Istio CSR releases¶

Istio CSR integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

Learn about current and past releases of Istio CSR.

Latest release¶

The latest stable release of Istio CSR is v0.10.0.

Downloads¶

Release 0.10.0¶

​ Istio CSR v0.10.0 was released on July 17, 2024.

Key features¶

• Initial runtime configuration support

  Istio CSR requires cert-manager to be installed to be able to issue certificates; using cert-manager to issue Istio certificates is the reason why you use Istio CSR.

  More subtly, Istio CSR actually requires a cert-manager issuer to be created before Istio CSR is installed. This issuer is used to issue the istiod certificate, the Istio serving certificate, and workload certificates.

  This dependency means that it's not possible to install Istio CSR and cert-manager at the same time, which can be a problem for some users and some installation methods. Runtime configuration aims to solve that problem, by allowing the issuer to be defined at runtime through a ConfigMap resource in the same namespace as the Istio CSR pods.

  Since the issuer is defined at pod startup time (via the Helm chart) it's not possible to swap out an issuer on the fly while Istio CSR pods are running. Runtime configuration changes this:

  kubectl create configmap -n venafi istio-issuer \
    --from-literal=issuer-name=my-issuer-name \
    --from-literal=issuer-kind=ClusterIssuer \
    --from-literal=issuer-group=cert-manager.io
  

  values.yaml

  app:
    runtimeIssuanceConfigMap: istio-issuer
    certmanager:
      issuer:
        name: ""
        kind: ""
        group: ""
    tls:
      rootCAFile: "/var/run/secrets/istio-csr/ca.pem"
      istiodCertificateEnable: false
  volumeMounts:
  - name: root-ca
    mountPath: /var/run/secrets/istio-csr
  volumes:
  - name: root-ca
    secret:
      secretName: istio-root-ca
  

  helm upgrade cert-manager-istio-csr oci://registry.venafi.cloud/charts/cert-manager-istio-csr:v0.10.0 \
    --install \
    --namespace venafi \
    --wait \
    --values values.yaml  
  

  This initial support requires that the istiod certificate is disabled. This means you must provision that certificate manually, ahead of installing Istio CSR.

  Alternatively, istiodCertificateEnable can be left as true and app.certmanager.issuer can be provided. This still requires cert-manager to be installed and configured before Istio CSR, but enables you to change certificates on the fly.

  A future release of Istio CSR will include the ability to provision the istiod certificate dynamically, allowing for true runtime configuration.

• s390x support

  Istio CSR now supports the s390x architecture.

• nameOverride Helm value added

  The nameOverride Helm value added was added to values.yaml to improve jsonSchema validation.

• Dependency updates

  github.com/lestrrat-go/jwx has been updated to v.1.2.29. This fixes CVE-2024-28122

Release 0.9.0¶

​ Istio CSR v0.9.0 was released on May 13, 2024.

Key features¶

• Release v0.9.0 upgrades the Go version used to build to 1.22.3 to fix the following vulnerability: GO-2024-2824 (CVE-2024-24788). All Go-related dependencies were also upgraded in this release.
• This release also adds json-schema validation to the Helm chart and fixes for minor bugs and test for Istio 1.20.

Release v0.8.1¶

​ Istio CSR v0.8.1 was released on February 6, 2024.

Key features¶

• Release 0.8.1 adds the ability to provide additional DNS names to a istiod certificate.
• This release also sees updates to component libraries and minor bug fixes.