spiffe-enable

spiffe-enable is a Kubernetes Mutating Admission Webhook that simplifies the adoption of SPIFFE (Secure Production Identity Framework for Everyone). It automates the injection of sidecars and configurations into Kubernetes Pods, allowing applications to securely receive and use SPIFFE Verifiable Identity Documents (SVIDs) without requiring code changes.

Within Cofide Connect, spiffe-enable acts as the onboarding layer for workloads that are not natively SPIFFE-aware, automating what would otherwise require manual configuration or code changes.

  • Automated Injection: Automatically adds necessary components to Pods based on simple Kubernetes annotations.
  • Multiple Integration Modes: Supports CSI, Helper, and Proxy modes to suit different workload requirements.
  • Namespace-Level Control: Controlled via label selectors to ensure injection only occurs in authorized namespaces.
  • Debug UI: Provides an optional web interface to inspect a workload’s identity status.

spiffe-enable is typically installed via Helm into the cofide namespace:

```sh
helm repo add cofide https://charts.cofide.dev
helm install spiffe-enable cofide/spiffe-enable \
  --namespace cofide \
  --create-namespace
```

To enable the webhook for a specific namespace, label it with spiffe.cofide.io/enabled=true:

```sh
kubectl label namespace <your-namespace> spiffe.cofide.io/enabled=true
```

Opt in to specific features by adding the spiffe.cofide.io/inject annotation to your Pod template. This annotation accepts a comma-separated list of components:

| Annotation | Value | Effect |
| --- | --- | --- |
| spiffe.cofide.io/inject | csi | Mounts the SPIFFE CSI driver volume and sets SPIFFE_ENDPOINT_SOCKET. |
| spiffe.cofide.io/inject | helper | Injects the spiffe-helper sidecar to manage certificates on disk. |
| spiffe.cofide.io/inject | proxy | Injects an Envoy sidecar for mTLS (requires Cofide Connect Agent). |
| spiffe.cofide.io/debug | true | Injects the Debug UI (accessible via port 8080). |

The simplest way to provide a workload with access to the SPIFFE Workload API is using the CSI driver:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
      annotations:
        spiffe.cofide.io/inject: "csi"
    spec:
      containers:
        - name: my-app
          image: my-app-image
```

This will automatically mount the SPIFFE CSI driver volume to all containers in the Pod and set the SPIFFE_ENDPOINT_SOCKET environment variable.

The helper mode injects a spiffe-helper sidecar that retrieves SVIDs from the SPIFFE Workload API and writes the certificate, private key, and trust bundle to a shared volume, automatically renewing them before expiry. This is useful for workloads that expect credentials on disk rather than querying the Workload API directly.

The proxy mode injects an Envoy sidecar that transparently handles mTLS for inbound and outbound traffic. This allows workloads to securely communicate with Federated Services, including those in service meshes in other trust zones, without any application-level TLS or networking changes.
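Once a Pod has been admitted, the quickest way to confirm that each requested mode was actually applied is to inspect the mutated Pod object (for example the output of `kubectl get pod -o json`). The following is an added example, not part of spiffe-enable, that does this for the csi, helper and proxy modes described above; the CSI driver name `csi.spiffe.io` comes from the upstream SPIFFE CSI driver, while the sidecar container names `spiffe-helper` and `envoy` are assumptions for this example.

```python
import json

ANNOTATION = "spiffe.cofide.io/inject"
ALLOWED_MODES = {"csi", "helper", "proxy"}
# Upstream SPIFFE CSI driver name; sidecar names are assumptions, not from the page.
CSI_DRIVER = "csi.spiffe.io"
SIDECAR_NAMES = {"helper": "spiffe-helper", "proxy": "envoy"}

def requested_modes(pod):
    """Parse the comma-separated spiffe.cofide.io/inject annotation."""
    raw = pod.get("metadata", {}).get("annotations", {}).get(ANNOTATION, "")
    return {m.strip() for m in raw.split(",") if m.strip()}

def check_injection(pod):
    """Map each requested mode to its problems; an empty list means it was applied."""
    spec = pod.get("spec", {})
    containers = spec.get("containers", [])
    container_names = {c["name"] for c in containers}
    csi_volumes = {v["name"] for v in spec.get("volumes", [])
                   if v.get("csi", {}).get("driver") == CSI_DRIVER}
    report = {}
    for mode in sorted(requested_modes(pod)):
        problems = []
        if mode not in ALLOWED_MODES:
            problems.append(f"unknown mode {mode!r}")
        elif mode == "csi":
            if not csi_volumes:
                problems.append(f"no volume backed by {CSI_DRIVER}")
            for c in containers:  # csi mode must reach every container in the Pod
                mounts = {m["name"] for m in c.get("volumeMounts", [])}
                env = {e["name"] for e in c.get("env", [])}
                if not mounts & csi_volumes:
                    problems.append(f"{c['name']}: CSI volume not mounted")
                if "SPIFFE_ENDPOINT_SOCKET" not in env:
                    problems.append(f"{c['name']}: SPIFFE_ENDPOINT_SOCKET unset")
        elif SIDECAR_NAMES[mode] not in container_names:
            problems.append(f"sidecar {SIDECAR_NAMES[mode]} not injected")
        report[mode] = problems
    return report

# Constructed sample of an admitted Pod: csi was applied, the helper sidecar was not.
SAMPLE_POD = json.loads("""{
 "metadata": {"annotations": {"spiffe.cofide.io/inject": "csi,helper"}},
 "spec": {
  "volumes": [{"name": "spiffe-workload-api", "csi": {"driver": "csi.spiffe.io"}}],
  "containers": [{"name": "my-app", "image": "my-app-image",
   "env": [{"name": "SPIFFE_ENDPOINT_SOCKET", "value": "unix:///spiffe-workload-api/spire-agent.sock"}],
   "volumeMounts": [{"name": "spiffe-workload-api", "mountPath": "/spiffe-workload-api"}]}]}}""")
```

Running `check_injection(SAMPLE_POD)` reports an empty list for `csi` and a missing `spiffe-helper` sidecar for `helper`, which is the kind of gap to look for when a workload is not finding its credentials on disk.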