establish secure connections with workloads in the other, while keeping each zone’s root of trust securely isolated. Attestation policies on AP bindings determine which workloads are permitted to federate.

FieldTypeLabelDescription
idstringoptional
org_idstringoptional
trust_zone_idstringoptionalThe local trust zone that initiates the federation.
remote_trust_zone_idstringoptionalThe remote trust zone that this federation points to.

Top

proto/spire/api/types/bundle.proto

Section titled “proto/spire/api/types/bundle.proto”

Bundle

Section titled “Bundle”
FieldTypeLabelDescription
trust_domainstringThe name of the trust domain the bundle belongs to (e.g., “example.org”).
x509_authoritiesX509CertificaterepeatedX.509 authorities for authenticating X509-SVIDs.
jwt_authoritiesJWTKeyrepeatedJWT authorities for authenticating JWT-SVIDs.
refresh_hintint64A hint on how often the bundle should be refreshed from the bundle provider, in seconds. Can be zero (meaning no hint available).
sequence_numberuint64The sequence number of the bundle.

BundleMask

Section titled “BundleMask”
FieldTypeLabelDescription
x509_authoritiesboolx509_authorities field mask.
jwt_authoritiesbooljwt_authorities field mask.
refresh_hintboolrefresh_hint field mask.
sequence_numberboolsequence_number field mask.

JWTKey

Section titled “JWTKey”
FieldTypeLabelDescription
public_keybytesThe PKIX encoded public key.
key_idstringThe key identifier.
expires_atint64When the key expires (seconds since Unix epoch). If zero, the key does not expire.
taintedboolThis authority is no longer secure and must not be used

X509Certificate

Section titled “X509Certificate”
FieldTypeLabelDescription
asn1bytesThe ASN.1 DER encoded bytes of the X.509 certificate.
taintedboolThis authority is no longer secure and must not be used.

Top

proto/trust_zone/v1alpha1/trust_zone.proto

Section titled “proto/trust_zone/v1alpha1/trust_zone.proto”

This file defines the TrustZone message and related types representing a SPIFFE trust domain within the Connect control plane. A trust zone encompasses one or more clusters and/or nodes within a single trust boundary and can federate with other trust zones to enable secure cross-zone connectivity.

TrustZone

Section titled “TrustZone”

TrustZone represents one or more clusters and/or nodes within a single trust boundary. Each trust zone is a SPIFFE trust domain: workload identities (SVIDs) issued within the zone carry the trust domain as the root of their SPIFFE ID. Federations can be created between trust zones to allow selected workloads to establish secure connectivity across zone boundaries.

FieldTypeLabelDescription
namestring
trust_domainstringThe SPIFFE trust domain for this zone, e.g. “example.com”.
bundle_endpoint_urlstringoptionalURL of the SPIFFE bundle endpoint, used by remote trust zones to fetch this zone’s trust bundle for federation.
bundlespire.api.types.BundleoptionalThe current SPIRE trust bundle for this zone, containing the root CA certificates.
jwt_issuerstringoptionalJWT issuer URL for SVIDs issued within this trust zone.
bundle_endpoint_profileBundleEndpointProfileoptionalThe SPIFFE federation profile used to serve and consume trust bundles.
idstringoptional
is_management_zoneboolWhether this trust zone hosts the Connect management plane.
org_idstringoptional

BundleEndpointProfile

Section titled “BundleEndpointProfile”

BundleEndpointProfile specifies the SPIFFE federation profile used to serve and consume trust bundles for a trust zone.

NameNumberDescription
BUNDLE_ENDPOINT_PROFILE_UNSPECIFIED0
BUNDLE_ENDPOINT_PROFILE_HTTPS_SPIFFE1SPIFFE-authenticated bundle endpoint.
BUNDLE_ENDPOINT_PROFILE_HTTPS_WEB2Web PKI-authenticated bundle endpoint.

Top

proto/cofidectl/datasource_plugin/v1alpha2/plugin.proto

Section titled “proto/cofidectl/datasource_plugin/v1alpha2/plugin.proto”

AddAPBindingRequest

Section titled “AddAPBindingRequest”
FieldTypeLabelDescription
bindingproto.ap_binding.v1alpha1.APBindingoptional

AddAPBindingResponse

Section titled “AddAPBindingResponse”
FieldTypeLabelDescription
bindingproto.ap_binding.v1alpha1.APBindingoptional

AddAttestationPolicyRequest

Section titled “AddAttestationPolicyRequest”
FieldTypeLabelDescription
policyproto.attestation_policy.v1alpha1.AttestationPolicyoptional

AddAttestationPolicyResponse

Section titled “AddAttestationPolicyResponse”
FieldTypeLabelDescription
policyproto.attestation_policy.v1alpha1.AttestationPolicyoptional

AddClusterRequest

Section titled “AddClusterRequest”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

AddClusterResponse

Section titled “AddClusterResponse”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

AddFederationRequest

Section titled “AddFederationRequest”
FieldTypeLabelDescription
federationproto.federation.v1alpha1.Federationoptional

AddFederationResponse

Section titled “AddFederationResponse”
FieldTypeLabelDescription
federationproto.federation.v1alpha1.Federationoptional

AddTrustZoneRequest

Section titled “AddTrustZoneRequest”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZoneoptional

AddTrustZoneResponse

Section titled “AddTrustZoneResponse”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZoneoptional

DestroyAPBindingRequest

Section titled “DestroyAPBindingRequest”
FieldTypeLabelDescription
idstringoptional

DestroyAPBindingResponse

Section titled “DestroyAPBindingResponse”

DestroyAttestationPolicyRequest

Section titled “DestroyAttestationPolicyRequest”
FieldTypeLabelDescription
idstringoptional

DestroyAttestationPolicyResponse

Section titled “DestroyAttestationPolicyResponse”

DestroyClusterRequest

Section titled “DestroyClusterRequest”
FieldTypeLabelDescription
idstringoptional

DestroyClusterResponse

Section titled “DestroyClusterResponse”

DestroyFederationRequest

Section titled “DestroyFederationRequest”
FieldTypeLabelDescription
idstringoptional

DestroyFederationResponse

Section titled “DestroyFederationResponse”

DestroyTrustZoneRequest

Section titled “DestroyTrustZoneRequest”
FieldTypeLabelDescription
idstringoptional

DestroyTrustZoneResponse

Section titled “DestroyTrustZoneResponse”

GetAttestationPolicyByNameRequest

Section titled “GetAttestationPolicyByNameRequest”
FieldTypeLabelDescription
namestringoptional

GetAttestationPolicyByNameResponse

Section titled “GetAttestationPolicyByNameResponse”
FieldTypeLabelDescription
policyproto.attestation_policy.v1alpha1.AttestationPolicy

GetAttestationPolicyRequest

Section titled “GetAttestationPolicyRequest”
FieldTypeLabelDescription
idstringoptional

GetAttestationPolicyResponse

Section titled “GetAttestationPolicyResponse”
FieldTypeLabelDescription
policyproto.attestation_policy.v1alpha1.AttestationPolicy

GetClusterByNameRequest

Section titled “GetClusterByNameRequest”
FieldTypeLabelDescription
namestringoptional
trust_zone_idstringoptional

GetClusterByNameResponse

Section titled “GetClusterByNameResponse”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

GetClusterRequest

Section titled “GetClusterRequest”
FieldTypeLabelDescription
idstringoptional

GetClusterResponse

Section titled “GetClusterResponse”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

GetTrustZoneByNameRequest

Section titled “GetTrustZoneByNameRequest”
FieldTypeLabelDescription
namestringoptional

GetTrustZoneByNameResponse

Section titled “GetTrustZoneByNameResponse”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZoneoptional

GetTrustZoneRequest

Section titled “GetTrustZoneRequest”
FieldTypeLabelDescription
idstringoptional

GetTrustZoneResponse

Section titled “GetTrustZoneResponse”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZoneoptional

ListAPBindingsRequest

Section titled “ListAPBindingsRequest”
FieldTypeLabelDescription
filterListAPBindingsRequest.Filteroptional

ListAPBindingsRequest.Filter

Section titled “ListAPBindingsRequest.Filter”
FieldTypeLabelDescription
trust_zone_idstringoptional
policy_idstringoptional

ListAPBindingsResponse

Section titled “ListAPBindingsResponse”
FieldTypeLabelDescription
bindingsproto.ap_binding.v1alpha1.APBindingrepeated

ListAttestationPoliciesRequest

Section titled “ListAttestationPoliciesRequest”

ListAttestationPoliciesResponse

Section titled “ListAttestationPoliciesResponse”
FieldTypeLabelDescription
policiesproto.attestation_policy.v1alpha1.AttestationPolicyrepeated

ListClustersRequest

Section titled “ListClustersRequest”
FieldTypeLabelDescription
filterListClustersRequest.Filteroptional

ListClustersRequest.Filter

Section titled “ListClustersRequest.Filter”
FieldTypeLabelDescription
trust_zone_idstringoptional

ListClustersResponse

Section titled “ListClustersResponse”
FieldTypeLabelDescription
clustersproto.cluster.v1alpha1.Clusterrepeated

ListFederationsRequest

Section titled “ListFederationsRequest”
FieldTypeLabelDescription
filterListFederationsRequest.Filteroptional

ListFederationsRequest.Filter

Section titled “ListFederationsRequest.Filter”
FieldTypeLabelDescription
trust_zone_idstringoptional

ListFederationsResponse

Section titled “ListFederationsResponse”
FieldTypeLabelDescription
federationsproto.federation.v1alpha1.Federationrepeated

ListTrustZonesRequest

Section titled “ListTrustZonesRequest”

ListTrustZonesResponse

Section titled “ListTrustZonesResponse”
FieldTypeLabelDescription
trust_zonesproto.trust_zone.v1alpha1.TrustZonerepeated

UpdateClusterRequest

Section titled “UpdateClusterRequest”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

UpdateClusterResponse

Section titled “UpdateClusterResponse”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

UpdateTrustZoneRequest

Section titled “UpdateTrustZoneRequest”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZoneoptional

UpdateTrustZoneResponse

Section titled “UpdateTrustZoneResponse”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZoneoptional

ValidateRequest

Section titled “ValidateRequest”

ValidateResponse

Section titled “ValidateResponse”

