cofide · markgoddard · Oct 21, 2025 · Oct 13, 2025
diff --git a/README.md b/README.md
@@ -23,6 +23,8 @@ The modes that are currently available:
 | `helper`  | A `spiffe-helper` sidecar container will be injected to retrieve and automatically renew the SVID and bundle. `csi` mode is implicitly enabled. |
 | `proxy`   | An Envoy sidecar container will be injected. `csi` mode is implicitly enabled. Note: this is used in conjuction with [Cofide's Connect Agent](#production-use-cases) |
 
+When using the `proxy` component, the log level for the Envoy sidecar can be configured using the `spiffe.cofide.io/envoy-log-level` annotation.
+
 ### Debug UI
 
 `spiffe-enable` also provides a basic UI to help user's debug the configuration and credentials that have been received by the workload identity provider - eg the SVID and the trust bundle. 

diff --git a/internal/const/const.go b/internal/const/const.go
@@ -2,8 +2,9 @@ package constants
 
 // Pod annotations
 const (
-	InjectAnnotation = "spiffe.cofide.io/inject"
-	DebugAnnotation  = "spiffe.cofide.io/debug"
+	InjectAnnotation        = "spiffe.cofide.io/inject"
+	DebugAnnotation         = "spiffe.cofide.io/debug"
+	EnvoyLogLevelAnnotation = "spiffe.cofide.io/envoy-log-level"
 )
 
 // Components that can be injected

diff --git a/internal/proxy/config.go b/internal/proxy/config.go
@@ -156,15 +156,15 @@ func (e *Envoy) GetInitContainer() corev1.Container {
 	}
 }
 
-func (e *Envoy) GetSidecarContainer() corev1.Container {
+func (e *Envoy) GetSidecarContainer(logLevel string) corev1.Container {
 	configFilePath := filepath.Join(EnvoyConfigMountPath, EnvoyConfigFileName)
 
 	return corev1.Container{
 		Name:            EnvoySidecarContainerName,
 		Image:           IstioImage,
 		ImagePullPolicy: corev1.PullIfNotPresent,
 		Command:         []string{"envoy"},
-		Args:            []string{"-c", configFilePath},
+		Args:            []string{"-c", configFilePath, "-l", logLevel},
 		VolumeMounts: []corev1.VolumeMount{
 			{Name: EnvoyConfigVolumeName, MountPath: EnvoyConfigMountPath},
 			workload.GetSPIFFEVolumeMount(),

diff --git a/internal/webhook/webhook.go b/internal/webhook/webhook.go
@@ -150,7 +150,14 @@ func (a *spiffeEnableWebhook) Handle(ctx context.Context, req admission.Request)
 				// Add the Envoy container as a sidecar
 				if !workload.ContainerExists(pod.Spec.Containers, proxy.EnvoySidecarContainerName) {
 					logger.Info("Adding Envoy proxy sidecar container", "containerName", proxy.EnvoySidecarContainerName)
-					pod.Spec.Containers = append(pod.Spec.Containers, envoy.GetSidecarContainer())
+
+					// Check for a log level annotation
+					logLevel := pod.Annotations[constants.EnvoyLogLevelAnnotation]
+					if logLevel == "" {
+						logLevel = "info"
+					}
+
+					pod.Spec.Containers = append(pod.Spec.Containers, envoy.GetSidecarContainer(logLevel))
 				}
 
 			case constants.InjectAnnotationHelper: