Releases: cert-manager/istio-csr

v0.14.3

17 Oct 10:29
dc8d2d2

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

This release is a patch release, upgrading Go from 1.25.1 to 1.25.3, fixing a range of CVEs: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.

Furthermore, additional Go dependencies were upgraded where possible.

Full Changelog: v0.14.2...v0.14.3

v0.14.2

26 Jun 14:22
0662535

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

This patch release is built with Go 1.24.4 which fixes the following vulnerabilities: CVE-2025-22874 and CVE-2025-0913.

helm inspect chart cert-manager-istio-csr --repo https://charts.jetstack.io --version v0.14.2

What's Changed

Dependabot updates

  • Bump the all group across 1 directory with 6 updates by @dependabot in #567
  • Bump the all group across 1 directory with 10 updates by @dependabot in #559

makefile-modules updates

  • [CI] Merge self-upgrade-main into main by @github-actions in #548
  • [CI] Merge self-upgrade-main into main by @github-actions in #549
  • [CI] Merge self-upgrade-main into main by @github-actions in #552
  • [CI] Merge self-upgrade-main into main by @github-actions in #555
  • [CI] Merge self-upgrade-main into main by @github-actions in #558
  • [CI] Merge self-upgrade-main into main by @github-actions in #562
  • [CI] Merge self-upgrade-main into main by @github-actions in #564

Full Changelog: v0.14.1...v0.14.2

v0.14.1

06 May 10:50
809eaf7

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

This is a patch release with dependency bumps, aiming to fix "vulnerabilities" reported by scanners. We don't know of any specific vulnerability in istio-csr, but we think it's important to make occasional releases with patched dependencies.

What's Changed

Features

  • Add dependency licenses to repo and OCI image by @inteon in #539

Dependency upgrades

  • Bump istio module dependency + fix jose vulnerability by @SgtCoDFish in #509
  • Bump the all group across 1 directory with 13 updates by @dependabot in #511
  • Bump the all group across 1 directory with 13 updates by @dependabot in #524
  • Bump the all group across 1 directory with 2 updates by @dependabot in #529
  • Bump the all group across 1 directory with 7 updates by @dependabot in #536

Makefile module upgrades

#485, #488, #489, #491, #492, #494, #495, #497, #498, #503, #506, #508, #512, #525, #527, #528, #530, #531, #535, #538, #540, #541, #542, #543, #544, #545, #547

Full Changelog: v0.14.0...v0.14.1

v0.14.0

20 Jan 11:18
afe970a

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

v0.14.0 is a minor release focused on dependency upgrades and minor bugfixes. We recommend that all users upgrade to this latest version.

Importantly, this version of istio-csr depends on a patched version of cert-manager providing protections against GHSA-r4pg-vg54-wxx4 when parsing trust bundles - although exploitation would require an attacker to have privileged access inside your cluster and the effects of an exploit would be minimal.

What's Changed

Bug Fixes

  • Use istiod- as the prefix for the DNS names for Istio revisions by @wallrj in #454
  • Fix helm chart typos by @wallrj in #458
  • Use specialised function for decoding trust bundles by @SgtCoDFish in #477
  • Fix some more grammatical mistakes and typos in the comments of Helm chart values.yaml by @wallrj in #460

Other

  • Add Helm chart OCI release to GH automation by @inteon in #457

Makefile Modules Upgrades

  • [CI] Merge self-upgrade-main into main by @github-actions in #445
  • [CI] Merge self-upgrade-main into main by @github-actions in #447
  • [CI] Merge self-upgrade-main into main by @github-actions in #448
  • [CI] Merge self-upgrade-main into main by @github-actions in #450
  • [CI] Merge self-upgrade-main into main by @github-actions in #452
  • [CI] Merge self-upgrade-main into main by @github-actions in #456
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #461
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #466
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #470
  • [CI] Merge self-upgrade-main into main by @github-actions in #476
  • [CI] Merge self-upgrade-main into main by @github-actions in #480
  • [CI] Merge self-upgrade-main into main by @github-actions in #484

Full Changelog: v0.13.0...v0.14.0

v0.14.0-alpha.0

18 Dec 19:29
999e6b0

Pre-release

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

This pre-release is largely for testing some new automation behind the scenes. We don't recommend running this release.

What's Changed

  • Use istiod- as the prefix for the DNS names for Istio revisions by @wallrj in #454
  • Fix helm chart typos by @wallrj in #458
  • Add Helm chart OCI release to GH automation by @inteon in #457
  • Fix some more grammatical mistakes and typos in the comments of Helm chart values.yaml by @wallrj in #460

Other

  • [CI] Merge self-upgrade-main into main by @github-actions in #445
  • [CI] Merge self-upgrade-main into main by @github-actions in #447
  • [CI] Merge self-upgrade-main into main by @github-actions in #448
  • Bump the all group with 3 updates by @dependabot in #446
  • [CI] Merge self-upgrade-main into main by @github-actions in #450
  • [CI] Merge self-upgrade-main into main by @github-actions in #452
  • [CI] Merge self-upgrade-main into main by @github-actions in #456
  • Bump the all group across 1 directory with 3 updates by @dependabot in #455
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #461
  • Bump the all group across 1 directory with 6 updates by @dependabot in #462
  • [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #466

Full Changelog: v0.13.0...v0.14.0-alpha.0

v0.13.0

25 Nov 15:29
6418780

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

v0.13.0 includes a change to istio-csr so it works with the latest version of Istio (v1.24).

Specifically, the new version of Istio requires that ALPN be set by clients, which istio-csr didn't previously set.

Full Changelog: v0.12.0...v0.13.0

v0.13.0-alpha.0

08 Nov 23:41
b31dedb

Pre-release

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

v0.13.0-alpha.0 is a prerelease for testing changes to istio-csr with the new Istio 1.24. Specifically, the new version of Istio requires that ALPN be set by clients, which istio-csr didn't previously set.

If you're having issues with istio-csr and Istio 1.24, try this prerelease and please let us know if it works for you!

IMPORTANT: The chart for this release might not be visible in the charts.jetstack.io repository as of when this release is published. You can use the chart attached to this release until it becomes visible.

Full Changelog: v0.12.0...v0.13.0-alpha.0

v0.12.0

04 Sep 13:45
13f57d6

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

v0.12.0 introduces support for Istio Ambient Mode, expands upon the runtime configuration functionality introduced in previous releases, and includes various other improvements.

Features

Istio Ambient Mode Support

Istio Ambient Mode allows the use of Istio without requiring sidecar containers to run in your pods. This is powerful, but functions slightly differently and istio-csr previously didn't support this mode of operation.

Thanks to @paulwilljones istio-csr can now handle this mode of operation!

Istio Ambient Mode is enabled by setting the app.server.caTrustedNodeAccounts Helm value to a comma-separated list of namespace/service-account values indicating which service accounts are permitted to use node authentication, such as istio-system/ztunnel.

As this is a new feature, we'd be keen to hear your feedback and learn how this can be improved!

Runtime Configuration Improvements

Provisioning Resources

Runtime configuration allows istio-csr to be installed at the same time as cert-manager itself, which can simplify the cluster setup process. It also enables issuers to be changed on the fly, which makes rotation of CA certificates simpler and reduces the risk of downtime.

An issue we noticed was that istio-csr would always report as unhealthy until runtime configuration was available. On the face of it, this seems like expected behavior - without a configured issuer, istio-csr can't issue workload certs or provision the istio serving cert / istiod cert. The issue we found was that this causes the Helm install of istio-csr to hang until the runtime configuration ConfigMap was provided, forcing the need to handle runtime configuration then and there.

To make this process simpler, we've made a few Helm chart changes:

  1. It's now possible to pass extraObjects as a Helm value specifying arbitrary resources to create alongside the istio-csr install. This enables creating an issuer during the Helm install, if desired.
  2. There's a new app.runtimeConfiguration.create value which, if set, will create a runtime configuration ConfigMap with the values specified in app.runtimeConfiguration.issuer.

Health Checks

In addition, we've changed how health checks work for istio-csr with runtime configuration. If using pure runtime configuration (app.certmanager.issuer is blank), the istio-csr health checks will report healthy until runtime configuration is available for the first time. After runtime configuration is first detected, the health checks will return to normal.

Other Fixes

We now also propagate annotations onto the dynamic istiod cert which is used with runtime configuration, and a few roles have been fixed to ensure that installing into different namespaces works as expected.
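
A values file combining the Ambient Mode and runtime configuration settings described above, as an added example that is not taken from the istio-csr project. The issuer and secret names are constructed, and the name/kind/group sub-keys and the string form of extraObjects entries are assumptions about the chart.

```yaml
# values.yaml for the cert-manager-istio-csr chart (added example; names are constructed)
app:
  server:
    # Ambient Mode: only these namespace/service-account pairs are permitted
    # to use node authentication. Keep the list to the ztunnel account(s) you
    # actually run; use a comma-separated list for more than one.
    caTrustedNodeAccounts: istio-system/ztunnel

  runtimeConfiguration:
    # Have the chart create the runtime configuration ConfigMap at install
    # time, so the Helm install does not wait on a ConfigMap supplied later.
    create: true
    # Issuer reference written into that ConfigMap.
    # Assumption: the sub-keys mirror a cert-manager issuer reference.
    issuer:
      name: istio-ca
      kind: Issuer
      group: cert-manager.io

# Create the referenced issuer in the same Helm install.
# Assumption: each entry is a YAML-formatted string.
# The cert-manager CRDs must already be present for this object to apply.
extraObjects:
  - |
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: istio-ca
      namespace: istio-system
    spec:
      ca:
        secretName: istio-root-ca   # constructed name; the secret must already exist
```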

Full Changelog: v0.11.0...v0.12.0

v0.12.0-alpha.1

03 Sep 17:23
6cfff77

Pre-release

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

v0.12.0-alpha.1 is an initial pre-release of v0.12.0 to test new changes.

More complete release notes will be added with the official release of v0.12.0.

Full Changelog: v0.12.0-alpha.0...v0.12.0-alpha.1

v0.12.0-alpha.0

15 Aug 10:30
5362bb6

Pre-release

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

v0.12.0-alpha.0 is an initial pre-release of v0.12.0 to test new Helm chart changes which help with provisioning resources alongside istio-csr.

More complete release notes will be added with the official release of v0.12.0.

What's Changed

  • Add security context to istio-csr deployment by @wtzhang23 in #369
  • Add end to end test for client certificate authenticator by @wtzhang23 in #370
  • feat: add ability to create runtime config configmap by @ThatsMrTalbot in #379
  • feat: add ability to specify extra objects to apply along with the chart by @ThatsMrTalbot in #378

Full Changelog: v0.11.0...v0.12.0-alpha.0