cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

v0.11.0 is a feature release containing the ability to specify a key type for the certificate you're mounting with csi-driver, allowing
the use of ECDSA and Ed25519 certs using csi-driver.

To generate a P-256 certificate, try the following:

apiVersion: v1
kind: Pod
metadata:
  name: my-csi-app
  namespace: sandbox
  labels:
    app: my-csi-app
spec:
  containers:
    - name: my-frontend
      image: busybox
      volumeMounts:
      - mountPath: "/tls"
        name: tls
      command: [ "sleep", "1000000" ]
  volumes:
    - name: tls
      csi:
        driver: csi.cert-manager.io
        readOnly: true
        volumeAttributes:
          csi.cert-manager.io/issuer-name: my-issuer
          csi.cert-manager.io/issuer-kind: Issuer
          csi.cert-manager.io/dns-names: ${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local
          csi.cert-manager.io/key-algorithm: ECDSA

Huge thanks to @matthewpi for the awesome contribution!

What's Changed

Features

• 🚀 Add support for ECDSA and Ed25519 algorithms, make key size configurable by @matthewpi in #404

Dependency Bumps

• Bump the all group across 1 directory with 2 updates by @dependabot[bot] in #422
• Bump the all group across 1 directory with 8 updates by @dependabot[bot] in #428
• Bump the all group with 2 updates by @dependabot[bot] in #431

Makefile Modules Updates

• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #420
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #423
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #424
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #426
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #429
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #430
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #432
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #433
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #434
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #435
• [CI] Merge self-upgrade-main into main by @github-actions[bot] (and @SgtCoDFish) in #436

New Contributors

• @matthewpi made their first contribution in #404 ⭐

Full Changelog: v0.10.4...v0.11.0

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This release contains miscellaneous bug fixes and dependency updates.
It is built with Go 1.24.4 which fixes the following vulnerabilities: CVE-2025-22874, CVE-2025-0913, and CVE-2025-4673.

helm inspect chart cert-manager-csi-driver --repo https://charts.jetstack.io --version v0.10.4

What's Changed

• Bump sidecar images in preparation for release by @wallrj in #419

Dependabot

• Bump the all group across 1 directory with 10 updates by @dependabot in #415
• Bump the all group with 7 updates by @dependabot in #418

makefile-modules

• [CI] Merge self-upgrade-main into main by @github-actions in #407
• [CI] Merge self-upgrade-main into main by @github-actions in #408
• [CI] Merge self-upgrade-main into main by @github-actions in #409
• [CI] Merge self-upgrade-main into main by @github-actions in #411
• [CI] Merge self-upgrade-main into main by @github-actions in #414
• [CI] Merge self-upgrade-main into main by @github-actions in #416
• [CI] Merge self-upgrade-main into main by @github-actions in #417

Full Changelog: v0.10.3...v0.10.4

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This is a patch release with dependency bumps, aiming to fix "vulnerabilities" reported by scanners. We don't know of any specific vulnerability in csi-driver, but we think it's important to make occasional releases with patched dependencies.

This new version can be installed as follows:

helm upgrade cert-manager-csi-driver jetstack/cert-manager-csi-driver \
  --install \
  --version v0.10.3 \
  --namespace cert-manager \
  --wait

What's Changed

Features

• Add dependency licenses to repo and OCI image by @inteon in #398

Dependency upgrades

• Bump sigs.k8s.io/controller-runtime from 0.19.4 to 0.20.0 in the all group by @dependabot in #356
• Bump other images, add note to release process about checking them by @SgtCoDFish in #357
• Bump the all group across 1 directory with 4 updates by @dependabot in #365
• Bump golang.org/x/sync from 0.10.0 to 0.11.0 in the all group by @dependabot in #367
• Bump the all group across 1 directory with 11 updates by @dependabot in #377
• Bump golang.org/x/net from 0.35.0 to 0.36.0 in the go_modules group by @dependabot in #381
• Bump the all group across 1 directory with 10 updates by @dependabot in #386
• Bump github.com/onsi/gomega from 1.36.3 to 1.37.0 in the all group by @dependabot in #387
• Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group by @dependabot in #392
• Bump the all group across 1 directory with 7 updates by @dependabot in #396

Makefile module upgrades

#358, #360, #361, #363, #364, #366, #368, #369, #373, #375, #376, #378, #388, #389, #390, #391, #393, #395, #397, #399, #400, #401, #402, #403, #405

Full Changelog: v0.10.2...v0.10.3

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This is a patch release with dependency bumps, aiming to fix "vulnerabilities" reported by scanners. We don't know of any specific vulnerability in csi-driver, but we think it's important to make occasional releases with patched dependencies.