DataSourcePluginService

Section titled “DataSourcePluginService”
Method NameRequest TypeResponse TypeDescription
ValidateValidateRequestValidateResponse
AddTrustZoneAddTrustZoneRequestAddTrustZoneResponse
DestroyTrustZoneDestroyTrustZoneRequestDestroyTrustZoneResponse
GetTrustZoneGetTrustZoneRequestGetTrustZoneResponse
GetTrustZoneByNameGetTrustZoneByNameRequestGetTrustZoneByNameResponse
ListTrustZonesListTrustZonesRequestListTrustZonesResponse
UpdateTrustZoneUpdateTrustZoneRequestUpdateTrustZoneResponse
AddClusterAddClusterRequestAddClusterResponse
DestroyClusterDestroyClusterRequestDestroyClusterResponse
GetClusterGetClusterRequestGetClusterResponse
GetClusterByNameGetClusterByNameRequestGetClusterByNameResponse
ListClustersListClustersRequestListClustersResponse
UpdateClusterUpdateClusterRequestUpdateClusterResponse
AddAttestationPolicyAddAttestationPolicyRequestAddAttestationPolicyResponse
DestroyAttestationPolicyDestroyAttestationPolicyRequestDestroyAttestationPolicyResponse
GetAttestationPolicyGetAttestationPolicyRequestGetAttestationPolicyResponse
GetAttestationPolicyByNameGetAttestationPolicyByNameRequestGetAttestationPolicyByNameResponse
ListAttestationPoliciesListAttestationPoliciesRequestListAttestationPoliciesResponse
AddAPBindingAddAPBindingRequestAddAPBindingResponse
DestroyAPBindingDestroyAPBindingRequestDestroyAPBindingResponse
ListAPBindingsListAPBindingsRequestListAPBindingsResponse
AddFederationAddFederationRequestAddFederationResponse
DestroyFederationDestroyFederationRequestDestroyFederationResponse
ListFederationsListFederationsRequestListFederationsResponse

Top

proto/cofidectl/provision_plugin/v1alpha2/plugin.proto

Section titled “proto/cofidectl/provision_plugin/v1alpha2/plugin.proto”

DeployRequest

Section titled “DeployRequest”
FieldTypeLabelDescription
data_sourceuint32optional
kube_cfg_filestringoptional
trust_zone_idsstringrepeated

DeployResponse

Section titled “DeployResponse”
FieldTypeLabelDescription
statusStatusoptional

GetHelmValuesRequest

Section titled “GetHelmValuesRequest”
FieldTypeLabelDescription
data_sourceuint32optional
cluster_idstringoptional

GetHelmValuesResponse

Section titled “GetHelmValuesResponse”
FieldTypeLabelDescription
helm_valuesgoogle.protobuf.Structoptional

Status

Section titled “Status”
FieldTypeLabelDescription
stagestringoptional
messagestringoptional
donebooloptional
errorstringoptional

TearDownRequest

Section titled “TearDownRequest”
FieldTypeLabelDescription
data_sourceuint32optional
kube_cfg_filestringoptional
trust_zone_idsstringrepeated

TearDownResponse

Section titled “TearDownResponse”
FieldTypeLabelDescription
statusStatusoptional

ValidateRequest

Section titled “ValidateRequest”

ValidateResponse

Section titled “ValidateResponse”

ProvisionPluginService

Section titled “ProvisionPluginService”
Method NameRequest TypeResponse TypeDescription
ValidateValidateRequestValidateResponse
DeployDeployRequestDeployResponse stream
TearDownTearDownRequestTearDownResponse stream
GetHelmValuesGetHelmValuesRequestGetHelmValuesResponse

Top

proto/cofidectl_plugin/v1alpha1/plugin.proto

Section titled “proto/cofidectl_plugin/v1alpha1/plugin.proto”

AddAPBindingRequest

Section titled “AddAPBindingRequest”
FieldTypeLabelDescription
bindingproto.ap_binding.v1alpha1.APBindingoptional

AddAPBindingResponse

Section titled “AddAPBindingResponse”
FieldTypeLabelDescription
bindingproto.ap_binding.v1alpha1.APBindingoptional

AddAttestationPolicyRequest

Section titled “AddAttestationPolicyRequest”
FieldTypeLabelDescription
policyproto.attestation_policy.v1alpha1.AttestationPolicyoptional

AddAttestationPolicyResponse

Section titled “AddAttestationPolicyResponse”
FieldTypeLabelDescription
policyproto.attestation_policy.v1alpha1.AttestationPolicyoptional

AddClusterRequest

Section titled “AddClusterRequest”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

AddClusterResponse

Section titled “AddClusterResponse”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

AddFederationRequest

Section titled “AddFederationRequest”
FieldTypeLabelDescription
federationproto.federation.v1alpha1.Federationoptional

AddFederationResponse

Section titled “AddFederationResponse”
FieldTypeLabelDescription
federationproto.federation.v1alpha1.Federationoptional

AddTrustZoneRequest

Section titled “AddTrustZoneRequest”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZoneoptional

AddTrustZoneResponse

Section titled “AddTrustZoneResponse”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZoneoptional

DestroyAPBindingRequest

Section titled “DestroyAPBindingRequest”
FieldTypeLabelDescription
bindingproto.ap_binding.v1alpha1.APBindingoptional

DestroyAPBindingResponse

Section titled “DestroyAPBindingResponse”

DestroyAttestationPolicyRequest

Section titled “DestroyAttestationPolicyRequest”
FieldTypeLabelDescription
namestringoptional

DestroyAttestationPolicyResponse

Section titled “DestroyAttestationPolicyResponse”

DestroyClusterRequest

Section titled “DestroyClusterRequest”
FieldTypeLabelDescription
namestringoptional
trust_zonestringoptional

DestroyClusterResponse

Section titled “DestroyClusterResponse”

DestroyFederationRequest

Section titled “DestroyFederationRequest”
FieldTypeLabelDescription
federationproto.federation.v1alpha1.Federationoptional

DestroyFederationResponse

Section titled “DestroyFederationResponse”

DestroyTrustZoneRequest

Section titled “DestroyTrustZoneRequest”
FieldTypeLabelDescription
namestringoptional

DestroyTrustZoneResponse

Section titled “DestroyTrustZoneResponse”

GetAttestationPolicyRequest

Section titled “GetAttestationPolicyRequest”
FieldTypeLabelDescription
namestringoptional

GetAttestationPolicyResponse

Section titled “GetAttestationPolicyResponse”
FieldTypeLabelDescription
policyproto.attestation_policy.v1alpha1.AttestationPolicy

GetClusterRequest

Section titled “GetClusterRequest”
FieldTypeLabelDescription
namestringoptional
trust_zonestringoptional

GetClusterResponse

Section titled “GetClusterResponse”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

GetTrustZoneRequest

Section titled “GetTrustZoneRequest”
FieldTypeLabelDescription
namestringoptional

GetTrustZoneResponse

Section titled “GetTrustZoneResponse”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZoneoptional

ListAPBindingsRequest

Section titled “ListAPBindingsRequest”
FieldTypeLabelDescription
filterListAPBindingsRequest.Filteroptional

ListAPBindingsRequest.Filter

Section titled “ListAPBindingsRequest.Filter”
FieldTypeLabelDescription
trust_zone_namestringoptional
policy_namestringoptional

ListAPBindingsResponse

Section titled “ListAPBindingsResponse”
FieldTypeLabelDescription
bindingsproto.ap_binding.v1alpha1.APBindingrepeated

ListAttestationPoliciesRequest

Section titled “ListAttestationPoliciesRequest”

ListAttestationPoliciesResponse

Section titled “ListAttestationPoliciesResponse”
FieldTypeLabelDescription
policiesproto.attestation_policy.v1alpha1.AttestationPolicyrepeated

ListClustersRequest

Section titled “ListClustersRequest”
FieldTypeLabelDescription
trust_zonestringoptional

ListClustersResponse

Section titled “ListClustersResponse”
FieldTypeLabelDescription
clustersproto.cluster.v1alpha1.Clusterrepeated

ListFederationsByTrustZoneRequest

Section titled “ListFederationsByTrustZoneRequest”
FieldTypeLabelDescription
trust_zone_namestringoptional

ListFederationsByTrustZoneResponse

Section titled “ListFederationsByTrustZoneResponse”
FieldTypeLabelDescription
federationsproto.federation.v1alpha1.Federationrepeated

ListFederationsRequest

Section titled “ListFederationsRequest”

ListFederationsResponse

Section titled “ListFederationsResponse”
FieldTypeLabelDescription
federationsproto.federation.v1alpha1.Federationrepeated

ListTrustZonesRequest

Section titled “ListTrustZonesRequest”

ListTrustZonesResponse

Section titled “ListTrustZonesResponse”
FieldTypeLabelDescription
trust_zonesproto.trust_zone.v1alpha1.TrustZonerepeated

UpdateClusterRequest

Section titled “UpdateClusterRequest”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

UpdateClusterResponse

Section titled “UpdateClusterResponse”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

UpdateTrustZoneRequest

Section titled “UpdateTrustZoneRequest”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZoneoptional

UpdateTrustZoneResponse

Section titled “UpdateTrustZoneResponse”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZoneoptional

ValidateRequest

Section titled “ValidateRequest”

ValidateResponse

Section titled “ValidateResponse”

DataSourcePluginService

Section titled “DataSourcePluginService”
Method NameRequest TypeResponse TypeDescription
ValidateValidateRequestValidateResponse
AddTrustZoneAddTrustZoneRequestAddTrustZoneResponse
DestroyTrustZoneDestroyTrustZoneRequestDestroyTrustZoneResponse
GetTrustZoneGetTrustZoneRequestGetTrustZoneResponse
ListTrustZonesListTrustZonesRequestListTrustZonesResponse
UpdateTrustZoneUpdateTrustZoneRequestUpdateTrustZoneResponse
AddClusterAddClusterRequestAddClusterResponse
DestroyClusterDestroyClusterRequestDestroyClusterResponse
GetClusterGetClusterRequestGetClusterResponse
ListClustersListClustersRequestListClustersResponse
UpdateClusterUpdateClusterRequestUpdateClusterResponse
AddAttestationPolicyAddAttestationPolicyRequestAddAttestationPolicyResponse
DestroyAttestationPolicyDestroyAttestationPolicyRequestDestroyAttestationPolicyResponse
GetAttestationPolicyGetAttestationPolicyRequestGetAttestationPolicyResponse
ListAttestationPoliciesListAttestationPoliciesRequestListAttestationPoliciesResponse
AddAPBindingAddAPBindingRequestAddAPBindingResponse
DestroyAPBindingDestroyAPBindingRequestDestroyAPBindingResponse
ListAPBindingsListAPBindingsRequestListAPBindingsResponse
AddFederationAddFederationRequestAddFederationResponse
DestroyFederationDestroyFederationRequestDestroyFederationResponse
ListFederationsListFederationsRequestListFederationsResponse
ListFederationsByTrustZoneListFederationsByTrustZoneRequestListFederationsByTrustZoneResponse

Top

proto/plugins/v1alpha1/plugins.proto

Section titled “proto/plugins/v1alpha1/plugins.proto”

Plugins

Section titled “Plugins”
FieldTypeLabelDescription
data_sourcestringoptional
provisionstringoptional

Top

proto/config/v1alpha1/config.proto

Section titled “proto/config/v1alpha1/config.proto”

Config

Section titled “Config”
FieldTypeLabelDescription
trust_zonesproto.trust_zone.v1alpha1.TrustZonerepeated
clustersproto.cluster.v1alpha1.Clusterrepeated
attestation_policiesproto.attestation_policy.v1alpha1.AttestationPolicyrepeated
plugin_configConfig.PluginConfigEntryrepeated
pluginsproto.plugins.v1alpha1.Pluginsoptional
federationsproto.federation.v1alpha1.Federationrepeated
ap_bindingsproto.ap_binding.v1alpha1.APBindingrepeated

Config.PluginConfigEntry

Section titled “Config.PluginConfigEntry”
FieldTypeLabelDescription
keystring
valuegoogle.protobuf.Struct

Top

proto/federated_service/v1alpha1/federated_service.proto

Section titled “proto/federated_service/v1alpha1/federated_service.proto”

This file defines the FederatedService message and related types used to describe services that are exposed for secure cross-zone connectivity. A federated service enables workloads in remote trust zones to discover and connect to a service using mTLS.

