Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/cert-manager/csi-driver-spiffe

A Kubernetes CSI plugin to automatically mount SPIFFE certificates to Pods using ephemeral volumes
https://github.com/cert-manager/csi-driver-spiffe

Last synced: 3 days ago
JSON representation

A Kubernetes CSI plugin to automatically mount SPIFFE certificates to Pods using ephemeral volumes

Host: GitHub
URL: https://github.com/cert-manager/csi-driver-spiffe
Owner: cert-manager
License: apache-2.0
Created: 2021-10-04T09:25:03.000Z (about 3 years ago)
Default Branch: main
Last Pushed: 2024-04-08T21:46:44.000Z (7 months ago)
Last Synced: 2024-04-14T02:23:09.217Z (7 months ago)
Language: Go
Homepage: https://cert-manager.io/docs/usage/csi-driver-spiffe/
Size: 720 KB
Stars: 60
Watchers: 10
Forks: 15
Open Issues: 8
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md

Awesome Lists containing this project

awesome-spiffe-spire - cert-manager csi-driver-spiffe

README

# csi-driver-spiffe

csi-driver-spiffe is a Container Storage Interface (CSI) driver plugin for
Kubernetes, designed to work alongside [cert-manager](https://cert-manager.io/).

It transparently delivers [SPIFFE](https://spiffe.io/) [SVIDs](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-verifiable-identity-document-svid)
(in the form of X.509 certificate key pairs) to mounting Kubernetes Pods.

The end result is that any and all Pods running in Kubernetes can securely request
a SPIFFE identity document from a Trust Domain with minimal configuration.

These documents in turn have the following properties:

- automatically renewed ✔️
- private key never leaves the node's virtual memory ✔️
- each Pod's document is unique ✔️
- the document shares the same life cycle as the Pod and is destroyed on Pod termination ✔️

```yaml
...
volumeMounts:
- mountPath: "/var/run/secrets/spiffe.io"
name: spiffe
volumes:
- name: spiffe
csi:
driver: spiffe.csi.cert-manager.io
readOnly: true
```

SPIFFE documents can then be used by Pods for mutual TLS (mTLS) or other authentication within their Trust Domain.

## Documentation

Please follow the documentation at [cert-manager.io](https://cert-manager.io/docs/projects/csi-driver-spiffe/)
for installing and using csi-driver-spiffe.

## Release Process

The release process is documented in [RELEASE.md](RELEASE.md).