v0.12.0

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This release has been built using Go v1.25.5 to fix CVE-2025-61727 and CVE-2025-61729.
This release also includes multiple dependency upgrades for improved security and stability, including updates to Kubernetes utilities, controller-runtime, CSI libraries, and key Go modules (ginkgo, cobra, sync, crypto, and runc).
Thanks to @erikgb for setting up Renovate to automate all the dependency upgrades.
Additionally, Helm packaging has been migrated from legacy charts to OCI format.

⚠️ csi-driver depends on two Kubernetes maintained side-car containers: kubernetes-csi/node-driver-registrar, and kubernetes-csi/livenessprobe, which had not been updated at the time of this release.

OCI_MANAGER_IMAGE: quay.io/jetstack/cert-manager-csi-driver
OCI_MANAGER_TAG: v0.12.0
HELM_CHART_IMAGE: quay.io/jetstack/charts/cert-manager-csi-driver
HELM_CHART_VERSION: v0.12.0

New Contributors

• @wallrj-cyberark made their first contribution in #540

Full Changelog: v0.11.1...v0.12.0

v0.11.1

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This release is a patch release, upgrading Go from 1.25.1 to 1.25.3, fixing a range of CVEs: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.

Furthermore, additional go dependencies were upgraded where possible.

Full Changelog: v0.11.0...v0.11.1

v0.11.0

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

v0.11.0 is a feature release containing the ability to specify a key type for the certificate you're mounting with csi-driver, allowing
the use of ECDSA and Ed25519 certs using csi-driver.

To generate a P-256 certificate, try the following:

apiVersion: v1
kind: Pod
metadata:
  name: my-csi-app
  namespace: sandbox
  labels:
    app: my-csi-app
spec:
  containers:
    - name: my-frontend
      image: busybox
      volumeMounts:
      - mountPath: "/tls"
        name: tls
      command: [ "sleep", "1000000" ]
  volumes:
    - name: tls
      csi:
        driver: csi.cert-manager.io
        readOnly: true
        volumeAttributes:
          csi.cert-manager.io/issuer-name: my-issuer
          csi.cert-manager.io/issuer-kind: Issuer
          csi.cert-manager.io/dns-names: ${POD_NAME}.${POD_NAMESPACE}.svc.cluster.local
          csi.cert-manager.io/key-algorithm: ECDSA

Huge thanks to @matthewpi for the awesome contribution!

What's Changed

Features

• 🚀 Add support for ECDSA and Ed25519 algorithms, make key size configurable by @matthewpi in #404

Dependency Bumps

• Bump the all group across 1 directory with 2 updates by @dependabot[bot] in #422
• Bump the all group across 1 directory with 8 updates by @dependabot[bot] in #428
• Bump the all group with 2 updates by @dependabot[bot] in #431

Makefile Modules Updates

• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #420
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #423
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #424
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #426
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #429
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #430
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #432
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #433
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #434
• [CI] Merge self-upgrade-main into main by @github-actions[bot] in #435
• [CI] Merge self-upgrade-main into main by @github-actions[bot] (and @SgtCoDFish) in #436

New Contributors

• @matthewpi made their first contribution in #404 ⭐

Full Changelog: v0.10.4...v0.11.0

v0.10.4

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This release contains miscellaneous bug fixes and dependency updates.
It is built with Go 1.24.4 which fixes the following vulnerabilities: CVE-2025-22874, CVE-2025-0913, and CVE-2025-4673.

helm inspect chart cert-manager-csi-driver --repo https://charts.jetstack.io --version v0.10.4

What's Changed

• Bump sidecar images in preparation for release by @wallrj in #419

Dependabot

• Bump the all group across 1 directory with 10 updates by @dependabot in #415
• Bump the all group with 7 updates by @dependabot in #418

makefile-modules

• [CI] Merge self-upgrade-main into main by @github-actions in #407
• [CI] Merge self-upgrade-main into main by @github-actions in #408
• [CI] Merge self-upgrade-main into main by @github-actions in #409
• [CI] Merge self-upgrade-main into main by @github-actions in #411
• [CI] Merge self-upgrade-main into main by @github-actions in #414
• [CI] Merge self-upgrade-main into main by @github-actions in #416
• [CI] Merge self-upgrade-main into main by @github-actions in #417

Full Changelog: v0.10.3...v0.10.4

v0.10.3

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This is a patch release with dependency bumps, aiming to fix "vulnerabilities" reported by scanners. We don't know of any specific vulnerability in csi-driver, but we think it's important to make occasional releases with patched dependencies.