FederatedService

Section titled “FederatedService”

FederatedService simplifies secure connectivity between workloads in different trust zones. Combined with a federation, the Cofide Agent facilitates discovery of and mTLS connectivity to this service from remote trust zones. Connectivity is available via xDS (Envoy) and the Cofide Go SDK. FederatedServices are typically created from a Kubernetes Custom Resource applied to the cluster in which the service runs.

FieldTypeLabelDescription
idstring
namestring
namespacestring
cluster_namestring
trust_domainstringThe SPIFFE trust domain of the cluster in which this service runs.
workload_labelsFederatedService.WorkloadLabelsEntryrepeatedKubernetes labels used to select the pods backing this service.
exported_trust_domainsstringrepeatedThe remote trust domains to which this service is exported.
portuint32
gateway_entriesGatewayEntryrepeatedGateway entries discovered automatically by the Cofide Agent.
gateway_specsGatewaySpecrepeatedGateway addresses manually specified in the FederatedService resource.
tls_modeTLSMode

FederatedService.WorkloadLabelsEntry

Section titled “FederatedService.WorkloadLabelsEntry”
FieldTypeLabelDescription
keystring
valuestring

GatewayEntry

Section titled “GatewayEntry”

GatewayEntry is a gateway address discovered automatically by the Cofide Agent for routing traffic to a federated service.

FieldTypeLabelDescription
hostnamestring
typestring
ipstring
portint32

GatewaySpec

Section titled “GatewaySpec”

GatewaySpec is a manually specified gateway address for a federated service, provided when automatic gateway discovery is not available or sufficient.

FieldTypeLabelDescription
hostnamestring
typestring
ipstring
portint32

TLSMode

Section titled “TLSMode”

TLSMode specifies the mutual TLS mode used for a federated service connection.

NameNumberDescription
TLS_MODE_UNSPECIFIED0
TLS_MODE_MTLS1Standard SPIFFE mTLS using SPIRE-issued SVIDs.
TLS_MODE_ISTIO_MTLS2Istio-managed mTLS, for clusters using an Istio service mesh.

Top

proto/connect/agent_service/v1alpha1/agent_service.proto

Section titled “proto/connect/agent_service/v1alpha1/agent_service.proto”

This file defines the AgentService gRPC service, which is used by Cofide Agents to register with the Connect control plane and to manage the federated services running in their cluster.

CreateAgentJoinTokenRequest

Section titled “CreateAgentJoinTokenRequest”
FieldTypeLabelDescription
trust_zone_idstringoptional
cluster_idstringoptional

CreateAgentJoinTokenResponse

Section titled “CreateAgentJoinTokenResponse”
FieldTypeLabelDescription
agent_tokenstringoptional

DeregisterFederatedServiceRequest

Section titled “DeregisterFederatedServiceRequest”
FieldTypeLabelDescription
service_idstring

DeregisterFederatedServiceResponse

Section titled “DeregisterFederatedServiceResponse”
FieldTypeLabelDescription
service_idstring

GetFederatedServiceRequest

Section titled “GetFederatedServiceRequest”
FieldTypeLabelDescription
service_idstring

GetFederatedServiceResponse

Section titled “GetFederatedServiceResponse”
FieldTypeLabelDescription
serviceproto.federated_service.v1alpha1.FederatedService

ListFederatedServicesRequest

Section titled “ListFederatedServicesRequest”
FieldTypeLabelDescription
org_idstring

ListFederatedServicesResponse

Section titled “ListFederatedServicesResponse”
FieldTypeLabelDescription
servicesproto.federated_service.v1alpha1.FederatedServicerepeated

RegisterFederatedServiceRequest

Section titled “RegisterFederatedServiceRequest”
FieldTypeLabelDescription
serviceproto.federated_service.v1alpha1.FederatedService

RegisterFederatedServiceResponse

Section titled “RegisterFederatedServiceResponse”
FieldTypeLabelDescription
service_idstring

UpdateAgentStatusRequest

Section titled “UpdateAgentStatusRequest”
FieldTypeLabelDescription
statusproto.agent.v1alpha1.AgentStatus

UpdateAgentStatusResponse

Section titled “UpdateAgentStatusResponse”

UpdateFederatedServiceRequest

Section titled “UpdateFederatedServiceRequest”
FieldTypeLabelDescription
serviceproto.federated_service.v1alpha1.FederatedService

UpdateFederatedServiceResponse

Section titled “UpdateFederatedServiceResponse”
FieldTypeLabelDescription
service_idstring

AgentService

Section titled “AgentService”

AgentService is used by Cofide Agents to register with the Connect control plane and to manage the federated services running in their cluster.

Method NameRequest TypeResponse TypeDescription
CreateAgentJoinTokenCreateAgentJoinTokenRequestCreateAgentJoinTokenResponseCreateAgentJoinToken generates a one-time token that a Cofide Agent uses to join a specific trust zone and cluster.
UpdateAgentStatusUpdateAgentStatusRequestUpdateAgentStatusResponseUpdateAgentStatus reports the current operational status of a Cofide Agent to the Connect control plane.
RegisterFederatedServiceRegisterFederatedServiceRequestRegisterFederatedServiceResponseRegisterFederatedService registers a federated service discovered by the agent, making it available for cross-zone connectivity.
DeregisterFederatedServiceDeregisterFederatedServiceRequestDeregisterFederatedServiceResponseDeregisterFederatedService removes a previously registered federated service.
UpdateFederatedServiceUpdateFederatedServiceRequestUpdateFederatedServiceResponseUpdateFederatedService updates the configuration of a registered federated service.
GetFederatedServiceGetFederatedServiceRequestGetFederatedServiceResponseGetFederatedService retrieves a federated service by ID.
ListFederatedServicesListFederatedServicesRequestListFederatedServicesResponseListFederatedServices lists all federated services for an organization.

Top

proto/connect/ap_binding_service/v1alpha1/ap_binding_service.proto

Section titled “proto/connect/ap_binding_service/v1alpha1/ap_binding_service.proto”

This file defines the APBindingService gRPC service for managing attestation policy bindings in the Connect control plane. Bindings associate an attestation policy with a trust zone, enabling SPIFFE identity issuance for workloads matching the policy within that zone.

CreateAPBindingRequest

Section titled “CreateAPBindingRequest”
FieldTypeLabelDescription
bindingproto.ap_binding.v1alpha1.APBindingoptional

CreateAPBindingResponse

Section titled “CreateAPBindingResponse”
FieldTypeLabelDescription
bindingproto.ap_binding.v1alpha1.APBindingoptional

DestroyAPBindingRequest

Section titled “DestroyAPBindingRequest”
FieldTypeLabelDescription
binding_idstringoptional

DestroyAPBindingResponse

Section titled “DestroyAPBindingResponse”

GetAPBindingRequest

Section titled “GetAPBindingRequest”
FieldTypeLabelDescription
binding_idstringoptional

GetAPBindingResponse

Section titled “GetAPBindingResponse”
FieldTypeLabelDescription
bindingproto.ap_binding.v1alpha1.APBindingoptional

ListAPBindingsRequest

Section titled “ListAPBindingsRequest”
FieldTypeLabelDescription
filterListAPBindingsRequest.Filteroptional

ListAPBindingsRequest.Filter

Section titled “ListAPBindingsRequest.Filter”
FieldTypeLabelDescription
org_idstringoptional
trust_zone_idstringoptional
policy_idstringoptional

ListAPBindingsResponse

Section titled “ListAPBindingsResponse”
FieldTypeLabelDescription
bindingsproto.ap_binding.v1alpha1.APBindingrepeated

UpdateAPBindingRequest

Section titled “UpdateAPBindingRequest”
FieldTypeLabelDescription
bindingproto.ap_binding.v1alpha1.APBindingoptional

UpdateAPBindingResponse

Section titled “UpdateAPBindingResponse”
FieldTypeLabelDescription
bindingproto.ap_binding.v1alpha1.APBindingoptional

APBindingService

Section titled “APBindingService”

APBindingService manages attestation policy bindings. Bindings associate an attestation policy with a trust zone, enabling Connect to issue SPIFFE identities to workloads that match the policy within that zone. Bindings can also specify federated trust zones to provide the bundles of federated trust zones to matching workloads.

Method NameRequest TypeResponse TypeDescription
CreateAPBindingCreateAPBindingRequestCreateAPBindingResponseCreateAPBinding creates a new attestation policy binding.
DestroyAPBindingDestroyAPBindingRequestDestroyAPBindingResponseDestroyAPBinding deletes an attestation policy binding by ID.
GetAPBindingGetAPBindingRequestGetAPBindingResponseGetAPBinding retrieves an attestation policy binding by ID.
ListAPBindingsListAPBindingsRequestListAPBindingsResponseListAPBindings returns all attestation policy bindings matching the optional filter.
UpdateAPBindingUpdateAPBindingRequestUpdateAPBindingResponseUpdateAPBinding updates an existing attestation policy binding.

Top

proto/connect/attestation_policy_service/v1alpha1/attestation_policy_service.proto

Section titled “proto/connect/attestation_policy_service/v1alpha1/attestation_policy_service.proto”

This file defines the AttestationPolicyService gRPC service for managing attestation policies in the Connect control plane. Attestation policies specify the criteria used to issue SPIFFE identities to workloads and support Kubernetes, static, and TPM node attestation types.

