Releases: cert-manager/csi-driver-spiffe
v0.10.1
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
This release is a patch release, upgrading Go from 1.25.1 to 1.25.3, fixing a range of CVEs: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.
Furthermore, additional go dependencies were upgraded where possible.
Full Changelog: v0.10.0...v0.10.1
v0.10.0
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
This version upgrades the csi-lib dependency, introducing support for fsGroup.
What's Changed
- Add
securityContext.fsGroupsupport by @inteon in cert-manager/csi-lib#72
Dependency upgrades
- Bump the all group across 1 directory with 2 updates by @dependabot in #308
- Bump github.com/cert-manager/csi-lib from 0.8.1 to 0.9.0 in the all group by @dependabot in #309
Full Changelog: v0.9.2...v0.10.0
Contributors
Assets 2
v0.9.2
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
This release contains miscellaneous bug fixes and dependency updates.
It is built with Go 1.24.4 which fixes the following vulnerabilities: CVE-2025-22874, CVE-2025-0913, and CVE-2025-4673.
helm inspect chart cert-manager-csi-driver-spiffe --repo https://charts.jetstack.io --version v0.9.2
What's Changed
Dependabot
- Bump the all group across 1 directory with 6 updates by @dependabot in #279
- Bump the all group across 1 directory with 6 updates by @dependabot in #304
- Bump the all group across 1 directory with 8 updates by @dependabot in #299
makefile-modules
- [CI] Merge self-upgrade-main into main by @github-actions in #286
- [CI] Merge self-upgrade-main into main by @github-actions in #287
- [CI] Merge self-upgrade-main into main by @github-actions in #288
- [CI] Merge self-upgrade-main into main by @github-actions in #289
- [CI] Merge self-upgrade-main into main by @github-actions in #290
- [CI] Merge self-upgrade-main into main by @github-actions in #291
- [CI] Merge self-upgrade-main into main by @github-actions in #292
- [CI] Merge self-upgrade-main into main by @github-actions in #295
- [CI] Merge self-upgrade-main into main by @github-actions in #298
- [CI] Merge self-upgrade-main into main by @github-actions in #300
- [CI] Merge self-upgrade-main into main by @github-actions in #301
- [CI] Merge self-upgrade-main into main by @github-actions in #303
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #293
New Contributors
Full Changelog: v0.9.1...v0.9.2
Contributors
Assets 2
v0.9.1
SgtCoDFish
Ashley Davis
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
This release fixes a mistake in the DaemonSet security context for csi-driver-spiffe. Users should avoid v0.9.0 and use this version instead.
What's Changed
- Fix bad security context on DaemonSet by @SgtCoDFish in #284
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #281
- Add dependency licenses to repo and OCI image by @inteon in #282
- [CI] Merge self-upgrade-main into main by @github-actions in #285
Full Changelog: v0.9.0...v0.9.1
Contributors
Assets 2
v0.9.0
SgtCoDFish
Ashley Davis
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
v0.9.0 is a release mainly for dependency bumps and fixes for reported CVEs. There's also a minor improvement to logging in certain configurations included via #270.
All users are recommended to upgrade when possible to ensure they're running with the latest updates.
