Installing and configuring cofidectl

Having provisioned a Connect Control Plane (or been given access to a Cofide-hosted one), you can start using the Connect platform to secure your workloads with modern, cryptographically verifiable workload identity primitives.

This page explains how to set up your local environment in order to start working with the Cofide Connect platform.

The open-source cofidectl tool provides a command-line interface for deploying and configuring workload identity resources in Kubernetes clusters. Cofide also maintains a proprietary Connect-enabled version of cofidectl for securely interacting with the Connect control plane. Cofide partners and customers should use the proprietary version.

The key difference between the two is where configuration lives: the open-source cofidectl stores all workload identity configuration in a local cofide.yaml file, whereas the Connect-enabled CLI uses the production-ready Connect control plane as its data store and the local cofide.yaml holds only the minimal configuration needed to reach Connect. From a user's perspective, the simplest way to tell which CLI you are running is to check whether a cofidectl connect subcommand is available.

A quickstart script retrieves the latest stable binaries for the Connect-enabled CLI. First download the script:

    curl -sfL https://get.cofide.dev/cofidectl.sh --output get.sh

Downloading to a file rather than piping it straight into a shell lets you inspect get.sh before executing it. When you are satisfied with its contents, run it with:

    bash ./get.sh

The script is interactive and will prompt you to confirm the version to install. Once the binary has been downloaded, you will be offered the option to move cofidectl to /usr/local/bin for system-wide access; otherwise it remains in the current directory. The resulting cofidectl binary is the Connect-enabled CLI, ready to use with a Connect control plane instance.

To configure the CLI to use your Connect control plane, run cofidectl connect init. This will create a local Connect configuration file named cofide.yaml in the current working directory, containing configuration parameters for subsequent cofidectl commands.

The following flags are always required for cofidectl connect init:

  • --connect-url: host and port of the Connect instance
  • --connect-trust-domain: Trust domain of the Connect instance
  • --connect-bundle-host: URL from which to fetch Connect’s trust bundle
  • --authorization-client-id: OpenID Connect client ID used to authenticate with the Connect API

In certain cases a join token must be used as an alternative authentication method; pass --use-join-token to do so. See the authentication documentation for further information.

Once initialised, you need to log in with the identity provider (IdP) backing Cofide Connect:

    cofidectl connect login

then complete the login in the browser window it opens. Credentials are stored by default at ~/.cofide/credentials; treat that path as a secret and keep it readable only by your own user.
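The steps above, collected into one bootstrap script as an added example (this is not Cofide's installer or any script from the project). It downloads get.sh, pauses so the operator can read it, installs, checks that the resulting binary really is the Connect-enabled CLI, builds the cofidectl connect init invocation from environment variables, and logs in. The COFIDE_* variable names are this script's own convention, the check for the connect subcommand assumes cofidectl accepts --help on subcommands, and the final chmod is an added hardening step rather than something the installer does.

```shell
#!/bin/sh
# Added example, not Cofide's own installer: a bootstrap script following the
# steps on this page (download get.sh, install, connect init, connect login).
# The COFIDE_* variable names are this script's own convention; the flags,
# URLs and paths are the ones documented above.
set -eu

# Required inputs, one per mandatory 'cofidectl connect init' flag:
#   COFIDE_CONNECT_URL           host and port of the Connect instance
#   COFIDE_CONNECT_TRUST_DOMAIN  trust domain of the Connect instance
#   COFIDE_CONNECT_BUNDLE_HOST   URL from which to fetch Connect's trust bundle
#   COFIDE_AUTHZ_CLIENT_ID       OpenID Connect client ID for the Connect API
# Optional:
#   COFIDE_USE_JOIN_TOKEN=1      authenticate with a join token instead of OIDC

# Print the argument list for 'cofidectl connect init', refusing to continue if
# any required value is empty so a half-configured cofide.yaml is never written.
build_init_args() {
    for var in COFIDE_CONNECT_URL COFIDE_CONNECT_TRUST_DOMAIN \
               COFIDE_CONNECT_BUNDLE_HOST COFIDE_AUTHZ_CLIENT_ID; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "build_init_args: $var must be set" >&2
            return 1
        fi
    done
    printf '%s' "connect init" \
        " --connect-url $COFIDE_CONNECT_URL" \
        " --connect-trust-domain $COFIDE_CONNECT_TRUST_DOMAIN" \
        " --connect-bundle-host $COFIDE_CONNECT_BUNDLE_HOST" \
        " --authorization-client-id $COFIDE_AUTHZ_CLIENT_ID"
    if [ "${COFIDE_USE_JOIN_TOKEN:-0}" = "1" ]; then
        printf '%s' " --use-join-token"
    fi
    printf '\n'
}

# Return 0 if the given binary is the Connect-enabled CLI, i.e. it has a
# 'connect' subcommand. Assumes the subcommand accepts --help (Cobra-style CLI).
is_connect_cli() {
    "$1" connect --help >/dev/null 2>&1
}

# End-to-end flow. It needs network access and an operator at the keyboard, so
# it only runs when COFIDE_BOOTSTRAP=1 is set; the helpers above can be sourced
# and used on their own.
bootstrap() {
    curl -sfL https://get.cofide.dev/cofidectl.sh --output get.sh
    # Read what was fetched before executing it: it downloads and installs binaries.
    ${PAGER:-less} get.sh
    bash ./get.sh
    # The installer leaves cofidectl in the current directory or moves it to /usr/local/bin.
    if [ -x ./cofidectl ]; then bin=./cofidectl; else bin=cofidectl; fi
    if ! is_connect_cli "$bin"; then
        echo "bootstrap: $bin has no 'connect' subcommand; this is the open-source build" >&2
        return 1
    fi
    init_args=$(build_init_args)
    # shellcheck disable=SC2086 -- the flag values contain no whitespace
    "$bin" $init_args
    "$bin" connect login
    # Added hardening (assumption, not installer behaviour): the stored
    # credentials under ~/.cofide should be readable only by this user.
    chmod -R go-rwx "$HOME/.cofide"
}

if [ "${COFIDE_BOOTSTRAP:-0}" = "1" ]; then
    bootstrap
fi
```

Run it as `COFIDE_BOOTSTRAP=1 COFIDE_CONNECT_URL=... COFIDE_CONNECT_TRUST_DOMAIN=... COFIDE_CONNECT_BUNDLE_HOST=... COFIDE_AUTHZ_CLIENT_ID=... sh bootstrap.sh`. The flag values are word-split when passed to cofidectl, which is safe for host:port strings, trust domains, URLs and client IDs but would break on values containing spaces.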