CreateAttestationPolicyRequest

Section titled “CreateAttestationPolicyRequest”
FieldTypeLabelDescription
policyproto.attestation_policy.v1alpha1.AttestationPolicyoptional

CreateAttestationPolicyResponse

Section titled “CreateAttestationPolicyResponse”
FieldTypeLabelDescription
policyproto.attestation_policy.v1alpha1.AttestationPolicyoptional

DestroyAttestationPolicyRequest

Section titled “DestroyAttestationPolicyRequest”
FieldTypeLabelDescription
policy_idstringoptional

DestroyAttestationPolicyResponse

Section titled “DestroyAttestationPolicyResponse”

GetAttestationPolicyRequest

Section titled “GetAttestationPolicyRequest”
FieldTypeLabelDescription
policy_idstringoptional

GetAttestationPolicyResponse

Section titled “GetAttestationPolicyResponse”
FieldTypeLabelDescription
policyproto.attestation_policy.v1alpha1.AttestationPolicyoptional

ListAttestationPoliciesRequest

Section titled “ListAttestationPoliciesRequest”
FieldTypeLabelDescription
filterListAttestationPoliciesRequest.Filteroptional

ListAttestationPoliciesRequest.Filter

Section titled “ListAttestationPoliciesRequest.Filter”
FieldTypeLabelDescription
namestringoptional
org_idstringoptional
trust_zone_idstringoptional
kindAttestationPolicyKindoptional
tpm_nodeListAttestationPoliciesRequest.TPMNodeFilteroptional

ListAttestationPoliciesRequest.TPMNodeFilter

Section titled “ListAttestationPoliciesRequest.TPMNodeFilter”
FieldTypeLabelDescription
ek_hashstringoptional

ListAttestationPoliciesResponse

Section titled “ListAttestationPoliciesResponse”
FieldTypeLabelDescription
policiesproto.attestation_policy.v1alpha1.AttestationPolicyrepeated

UpdateAttestationPolicyRequest

Section titled “UpdateAttestationPolicyRequest”
FieldTypeLabelDescription
policyproto.attestation_policy.v1alpha1.AttestationPolicyoptional

UpdateAttestationPolicyResponse

Section titled “UpdateAttestationPolicyResponse”
FieldTypeLabelDescription
policyproto.attestation_policy.v1alpha1.AttestationPolicyoptional

AttestationPolicyKind

Section titled “AttestationPolicyKind”

AttestationPolicyKind enumerates the supported attestation policy types.

NameNumberDescription
ATTESTATION_POLICY_KIND_UNSPECIFIED0
ATTESTATION_POLICY_KIND_KUBERNETES1
ATTESTATION_POLICY_KIND_STATIC2
ATTESTATION_POLICY_KIND_TPM_NODE3

AttestationPolicyService

Section titled “AttestationPolicyService”

AttestationPolicyService manages attestation policies. Attestation policies define the criteria (namespace selectors, pod labels, TPM EK hashes, etc.) used to issue SPIFFE identities to workloads. Policies are bound to trust zones via the APBindingService.

Method NameRequest TypeResponse TypeDescription
CreateAttestationPolicyCreateAttestationPolicyRequestCreateAttestationPolicyResponseCreateAttestationPolicy creates a new attestation policy.
DestroyAttestationPolicyDestroyAttestationPolicyRequestDestroyAttestationPolicyResponseDestroyAttestationPolicy deletes an attestation policy by ID.
GetAttestationPolicyGetAttestationPolicyRequestGetAttestationPolicyResponseGetAttestationPolicy retrieves an attestation policy by ID.
ListAttestationPoliciesListAttestationPoliciesRequestListAttestationPoliciesResponseListAttestationPolicies returns all attestation policies matching the optional filter.
UpdateAttestationPolicyUpdateAttestationPolicyRequestUpdateAttestationPolicyResponseUpdateAttestationPolicy updates an existing attestation policy.

Top

proto/connect/cluster_service/v1alpha1/cluster_service.proto

Section titled “proto/connect/cluster_service/v1alpha1/cluster_service.proto”

This file defines the ClusterService gRPC service for managing clusters registered with the Connect control plane. Each cluster belongs to a trust zone.

CreateClusterRequest

Section titled “CreateClusterRequest”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

CreateClusterResponse

Section titled “CreateClusterResponse”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

DestroyClusterRequest

Section titled “DestroyClusterRequest”
FieldTypeLabelDescription
cluster_idstringoptional

DestroyClusterResponse

Section titled “DestroyClusterResponse”

GetClusterRequest

Section titled “GetClusterRequest”
FieldTypeLabelDescription
cluster_idstringoptional

GetClusterResponse

Section titled “GetClusterResponse”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

ListClustersRequest

Section titled “ListClustersRequest”
FieldTypeLabelDescription
filterListClustersRequest.Filteroptional

ListClustersRequest.Filter

Section titled “ListClustersRequest.Filter”
FieldTypeLabelDescription
namestringoptional
org_idstringoptional
trust_zone_idstringoptional

ListClustersResponse

Section titled “ListClustersResponse”
FieldTypeLabelDescription
clustersproto.cluster.v1alpha1.Clusterrepeated

UpdateClusterRequest

Section titled “UpdateClusterRequest”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

UpdateClusterResponse

Section titled “UpdateClusterResponse”
FieldTypeLabelDescription
clusterproto.cluster.v1alpha1.Clusteroptional

ClusterService

Section titled “ClusterService”

ClusterService manages clusters registered with the Connect control plane. Each cluster belongs to a trust zone.

Method NameRequest TypeResponse TypeDescription
CreateClusterCreateClusterRequestCreateClusterResponseCreateCluster registers a new cluster with the Connect control plane.
DestroyClusterDestroyClusterRequestDestroyClusterResponseDestroyCluster removes a cluster from the Connect control plane.
GetClusterGetClusterRequestGetClusterResponseGetCluster retrieves a cluster by ID.
ListClustersListClustersRequestListClustersResponseListClusters returns all clusters matching the optional filter.
UpdateClusterUpdateClusterRequestUpdateClusterResponseUpdateCluster updates the configuration of an existing cluster.

Top

proto/connect/datastore_service/v1alpha1/datastore.proto

Section titled “proto/connect/datastore_service/v1alpha1/datastore.proto”

AttestedNode

Section titled “AttestedNode”

Represents an attested SPIRE agent

FieldTypeLabelDescription
org_idstringOrganisation ID
trust_zone_idstringTrust zone ID
spiffe_idstringNode SPIFFE ID
attestation_data_typestringAttestation data type
cert_serial_numberstringNode certificate serial number
cert_not_afterint64Node certificate not_after (seconds since unix epoch)
new_cert_serial_numberstringNode certificate serial number
new_cert_not_afterint64Node certificate not_after (seconds since unix epoch)
selectorsSelectorrepeatedNode selectors
can_reattestboolCanReattest field (can the attestation safely be deleted and recreated automatically)

Selector

Section titled “Selector”

A type which describes the conditions under which a registration entry is matched.

FieldTypeLabelDescription
typestringA selector type represents the type of attestation used in attesting the entity (Eg: AWS, K8).
valuestringThe value to be attested.

Selectors

Section titled “Selectors”

Represents a type with a list of Selector.

FieldTypeLabelDescription
entriesSelectorrepeatedA list of Selector.

Top

proto/connect/datastore_service/v1alpha1/datastore_service.proto

Section titled “proto/connect/datastore_service/v1alpha1/datastore_service.proto”

AttestedNodeMask

Section titled “AttestedNodeMask”
FieldTypeLabelDescription
attestation_data_typebool
cert_serial_numberbool
cert_not_afterbool
new_cert_serial_numberbool
new_cert_not_afterbool
can_reattestbool

CountAttestedNodesRequest

Section titled “CountAttestedNodesRequest”

Node operations request/response messages

FieldTypeLabelDescription
trust_zone_idstringoptional

CountAttestedNodesResponse

Section titled “CountAttestedNodesResponse”
FieldTypeLabelDescription
countint32

CreateAttestedNodeRequest

Section titled “CreateAttestedNodeRequest”
FieldTypeLabelDescription
nodeAttestedNode
trust_zone_idstringoptional

CreateAttestedNodeResponse

Section titled “CreateAttestedNodeResponse”
FieldTypeLabelDescription
nodeAttestedNode

DeleteAttestedNodeRequest

Section titled “DeleteAttestedNodeRequest”
FieldTypeLabelDescription
spiffe_idstring
trust_zone_idstringoptional

DeleteAttestedNodeResponse

Section titled “DeleteAttestedNodeResponse”
FieldTypeLabelDescription
nodeAttestedNodeoptional

FetchAttestedNodeRequest

Section titled “FetchAttestedNodeRequest”
FieldTypeLabelDescription
spiffe_idstring
trust_zone_idstringoptional

FetchAttestedNodeResponse

Section titled “FetchAttestedNodeResponse”
FieldTypeLabelDescription
nodeAttestedNodeoptional

GetNodeSelectorsRequest

Section titled “GetNodeSelectorsRequest”

Node Selector operations request/response messages

FieldTypeLabelDescription
spiffe_idstring
trust_zone_idstringoptional

GetNodeSelectorsResponse

Section titled “GetNodeSelectorsResponse”
FieldTypeLabelDescription
spiffe_idstring
selectorsSelectorrepeated

ListAttestedNodesRequest

Section titled “ListAttestedNodesRequest”
FieldTypeLabelDescription
by_attestation_typestringoptionalFilters nodes by attestation type
by_bannedbooloptionalFilters nodes by banned status
by_expires_beforeint64optionalFilters nodes that expire before the specified timestamp
by_selector_matchListAttestedNodesRequest.BySelectorsoptional
fetch_selectorsbooloptionalWhether to fetch selectors with nodes
by_can_reattestbooloptionalFilters nodes by ability to re-attest
trust_zone_idstringoptional

ListAttestedNodesRequest.BySelectors

Section titled “ListAttestedNodesRequest.BySelectors”

Filters nodes by selectors

FieldTypeLabelDescription
selectorsSelectorrepeated
matchListAttestedNodesRequest.MatchBehavior

ListAttestedNodesResponse

Section titled “ListAttestedNodesResponse”
FieldTypeLabelDescription
nodesAttestedNoderepeated

ListNodeSelectorsRequest

Section titled “ListNodeSelectorsRequest”
FieldTypeLabelDescription
valid_atint64optional
trust_zone_idstringoptional