What's Changed
Features / Improvements
- Only watch for runtime configuration if provided by @SgtCoDFish in #270
Makefile Modules Bumps
- Manual makefile-modules upgrade by @SgtCoDFish in #246
- [CI] Merge self-upgrade-main into main by @github-actions in #245
- [CI] Merge self-upgrade-main into main by @github-actions in #248
- [CI] Merge self-upgrade-main into main by @github-actions in #251
- [CI] Merge self-upgrade-main into main by @github-actions in #252
- [CI] Merge self-upgrade-main into main by @github-actions in #253
- [CI] Merge self-upgrade-main into main by @github-actions in #254
- [CI] Merge self-upgrade-main into main by @github-actions in #257
- [CI] Merge self-upgrade-main into main by @github-actions in #259
- [CI] Merge self-upgrade-main into main by @github-actions in #262
- [CI] Merge self-upgrade-main into main by @github-actions in #271
- [CI] Merge self-upgrade-main into main by @github-actions in #272
- [CI] Merge self-upgrade-main into main by @github-actions in #273
- [CI] Merge self-upgrade-main into main by @github-actions in #275
- [CI] Merge self-upgrade-main into main by @github-actions in #276
- [CI] Merge self-upgrade-main into main by @github-actions in #278
Dependency Bumps
- Bump go-jose to v4 to fix CVE-2024-28180 and CVE-2025-27144 by @SgtCoDFish in #260
- Bump the all group across 1 directory with 9 updates by @dependabot in #261
- Bump the all group across 1 directory with 10 updates by @dependabot in #269
- Bump x/net to fix CVE-2025-22872 reported by trivy by @SgtCoDFish in #280
- Bump github.com/onsi/gomega from 1.36.3 to 1.37.0 in the all group by @dependabot in #274
- Bump the all group across 1 directory with 5 updates by @dependabot in #250
Full Changelog: v0.8.2...v0.9.0
Contributors
Assets 2
v0.8.2
SgtCoDFish
Ashley Davis
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
v0.8.2 is another simple dependency bump update, importantly fixing several CVEs reported by vulnerability scanners. We don't actually believe that csi-driver-spiffe was vulnerable to any of the CVEs though.
What's Changed
Release Process / Admin
- Update OWNERS file to use OWNERS_ALIASES by @inteon in #225
- Add Helm chart OCI release to GH automation by @inteon in #226
Dependency Updates / Fixes
- Bump the all group with 2 updates by @dependabot in #184
- Update busybox sha to match upstream by @inteon in #186
- Update busybox SHAs to match upstream by @SgtCoDFish in #192
- Bump the all group across 1 directory with 13 updates by @dependabot in #213
- Bump the all group across 1 directory with 3 updates by @dependabot in #216
- Update busybox shas due to upstream change by @inteon in #224
- Bump the all group across 1 directory with 5 updates by @dependabot in #229
- Bump the all group across 1 directory with 2 updates by @dependabot in #222
- Fix digests for busybox images by @SgtCoDFish in #242
- Update other images, add release note section by @SgtCoDFish in #243
- Bump the all group across 1 directory with 9 updates by @dependabot in #240
Makefile Modules Updates
- [CI] Merge self-upgrade-main into main by @github-actions in #185
- [CI] Merge self-upgrade-main into main by @github-actions in #187
- [CI] Merge self-upgrade-main into main by @github-actions in #188
- [CI] Merge self-upgrade-main into main by @github-actions in #189
- [CI] Merge self-upgrade-main into main by @github-actions in #191
- [CI] Merge self-upgrade-main into main by @github-actions in #195
- [CI] Merge self-upgrade-main into main by @github-actions in #198
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #199
- [CI] Merge self-upgrade-main into main by @github-actions in #201
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #203
- [CI] Merge self-upgrade-main into main by @github-actions in #206
- [CI] Merge self-upgrade-main into main by @github-actions in #209
- [CI] Merge self-upgrade-main into main by @github-actions in #210
- [CI] Merge self-upgrade-main into main by @github-actions in #211
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #212
- [CI] Merge self-upgrade-main into main by @github-actions in #214
- [CI] Merge self-upgrade-main into main by @github-actions in #217
- [CI] Merge self-upgrade-main into main by @github-actions in #218
- [CI] Merge self-upgrade-main into main by @github-actions in #220
- [CI] Merge self-upgrade-main into main by @github-actions in #221
- [CI] Merge self-upgrade-main into main by @github-actions in #223
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #228
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #230
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #231
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #232
- [CI] Merge self-upgrade-main into main by @github-actions in #237
- [CI] Merge self-upgrade-main into main by @github-actions in #239
- [CI] Merge self-upgrade-main into main by @github-actions in #241
Full Changelog: v0.8.1...v0.8.2
Contributors
Assets 2
v0.8.1
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
v0.8.1 is a simple dependency bump update.
