Deploy Cofide SPIRE
Onboarding workloads to the Cofide Connect platform happens in a few logically distinct stages. This guide will walk through these stages for a new Connect user.
Define Trust Boundaries
First, decide on one or more sensible trust zones for your organization. Each trust zone requires a Kubernetes cluster to host that zone's Cofide SPIRE server deployment, and each node (i.e. workload host) in the trust zone runs a Cofide SPIRE agent.
In the simplest case, a trust zone may consist of a single Kubernetes cluster hosting Cofide SPIRE components and all workloads; in a more complex environment, a single trust zone could contain multiple clusters, as well as public cloud-provider VMs and on-premise bare-metal nodes.
Create API Resources
The Cofide Connect platform currently offers several open-source tools for interacting with the Connect API:
- The cofidectl command line interface.
- The official Cofide Terraform provider.
- The Cofide API SDK for direct, low-level gRPC calls.
- The Connect Dashboard (read only).
Having chosen logical trust zone boundaries, the next step is to create corresponding Trust Zone Connect API resources. In this guide we will use the cofidectl CLI for simplicity; however, an Infrastructure as Code process using the Terraform provider is a better choice for production use cases. The Cofide API SDK allows Connect users to build their own custom tooling around the API if required.
In general, some resources such as trust zones and clusters are likely to be fairly static, while others such as attestation policies may be more dynamic and follow workload life cycles.
A trust zone can be created with the following command:
```bash
cofidectl trust-zone add \
  my-first-trust-zone \
  --trust-domain example.com
```
The trust domain becomes the authority of every SPIFFE ID issued in the zone (spiffe://example.com/...), so choose a name you control and do not expect to change. For additional configuration options, see cofidectl trust-zone add -h.
Next, for each trust zone, decide which Kubernetes cluster should host the Cofide SPIRE server and create a corresponding Cluster resource in the Connect API. For example:
```bash
cofidectl cluster add \
  my-workload-cluster \
  --trust-zone my-first-trust-zone \
  --kubernetes-context <context-of-k8s-cluster> \
  --kubernetes-oidc-issuer https://<cluster-oidc-issuer-url>
```
The above command uses Kubernetes OIDC functionality to allow the trust zone's Cofide SPIRE server to authenticate with Connect. The issuer is the cluster's service account token issuer; in practice it must be served over HTTPS and its discovery document must be reachable from Connect, so that the SPIRE server's service account tokens can be verified. Alternative authentication methods are also available.
For additional configuration options, see cofidectl cluster add -h.
Deploy Cofide SPIRE server
Having created the trust zone and cluster entries for your workload identity infrastructure, the next step is to deploy the Cofide SPIRE server to a Kubernetes cluster in each trust zone using the Cofide SPIRE Helm charts. For convenience, cofidectl provides commands to populate the Helm values for these charts from the configuration held in Connect.
Before proceeding, install the Cofide Helm charts repository.
```bash
helm repo add cofide https://charts.cofide.dev
```
Then use cofidectl to generate values for the Cofide SPIRE Helm charts:
```bash
cofidectl trust-zone helm values \
  my-first-trust-zone \
  --output-file spire-values.yaml
```
Inspect the generated values and make any changes or additions as required, then install Cofide SPIRE on your Connect-registered cluster:
```bash
helm install spire cofide/spire \
  --version 0.28.3-cofide.0 \
  --kube-context <context> \
  --namespace spire-mgmt \
  --create-namespace \
  --values spire-values.yaml \
  --wait
```
Once complete, the Cofide SPIRE server is ready to start issuing SPIFFE identities to your workloads in the trust zone.
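The whole procedure above, from trust zone creation to the Helm install, as one script. This is an added example and not Cofide's own tooling or documentation: the cofidectl, helm and kubectl invocations are the ones shown on this page, but the environment variable names, the placeholder defaults, the preflight checks on the trust domain and OIDC issuer, the grep over the generated values file and the final pod listing are assumptions of this example. Nothing is applied unless COFIDE_ONBOARD_APPLY=1 is set, so the check functions can be exercised on their own.

```shell
#!/bin/sh
# Added example, not Cofide's code: runs the onboarding steps as one script,
# failing fast on the two inputs that are hardest to change later (the trust
# domain and the cluster's OIDC issuer) and sanity-checking the generated
# Helm values before anything is installed. Placeholder defaults below are
# assumptions; override them via the environment.
set -eu
export LC_ALL=C   # keep character-class matching locale-independent

TRUST_ZONE="${TRUST_ZONE:-my-first-trust-zone}"
TRUST_DOMAIN="${TRUST_DOMAIN:-example.com}"
CLUSTER="${CLUSTER:-my-workload-cluster}"
KUBE_CONTEXT="${KUBE_CONTEXT:-<context-of-k8s-cluster>}"            # placeholder
OIDC_ISSUER="${OIDC_ISSUER:-https://<cluster-oidc-issuer-url>}"     # placeholder
CHART_VERSION="${CHART_VERSION:-0.28.3-cofide.0}"
VALUES_FILE="${VALUES_FILE:-spire-values.yaml}"
NAMESPACE="${NAMESPACE:-spire-mgmt}"

# A SPIFFE trust domain is a bare, lowercase host-like name: only [a-z0-9._-],
# so no scheme, port, path or uppercase ("spiffe://example.com", "Example.com"
# and "example.com:8443" are all rejected).
valid_trust_domain() {
  case "$1" in
    ''|*[!a-z0-9._-]*) return 1 ;;
  esac
}

# OIDC discovery requires an https issuer with no query string or fragment;
# Connect must be able to fetch <issuer>/.well-known/openid-configuration.
# Raw angle brackets are rejected so an unreplaced placeholder fails here.
valid_oidc_issuer() {
  case "$1" in
    https://?*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *'?'*|*'#'*|*'<'*|*'>'*) return 1 ;;
  esac
}

# Sanity check on the generated values (assumed heuristic, not a schema check):
# they should at least reference the trust domain registered in Connect.
values_reference_trust_domain() {
  grep -qF -- "$2" "$1"
}

onboard() {
  valid_trust_domain "$TRUST_DOMAIN" || { echo "invalid trust domain: $TRUST_DOMAIN" >&2; return 1; }
  valid_oidc_issuer "$OIDC_ISSUER"   || { echo "invalid OIDC issuer: $OIDC_ISSUER" >&2; return 1; }

  # 1. Trust zone and cluster resources in the Connect API.
  cofidectl trust-zone add "$TRUST_ZONE" --trust-domain "$TRUST_DOMAIN"
  cofidectl cluster add "$CLUSTER" \
    --trust-zone "$TRUST_ZONE" \
    --kubernetes-context "$KUBE_CONTEXT" \
    --kubernetes-oidc-issuer "$OIDC_ISSUER"

  # 2. Helm values generated from Connect, checked before use.
  helm repo add cofide https://charts.cofide.dev --force-update
  helm repo update cofide
  cofidectl trust-zone helm values "$TRUST_ZONE" --output-file "$VALUES_FILE"
  values_reference_trust_domain "$VALUES_FILE" "$TRUST_DOMAIN" || {
    echo "$VALUES_FILE does not mention $TRUST_DOMAIN; inspect it before installing" >&2
    return 1
  }

  # 3. Install the Cofide SPIRE server at a pinned chart version and show
  #    what came up (generic kubectl listing, not a Cofide-specific check).
  helm install spire cofide/spire \
    --version "$CHART_VERSION" \
    --kube-context "$KUBE_CONTEXT" \
    --namespace "$NAMESPACE" \
    --create-namespace \
    --values "$VALUES_FILE" \
    --wait
  kubectl --context "$KUBE_CONTEXT" -n "$NAMESPACE" get pods
}

# Only apply when explicitly asked, so the file can be sourced for its checks.
if [ "${COFIDE_ONBOARD_APPLY:-0}" = 1 ]; then
  onboard
fi
```

Run it with COFIDE_ONBOARD_APPLY=1 and the real KUBE_CONTEXT and OIDC_ISSUER exported; with the placeholder defaults the issuer check rejects the unreplaced value before any API call is made.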
Your next step is the workloads overview.
© 2026 Cofide Limited. All rights reserved.