ListNodeSelectorsResponse

Section titled “ListNodeSelectorsResponse”
FieldTypeLabelDescription
selectorsListNodeSelectorsResponse.SelectorsEntryrepeated

ListNodeSelectorsResponse.NodeSelectors

Section titled “ListNodeSelectorsResponse.NodeSelectors”
FieldTypeLabelDescription
selectorsSelectorrepeated

ListNodeSelectorsResponse.SelectorsEntry

Section titled “ListNodeSelectorsResponse.SelectorsEntry”
FieldTypeLabelDescription
keystring
valueListNodeSelectorsResponse.NodeSelectors

PruneAttestedExpiredNodesRequest

Section titled “PruneAttestedExpiredNodesRequest”
FieldTypeLabelDescription
trust_zone_idstring
expired_beforegoogle.protobuf.Timestamp
include_non_reattestablebool

PruneAttestedExpiredNodesResponse

Section titled “PruneAttestedExpiredNodesResponse”

SetNodeSelectorsRequest

Section titled “SetNodeSelectorsRequest”
FieldTypeLabelDescription
spiffe_idstring
selectorsSelectorrepeated
trust_zone_idstringoptional

SetNodeSelectorsResponse

Section titled “SetNodeSelectorsResponse”

UpdateAttestedNodeRequest

Section titled “UpdateAttestedNodeRequest”
FieldTypeLabelDescription
nodeAttestedNode
maskAttestedNodeMask
trust_zone_idstringoptional

UpdateAttestedNodeResponse

Section titled “UpdateAttestedNodeResponse”
FieldTypeLabelDescription
nodeAttestedNodeoptional

ListAttestedNodesRequest.MatchBehavior

Section titled “ListAttestedNodesRequest.MatchBehavior”
NameNumberDescription
MATCH_BEHAVIOR_EXACT_UNSPECIFIED0
MATCH_BEHAVIOR_SUBSET1
MATCH_BEHAVIOR_SUPERSET2
MATCH_BEHAVIOR_MATCH_ANY3

DataStoreService

Section titled “DataStoreService”

DataStoreService defines the gRPC service for the SPIRE server DataStore interface

Method NameRequest TypeResponse TypeDescription
CountAttestedNodesCountAttestedNodesRequestCountAttestedNodesResponseNode operations
CreateAttestedNodeCreateAttestedNodeRequestCreateAttestedNodeResponse
DeleteAttestedNodeDeleteAttestedNodeRequestDeleteAttestedNodeResponse
FetchAttestedNodeFetchAttestedNodeRequestFetchAttestedNodeResponse
UpdateAttestedNodeUpdateAttestedNodeRequestUpdateAttestedNodeResponse
ListAttestedNodesListAttestedNodesRequestListAttestedNodesResponse
PruneAttestedExpiredNodesPruneAttestedExpiredNodesRequestPruneAttestedExpiredNodesResponse
GetNodeSelectorsGetNodeSelectorsRequestGetNodeSelectorsResponseNode Selector operations
SetNodeSelectorsSetNodeSelectorsRequestSetNodeSelectorsResponse
ListNodeSelectorsListNodeSelectorsRequestListNodeSelectorsResponse

Top

proto/exchange_policy/v1alpha1/exchange_policy.proto

Section titled “proto/exchange_policy/v1alpha1/exchange_policy.proto”

ExchangePolicy

Section titled “ExchangePolicy”

ExchangePolicy defines a rule for permitting or denying Credex token exchanges within a trust zone

FieldTypeLabelDescription
idstringThe unique ID of the exchange policy. Generated by the server.
org_idstringOrganization to which the exchange policy belongs. Derived from the trust zone by the API service.
namestring
trust_zone_idstringTrust zone to which this policy applies. Immutable after creation.
actionExchangePolicyActionoptionalAction to take when all conditions match. Defaults to ALLOW when unset.
subject_identityStringSetMatch conditions on the inbound subject token
subject_issuerStringSet
actor_identityStringSetMatch conditions on the optional inbound actor
actor_issuerStringSet
client_idStringSetMatch condition on the OAuth client_id presenting the exchange request
target_audienceStringSetMatch condition on the requested target audience
outbound_scopesstringrepeatedOutbound scopes to grant. Only relevant when action is ALLOW.

StringMatcher

Section titled “StringMatcher”
FieldTypeLabelDescription
exactstringExact string equality.
globstringGlob pattern (e.g. spiffe://trust.domain/ns//sa/).

StringSet

Section titled “StringSet”

StringSet holds a collection of StringMatchers evaluated with OR semantics.

FieldTypeLabelDescription
matchersStringMatcherrepeated

ExchangePolicyAction

Section titled “ExchangePolicyAction”

ExchangePolicyAction determines whether a Credex token exchange is permitted when all conditions of an ExchangePolicy match.

NameNumberDescription
EXCHANGE_POLICY_ACTION_UNSPECIFIED0treated as ALLOW
EXCHANGE_POLICY_ACTION_ALLOW1
EXCHANGE_POLICY_ACTION_DENY2

Top

proto/connect/exchange_policy_service/v1alpha1/exchange_policy_service.proto

Section titled “proto/connect/exchange_policy_service/v1alpha1/exchange_policy_service.proto”

CreateExchangePolicyRequest

Section titled “CreateExchangePolicyRequest”
FieldTypeLabelDescription
exchange_policyproto.exchange_policy.v1alpha1.ExchangePolicy

CreateExchangePolicyResponse

Section titled “CreateExchangePolicyResponse”
FieldTypeLabelDescription
exchange_policyproto.exchange_policy.v1alpha1.ExchangePolicy

DestroyExchangePolicyRequest

Section titled “DestroyExchangePolicyRequest”
FieldTypeLabelDescription
exchange_policy_idstring

DestroyExchangePolicyResponse

Section titled “DestroyExchangePolicyResponse”

GetExchangePolicyRequest

Section titled “GetExchangePolicyRequest”
FieldTypeLabelDescription
exchange_policy_idstring

GetExchangePolicyResponse

Section titled “GetExchangePolicyResponse”
FieldTypeLabelDescription
exchange_policyproto.exchange_policy.v1alpha1.ExchangePolicyoptional

ListExchangePoliciesRequest

Section titled “ListExchangePoliciesRequest”
FieldTypeLabelDescription
filterListExchangePoliciesRequest.Filter

ListExchangePoliciesRequest.Filter

Section titled “ListExchangePoliciesRequest.Filter”
FieldTypeLabelDescription
namestring
org_idstring
trust_zone_idstring

ListExchangePoliciesResponse

Section titled “ListExchangePoliciesResponse”
FieldTypeLabelDescription
exchange_policiesproto.exchange_policy.v1alpha1.ExchangePolicyrepeated

UpdateExchangePolicyRequest

Section titled “UpdateExchangePolicyRequest”
FieldTypeLabelDescription
exchange_policyproto.exchange_policy.v1alpha1.ExchangePolicy
update_maskUpdateExchangePolicyRequest.UpdateMaskThe list of fields to be updated. If not provided a full replacement will be made.

UpdateExchangePolicyRequest.UpdateMask

Section titled “UpdateExchangePolicyRequest.UpdateMask”
FieldTypeLabelDescription
nameboolSet to true to update the name field.
actionboolSet to true to update the action field.
subject_identityboolSet to true to update the subject_identity field.
subject_issuerboolSet to true to update the subject_issuer field.
actor_identityboolSet to true to update the actor_identity field.
actor_issuerboolSet to true to update the actor_issuer field.
client_idboolSet to true to update the client_id field.
target_audienceboolSet to true to update the target_audience field.
outbound_scopesboolSet to true to update the outbound_scopes field.

UpdateExchangePolicyResponse

Section titled “UpdateExchangePolicyResponse”
FieldTypeLabelDescription
exchange_policyproto.exchange_policy.v1alpha1.ExchangePolicy

ExchangePolicyService

Section titled “ExchangePolicyService”

ExchangePolicyService manages exchange policies that govern Credex token exchanges within a trust zone. Each policy defines conditions on the inbound token (subject, issuer, actor, client ID, target audience) and determines whether the exchange is allowed or denied.

Method NameRequest TypeResponse TypeDescription
CreateExchangePolicyCreateExchangePolicyRequestCreateExchangePolicyResponseCreateExchangePolicy creates a new exchange policy.
DestroyExchangePolicyDestroyExchangePolicyRequestDestroyExchangePolicyResponseDestroyExchangePolicy deletes an exchange policy by ID.
GetExchangePolicyGetExchangePolicyRequestGetExchangePolicyResponseGetExchangePolicy retrieves an exchange policy by ID.
ListExchangePoliciesListExchangePoliciesRequestListExchangePoliciesResponseListExchangePolicies returns all exchange policies matching the optional filter.
UpdateExchangePolicyUpdateExchangePolicyRequestUpdateExchangePolicyResponseUpdateExchangePolicy updates an existing exchange policy. An optional update mask specifies which fields to update; if omitted, a full replacement is made.

Top

proto/connect/federation_service/v1alpha1/federation_service.proto

Section titled “proto/connect/federation_service/v1alpha1/federation_service.proto”

This file defines the FederationService gRPC service for managing federations between trust zones in the Connect control plane. Federations establish trust relationships that allow workloads in each zone to present their SPIFFE identities to workloads in the other, enabling secure connectivity across zone boundaries.

CreateFederationRequest

Section titled “CreateFederationRequest”
FieldTypeLabelDescription
federationproto.federation.v1alpha1.Federation

CreateFederationResponse

Section titled “CreateFederationResponse”
FieldTypeLabelDescription
federationproto.federation.v1alpha1.Federation

DestroyFederationRequest

Section titled “DestroyFederationRequest”
FieldTypeLabelDescription
federation_idstringoptional

DestroyFederationResponse

Section titled “DestroyFederationResponse”

GetFederationRequest

Section titled “GetFederationRequest”
FieldTypeLabelDescription
federation_idstring

GetFederationResponse

Section titled “GetFederationResponse”
FieldTypeLabelDescription
federationproto.federation.v1alpha1.Federation

ListFederationsRequest

Section titled “ListFederationsRequest”
FieldTypeLabelDescription
filterListFederationsRequest.Filteroptional

ListFederationsRequest.Filter

Section titled “ListFederationsRequest.Filter”
FieldTypeLabelDescription
org_idstringoptional
trust_zone_idstringoptional
remote_trust_zone_idstringoptional

ListFederationsResponse

Section titled “ListFederationsResponse”
FieldTypeLabelDescription
federationsproto.federation.v1alpha1.Federationrepeated

FederationService

Section titled “FederationService”

FederationService manages federations between trust zones. A federation establishes a trust relationship that allows workloads in each zone to present their SPIFFE identities to workloads in the other, enabling secure connectivity across zone boundaries. Attestation policy bindings control which workloads can federate.