What's Changed
Dependency Bumps
- Bump the all group across 1 directory with 8 updates by @dependabot in #168
- Bump the all group across 1 directory with 2 updates by @dependabot in #172
- Bump the all group across 1 directory with 9 updates by @dependabot in #180
- chore: update csi-node-driver-registrar to v2.12.0 by @ThatsMrTalbot in #183
Makefile Modules Updates
- [CI] Merge self-upgrade-main into main by @github-actions in #169
- [CI] Merge self-upgrade-main into main by @github-actions in #171
- [CI] Merge self-upgrade-main into main by @github-actions in #174
- [CI] Merge self-upgrade-main into main by @github-actions in #176
- [CI] Merge self-upgrade-main into main by @github-actions in #179
- [CI] Merge self-upgrade-main into main by @github-actions in #181
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #182
Full Changelog: v0.8.0...v0.8.1
Contributors
Assets 3
v0.8.0
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
What's Changed
- Bump github.com/cert-manager/cert-manager from 1.15.0 to 1.15.1 in the all group by @dependabot in #158
- chore: update csi-node-driver-registrar by @ThatsMrTalbot in #165
Full Changelog: v0.7.0...v0.8.0
Contributors
Assets 3
v0.7.0
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
What's Changed
- [CI] Merge self-upgrade-main into main by @github-actions in #148
- Bump the all group across 1 directory with 5 updates by @dependabot in #152
- Bump the all group across 1 directory with 8 updates by @dependabot in #157
- [CI] Merge self-upgrade-main into main by @github-actions in #153
- feat: add RBAC for OpenShift SecurityContextConstraints by @ThatsMrTalbot in #159
Full Changelog: v0.6.0...v0.7.0
Contributors
Assets 3
v0.6.0
SgtCoDFish
Ashley Davis
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
v0.6.0 includes a variety of new features which make csi-driver-spiffe easier to work with and easier to set up, as well as the usual dependency bumps and tool upgardes.
Possibly Breaking Changes: Read Before Upgrading!
-
The default for the
app.approver.signerNameHelm value changed to allow approval for all signers by default. Previously, any built-in cert-managerClusterIssuerwas allowed. This change makes it simpler to use other types of issuer with csi-driver-spiffe.The impact of this change should be nonexistant for the vast majority of csi-driver-spiffe use cases but there are some very specific scenarios in which this change could have a security impact. For more information, see the relevant feature overview below.
-
The name of the DaemonSet installed by the Helm chart changed from a default of "cert-manager-csi-driver-spiffe" to "cert-manager-csi-driver-spiffe-driver". We don't anticipate this should be a huge change for anyone, but it's worth noting that upgrading will change the name. This change helps with tab completion when debugging csi-driver-spiffe.
Feature Overview
Runtime Issuer Configuration
The headline feature of this release is the ability to configure which issuer to use at runtime, rather than only being able to configure at install time.
Previously, changing the issuer configuration for csi-driver-spiffe required that it be restarted, which could lead to downtime and could block pods from getting the identities they need. It also meant there was a need to install csi-driver-spiffe after cert-manager was already installed and an issuer was configured, which complicated the installation process for users who wanted to simply install a series of Helm charts and configure them afterwards.
It's now possible to configure a ConfigMap in the installation namespace of csi-driver-spiffe which specifies which issuer to use. csi-driver-spiffe will watch that ConfigMap and adapt quickly to any changes in issuer, allowing issuer updates with zero downtime.
To use the feature, set the app.runtimeIssuanceConfigMap Helm value to the name of the ConfigMap you'll use to configure issuer details.
A default issuer can still be specified using the app.issuer.* Helm values, and this default issuer be used if the ConfigMap is invalid, missing or deleted. Alternatively, to require runtime configuration these values can be manually set to be blank as in the example below. [1]
If no issuer is configured, pods mounting csi-driver-spiffe volumes will fail to start as csi-driver-spiffe won't be able to create CertificateRequests for them.