This new version can be installed as follows:

helm upgrade cert-manager-csi-driver jetstack/cert-manager-csi-driver \
  --install \
  --version v0.10.3 \
  --namespace cert-manager \
  --wait

What's Changed

Features

• Add dependency licenses to repo and OCI image by @inteon in #398

Dependency upgrades

• Bump sigs.k8s.io/controller-runtime from 0.19.4 to 0.20.0 in the all group by @dependabot in #356
• Bump other images, add note to release process about checking them by @SgtCoDFish in #357
• Bump the all group across 1 directory with 4 updates by @dependabot in #365
• Bump golang.org/x/sync from 0.10.0 to 0.11.0 in the all group by @dependabot in #367
• Bump the all group across 1 directory with 11 updates by @dependabot in #377
• Bump golang.org/x/net from 0.35.0 to 0.36.0 in the go_modules group by @dependabot in #381
• Bump the all group across 1 directory with 10 updates by @dependabot in #386
• Bump github.com/onsi/gomega from 1.36.3 to 1.37.0 in the all group by @dependabot in #387
• Bump golang.org/x/net from 0.37.0 to 0.38.0 in the go_modules group by @dependabot in #392
• Bump the all group across 1 directory with 7 updates by @dependabot in #396

Makefile module upgrades

#358, #360, #361, #363, #364, #366, #368, #369, #373, #375, #376, #378, #388, #389, #390, #391, #393, #395, #397, #399, #400, #401, #402, #403, #405

Full Changelog: v0.10.2...v0.10.3

v0.10.2

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This is a patch release with dependency bumps, aiming to fix "vulnerabilities" reported by scanners. We don't know of any specific vulnerability in csi-driver, but we think it's important to make occasional releases with patched dependencies.

Note that the livenessprobe and node-driver-registrar images for this release aren't at their latest versions. You can control the versions of these images at install time.

For example, to use the latest images at the time of the release of csi-driver v0.10.2:

helm upgrade cert-manager-csi-driver jetstack/cert-manager-csi-driver \
  --install \
  --version v0.10.2 \
  --namespace cert-manager \
  --set nodeDriverRegistrarImage.tag=v2.13.0 \
  --set livenessProbeImage.tag=v2.15.0 \
  --wait

What's Changed

Dependency Bumps

• Bump the all group across 1 directory with 3 updates by @dependabot in #299
• Bump the all group with 6 updates by @dependabot in #303
• Bump the all group across 1 directory with 13 updates by @dependabot in #322
• Bump the all group across 1 directory with 4 updates by @dependabot in #337
• Bump the all group across 1 directory with 6 updates by @dependabot in #341
• Bump golang.org/x/crypto from 0.28.0 to 0.31.0 in the go_modules group by @dependabot in #343
• Bump the all group across 1 directory with 2 updates by @dependabot in #349
• Bump the all group across 1 directory with 8 updates by @dependabot in #354

Other

• Add Helm chart OCI release to GH automation by @inteon in #340

Makefile Modules Upgrades

• [CI] Merge self-upgrade-main into main by @github-actions in #298
• [CI] Merge self-upgrade-main into main by @github-actions in #300
• [CI] Merge self-upgrade-main into main by @github-actions in #301
• [CI] Merge self-upgrade-main into main by @github-actions in #302
• [CI] Merge self-upgrade-main into main by @github-actions in #304
• [CI] Merge self-upgrade-main into main by @github-actions in #305
• [CI] Merge self-upgrade-main into main by @github-actions in #306
• [CI] Merge self-upgrade-main into main by @github-actions in #308
• [CI] Merge self-upgrade-main into main by @github-actions in #311
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #312
• [CI] Merge self-upgrade-main into main by @github-actions in #313
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #315
• [CI] Merge self-upgrade-main into main by @github-actions in #317
• [CI] Merge self-upgrade-main into main by @github-actions in #321
• [CI] Merge self-upgrade-main into main by @github-actions in #323
• [CI] Merge self-upgrade-main into main by @github-actions in #324
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #325
• [CI] Merge self-upgrade-main into main by @github-actions in #327
• [CI] Merge self-upgrade-main into main by @github-actions in #330
• [CI] Merge self-upgrade-main into main by @github-actions in #332
• [CI] Merge self-upgrade-main into main by @github-actions in #334
• [CI] Merge self-upgrade-main into main by @github-actions in #336
• [CI] Merge self-upgrade-main into main by @github-actions in #338
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #342
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #344
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #345
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #347
• [CI] Merge self-upgrade-main into main by @github-actions in #350
• [CI] Merge self-upgrade-main into main by @github-actions in #352
• [CI] Merge self-upgrade-main into main by @github-actions in #355