Method NameRequest TypeResponse TypeDescription
CreateFederationCreateFederationRequestCreateFederationResponseCreateFederation creates a new federation between two trust zones.
DestroyFederationDestroyFederationRequestDestroyFederationResponseDestroyFederation removes a federation by ID.
ListFederationsListFederationsRequestListFederationsResponseListFederations returns all federations matching the optional filter.
GetFederationGetFederationRequestGetFederationResponseGetFederation retrieves a federation by ID.

Top

proto/identity/v1alpha1/identity.proto

Section titled “proto/identity/v1alpha1/identity.proto”

This file defines the Identity message and related types representing SPIFFE identities (SVIDs) issued by Connect to workloads on attested nodes. Each identity records the SPIFFE ID, attestation selectors, and federation configuration for a workload matched by an attestation policy.

Identity

Section titled “Identity”

Identity represents a SPIFFE identity (SVID) issued by Connect to a workload on an attested node. Each identity is derived from a matching attestation policy and carries the SPIFFE ID, attestation selectors, and optional federation configuration for the workload.

FieldTypeLabelDescription
idstring
org_idstring
trust_zone_idstring
cluster_idstring
attestation_policy_idstringThe attestation policy that matched this workload.
ap_binding_idstringThe attestation policy binding through which this identity was issued.
workload_idstringThe workload to which this identity was issued.
spiffe_idstringThe SPIFFE ID issued to the workload, e.g. spiffe://trust-domain/ns/foo/sa/bar.
parent_idstringThe SPIFFE ID of the SPIRE agent node that attested this workload.
selectorsSelectorrepeatedAttestation selectors produced by workload attestation plugins (e.g. k8s, unix).
dns_namesstringrepeatedDNS names to include as DNS Subject Alternative Names (SANs).
federationsIdentityFederationrepeatedFederated trust zones or trust domains with which this identity is shared.
created_atgoogle.protobuf.Timestamp

IdentityFederation

Section titled “IdentityFederation”

IdentityFederation specifies a federated trust zone or trust domain with which an identity is shared, enabling the workload to present its SVID to workloads in the remote zone.

FieldTypeLabelDescription
trust_zone_idstring
trust_domainstring

Selector

Section titled “Selector”

Selector is an attestation selector produced by a workload attestation plugin (e.g. k8s, unix, docker). Selectors are used to match a workload against attestation policies to determine which SPIFFE ID to issue.

FieldTypeLabelDescription
typestringThe attestation plugin type, e.g. “k8s”, “unix”, “docker”.
valuestringThe selector value, e.g. “ns:foo”, “user:1000”.

Top

proto/connect/identity_service/v1alpha1/identity_service.proto

Section titled “proto/connect/identity_service/v1alpha1/identity_service.proto”

This file defines the IdentityService gRPC service, which provides read-only access to SPIFFE identities (SVIDs) issued by Connect. Identities are derived from attestation policy bindings and record the SPIFFE ID, attestation selectors, and federation configuration for each attested workload.

GetIdentityRequest

Section titled “GetIdentityRequest”
FieldTypeLabelDescription
identity_idstring

GetIdentityResponse

Section titled “GetIdentityResponse”
FieldTypeLabelDescription
identityproto.identity.v1alpha1.Identity

ListIdentitiesRequest

Section titled “ListIdentitiesRequest”
FieldTypeLabelDescription
filterListIdentitiesRequest.Filteroptional

ListIdentitiesRequest.Filter

Section titled “ListIdentitiesRequest.Filter”
FieldTypeLabelDescription
org_idstringoptional
trust_zone_idstringoptional
cluster_idstringoptional
attestation_policy_idstringoptional
ap_binding_idstringoptional
workload_idstringoptional
spiffe_idstringoptional

ListIdentitiesResponse

Section titled “ListIdentitiesResponse”
FieldTypeLabelDescription
identitiesproto.identity.v1alpha1.Identityrepeated

IdentityService

Section titled “IdentityService”

IdentityService provides read-only access to the SPIFFE identities (SVIDs) issued by Connect to workloads on attested nodes. Identities are derived from attestation policy bindings and carry the SPIFFE ID, selectors, and federation configuration for each workload.

Method NameRequest TypeResponse TypeDescription
GetIdentityGetIdentityRequestGetIdentityResponseGetIdentity retrieves a SPIFFE identity by ID.
ListIdentitiesListIdentitiesRequestListIdentitiesResponseListIdentities returns all identities matching the optional filter.

Top

proto/organization/v1alpha1/organization.proto

Section titled “proto/organization/v1alpha1/organization.proto”

This file defines the Organization message representing the top-level grouping of resources in the Connect control plane. Trust zones, attestation policies, and role bindings are all scoped to an organization.

Organization

Section titled “Organization”

Organization is the top-level grouping of Connect resources. Trust zones, attestation policies, and role bindings are all scoped to an organization.

FieldTypeLabelDescription
idstring
namestring

Top

proto/connect/organization_service/v1alpha1/organization_service.proto

Section titled “proto/connect/organization_service/v1alpha1/organization_service.proto”

This file defines the OrganizationService gRPC service, which provides read-only access to organizations in the Connect control plane. Organizations are the top-level grouping of resources: trust zones and attestation policies are scoped to an organization.

GetOrganizationRequest

Section titled “GetOrganizationRequest”
FieldTypeLabelDescription
org_idstringoptional

GetOrganizationResponse

Section titled “GetOrganizationResponse”
FieldTypeLabelDescription
organizationproto.organization.v1alpha1.Organizationoptional

ListOrganizationsRequest

Section titled “ListOrganizationsRequest”
FieldTypeLabelDescription
filterListOrganizationsRequest.Filteroptional

ListOrganizationsRequest.Filter

Section titled “ListOrganizationsRequest.Filter”
FieldTypeLabelDescription
namestringoptional

ListOrganizationsResponse

Section titled “ListOrganizationsResponse”
FieldTypeLabelDescription
organizationsproto.organization.v1alpha1.Organizationrepeated

OrganizationService

Section titled “OrganizationService”

OrganizationService provides read-only access to organizations. Organizations are the top-level grouping of Connect resources: trust zones and attestation policies are scoped to an organization.

Method NameRequest TypeResponse TypeDescription
GetOrganizationGetOrganizationRequestGetOrganizationResponseGetOrganization retrieves an organization by ID.
ListOrganizationsListOrganizationsRequestListOrganizationsResponseListOrganizations returns all organizations matching the optional filter.

Top

proto/role_binding/v1alpha1/role_binding.proto

Section titled “proto/role_binding/v1alpha1/role_binding.proto”

This file defines the RoleBinding message and related types used by Connect’s Role-Based Access Control (RBAC) system. Role bindings associate a principal (user or group) with a predefined role on a specific resource, with permissions inherited down the resource hierarchy. RBAC is enforced server-side.

Group

Section titled “Group”

Group identifies a set of principals by a group claim value in the JWT presented by users. This allows role bindings to be applied to all members of a group as managed by the configured identity provider.

FieldTypeLabelDescription
claim_valuestringFor users this is matched against the list of values in the “groups” claim of the JWT presented by a user.

Resource

Section titled “Resource”

Resource identifies the target of a role binding. Role bindings can be applied to System, Organization, Trust Zone, or Cluster resources. Permissions are inherited down the resource hierarchy from the bound resource.

FieldTypeLabelDescription
typestringtype can be one of the following: AttestationPolicyBinding AttestationPolicy Cluster FederatedService Federation Organization System TrustZone
idstring

RoleBinding

Section titled “RoleBinding”

RoleBinding associates a principal (user or group) with a role on a specific resource. Permissions defined by the role are granted on the target resource and inherited by all child resources in the resource hierarchy. Connect’s RBAC policies are enforced server-side.

FieldTypeLabelDescription
idstring
role_idstringThe role granted by this binding. See the Connect access control documentation for the list of available roles.
userUser
groupGroup
resourceResource

User

Section titled “User”

User identifies an individual principal by the “sub” (subject) claim of the JWT presented by that user to the configured identity provider.

FieldTypeLabelDescription
subjectstringThis is matched against the “sub” claim of the JWT presented by a user.

Top

proto/connect/role_binding_service/v1alpha1/role_binding_service.proto

Section titled “proto/connect/role_binding_service/v1alpha1/role_binding_service.proto”

This file defines the RoleBindingService gRPC service for managing role bindings in Connect’s RBAC system. Role bindings associate a principal (user or group) with a predefined role on a resource, granting permissions on that resource and all child resources in the hierarchy. Policies are enforced server-side.

CreateRoleBindingRequest

Section titled “CreateRoleBindingRequest”
FieldTypeLabelDescription
role_bindingproto.role_binding.v1alpha1.RoleBinding

CreateRoleBindingResponse

Section titled “CreateRoleBindingResponse”
FieldTypeLabelDescription
role_bindingproto.role_binding.v1alpha1.RoleBinding

DestroyRoleBindingRequest

Section titled “DestroyRoleBindingRequest”
FieldTypeLabelDescription
role_binding_idstring

DestroyRoleBindingResponse

Section titled “DestroyRoleBindingResponse”

GetRoleBindingRequest

Section titled “GetRoleBindingRequest”
FieldTypeLabelDescription
role_binding_idstring

GetRoleBindingResponse

Section titled “GetRoleBindingResponse”
FieldTypeLabelDescription
role_bindingproto.role_binding.v1alpha1.RoleBindingoptional

ListRoleBindingsRequest

Section titled “ListRoleBindingsRequest”
FieldTypeLabelDescription
filterListRoleBindingsRequest.Filteroptional

ListRoleBindingsRequest.Filter

Section titled “ListRoleBindingsRequest.Filter”
FieldTypeLabelDescription
role_idstringoptional
user_subjectstringoptional
group_claim_valuestringoptional
resource_typestringoptional
resource_idstringoptional

ListRoleBindingsResponse

Section titled “ListRoleBindingsResponse”
FieldTypeLabelDescription
role_bindingsproto.role_binding.v1alpha1.RoleBindingrepeated

UpdateRoleBindingRequest

Section titled “UpdateRoleBindingRequest”
FieldTypeLabelDescription
role_bindingproto.role_binding.v1alpha1.RoleBinding

UpdateRoleBindingResponse

Section titled “UpdateRoleBindingResponse”
FieldTypeLabelDescription
role_bindingproto.role_binding.v1alpha1.RoleBinding

RoleBindingService

Section titled “RoleBindingService”

RoleBindingService manages role bindings for Connect’s role-based access control (RBAC) system. Role bindings associate a principal (user or group) with a predefined role on a specific resource, granting the permissions defined by that role on the resource and all child resources in the hierarchy. RBAC policies are enforced server-side.