Note that the livenessprobe and node-driver-registrar images for this release aren't at their latest versions. You can control the versions of these images at install time.

For example, to use the latest images at the time of the release of csi-driver v0.10.2:

helm upgrade cert-manager-csi-driver jetstack/cert-manager-csi-driver \
  --install \
  --version v0.10.2 \
  --namespace cert-manager \
  --set nodeDriverRegistrarImage.tag=v2.13.0 \
  --set livenessProbeImage.tag=v2.15.0 \
  --wait

What's Changed

Dependency Bumps

• Bump the all group across 1 directory with 3 updates by @dependabot in #299
• Bump the all group with 6 updates by @dependabot in #303
• Bump the all group across 1 directory with 13 updates by @dependabot in #322
• Bump the all group across 1 directory with 4 updates by @dependabot in #337
• Bump the all group across 1 directory with 6 updates by @dependabot in #341
• Bump golang.org/x/crypto from 0.28.0 to 0.31.0 in the go_modules group by @dependabot in #343
• Bump the all group across 1 directory with 2 updates by @dependabot in #349
• Bump the all group across 1 directory with 8 updates by @dependabot in #354

Other

• Add Helm chart OCI release to GH automation by @inteon in #340

Makefile Modules Upgrades

• [CI] Merge self-upgrade-main into main by @github-actions in #298
• [CI] Merge self-upgrade-main into main by @github-actions in #300
• [CI] Merge self-upgrade-main into main by @github-actions in #301
• [CI] Merge self-upgrade-main into main by @github-actions in #302
• [CI] Merge self-upgrade-main into main by @github-actions in #304
• [CI] Merge self-upgrade-main into main by @github-actions in #305
• [CI] Merge self-upgrade-main into main by @github-actions in #306
• [CI] Merge self-upgrade-main into main by @github-actions in #308
• [CI] Merge self-upgrade-main into main by @github-actions in #311
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #312
• [CI] Merge self-upgrade-main into main by @github-actions in #313
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #315
• [CI] Merge self-upgrade-main into main by @github-actions in #317
• [CI] Merge self-upgrade-main into main by @github-actions in #321
• [CI] Merge self-upgrade-main into main by @github-actions in #323
• [CI] Merge self-upgrade-main into main by @github-actions in #324
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #325
• [CI] Merge self-upgrade-main into main by @github-actions in #327
• [CI] Merge self-upgrade-main into main by @github-actions in #330
• [CI] Merge self-upgrade-main into main by @github-actions in #332
• [CI] Merge self-upgrade-main into main by @github-actions in #334
• [CI] Merge self-upgrade-main into main by @github-actions in #336
• [CI] Merge self-upgrade-main into main by @github-actions in #338
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #342
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #344
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #345
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #347
• [CI] Merge self-upgrade-main into main by @github-actions in #350
• [CI] Merge self-upgrade-main into main by @github-actions in #352
• [CI] Merge self-upgrade-main into main by @github-actions in #355

Full Changelog: v0.10.1...v0.10.2

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This is a patch release with some dependency bumps.

What's Changed

Dependency Bumps

• chore: update csi-node-driver-registrar to v2.12.0 by @ThatsMrTalbot in #296
• Bump the all group across 1 directory with 8 updates by @dependabot in #281
• Bump the all group across 1 directory with 3 updates by @dependabot in #284
• Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 in the all group by @dependabot in #286
• Bump the all group across 1 directory with 10 updates by @dependabot in #294

Makefile Modules Updates

• [CI] Merge self-upgrade-main into main by @github-actions in #282
• [CI] Merge self-upgrade-main into main by @github-actions in #285
• [CI] Merge self-upgrade-main into main by @github-actions in #287
• [CI] Merge self-upgrade-main into main by @github-actions in #290
• [CI] Merge self-upgrade-main into main by @github-actions in #293
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #295

Full Changelog: v0.10.0...v0.10.1

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

What's Changed

• Add Prometheus metrics endpoint by @wallrj in #271
• Bump google.golang.org/grpc from 1.64.0 to 1.64.1 in the go_modules group by @dependabot in #275
• chore: update csi-node-driver-registrar image by @ThatsMrTalbot in #280

New Contributors

• @wallrj made their first contribution in #271

Full Changelog: v0.9.0...v0.10.0

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

What's Changed

• Helm: set linux nodeSelector by default by @inteon in #258
• docs: move release docs to RELEASE.md by @ThatsMrTalbot in #259
• Add attribute support for certificate subject by @nzbr in #228
• [CI] Merge self-upgrade-main into main by @github-actions in #260
• Bump the all group across 1 directory with 9 updates by @dependabot in #263
• Bump the all group with 3 updates by @dependabot in #265
• feat: add RBAC for OpenShift SecurityContextConstraints by @ThatsMrTalbot in #272
• [CI] Merge self-upgrade-main into main by @github-actions in #266
• Bump the all group across 1 directory with 8 updates by @dependabot in #270
• Bump github.com/cert-manager/cert-manager from 1.15.0 to 1.15.1 in the all group by @dependabot in #273

New Contributors

• @nzbr made their first contribution in #228

Full Changelog: v0.8.1...v0.9.0

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This patch release upgrades the Go version used to build from 1.22.2 to 1.22.3, fixing GO-2024-2824 (GHSA-2jwv-jmq4-4j3r).

Additionally, the PR includes version bumps for all Go dependencies.

Version bumps

• Bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3 in the all group by @dependabot in #233
• Bump golang.org/x/net from 0.20.0 to 0.23.0 in the go_modules group by @dependabot in #236
• Bump the all group across 1 directory with 8 updates by @dependabot in #242
• Bump github.com/cert-manager/cert-manager from 1.14.4 to 1.14.5 in the all group by @dependabot in #243
• Bump the all group across 1 directory with 3 updates by @dependabot in #249
• Bump sigs.k8s.io/controller-runtime from 0.18.1 to 0.18.2 in the all group by @dependabot in #250
• Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.17.3 in the all group by @dependabot in #253

Full Changelog: v0.8.0...v0.8.1

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

v0.8.0 includes a few improvements and upgrades to the Helm chart, which should make it easier to install and manage CSI driver.

Notably, this release uses the v1 API for CSIDriver in all cases. Previously, logic existed which tried to support very old Kubernetes versions back from before the CSIDriver resource hit GA around Kubernetes v1.18. Since those versions are so old now, we unconditionally use v1 to simply the process of using csi-driver. Notably, this helps if using helm template to render the chart to YAML.

This release also includes a great improvement from a first time contributor, @Cisien! They added the ability to pass volumeAttributes along to the CertificateRequest resource which csi-driver creates. This makes csi-driver act more like "regular" cert-manager, enabling new potential uses!

Finally, the csi-driver DaemonSet now includes the default-container annotation, which means that kubectl logs will show the logs for the csi-driver container by default, which should help with debugging!

What's Changed

• Use CSIDriver v1 unconditionally by @SgtCoDFish in #220
• Pass non-driver volumeAttributes to the created CertificateRequest by @Cisien in #212
• Add 'crds.enabled' and 'crds.keep' options to generated CRDs by @inteon in #204
• Enable helm-tool linter and schema generator by @inteon in #191
• Fix broken link to csi-driver-spiffe in Chart.yaml by @inteon in #201
• Helm: Use same include statement for labels everywhere by @inteon in #207
• Add default container annotation to daemonset by @SgtCoDFish in #223

Misc / Business-as-Usual

• Add initial documentation of release process by @SgtCoDFish in #224
• Several dependency upgrade PRs by @dependabot
• Several makefile modules update PRs by @github-actions

New Contributors

• @Cisien made their first contribution in #212 🎉

Full Changelog: v0.7.1...v0.8.0

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This release includes a set of small improvements, version bumps and bugfixes.

Additionally, it is the first release after migrating to our new Makefile modules CI/ CD setup.

Breaking changes

See Breaking Changes section in v0.7.0 release notes

What's Changed

• Update Chart.yaml properties by @inteon in #194
• Remove README header since it is already included in the artifacthub sidebar by @inteon in #196
• Bump the all group with 1 update by @dependabot in #198
• [CI] Merge self-upgrade into main by @github-actions in #195
• [CI] Merge self-upgrade into main by @github-actions in #199
• [CI] Merge self-upgrade into main by @github-actions in #200

Full Changelog: v0.7.0...v0.7.1