Below is an example of installing csi-driver-spiffe with runtime configuration:
kubectl create configmap spiffe-issuer -n cert-manager \
--from-literal=issuer-name=my-issuer-name \
--from-literal=issuer-kind=ClusterIssuer \
--from-literal=issuer-group=cert-manager.io
helm upgrade -i -n cert-manager cert-manager-csi-driver-spiffe jetstack/cert-manager-csi-driver-spiffe --wait \
--set "app.logLevel=1" \
--set "app.trustDomain=my.trust.domain" \
--set "app.issuer.name=" \
--set "app.issuer.kind=" \
--set "app.issuer.group=" \
--set "app.runtimeIssuanceConfigMap=spiffe-issuer"The logs for the csi-driver-spiffe DaemonSet pods should produce output like the following to show that the ConfigMap was picked up:
I0516 11:57:44.655854 1 driver.go:410] "Changed active issuerRef in response to runtime configuration ConfigMap" logger="csi.runtime-config-watcher" config-map-name="spiffe-issuer" config-map-namespace="cert-manager" issuer-name="my-issuer-name" issuer-kind="ClusterIssuer" issuer-group="cert-manager.io"
Simpler Install with no signerName
Previously, to use any kind of issuer that wasn't a cert-manager ClusterIssuer would require configuring not just issuer settings but also allowlisting the use of that issuer through the app.approver.signerName Helm value.
The impact of this change should be nonexistant for the vast majority of csi-driver-spiffe use cases (beyond making it easier to configure) - but there are some extremely specific scenarios in which this change could have a security impact. Specifically, if you run another approver (such as approver-policy) in the cluster and you require that the csi-driver-spiffe-approver and the other approver are allowed to approve for distinct types of issuer. In practice, most clusters won't have this requirement even if they run multiple approvers - it's easier to restrict the approvers via their own configuration rather than using RBAC.
For more information, read the rationale about why this was changed in approver-policy. If you're concerned, see also the relevant approver-policy release notes which explain what actions you might want to take. Most users should need to take no action.
Approver Simplification
In earlier csi-driver-spiffe versions, the csi-driver-spiffe-approver component would check that the issuer configured for created CertificateRequests matched the one configured for the csi-driver-spiffe DaemonSet at install time. This introduces a race condition whenever that issuer needs to be updated (such as rotation), since it wasn't possible to specify multiple issuers and it wasn't easy to ensure that both the DaemonSet and the approver could be restarted at the same time to ensure they both picked up the change.
This check didn't provide much value, and would have made runtime configuration of issuers incredibly difficult, and so it was removed in csi-driver-spiffe v0.6.0. Now, the approver doesn't look at the issuerRef field of CertificateRequest resources and instead checks for the spiffe.csi.cert-manager.io/identity annotation which the driver sets on all CertificateRequests it creates.
Together with runtime issuer configuration, this makes issuer rotation simpler, safer and less error prone.
What's Changed
New Features
- Allow runtime configuration of issuers by @SgtCoDFish in #141
Helm Chart
⚠️ Allow use of all signers by default by @SgtCoDFish in #131- Add 'crds.enabled' and 'crds.keep' options to generated CRDs by @inteon in #91
- Enable helm-tool linter and schema generator by @inteon in #80
- Use same include statement for labels everywhere & add labels to pod templates by @inteon in #97
- Helm Add commonLabels option by @inteon in #98
- Added tolerations, nodeSelector, affinity, topologySpreadConstraints by @saydulaev and @maelvls in #50
Tests / CI
- Update digests of upstream busybox docker image by @inteon in #103
- Add go module and replace oci-image with oci-build and oci-publish by @inteon in #110
- Fix linters by @inteon in #111
- Fix gosec issues and enable gosec linter by @inteon in #122
- Increase timeouts for camanager test by @SgtCoDFish in #126
- Move parsing of custom annotations to testable function by @SgtCoDFish in #130
- Add env var for focusing on individual e2e tests by @SgtCoDFish in #135
- Add e2e util package to abstract common e2e tasks by @SgtCoDFish in #136
- Change approval of e2e issuer to use cmctl by @SgtCoDFish in #144
- Tweak camanager testing by @SgtCoDFish in #143
Other
⚠️ Rename DaemonSet for easier tab completion by @SgtCoDFish in #124- Use exit code from recommended range by @SgtCoDFish in #95
- Add design for runtime configuration of issuers by @SgtCoDFish in #94
- Remove issuerRef from approver by @SgtCoDFish in #125
- Two minor tweaks (default container annotation!) by @SgtCoDFish in #123
- docs: add RELEASE.md documenting the release process by @ThatsMrTalbot in #146
New Contributors
- @saydulaev made their first contribution in #50
- @maelvls made their first contribution in #50
Full Changelog: v0.5.0...v0.6.0
Other Notes
[1]: A future change may set the default issuer to be blank in all cases. Today, the default is t...