Method NameRequest TypeResponse TypeDescription
CreateRoleBindingCreateRoleBindingRequestCreateRoleBindingResponseCreateRoleBinding creates a new role binding.
DestroyRoleBindingDestroyRoleBindingRequestDestroyRoleBindingResponseDestroyRoleBinding removes a role binding by ID.
GetRoleBindingGetRoleBindingRequestGetRoleBindingResponseGetRoleBinding retrieves a role binding by ID.
ListRoleBindingsListRoleBindingsRequestListRoleBindingsResponseListRoleBindings returns all role bindings matching the optional filter.
UpdateRoleBindingUpdateRoleBindingRequestUpdateRoleBindingResponseUpdateRoleBinding updates an existing role binding.

Top

proto/trust_zone_server/v1alpha1/trust_zone_server.proto

Section titled “proto/trust_zone_server/v1alpha1/trust_zone_server.proto”

This file defines the TrustZoneServer message and related types describing how the SPIRE server managing a trust zone should be deployed. It includes lifecycle status tracking and configuration for k8s_psat node attestation when using the Connect datasource with remote clusters.

ConnectK8sPsatConfig

Section titled “ConnectK8sPsatConfig”
FieldTypeLabelDescription
audiencesstringrepeatedAudiences that can be presented by SPIRE agents in remote clusters to perform node attestation when this server is using the k8s psat plugin with the Connect datasource. At least 1 must be provided if there are remote clusters in the trust zone.
spire_server_spiffe_id_pathstringPath to use for the SPIFFE ID in the JWT presented by the SPIRE server to the cluster’s API server when this server is using the k8s psat plugin with the Connect datasource. This must be configured to be an allowed subject in the remote cluster’s API server.

TrustZoneServer

Section titled “TrustZoneServer”

TrustZoneServer defines how the server managing a trust zone should be deployed.

FieldTypeLabelDescription
idstringThe unique ID of the server. Generated by the server.
trust_zone_idstringTrust Zone managed by this server. Immutable after creation.
cluster_idstringCluster in which the server should be deployed. Immutable after creation.
kubernetes_namespacestringKubernetes namespace in which the server should be deployed. If not provided the API service should set this.
kubernetes_service_accountstringName of kubernetes service account to deploy with the server. If not provided the API service should set this.
org_idstringOrganization to which the server belongs. Derived from the trust zone by the API service.
helm_valuesgoogle.protobuf.StructHelm values to configure the server install with.
statusTrustZoneServer.StatusCurrent status of the trust zone server
created_atgoogle.protobuf.TimestampTime of resource creation by user.
last_updated_atgoogle.protobuf.TimestampTimes of last resource update by user.
deleted_atgoogle.protobuf.TimestampTime of resource deletion by user.
connect_k8s_psat_configConnectK8sPsatConfigConfiguration for the k8s psat node attestor plugin when using a Connect datasource with remote clusters.

TrustZoneServer.Status

Section titled “TrustZoneServer.Status”
FieldTypeLabelDescription
statusTrustZoneServerStatusLast reported status of the trust zone server.
last_transition_timegoogle.protobuf.TimestampWhen the status of the trust zone server last changed.

TrustZoneServerStatus

Section titled “TrustZoneServerStatus”

Status of a trust zone server

NameNumberDescription
TRUST_ZONE_SERVER_STATUS_UNSPECIFIED0
TRUST_ZONE_SERVER_STATUS_PROVISIONING1Provisioning / Deleting statuses are only applicable for managed trust zone servers
TRUST_ZONE_SERVER_STATUS_PROVISIONED2
TRUST_ZONE_SERVER_STATUS_PROVISIONING_ERROR3
TRUST_ZONE_SERVER_STATUS_DELETING4
TRUST_ZONE_SERVER_STATUS_DELETED5
TRUST_ZONE_SERVER_STATUS_DELETING_ERROR6

Top

proto/connect/trust_zone_server_service/v1alpha1/trust_zone_server_service.proto

Section titled “proto/connect/trust_zone_server_service/v1alpha1/trust_zone_server_service.proto”

This file defines the TrustZoneServerService gRPC service for managing TrustZoneServers in the Connect control plane. A TrustZoneServer describes how the SPIRE server for a trust zone should be deployed into a cluster, including its lifecycle status and node attestation configuration.

CreateTrustZoneServerRequest

Section titled “CreateTrustZoneServerRequest”
FieldTypeLabelDescription
trust_zone_serverproto.trust_zone_server.v1alpha1.TrustZoneServer

CreateTrustZoneServerResponse

Section titled “CreateTrustZoneServerResponse”
FieldTypeLabelDescription
trust_zone_serverproto.trust_zone_server.v1alpha1.TrustZoneServer

DestroyTrustZoneServerRequest

Section titled “DestroyTrustZoneServerRequest”
FieldTypeLabelDescription
trust_zone_server_idstring

DestroyTrustZoneServerResponse

Section titled “DestroyTrustZoneServerResponse”

GetTrustZoneServerRequest

Section titled “GetTrustZoneServerRequest”
FieldTypeLabelDescription
trust_zone_server_idstring

GetTrustZoneServerResponse

Section titled “GetTrustZoneServerResponse”
FieldTypeLabelDescription
trust_zone_serverproto.trust_zone_server.v1alpha1.TrustZoneServeroptional

ListTrustZoneServersRequest

Section titled “ListTrustZoneServersRequest”
FieldTypeLabelDescription
filterListTrustZoneServersRequest.Filter

ListTrustZoneServersRequest.Filter

Section titled “ListTrustZoneServersRequest.Filter”
FieldTypeLabelDescription
trust_zone_idstring
cluster_idstring
org_idstring

ListTrustZoneServersResponse

Section titled “ListTrustZoneServersResponse”
FieldTypeLabelDescription
trust_zone_serversproto.trust_zone_server.v1alpha1.TrustZoneServerrepeated

UpdateTrustZoneServerRequest

Section titled “UpdateTrustZoneServerRequest”
FieldTypeLabelDescription
trust_zone_serverproto.trust_zone_server.v1alpha1.TrustZoneServer
update_maskUpdateTrustZoneServerRequest.UpdateMaskoptionalThe list of fields to be updated. If not provided a full replacement will be made.

UpdateTrustZoneServerRequest.UpdateMask

Section titled “UpdateTrustZoneServerRequest.UpdateMask”
FieldTypeLabelDescription
helm_valuesboolSet to true to update helm values of trust zone server to those provided.

UpdateTrustZoneServerResponse

Section titled “UpdateTrustZoneServerResponse”
FieldTypeLabelDescription
trust_zone_serverproto.trust_zone_server.v1alpha1.TrustZoneServer

UpdateTrustZoneServerStatusRequest

Section titled “UpdateTrustZoneServerStatusRequest”
FieldTypeLabelDescription
trust_zone_server_idstring
statusproto.trust_zone_server.v1alpha1.TrustZoneServerStatus

UpdateTrustZoneServerStatusResponse

Section titled “UpdateTrustZoneServerStatusResponse”

TrustZoneServerService

Section titled “TrustZoneServerService”

TrustZoneServerService manages TrustZoneServers.

Method NameRequest TypeResponse TypeDescription
CreateTrustZoneServerCreateTrustZoneServerRequestCreateTrustZoneServerResponseCreate a TrustZoneServer for the given trust zone in the specified cluster. In the submitted resource the ID should not be set and will be generated by the server API.
DestroyTrustZoneServerDestroyTrustZoneServerRequestDestroyTrustZoneServerResponseDestroy a TrustZoneServer. For managed TrustZoneServers this should soft delete the API resource until the managed server is deprovisioned.
GetTrustZoneServerGetTrustZoneServerRequestGetTrustZoneServerResponseGet a TrustZoneServer by ID.
ListTrustZoneServersListTrustZoneServersRequestListTrustZoneServersResponseList TrustZoneServers.
UpdateTrustZoneServerUpdateTrustZoneServerRequestUpdateTrustZoneServerResponseUpdate a TrustZoneServer. Server implementations may prevent some fields from being updated.
UpdateTrustZoneServerStatusUpdateTrustZoneServerStatusRequestUpdateTrustZoneServerStatusResponseUpdate the status of a trust zone server.

Top

proto/connect/trust_zone_service/v1alpha1/trust_zone_service.proto

Section titled “proto/connect/trust_zone_service/v1alpha1/trust_zone_service.proto”

This file defines the TrustZoneService gRPC service for managing trust zones and handling the registration of agents and SPIRE servers. Trust zones represent SPIFFE trust domains within the Connect platform; each has its own root of trust and can federate with other zones.

Agent

Section titled “Agent”

Agent identifies a Cofide Agent during registration with the trust zone service.

FieldTypeLabelDescription
agent_idstring
cluster_idstring
trust_zone_idstring

CreateTrustZoneRequest

Section titled “CreateTrustZoneRequest”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZone

CreateTrustZoneResponse

Section titled “CreateTrustZoneResponse”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZone

DestroyTrustZoneRequest

Section titled “DestroyTrustZoneRequest”
FieldTypeLabelDescription
trust_zone_idstringoptional

DestroyTrustZoneResponse

Section titled “DestroyTrustZoneResponse”

GetTrustZoneRequest

Section titled “GetTrustZoneRequest”
FieldTypeLabelDescription
trust_zone_idstringoptional

GetTrustZoneResponse

Section titled “GetTrustZoneResponse”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZoneoptional

ListTrustZonesRequest

Section titled “ListTrustZonesRequest”
FieldTypeLabelDescription
filterListTrustZonesRequest.Filteroptional

ListTrustZonesRequest.Filter

Section titled “ListTrustZonesRequest.Filter”
FieldTypeLabelDescription
namestringoptional
org_idstringoptional
trust_domainstringoptional

ListTrustZonesResponse

Section titled “ListTrustZonesResponse”
FieldTypeLabelDescription
trust_zonesproto.trust_zone.v1alpha1.TrustZonerepeated

RegisterAgentRequest

Section titled “RegisterAgentRequest”
FieldTypeLabelDescription
agentAgent
agent_tokenstring
bundlespire.api.types.Bundle

RegisterAgentResponse

Section titled “RegisterAgentResponse”
FieldTypeLabelDescription
agent_idstring

RegisterTrustZoneServerRequest

Section titled “RegisterTrustZoneServerRequest”
FieldTypeLabelDescription
trust_zone_serverTrustZoneServerTo be deprecated, registration of a trust zone server by just specifying the cluster ID Consumers should provide a trust zone server ID instead
bundlespire.api.types.Bundle
trust_zone_server_idstring

RegisterTrustZoneServerResponse

Section titled “RegisterTrustZoneServerResponse”

Empty for the moment

TrustZoneServer

Section titled “TrustZoneServer”

TrustZoneServer identifies a SPIRE server by its cluster during registration. Deprecated: use trust_zone_server_id in RegisterTrustZoneServerRequest instead.

