
Cofide Workload Components

This page describes how to deploy the workload-level components of the Cofide Connect platform.

Before proceeding, add the Cofide Helm charts repository.

helm repo add cofide https://charts.cofide.dev

The Cofide SPIRE agent is a required component in all clusters. In most cases, there is one agent process per node. By default, it is installed alongside the Cofide SPIRE server.

The Cofide Observer is an optional component of the Connect platform. It is required when using Kubernetes attestation policies.

Install the observer with:

helm install \
cofide-observer cofide/cofide-observer \
--version 0.3.3 \
--kube-context <context> \
--namespace cofide \
--create-namespace \
--set observer.connectURL=<your.connect.url> \
--set observer.connectTrustDomain=<connect.trust.domain> \
--wait

The Connect URL and trust domain parameters can be found in your local cofide.yaml file.

The Cofide Agent is an optional component of the Connect platform that programs the downstream network path (via xDS, or for service meshes such as Istio) to provide seamless cross-boundary mTLS.

Use cofidectl to generate values for the Cofide Agent Helm chart:

./cofidectl connect agent helm values \
--trust-zone <trust zone> \
--cluster <cluster> \
--output-file cofide-agent-values.yaml

Install Cofide Agent:

helm install \
cofide-agent cofide/cofide-agent \
--version 0.5.4 \
--kube-context <context> \
--namespace cofide \
--create-namespace \
--values cofide-agent-values.yaml \
--wait

The generated values contain a short-lived join token that the agent uses to register itself with Connect, so a values file that must be persisted unencrypted would also persist that token. In that case it is preferable to generate the values without a token and inject one separately at install time. To do this, pass --generate-token=false when generating values, then generate a token:

./cofidectl connect agent join-token generate \
--trust-zone <trust zone> \
--cluster <cluster> \
--output-file agent-token

The token can then be injected as a Helm value using --set agent.env.AGENT_TOKEN=<token>.
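The token-separated install described above, combined into one script as an added example (this is not Cofide's own tooling). It assumes cofidectl and helm are on the PATH and that the HELM and COFIDECTL variables may be overridden for dry runs; the token file is created with a restrictive umask and is read only at install time, so it never lands in the persisted values file.

```shell
#!/usr/bin/env sh
# Added example (not from the Cofide documentation): install the Cofide Agent
# while keeping the join token out of the persisted values file.
# Assumptions: cofidectl is in ./, helm is in PATH; both can be overridden.
set -eu

HELM="${HELM:-helm}"
COFIDECTL="${COFIDECTL:-./cofidectl}"

# Generate chart values WITHOUT an embedded join token, so the resulting file
# can be stored unencrypted without exposing a registration credential.
generate_values() {
  tz="$1"; cluster="$2"; out="$3"
  "$COFIDECTL" connect agent helm values \
    --trust-zone "$tz" --cluster "$cluster" \
    --generate-token=false --output-file "$out"
}

# Generate a short-lived join token into a file readable only by this user
# (umask 077 applies to the file cofidectl creates inside the subshell).
generate_token() {
  tz="$1"; cluster="$2"; out="$3"
  ( umask 077; "$COFIDECTL" connect agent join-token generate \
      --trust-zone "$tz" --cluster "$cluster" --output-file "$out" )
}

# Install the chart, injecting the token via --set at install time only.
install_agent() {
  ctx="$1"; values="$2"; token_file="$3"
  token=$(cat "$token_file")
  "$HELM" install cofide-agent cofide/cofide-agent \
    --version 0.5.4 --kube-context "$ctx" \
    --namespace cofide --create-namespace \
    --values "$values" \
    --set "agent.env.AGENT_TOKEN=$token" \
    --wait
}

# Usage (constructed placeholders):
#   generate_values my-trust-zone my-cluster cofide-agent-values.yaml
#   generate_token  my-trust-zone my-cluster agent-token
#   install_agent   my-context cofide-agent-values.yaml agent-token
#   rm -f agent-token   # the token is consumed; do not keep it around
```

Note that a value passed with --set is still visible in the helm process's argument list for the duration of the install, so run this from a host where that is acceptable.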