
Authentication

This page provides details on the various authentication options available when provisioning and onboarding Connect components onto the platform.

When using the Cofide SPIRE Server (as outlined with cofidectl here), there are two options for onboarding to Connect.

The default method for securely introducing (onboarding) a Cofide SPIRE server to Connect relies on OpenID Connect (OIDC).

In this process, the Cofide SPIRE server first obtains a Projected Service Account Token (PSAT) from the workload Kubernetes cluster it is running on. The Kubernetes cluster itself acts as the OIDC Identity Provider (IdP).

For this introduction to work, the Kubernetes cluster must expose a public OIDC endpoint. When the Cofide SPIRE server presents its PSAT to Connect, Connect uses this public endpoint to retrieve the OIDC discovery information and public keys (via JWKS) needed to validate the token’s signature and claims. This verifies the server’s identity and allows it to be securely onboarded.

Trust zones using this method need the following configuration fields set:

cofidectl trust-zone add \
...
--kubernetes-oidc-issuer <your-kube-oidc-issuer> \
--kubernetes-ca-cert /path/to/your/ca/cert

  • --kubernetes-oidc-issuer: OIDC issuer URL for the Kubernetes cluster
  • --kubernetes-ca-cert: (Optional) Path to the CA certificate of the Kubernetes OIDC issuer

As an alternative to the PSAT approach, a short-lived join token may be generated during deployment and then used by the Cofide SPIRE Server to identify itself to Connect at onboarding time.

cofidectl connect init \
...
--use-join-token

To refresh the join token for re-onboarding, run the cofidectl up command again.

If deploying the Cofide SPIRE server using Helm, a new token can be generated directly with the command:

cofidectl connect server join-token generate \
--trust-zone <trust zone> \
--cluster <cluster> \
--output-file server-token