FieldTypeLabelDescription
cluster_idstring

UpdateTrustZoneBundleRequest

Section titled “UpdateTrustZoneBundleRequest”
FieldTypeLabelDescription
bundlespire.api.types.Bundle
trust_zone_idstring

UpdateTrustZoneBundleResponse

Section titled “UpdateTrustZoneBundleResponse”

UpdateTrustZoneRequest

Section titled “UpdateTrustZoneRequest”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZone

UpdateTrustZoneResponse

Section titled “UpdateTrustZoneResponse”
FieldTypeLabelDescription
trust_zoneproto.trust_zone.v1alpha1.TrustZone

TrustZoneService

Section titled “TrustZoneService”

TrustZoneService manages trust zones and handles the registration of agents and servers. Trust zones represent SPIFFE trust domains within the Connect platform; each zone has its own root of trust and can federate with other zones.

Method NameRequest TypeResponse TypeDescription
CreateTrustZoneCreateTrustZoneRequestCreateTrustZoneResponseCreateTrustZone creates a new trust zone.
DestroyTrustZoneDestroyTrustZoneRequestDestroyTrustZoneResponseDestroyTrustZone removes a trust zone by ID.
GetTrustZoneGetTrustZoneRequestGetTrustZoneResponseGetTrustZone retrieves a trust zone by ID.
ListTrustZonesListTrustZonesRequestListTrustZonesResponseListTrustZones returns all trust zones matching the optional filter.
UpdateTrustZoneUpdateTrustZoneRequestUpdateTrustZoneResponseUpdateTrustZone updates the configuration of an existing trust zone.
RegisterAgentRegisterAgentRequestRegisterAgentResponseRegisterAgent registers a Cofide Agent with its trust zone after it has joined using a token from CreateAgentJoinToken. The agent provides its SPIRE bundle for storage in the control plane.
RegisterTrustZoneServerRegisterTrustZoneServerRequestRegisterTrustZoneServerResponseRegisterTrustZoneServer registers the SPIRE server for a trust zone, storing its bundle in the control plane.
UpdateTrustZoneBundleUpdateTrustZoneBundleRequestUpdateTrustZoneBundleResponseUpdateTrustZoneBundle updates the stored SPIRE trust bundle for a trust zone. Called by Cofide SPIRE server or Cofide Agent when the SPIRE server rotates its bundle.

Top

proto/workload/v1alpha1/workload.proto

Section titled “proto/workload/v1alpha1/workload.proto”

This file defines the Workload message and related types representing processes and containers observed by Cofide Observer on attested nodes. Workload data is streamed to the Connect control plane and used to match workloads against attestation policies for SPIFFE identity issuance.

KubernetesContainer

Section titled “KubernetesContainer”

KubernetesContainer describes a single container within a Kubernetes pod workload.

FieldTypeLabelDescription
namestring
imagestring

KubernetesMetadata

Section titled “KubernetesMetadata”

KubernetesMetadata contains standard Kubernetes object metadata for a workload.

FieldTypeLabelDescription
uidstring
namestring
namespacestring
labelsKubernetesMetadata.LabelsEntryrepeated
annotationsKubernetesMetadata.AnnotationsEntryrepeated
creation_timestampgoogle.protobuf.Timestamp

KubernetesMetadata.AnnotationsEntry

Section titled “KubernetesMetadata.AnnotationsEntry”
FieldTypeLabelDescription
keystring
valuestring

KubernetesMetadata.LabelsEntry

Section titled “KubernetesMetadata.LabelsEntry”
FieldTypeLabelDescription
keystring
valuestring

KubernetesPod

Section titled “KubernetesPod”

KubernetesPod contains the runtime details of a Kubernetes pod workload as observed by the Cofide Observer via the kubelet API.

FieldTypeLabelDescription
metadataKubernetesMetadata
service_account_namestring
node_namestring
node_uidstring
containersKubernetesContainerrepeated
start_timegoogle.protobuf.Timestamp

Observation

Section titled “Observation”

Observation is a structured data point describing the security posture of the workload.

FieldTypeLabelDescription
type_urlstring
valuegoogle.protobuf.Value

Workload

Section titled “Workload”

Workload represents a process, container, or unit of software running on an attested node. Workloads are observed by the Cofide Observer and reported to the Connect control plane. A SPIFFE identity (SVID) can be issued to a workload if it matches an active attestation policy binding within its trust zone.

FieldTypeLabelDescription
idstring
org_idstring
trust_zone_idstring
cluster_idstring
typeWorkloadType
kubernetes_podKubernetesPod
observationsObservationrepeatedSecurity posture observations.
observed_timestampgoogle.protobuf.TimestampWhen this workload was last observed by the Cofide Observer.
deletedboolWhether this workload has been deleted since it was last observed.

WorkloadType

Section titled “WorkloadType”

WorkloadType enumerates the supported workload runtime types.

NameNumberDescription
WORKLOAD_TYPE_UNSPECIFIED0
WORKLOAD_TYPE_KUBERNETES_POD1

Top

proto/connect/workload_service/v1alpha1/workload_service.proto

Section titled “proto/connect/workload_service/v1alpha1/workload_service.proto”

This file defines the WorkloadService gRPC service for accessing workloads observed by Cofide Observers. Observers stream workload observations from the kubelet to the Connect control plane, where they are stored and matched against attestation policies for SPIFFE identity issuance.

ListWorkloadsRequest

Section titled “ListWorkloadsRequest”
FieldTypeLabelDescription
filterListWorkloadsRequest.Filteroptional

ListWorkloadsRequest.Filter

Section titled “ListWorkloadsRequest.Filter”
FieldTypeLabelDescription
org_idstringoptional
trust_zone_idstringoptional
cluster_idstringoptional
max_agegoogle.protobuf.Durationoptionalmax_age filters workloads to those last observed within this duration.

ListWorkloadsResponse

Section titled “ListWorkloadsResponse”
FieldTypeLabelDescription
workloadsproto.workload.v1alpha1.Workloadrepeated

PublishWorkloadsRequest

Section titled “PublishWorkloadsRequest”
FieldTypeLabelDescription
workloadsproto.workload.v1alpha1.Workloadrepeated

PublishWorkloadsResponse

Section titled “PublishWorkloadsResponse”

WorkloadService

Section titled “WorkloadService”

WorkloadService provides access to workloads observed by Cofide Observers. Observers stream workload observations from the kubelet to the Connect control plane, where they are stored and made available for query. Workloads can be matched against attestation policies to determine which SPIFFE identity to issue.

Method NameRequest TypeResponse TypeDescription
ListWorkloadsListWorkloadsRequestListWorkloadsResponseListWorkloads returns all workloads matching the optional filter.
PublishWorkloadsPublishWorkloadsRequest streamPublishWorkloadsResponsePublishWorkloads is a client-streaming RPC used by Cofide Observers to report observed workloads to the Connect control plane.

Top

proto/provision_plugin/v1alpha1/plugin.proto

Section titled “proto/provision_plugin/v1alpha1/plugin.proto”

DeployRequest

Section titled “DeployRequest”
FieldTypeLabelDescription
data_sourceuint32optional
kube_cfg_filestringoptional
trust_zone_namesstringrepeated

DeployResponse

Section titled “DeployResponse”
FieldTypeLabelDescription
statusStatusoptional

GetHelmValuesRequest

Section titled “GetHelmValuesRequest”
FieldTypeLabelDescription
data_sourceuint32optional
trust_zone_namestringoptional
cluster_namestringoptional

GetHelmValuesResponse

Section titled “GetHelmValuesResponse”
FieldTypeLabelDescription
helm_valuesgoogle.protobuf.Structoptional

Status

Section titled “Status”
FieldTypeLabelDescription
stagestringoptional
messagestringoptional
donebooloptional
errorstringoptional

TearDownRequest

Section titled “TearDownRequest”
FieldTypeLabelDescription
data_sourceuint32optional
kube_cfg_filestringoptional
trust_zone_namesstringrepeated

TearDownResponse

Section titled “TearDownResponse”
FieldTypeLabelDescription
statusStatusoptional

ValidateRequest

Section titled “ValidateRequest”

ValidateResponse

Section titled “ValidateResponse”

ProvisionPluginService

Section titled “ProvisionPluginService”
Method NameRequest TypeResponse TypeDescription
ValidateValidateRequestValidateResponse
DeployDeployRequestDeployResponse stream
TearDownTearDownRequestTearDownResponse stream
GetHelmValuesGetHelmValuesRequestGetHelmValuesResponse

Scalar Value Types

Section titled “Scalar Value Types”
.proto TypeNotesC++JavaPythonGoC#PHPRuby
doubledoubledoublefloatfloat64doublefloatFloat
floatfloatfloatfloatfloat32floatfloatFloat
int32Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead.int32intintint32intintegerBignum or Fixnum (as required)
int64Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead.int64longint/longint64longinteger/stringBignum
uint32Uses variable-length encoding.uint32intint/longuint32uintintegerBignum or Fixnum (as required)
uint64Uses variable-length encoding.uint64longint/longuint64ulonginteger/stringBignum or Fixnum (as required)
sint32Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s.int32intintint32intintegerBignum or Fixnum (as required)
sint64Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s.int64longint/longint64longinteger/stringBignum
fixed32Always four bytes. More efficient than uint32 if values are often greater than 2^28.uint32intintuint32uintintegerBignum or Fixnum (as required)
fixed64Always eight bytes. More efficient than uint64 if values are often greater than 2^56.uint64longint/longuint64ulonginteger/stringBignum
sfixed32Always four bytes.int32intintint32intintegerBignum or Fixnum (as required)
sfixed64Always eight bytes.int64longint/longint64longinteger/stringBignum
boolboolbooleanbooleanboolboolbooleanTrueClass/FalseClass
stringA string must always contain UTF-8 encoded or 7-bit ASCII text.stringStringstr/unicodestringstringstringString (UTF-8)
bytesMay contain any arbitrary sequence of bytes.stringByteStringstr[]byteByteStringstringString (ASCII-8BIT)

© 2026 Cofide Limited. All rights reserved.