
Cofide Workload Components

This page describes how to deploy the workload-level components of the Cofide Connect platform.

Before proceeding, add the Cofide Helm chart repository:

helm repo add cofide https://charts.cofide.dev

The Cofide SPIRE agent is a required component in all clusters. In most cases, there is one agent process per node. By default, it is installed alongside the Cofide SPIRE server.

The Cofide Observer is an optional component of the Connect platform. It is required when using Kubernetes attestation policies.

Install the observer with:

helm install \
cofide-observer cofide/cofide-observer \
--version 0.3.3 \
--kube-context <context> \
--namespace cofide \
--create-namespace \
--set observer.connectURL=<your.connect.url> \
--set observer.connectTrustDomain=<connect.trust.domain> \
--wait

The Connect URL and trust domain parameters can be found in your local cofide.yaml file.

The Cofide Agent is an optional component of the Connect platform that programs the downstream network path (via xDS, or for meshes such as Istio) to provide seamless cross-boundary mTLS.

Use cofidectl to generate values for the Cofide Agent Helm chart:

./cofidectl connect agent helm values \
--trust-zone <trust zone> \
--cluster <cluster> \
--output-file cofide-agent-values.yaml

Install Cofide Agent:

helm install \
cofide-agent cofide/cofide-agent \
--version 0.5.4 \
--kube-context <context> \
--namespace cofide \
--create-namespace \
--values cofide-agent-values.yaml \
--wait

When using Cofide SPIRE, a join token is not required for Cofide Agent.

If using OSS SPIRE, a join token is required to establish federation between a workload trust zone and Connect. In this case, pass --generate-token=true when generating values to include a short-lived join token directly in the values file. Alternatively, generate one separately:

./cofidectl connect agent join-token generate \
--trust-zone <trust zone> \
--cluster <cluster> \
--output-file agent-token

The token can then be injected as a Helm value using --set agent.env.AGENT_TOKEN=<token>.
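As an added example (not part of Cofide's documentation or tooling), the script below chains the steps above into one install routine: it generates the values file with cofidectl, refuses an empty or world-readable join-token file, and for OSS SPIRE feeds the token through helm's `--set-file` so it never appears on the command line or in shell history. It assumes the chart reads `agent.env.AGENT_TOKEN` the same way whether set with `--set` or `--set-file`.

```shell
# Added example (not Cofide's code): chain the steps above and keep an
# OSS-SPIRE join token out of argv/history via helm's --set-file.
# Assumption: the chart reads agent.env.AGENT_TOKEN the same way as with --set.

# Print the helm arguments for installing cofide-agent, one per line.
# $1 kube context, $2 values file, $3 optional join-token file (OSS SPIRE).
build_agent_install_args() {
  ctx="$1"; values="$2"; token_file="${3:-}"
  printf '%s\n' install cofide-agent cofide/cofide-agent \
    --version 0.5.4 --kube-context "$ctx" --namespace cofide \
    --create-namespace --values "$values" --wait
  if [ -n "$token_file" ]; then
    # Read the token from the file at install time instead of pasting it on
    # the command line, where it would be visible in ps and shell history.
    printf '%s\n' --set-file "agent.env.AGENT_TOKEN=$token_file"
  fi
}

# Refuse a join-token file that is empty or readable by other users.
check_token_file() {
  f="$1"
  [ -s "$f" ] || { echo "token file $f is missing or empty" >&2; return 1; }
  perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  case "$perms" in
    600|400) return 0 ;;
    *) echo "token file $f has mode $perms, expected 600 or 400" >&2; return 1 ;;
  esac
}

# Generate values with cofidectl and install. Pass a token file as $4 only
# when the workload trust zone runs OSS SPIRE; with Cofide SPIRE omit it.
install_cofide_agent() {
  tz="$1"; cluster="$2"; ctx="$3"; token_file="${4:-}"
  ./cofidectl connect agent helm values \
    --trust-zone "$tz" --cluster "$cluster" \
    --output-file cofide-agent-values.yaml || return 1
  if [ -n "$token_file" ]; then
    check_token_file "$token_file" || return 1
  fi
  # Split the one-per-line list back into words: newline-only IFS, no globbing.
  (
    IFS='
'
    set -f
    set -- $(build_agent_install_args "$ctx" cofide-agent-values.yaml "$token_file")
    helm "$@"
  )
}
```

Run it as `install_cofide_agent <trust zone> <cluster> <context>` for Cofide SPIRE, or append the path to the `agent-token` file generated above for OSS SPIRE.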