https://github.com/cert-manager/csi-driver-spiffe
A Kubernetes CSI plugin to automatically mount SPIFFE certificates to Pods using ephemeral volumes
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/cert-manager/csi-driver-spiffe
- Owner: cert-manager
- License: apache-2.0
- Created: 2021-10-04T09:25:03.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2026-02-18T14:38:59.000Z (4 months ago)
- Last Synced: 2026-02-18T18:39:19.036Z (4 months ago)
- Language: Go
- Homepage: https://cert-manager.io/docs/usage/csi-driver-spiffe/
- Size: 1.52 MB
- Stars: 85
- Watchers: 8
- Forks: 21
- Open Issues: 6
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md
Awesome Lists containing this project
- awesome-spiffe-spire - cert-manager csi-driver-spiffe
README
# csi-driver-spiffe
csi-driver-spiffe is a Container Storage Interface (CSI) driver plugin for
Kubernetes, designed to work alongside [cert-manager](https://cert-manager.io/).
It transparently delivers [SPIFFE](https://spiffe.io/) [SVIDs](https://spiffe.io/docs/latest/spiffe-about/spiffe-concepts/#spiffe-verifiable-identity-document-svid)
(in the form of X.509 certificate key pairs) to mounting Kubernetes Pods.
The end result is that any and all Pods running in Kubernetes can securely request
a SPIFFE identity document from a Trust Domain with minimal configuration.
These documents in turn have the following properties:
- automatically renewed ✔️
- private key never leaves the node's virtual memory ✔️
- each Pod's document is unique ✔️
- the document shares the same life cycle as the Pod and is destroyed on Pod termination ✔️
```yaml
...
    volumeMounts:
    - mountPath: "/var/run/secrets/spiffe.io"
      name: spiffe
  volumes:
  - name: spiffe
    csi:
      driver: spiffe.csi.cert-manager.io
      readOnly: true
```
SPIFFE documents can then be used by Pods for mutual TLS (mTLS) or other authentication within their Trust Domain.
## Documentation
Please follow the documentation at [cert-manager.io](https://cert-manager.io/docs/projects/csi-driver-spiffe/)
for installing and using csi-driver-spiffe.
## Release Process
The release process is documented in [RELEASE.md](RELEASE.md).