CSI driver for SPIFFE releases
CSI driver for SPIFFE is a straightforward way to get SPIFFE (Secure Production Identity Framework for Everyone) IDs for your Kubernetes pods.
Learn about current and past releases of CSI driver for SPIFFE.
Latest release
The latest stable version of CSI driver for SPIFFE is v0.8.1.
Downloads
- Container Image:
private-registry.venafi.cloud/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.8.1
- FIPS Image:
private-registry.venafi.cloud/csi-driver-spiffe/csi-driver-spiffe-fips:v0.8.1
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.8.1
- Helm Chart:
oci://private-registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.8.1
- Container Image:
private-registry.venafi.eu/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.8.1
- Container Image:
private-registry.venafi.eu/csi-driver-spiffe/csi-driver-spiffe-fips:v0.8.1
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.8.1
- Helm Chart:
oci://private-registry.venafi.eu/charts/cert-manager-csi-driver-spiffe:v0.8.1
Release v0.8.1
CSI driver for SPIFFE v0.8.1 was released on August 29, 2024.
Key features
- Release v0.8.1 of the CSI driver for SPIFFE updates the csi-node-registrar-version Helm value to v2.12.0.
- The following dependencies were also upgraded in this release:
  - cert-manager was upgraded to v1.15.3
  - github.com/onsi/ginkgo/v2 was upgraded to v2.20.1
  - k8s.io/api was upgraded to v0.31.0
  - k8s.io/cli-runtime was upgraded to v0.31.0
  - k8s.io/component-base was upgraded to v0.31.0
  - k8s.io/kubectl was upgraded to v0.31.0
  - sigs.k8s.io/controller-runtime was upgraded to v0.19.0
Downloads
- Docker Image:
private-registry.venafi.cloud/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.8.1
- FIPS Image:
private-registry.venafi.cloud/csi-driver-spiffe/csi-driver-spiffe-fips:v0.8.1
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.8.1
- Helm Chart:
oci://private-registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.8.1
- Docker Image:
private-registry.venafi.eu/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.8.1
- Container Image:
private-registry.venafi.eu/csi-driver-spiffe/csi-driver-spiffe-fips:v0.8.1
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.8.1
- Helm Chart:
oci://private-registry.venafi.eu/charts/cert-manager-csi-driver-spiffe:v0.8.1
Release v0.8.0
CSI driver for SPIFFE v0.8.0 was released on July 22, 2024.
Key features
- Release v0.8.0 of the CSI driver for SPIFFE updates the csi-node-driver-registrar image to v2.11.1, including updated dependencies with fixes for several vulnerabilities. Learn more
- The release also updates the cert-manager dependency to v1.15.1.
Downloads
- Docker Image:
private-registry.venafi.cloud/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.8.0
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.8.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.8.0
- Docker Image:
private-registry.venafi.eu/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.8.0
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.8.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/cert-manager-csi-driver-spiffe:v0.8.0
Release v0.7.0
CSI driver for SPIFFE v0.7.0 was released on July 2, 2024.
Key features
- This release updates the CSI driver Helm chart values to include RBAC for OpenShift SecurityContextConstraints. Learn more
- Release v0.7.0 of CSI driver for SPIFFE updates the following dependencies:
  - cert-manager was updated to v.1.15.0.
  - github.com/go-logr/logr was updated to v.1.4.2.
  - github.com/onsi/ginkgo/v2 was updated to v.2.19.0.
  - k8s.io/api was updated to v.0.30.2.
  - k8s.io/cli-runtime was updated to v.0.30.2.
  - k8s.io/component-base was updated to v.0.30.2.
  - sigs.k8s.io/controller-runtime was updated to v.0.18.4.
  - k8s.io/utils was updated to v.0.0.0-20240502163921-fe8a2dddb1d0.
  - github.com/spf13/cobra was updated to v.18.1.
  - github.com/spiffe/go-spiffe/v2 was updated to v2.3.0.
Downloads
- Container Image:
private-registry.venafi.cloud/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.7.0
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.7.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.7.0
- Container Image:
private-registry.venafi.eu/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.7.0
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.7.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/cert-manager-csi-driver-spiffe:v0.7.0
Release v0.6.0
CSI driver for SPIFFE v0.6.0 was released on May 16, 2024.
Breaking changes - read before upgrading
- The default for the app.approver.signerName Helm value changed to allow approval for all signers by default. Previously, any built-in cert-manager ClusterIssuer was allowed. This change makes it simpler to use other types of issuer with CSI driver for SPIFFE.
  The impact of this change should be non-existent for the vast majority of CSI driver for SPIFFE use cases, but there are some very specific scenarios in which this change could have a security impact. For more information, see the relevant feature overview below.
  For more information, see Reference: CSI driver for SPIFFE Helm values.
- The name of the DaemonSet installed by the Helm chart changed from a default of cert-manager-csi-driver-spiffe to cert-manager-csi-driver-spiffe-driver. We don't anticipate this should be a huge change for anyone, but it's worth noting that upgrading will change the name. This change helps with tab completion when debugging CSI driver for SPIFFE.
Key features
- Runtime Issuer Configuration
  Release v0.6.0 of CSI driver for SPIFFE introduces the ability to configure an issuer at runtime, rather than being forced to configure one when installing.
  Previously, changing the issuer configuration for CSI driver for SPIFFE required it to be restarted. This could lead to downtime and could block pods from getting the identities they need. It also meant there was a need to install CSI driver for SPIFFE after cert-manager was already installed and an issuer was configured. This complicated the installation process for users who wanted to simply install a series of Helm charts and configure them afterwards.
  It's now possible to configure a ConfigMap in the installation namespace of CSI driver for SPIFFE which specifies which issuer to use. CSI driver for SPIFFE will watch that ConfigMap and adapt quickly to any changes in issuer, allowing issuer updates with zero downtime.
  To use the feature, set the app.runtimeIssuanceConfigMap Helm value to the name of the ConfigMap you'll use to configure issuer details.
  A default issuer can still be specified using the app.issuer.* Helm values, and this default issuer will be used if the ConfigMap is invalid, missing or deleted. Alternatively, to require runtime configuration, these values can be manually set to be blank.
  If no issuer is configured, pods mounting CSI driver for SPIFFE volumes will fail to start, as the CSI driver for SPIFFE won't be able to create CertificateRequests for them.
  For an example of installing CSI driver for SPIFFE with runtime configuration, see Installing CSI driver for SPIFFE using Venafi CLI tool or Installing CSI driver for SPIFFE using Helm.
- Simpler Install with no signerName
  Previously, using any kind of issuer that wasn't a cert-manager ClusterIssuer required configuring not just issuer settings but also allowlisting the use of that issuer through the app.approver.signerName Helm value.
  The impact of this change should be non-existent for the vast majority of CSI driver for SPIFFE use cases, but there are some extremely specific scenarios in which this change could have a security impact. Specifically, the scenario is one where you run another approver (such as Approver Policy) in the cluster and you require that the csi-driver-spiffe-approver and the other approver are allowed to approve for distinct types of issuer. In practice, most clusters won't have this requirement even if they run multiple approvers; it's easier to restrict the approvers by using their own configuration rather than using RBAC.
  For more information, see the Approver Policy 0.14.0 release notes, which explain what actions you might want to take. Most users should need to take no action.
- Approver Simplification
  In earlier CSI driver for SPIFFE versions, the csi-driver-spiffe-approver component checked that the issuer configured for created CertificateRequests matched the one configured for the CSI driver for SPIFFE DaemonSet at install time. This introduced a race condition whenever that issuer needed to be updated (such as during rotation), because it wasn't possible to specify multiple issuers and it wasn't easy to ensure that both the DaemonSet and the approver could be restarted at the same time so that they both picked up the change.
  This check didn't provide much value and would have made runtime configuration of issuers incredibly difficult, so it has been removed in CSI driver for SPIFFE v0.6.0. Now, the approver doesn't look at the issuerRef field of CertificateRequest resources, but instead checks for the spiffe.csi.cert-manager.io/identity annotation, which the driver sets on all CertificateRequests it creates.
  Together with runtime issuer configuration, this makes issuer rotation simpler, safer and less error prone.
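Because the approver now keys on the identity annotation rather than issuerRef, operators who relied on the old check can audit which issuers driver-annotated requests point at. The following is an added example, not code from the CSI driver for SPIFFE project; the sample CertificateRequest data, issuer names and the expected-issuer allowlist are constructed assumptions.

```python
import json
from collections import defaultdict

IDENTITY_ANNOTATION = "spiffe.csi.cert-manager.io/identity"  # annotation named in the release note

# Constructed sample in the shape of `kubectl get certificaterequests -A -o json`;
# every name, namespace and issuer below is hypothetical.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "payments", "name": "cr-1",
                "annotations": {"spiffe.csi.cert-manager.io/identity": "spiffe://example.org/ns/payments/sa/api"}},
   "spec": {"issuerRef": {"group": "cert-manager.io", "kind": "ClusterIssuer", "name": "spiffe-ca"}}},
  {"metadata": {"namespace": "batch", "name": "cr-2",
                "annotations": {"spiffe.csi.cert-manager.io/identity": "spiffe://example.org/ns/batch/sa/job"}},
   "spec": {"issuerRef": {"group": "issuers.example.com", "kind": "ExternalIssuer", "name": "ext-ca"}}},
  {"metadata": {"namespace": "web", "name": "cr-3", "annotations": {}},
   "spec": {"issuerRef": {"name": "web-ca"}}}
]}
""")

EXPECTED_ISSUERS = {("cert-manager.io", "ClusterIssuer", "spiffe-ca")}  # hypothetical allowlist


def issuer_key(cr):
    """Normalise spec.issuerRef to (group, kind, name) using cert-manager's defaults."""
    ref = cr.get("spec", {}).get("issuerRef") or {}
    return (ref.get("group") or "cert-manager.io", ref.get("kind") or "Issuer", ref.get("name", ""))


def unexpected_issuers(cr_list, expected):
    """Group identity-annotated requests by any issuerRef that is not in `expected`."""
    found = defaultdict(list)
    for cr in cr_list.get("items", []):
        meta = cr.get("metadata", {})
        if IDENTITY_ANNOTATION not in (meta.get("annotations") or {}):
            continue  # no identity annotation, so outside what the approver checks for
        key = issuer_key(cr)
        if key not in expected:
            found[key].append(f"{meta.get('namespace')}/{meta.get('name')}")
    return dict(found)


if __name__ == "__main__":
    for issuer, requests in unexpected_issuers(SAMPLE, EXPECTED_ISSUERS).items():
        print("/".join(issuer), "<-", ", ".join(requests))
```

Against a live cluster, replace SAMPLE with the parsed output of the kubectl command named in the comment and set EXPECTED_ISSUERS to the issuers you intend the driver to use.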
Downloads
- Container Image:
private-registry.venafi.cloud/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.6.0
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.6.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.6.0
- Container Image:
private-registry.venafi.eu/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.6.0
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.6.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/cert-manager-csi-driver-spiffe:v0.6.0
Release v0.5.0
CSI driver for SPIFFE v0.5.0 was released on February 9, 2024.
Key features
- This release is the first CSI driver for SPIFFE release that is based on cert-manager's Makefile modules system.
- This release also contains dependency updates, as well as updates to Chart.yaml properties.
Downloads
- Container Image:
private-registry.venafi.cloud/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.5.0
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.5.0
- Helm Chart:
oci://private-registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.5.0
- Container Image:
private-registry.venafi.eu/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.5.0
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.5.0
- Helm Chart:
oci://private-registry.venafi.eu/charts/cert-manager-csi-driver-spiffe:v0.5.0
Release v0.4.1
CSI driver for SPIFFE v0.4.1 was released on November 22, 2023.
Key features
- This release includes a variety of dependency updates, including updates to the version of Go and Go dependencies, as well as the base images and the Kubernetes images the product depends on.
Downloads
- Container Image:
private-registry.venafi.cloud/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.4.1
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.4.1
- Helm Chart:
oci://private-registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.4.1
- Container Image:
private-registry.venafi.eu/csi-driver-spiffe/cert-manager-csi-driver-spiffe:v0.4.1
- Helm Chart:
oci://registry.venafi.cloud/charts/cert-manager-csi-driver-spiffe:v0.4.1
- Helm Chart:
oci://private-registry.venafi.eu/charts/cert-manager-csi-driver-spiffe:v0.4.1