CSI driver for SPIFFE releases¶

CSI driver for SPIFFE is a straightforward way to get SPIFFE (Secure Production Identity Framework for Everyone) IDs for your Kubernetes pods.

Learn about current and past releases of CSI driver for SPIFFE.

Latest release¶

​ The latest stable version of CSI driver for SPIFFE is v0.8.0.

Downloads¶

Release v0.8.0¶

CSI driver for SPIFFE v0.8.0 was released on July 22, 2024.

Key features¶

• Release v0.8.0 of the CSI driver for SPIFFE updates the csi-node-driver-registrar image to v2.11.1, including updated dependencies with fixes for several vulnerabilities. Learn more
• The release also updates the cert-manage dependency to v1.15.1.

Release v0.7.0¶

CSI driver for SPIFFE v0.7.0 was released on July 2, 2024.

Key features¶

• This release updates the CSI driver Helm chart values to include RBAC for OpenShift SecurityContextConstraints. Learn more
• Release v.0.7.0 of CSI driver for SPIFFE updates the following dependencies:
  • cert-manager was updated to v.1.15.0 .
  • github.com/go-logr/logr was updated to v.1.4.2.
  • github.com/onsi/ginkgo/v2 was updated to v.2.19.0.
  • k8s.io/api was updated to v.0.30.2.
  • k8s.io/cli-runtime was updated to v.0.30.2.
  • k8s.io/component-base was updated to v.0.30.2.
  • sigs.k8s.io/controller-runtime was updated to v.0.18.4.
  • k8s.io/utils was updated to v.0.0.0-20240502163921-fe8a2dddb1d0.
  • github.com/spf13/cobra was updated to v.18.1.
  • github.com/spiffe/go-spiffe/v2 was updated to v2.3.0.

Release v0.6.0¶

CSI driver for SPIFFE v0.6.0 was released on May 16, 2024.

Breaking changes - read before upgrading¶

• The default for the app.approver.signerName Helm value changed to allow approval for all signers by default. Previously, any built-in cert-manager ClusterIssuer was allowed. This change makes it simpler to use other types of issuer with CSI driver for SPIFFE.

  The impact of this change should be non-existent for the vast majority of CSI driver for SPIFFE use cases but there are some very specific scenarios in which this change could have a security impact. For more information, see the relevant feature overview below.

  For more information, see Reference: CSI driver for SPIFFE Helm values.

• The name of the DaemonSet installed by the Helm chart changed from a default of cert-manager-csi-driver-spiffe to cert-manager-csi-driver-spiffe-driver. We don't anticipate this should be a huge change for anyone, but it's worth noting that upgrading will change the name. This change helps with tab completion when debugging CSI driver for SPIFFE.

Key features¶

• Runtime Issuer Configuration

  Release v0.6.0 of CSI driver for SPIFFE introduces the ability to configure an issuer at runtime, rather than being forced to configure one when installing.

  Previously, changing the issuer configuration for CSI driver for SPIFFE required it to be restarted. This could lead to downtime and could block pods from getting the identities they need. It also meant there was a need to install CSI driver for SPIFFE after cert-manager was already installed and an issuer was configured. This complicated the installation process for users who wanted to simply install a series of Helm charts and configure them afterwards.

  It's now possible to configure a ConfigMap in the installation namespace of CSI driver for SPIFFE which specifies which issuer to use. CSI driver for SPIFFE will watch that ConfigMap and adapt quickly to any changes in issuer, allowing issuer updates with zero downtime.

  To use the feature, set the app.runtimeIssuanceConfigMap Helm value to the name of the ConfigMap you'll use to configure issuer details.

  A default issuer can still be specified using the app.issuer.* Helm values, and this default issuer will be used if the ConfigMap is invalid, missing or deleted. Alternatively, to require runtime configuration these values can be manually set to be blank.

  If no issuer is configured, pods mounting CSI driver for SPIFFE volumes will fail to start as the CSI driver for SPIFFE won't be able to create CertificateRequests for them.

  For an example of installing CSI driver for SPIFFE with runtime configuration, see Installing CSI driver for SPIFFE using Venafi CLI tool or Installing CSI driver for SPIFFE using Helm

• Simpler Install with no signerName

  Previously, to use any kind of issuer that wasn't a cert-manager ClusterIssuer would require configuring not just issuer settings but also allowlisting the use of that issuer through the app.approver.signerName Helm value.

  The impact of this change should be non-existent for the vast majority of CSI driver for SPIFFE use cases - but there are some extremely specific scenarios in which this change could have a security impact. Specifically, if you run another approver (such as Approver Policy) in the cluster and you require that the csi-driver-spiffe-approver and the other approver are allowed to approve for distinct types of issuer. In practice, most clusters won't have this requirement even if they run multiple approvers - it's easier to restrict the approvers by using their own configuration rather than using RBAC.

  For more information, see the Approver Policy 0.14.0 release notes which explain what actions you might want to take. Most users should need to take no action.

• Approver Simplification

  In earlier CSI driver for SPIFFE versions, the csi-driver-spiffe-approver component checked that the issuer configured for created CertificateRequests matched the one configured for the CSI driver for SPIFFE DaemonSet at install time. This introduces a race condition whenever that issuer needs to be updated (such as rotation). Because it wasn't possible to specify multiple issuers and it wasn't easy to ensure that both the DaemonSet and the approver could be restarted at the same time to ensure they both picked up the change.

  This check didn't provide much value, and would have made runtime configuration of issuers incredibly difficult, and has been removed in CSI driver for SPIFFE v0.6.0. Now, the approver doesn't look at the issuerRef field of CertificateRequest resources, but instead checks for the spiffe.csi.cert-manager.io/identity annotation which the driver sets on all CertificateRequests it creates.

  Together with runtime issuer configuration, this makes issuer rotation simpler, safer and less error prone.

Release v0.5.0¶

CSI driver for SPIFFE v0.5.0 was released on February 9, 2024.

Key features¶

• This release is the first CSI driver for SPIFFE release that is based on cert-manager's Makefile modules system.
• This release also contains dependency updates, as well as updates to Chart.yaml properties.

Release v0.4.1¶

CSI driver for SPIFFE v0.4.1 was released on November 22, 2023.

Key features¶

• This release is includes a variety of dependency updates, including updates to the version of Go and Go dependencies, as well as the base images and the Kubernetes images the product depends on.