Full Changelog: v0.10.1...v0.10.2

v0.10.1

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This is a patch release with some dependency bumps.

What's Changed

Dependency Bumps

• chore: update csi-node-driver-registrar to v2.12.0 by @ThatsMrTalbot in #296
• Bump the all group across 1 directory with 8 updates by @dependabot in #281
• Bump the all group across 1 directory with 3 updates by @dependabot in #284
• Bump github.com/onsi/ginkgo/v2 from 2.19.1 to 2.20.0 in the all group by @dependabot in #286
• Bump the all group across 1 directory with 10 updates by @dependabot in #294

Makefile Modules Updates

• [CI] Merge self-upgrade-main into main by @github-actions in #282
• [CI] Merge self-upgrade-main into main by @github-actions in #285
• [CI] Merge self-upgrade-main into main by @github-actions in #287
• [CI] Merge self-upgrade-main into main by @github-actions in #290
• [CI] Merge self-upgrade-main into main by @github-actions in #293
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #295

Full Changelog: v0.10.0...v0.10.1

v0.10.0

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

What's Changed

• Add Prometheus metrics endpoint by @wallrj in #271
• Bump google.golang.org/grpc from 1.64.0 to 1.64.1 in the go_modules group by @dependabot in #275
• chore: update csi-node-driver-registrar image by @ThatsMrTalbot in #280

New Contributors

• @wallrj made their first contribution in #271

Full Changelog: v0.9.0...v0.10.0

v0.9.0

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

What's Changed

• Helm: set linux nodeSelector by default by @inteon in #258
• docs: move release docs to RELEASE.md by @ThatsMrTalbot in #259
• Add attribute support for certificate subject by @nzbr in #228
• [CI] Merge self-upgrade-main into main by @github-actions in #260
• Bump the all group across 1 directory with 9 updates by @dependabot in #263
• Bump the all group with 3 updates by @dependabot in #265
• feat: add RBAC for OpenShift SecurityContextConstraints by @ThatsMrTalbot in #272
• [CI] Merge self-upgrade-main into main by @github-actions in #266
• Bump the all group across 1 directory with 8 updates by @dependabot in #270
• Bump github.com/cert-manager/cert-manager from 1.15.0 to 1.15.1 in the all group by @dependabot in #273

New Contributors

• @nzbr made their first contribution in #228

Full Changelog: v0.8.1...v0.9.0

v0.8.1

cert-manager-csi-driver enables issuing secretless X.509 certificates for pods using cert-manager!

This patch release upgrades the Go version used to build from 1.22.2 to 1.22.3, fixing GO-2024-2824 (GHSA-2jwv-jmq4-4j3r).

Additionally, the PR includes version bumps for all Go dependencies.

Version bumps

• Bump sigs.k8s.io/controller-runtime from 0.17.2 to 0.17.3 in the all group by @dependabot in #233
• Bump golang.org/x/net from 0.20.0 to 0.23.0 in the go_modules group by @dependabot in #236
• Bump the all group across 1 directory with 8 updates by @dependabot in #242
• Bump github.com/cert-manager/cert-manager from 1.14.4 to 1.14.5 in the all group by @dependabot in #243
• Bump the all group across 1 directory with 3 updates by @dependabot in #249
• Bump sigs.k8s.io/controller-runtime from 0.18.1 to 0.18.2 in the all group by @dependabot in #250
• Bump github.com/onsi/ginkgo/v2 from 2.17.2 to 2.17.3 in the all group by @dependabot in #253

Full Changelog: v0.8.0...v0.8.1