CLI

This page outlines how to use the Connect-enabled cofidectl CLI tool to configure and manage Cofide resources, all backed by the Connect platform. It assumes the installation instructions have been followed.

A trust zone can be created with the following command:

cofidectl trust-zone add \
<trust-zone-name> \
--trust-domain <trust-domain>
  • --trust-domain: The SPIFFE trust domain of this trust zone, i.e. the authority part of the SPIFFE IDs issued to its workloads

A cluster can then be added to the trust zone with the following command:

cofidectl cluster add \
<cluster-name> \
--trust-zone <trust-zone-name> \
--kubernetes-context <context-of-k8s-cluster> \
--profile kubernetes
  • --kubernetes-context: (optional) The kubeconfig context of the target Kubernetes cluster
  • --profile: The trust profile to use (options: kubernetes, istio)

There are multiple options for authenticating Cofide SPIRE with Connect. If using OpenID Connect, add the --kubernetes-oidc-issuer flag to the cofidectl cluster add command:

cofidectl cluster add \
...
--kubernetes-oidc-issuer <your.kubernetes.oidc.issuer>

See here for further information on authentication.

If multiple trust zones exist, then they may be federated, allowing for a trust relationship to be established.

cofidectl federation add \
--trust-zone <local trust zone> \
--remote-trust-zone <remote trust zone>

A federation is unidirectional: the local trust zone obtains the remote trust zone's bundle and can therefore verify identities issued by the remote, but the remote does not trust the local zone unless a second federation is added with the arguments reversed. Mutual TLS between workloads in the two zones requires trust in both directions, so both federations are needed.

Kubernetes attestation policies select the workloads that receive identities by namespace and/or pod label. Creating a namespace attestation policy and binding it to the new trust zone can be done with:

cofidectl attestation-policy add kubernetes \
--name <name-of-ap> \
--namespace <namespace>
  • --name: Name of the policy
  • --namespace: Namespace to issue identities for

cofidectl attestation-policy-binding add \
--trust-zone <trust-zone-name> \
--attestation-policy <name-of-ap>
  • --trust-zone: Trust zone to bind the policy to
  • --attestation-policy: Attestation policy to bind

Similarly, a pod label attestation policy can be created with:

cofidectl attestation-policy add kubernetes \
--name <name-of-another-ap> \
--pod-label <pod-label>
  • --name: Name of the policy
  • --pod-label: Pod label to issue identities for

and bound to the trust zone in the same way as above.

Even when federations exist between trust zones, workloads do not automatically trust workloads in other trust zones; they must opt in. Adding the federation makes the remote bundle available to the trust zone, and a binding with the --federates-with argument selects which of its workloads actually use it:

cofidectl attestation-policy-binding add \
--trust-zone <trust-zone-name> \
--attestation-policy <name-of-ap> \
--federates-with <federated trust zone>
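As an added end-to-end example (not from the Cofide documentation or the cofidectl project), the following POSIX shell script strings the commands on this page together for the case they are building towards: two trust zones whose workloads must talk to each other over mTLS. Each zone gets a cluster, federation is added in both directions, and a namespace attestation policy in each zone is bound with --federates-with pointing at the other zone. The zone names, trust domains, kubeconfig contexts and namespace are placeholders, and the DRY_RUN wrapper is the example's own; only flags shown on this page are passed to cofidectl.

```shell
#!/bin/sh
# Added example, not Cofide's own code: provision two trust zones that
# trust each other and opt a namespace in each zone in to the federation.
#
# Assumptions (not stated on the page): the zone names, trust domains,
# kubeconfig contexts, namespace and the "<zone>-cluster" / "<zone>-<ns>-ns"
# naming are illustrative placeholders. Only cofidectl flags documented on
# the page are used.
#
# With DRY_RUN=1 every cofidectl invocation is printed instead of executed,
# so the full plan can be reviewed before anything is created in Connect.

set -e

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a trust zone and attach one Kubernetes cluster to it.
# $1 zone name, $2 SPIFFE trust domain, $3 kubeconfig context
zone_with_cluster() {
    run cofidectl trust-zone add "$1" --trust-domain "$2"
    run cofidectl cluster add "$1-cluster" \
        --trust-zone "$1" \
        --kubernetes-context "$3" \
        --profile kubernetes
}

# A federation is unidirectional; mTLS needs one in each direction.
# $1 first zone, $2 second zone
federate_both_ways() {
    run cofidectl federation add --trust-zone "$1" --remote-trust-zone "$2"
    run cofidectl federation add --trust-zone "$2" --remote-trust-zone "$1"
}

# Namespace policy for zone $1, bound so that its workloads federate with
# zone $2 (the federation alone does not make workloads trust the remote).
# $3 namespace
namespace_policy_federating() {
    ap="$1-$3-ns"
    run cofidectl attestation-policy add kubernetes --name "$ap" --namespace "$3"
    run cofidectl attestation-policy-binding add \
        --trust-zone "$1" \
        --attestation-policy "$ap" \
        --federates-with "$2"
}

# Complete plan for a symmetric pair of zones.
# $1 zoneA, $2 domainA, $3 ctxA, $4 zoneB, $5 domainB, $6 ctxB, $7 namespace
federate_pair() {
    zone_with_cluster "$1" "$2" "$3"
    zone_with_cluster "$4" "$5" "$6"
    federate_both_ways "$1" "$4"
    namespace_policy_federating "$1" "$4" "$7"
    namespace_policy_federating "$4" "$1" "$7"
}

# Usage: DRY_RUN=1 sh federate.sh tz-a a.example.com kind-a tz-b b.example.com kind-b payments
if [ "$#" -ge 7 ]; then
    federate_pair "$@"
fi
```

Run it once with DRY_RUN=1 to review the ten commands it will issue (two per zone, two federations, and a policy plus binding per zone), then again without DRY_RUN against a working cofidectl installation. Dropping either federation, or either --federates-with binding, leaves one side unable to verify the other and mTLS between the zones will fail.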