Releases: cert-manager/csi-driver-spiffe
v0.8.1
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
What's Changed
- [CI] Merge self-upgrade-main into main by @github-actions in #169
- Bump the all group across 1 directory with 8 updates by @dependabot in #168
- [CI] Merge self-upgrade-main into main by @github-actions in #171
- Bump the all group across 1 directory with 2 updates by @dependabot in #172
- [CI] Merge self-upgrade-main into main by @github-actions in #174
- [CI] Merge self-upgrade-main into main by @github-actions in #176
- [CI] Merge self-upgrade-main into main by @github-actions in #179
- [CI] Merge self-upgrade-main into main by @github-actions in #181
- Bump the all group across 1 directory with 9 updates by @dependabot in #180
- [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #182
- chore: update csi-node-driver-registrar to v2.12.0 by @ThatsMrTalbot in #183
Full Changelog: v0.8.0...v0.8.1
v0.8.0
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
What's Changed
- Bump github.com/cert-manager/cert-manager from 1.15.0 to 1.15.1 in the all group by @dependabot in #158
- chore: update csi-node-driver-registrar by @ThatsMrTalbot in #165
Full Changelog: v0.7.0...v0.8.0
v0.7.0
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
What's Changed
- [CI] Merge self-upgrade-main into main by @github-actions in #148
- Bump the all group across 1 directory with 5 updates by @dependabot in #152
- Bump the all group across 1 directory with 8 updates by @dependabot in #157
- [CI] Merge self-upgrade-main into main by @github-actions in #153
- feat: add RBAC for OpenShift SecurityContextConstraints by @ThatsMrTalbot in #159
Full Changelog: v0.6.0...v0.7.0
v0.6.0
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
v0.6.0 includes a variety of new features which make csi-driver-spiffe easier to work with and easier to set up, as well as the usual dependency bumps and tool upgrades.
Possibly Breaking Changes: Read Before Upgrading!
- The default for the app.approver.signerName Helm value changed to allow approval for all signers by default. Previously, only built-in cert-manager ClusterIssuers were allowed. This change makes it simpler to use other types of issuer with csi-driver-spiffe. The impact of this change should be nonexistent for the vast majority of csi-driver-spiffe use cases, but there are some very specific scenarios in which this change could have a security impact. For more information, see the relevant feature overview below.
- The name of the DaemonSet installed by the Helm chart changed from a default of "cert-manager-csi-driver-spiffe" to "cert-manager-csi-driver-spiffe-driver". We don't anticipate this being a big change for anyone, but it's worth noting that upgrading will change the name. This change helps with tab completion when debugging csi-driver-spiffe.
Feature Overview
Runtime Issuer Configuration
The headline feature of this release is the ability to configure which issuer to use at runtime, rather than only being able to configure at install time.
Previously, changing the issuer configuration for csi-driver-spiffe required that it be restarted, which could lead to downtime and could block pods from getting the identities they need. It also meant there was a need to install csi-driver-spiffe after cert-manager was already installed and an issuer was configured, which complicated the installation process for users who wanted to simply install a series of Helm charts and configure them afterwards.
It's now possible to configure a ConfigMap in the installation namespace of csi-driver-spiffe which specifies which issuer to use. csi-driver-spiffe will watch that ConfigMap and adapt quickly to any changes in issuer, allowing issuer updates with zero downtime.
To use the feature, set the app.runtimeIssuanceConfigMap Helm value to the name of the ConfigMap you'll use to configure issuer details.
A default issuer can still be specified using the app.issuer.* Helm values, and this default issuer will be used if the ConfigMap is invalid, missing or deleted. Alternatively, to require runtime configuration, these values can be set to blank as in the example below. [1]
If no issuer is configured, pods mounting csi-driver-spiffe volumes will fail to start as csi-driver-spiffe won't be able to create CertificateRequests for them.
Below is an example of installing csi-driver-spiffe with runtime configuration:
kubectl create configmap spiffe-issuer -n cert-manager \
--from-literal=issuer-name=my-issuer-name \
--from-literal=issuer-kind=ClusterIssuer \
--from-literal=issuer-group=cert-manager.io
helm upgrade -i -n cert-manager cert-manager-csi-driver-spiffe jetstack/cert-manager-csi-driver-spiffe --wait \
--set "app.logLevel=1" \
--set "app.trustDomain=my.trust.domain" \
--set "app.issuer.name=" \
--set "app.issuer.kind=" \
--set "app.issuer.group=" \
--set "app.runtimeIssuanceConfigMap=spiffe-issuer"
The logs for the csi-driver-spiffe DaemonSet pods should produce output like the following to show that the ConfigMap was picked up:
I0516 11:57:44.655854 1 driver.go:410] "Changed active issuerRef in response to runtime configuration ConfigMap" logger="csi.runtime-config-watcher" config-map-name="spiffe-issuer" config-map-namespace="cert-manager" issuer-name="my-issuer-name" issuer-kind="ClusterIssuer" issuer-group="cert-manager.io"
Simpler Install with no signerName
Previously, using any kind of issuer that wasn't a cert-manager ClusterIssuer required configuring not just the issuer settings but also allowlisting the use of that issuer's signer through the app.approver.signerName Helm value.
The impact of this change should be nonexistent for the vast majority of csi-driver-spiffe use cases (beyond making it easier to configure), but there are some extremely specific scenarios in which this change could have a security impact. Specifically, it matters if you run another approver (such as approver-policy) in the cluster and you require that the csi-driver-spiffe approver and the other approver are only allowed to approve for distinct types of issuer. In practice, most clusters won't have this requirement even if they run multiple approvers; it's easier to restrict the approvers via their own configuration than via RBAC on signers.
For more information, read the rationale about why this was changed in approver-policy. If you're concerned, see also the relevant approver-policy release notes which explain what actions you might want to take. Most users should need to take no action.
Approver Simplification
In earlier csi-driver-spiffe versions, the csi-driver-spiffe-approver component would check that the issuerRef of each created CertificateRequest matched the issuer configured for the csi-driver-spiffe DaemonSet at install time. This introduced a race condition whenever that issuer needed to be updated (such as during rotation), since it wasn't possible to specify multiple issuers and it wasn't easy to ensure that both the DaemonSet and the approver were restarted at the same time so that both picked up the change.
This check didn't provide much value, and would have made runtime configuration of issuers incredibly difficult, so it was removed in csi-driver-spiffe v0.6.0. Now, the approver doesn't look at the issuerRef field of CertificateRequest resources and instead checks for the spiffe.csi.cert-manager.io/identity annotation which the driver sets on all CertificateRequests it creates.
Together with runtime issuer configuration, this makes issuer rotation simpler, safer and less error prone.
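One way to implement an approval check along these lines, as an added example that is not the project's approver code: it requires the identity annotation, parses and signature-checks the CSR, and additionally requires that the CSR's single URI SAN matches both the annotation and the SPIFFE ID derived from the CertificateRequest's spec.username, so that an annotation alone is not enough to get a request approved. The minimal CertificateRequest struct, the spiffe://<trust-domain>/ns/<namespace>/sa/<service-account> ID layout, and the assumption that spec.username reflects the pod's ServiceAccount are this example's own (cert-manager records the identity of the client that created the request in spec.username, so that part of the check is only meaningful when the driver creates requests as the pod's identity).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// identityAnnotation is the annotation the release notes say the driver sets
// on every CertificateRequest it creates.
const identityAnnotation = "spiffe.csi.cert-manager.io/identity"

// CertificateRequest is a minimal stand-in (an assumption of this example) for
// the cert-manager resource, carrying only the fields the check below needs.
type CertificateRequest struct {
	Annotations map[string]string
	Username    string // spec.username: identity of the client that created the request
	CSRPEM      []byte // spec.request: PEM-encoded PKCS#10 CSR
}

// spiffeIDForUsername maps a Kubernetes service-account username
// (system:serviceaccount:<ns>:<sa>) to the SPIFFE ID this example assumes
// for pods of that service account.
func spiffeIDForUsername(trustDomain, username string) (string, error) {
	parts := strings.Split(username, ":")
	if len(parts) != 4 || parts[0] != "system" || parts[1] != "serviceaccount" || parts[2] == "" || parts[3] == "" {
		return "", fmt.Errorf("username %q is not a service account", username)
	}
	return fmt.Sprintf("spiffe://%s/ns/%s/sa/%s", trustDomain, parts[2], parts[3]), nil
}

// ApproveSPIFFE returns nil when the request should be approved and an error
// describing the reason when it should be denied. It never inspects issuerRef.
func ApproveSPIFFE(trustDomain string, cr CertificateRequest) error {
	want, ok := cr.Annotations[identityAnnotation]
	if !ok {
		return errors.New("missing identity annotation: not created by csi-driver-spiffe")
	}
	block, _ := pem.Decode(cr.CSRPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return errors.New("spec.request is not a PEM-encoded CSR")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return fmt.Errorf("parsing CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature invalid: %w", err)
	}
	// An X.509 SVID carries exactly one SPIFFE URI SAN and no other names.
	if len(csr.URIs) != 1 || len(csr.DNSNames) != 0 || len(csr.IPAddresses) != 0 || len(csr.EmailAddresses) != 0 {
		return errors.New("CSR must carry exactly one URI SAN and no DNS, IP or email SANs")
	}
	got := csr.URIs[0].String()
	if got != want {
		return fmt.Errorf("URI SAN %q does not match annotation %q", got, want)
	}
	// Bind the requested identity to whoever actually created the request.
	expected, err := spiffeIDForUsername(trustDomain, cr.Username)
	if err != nil {
		return err
	}
	if got != expected {
		return fmt.Errorf("URI SAN %q does not match requester identity %q", got, expected)
	}
	return nil
}

// NewSPIFFECSR builds a PEM CSR whose only SAN is the given SPIFFE URI, signed
// with a fresh P-256 key (the curve csi-driver-spiffe uses since v0.3.0).
// This is constructed input for the example, not driver output.
func NewSPIFFECSR(spiffeID string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{URIs: []*url.URL{u}}, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	const id = "spiffe://my.trust.domain/ns/default/sa/web"
	csr, err := NewSPIFFECSR(id)
	if err != nil {
		panic(err)
	}
	cr := CertificateRequest{
		Annotations: map[string]string{identityAnnotation: id},
		Username:    "system:serviceaccount:default:web",
		CSRPEM:      csr,
	}
	fmt.Println("driver-created request:", ApproveSPIFFE("my.trust.domain", cr))
	cr.Username = "system:serviceaccount:default:other"
	fmt.Println("same CSR from another service account:", ApproveSPIFFE("my.trust.domain", cr))
}
```

The second case in main is the one the annotation alone would not catch: a request that carries the annotation and a well-formed CSR but was created by a different identity than the one named in the SAN.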
What's Changed
New Features
- Allow runtime configuration of issuers by @SgtCoDFish in #141
Helm Chart
- ⚠️ Allow use of all signers by default by @SgtCoDFish in #131
- Add 'crds.enabled' and 'crds.keep' options to generated CRDs by @inteon in #91
- Enable helm-tool linter and schema generator by @inteon in #80
- Use same include statement for labels everywhere & add labels to pod templates by @inteon in #97
- Helm Add commonLabels option by @inteon in #98
- Added tolerations, nodeSelector, affinity, topologySpreadConstraints by @saydulaev and @maelvls in #50
Tests / CI
- Update digests of upstream busybox docker image by @inteon in #103
- Add go module and replace oci-image with oci-build and oci-publish by @inteon in #110
- Fix linters by @inteon in #111
- Fix gosec issues and enable gosec linter by @inteon in #122
- Increase timeouts for camanager test by @SgtCoDFish in #126
- Move parsing of custom annotations to testable function by @SgtCoDFish in #130
- Add env var for focusing on individual e2e tests by @SgtCoDFish in #135
- Add e2e util package to abstract common e2e tasks by @SgtCoDFish in #136
- Change approval of e2e issuer to use cmctl by @SgtCoDFish in #144
- Tweak camanager testing by @SgtCoDFish in #143
Other
- ⚠️ Rename DaemonSet for easier tab completion by @SgtCoDFish in #124
- Use exit code from recommended range by @SgtCoDFish in #95
- Add design for runtime configuration of issuers by @SgtCoDFish in #94
- Remove issuerRef from approver by @SgtCoDFish in #125
- Two minor tweaks (default container annotation!) by @SgtCoDFish in #123
- docs: add RELEASE.md documenting the release process by @ThatsMrTalbot in #146
New Contributors
- @saydulaev made their first contribution in #50
- @maelvls made their first contribution in #50
Full Changelog: v0.5.0...v0.6.0
Other Notes
[1]: A future change may set the default issuer to be blank in all cases. Today, the default is t...
v0.5.0
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
This v0.5.0 is the first csi-driver-spiffe release that is based on cert-manager's Makefile modules system.
What's Changed
- Add certificate requests annotations flag by @jamesglennan in #60
- Migrate to ginkgo v2 by @inteon in #61
- Upgrade 'csi-node-driver-registrar' and 'livenessprobe' by @inteon in #70
- chore: add thatsmrtalbot as reviewer by @ThatsMrTalbot in #78
- Add version info to binary at compile time by @inteon in #75
- Update Chart.yaml properties by @inteon in #82
- Use helm-tool to generate Helm README.md by @inteon in #86
- Fix broken link in Chart.yaml for csi-driver by @inteon in #88
Dependabot updates
- Bump the all group with 8 updates by @dependabot in #64
- Bump the all group with 8 updates by @dependabot in #76
- Bump the all group with 1 update by @dependabot in #84
Makefile updates
- Migrate makefiles and CI/CD by @inteon in #62
- Upgrade repository-base module by @inteon in #66
- Use fixed version for busybox image by @inteon in #73
- Upgrade oci-image module by @inteon in #74
- Use standardised release process by @inteon in #79
- Fix release target and add approver image by @inteon in #87
- [CI] Merge self-upgrade into main by @github-actions in #65
- [CI] Merge self-upgrade into main by @github-actions in #67
- [CI] Merge self-upgrade into main by @github-actions in #68
- [CI] Merge self-upgrade into main by @github-actions in #69
- [CI] Merge self-upgrade into main by @github-actions in #71
- [CI] Merge self-upgrade into main by @github-actions in #72
- [CI] Merge self-upgrade into main by @github-actions in #77
- [CI] Merge self-upgrade into main by @github-actions in #81
- [CI] Merge self-upgrade into main by @github-actions in #83
- [CI] Merge self-upgrade into main by @github-actions in #85
New Contributors
- @jamesglennan made their first contribution in #60
- @github-actions made their first contribution in #65
- @ThatsMrTalbot made their first contribution in #78
Full Changelog: v0.4.1...v0.5.0
v0.5.0-alpha.1
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
This v0.5.0-alpha.1 is a pre-release containing a small bugfix for a bug we found in the v0.5.0-alpha.0 release process.
What's Changed
Full Changelog: v0.5.0-alpha.0...v0.5.0-alpha.1
v0.5.0-alpha.0
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
This v0.5.0-alpha.0 is a pre-release to test the new release process based on cert-manager's Makefile modules system.
What's Changed
- Add certificate requests annotations flag by @jamesglennan in #60
- Migrate to ginkgo v2 by @inteon in #61
- Upgrade 'csi-node-driver-registrar' and 'livenessprobe' by @inteon in #70
- chore: add thatsmrtalbot as reviewer by @ThatsMrTalbot in #78
- Add version info to binary at compile time by @inteon in #75
- Update Chart.yaml properties by @inteon in #82
- Use helm-tool to generate Helm README.md by @inteon in #86
Dependabot updates
- Bump the all group with 8 updates by @dependabot in #64
- Bump the all group with 8 updates by @dependabot in #76
- Bump the all group with 1 update by @dependabot in #84
Makefile updates
- Migrate makefiles and CI/CD by @inteon in #62
- Upgrade repository-base module by @inteon in #66
- Use fixed version for busybox image by @inteon in #73
- Upgrade oci-image module by @inteon in #74
- Use standardised release process by @inteon in #79
- [CI] Merge self-upgrade into main by @github-actions in #65
- [CI] Merge self-upgrade into main by @github-actions in #67
- [CI] Merge self-upgrade into main by @github-actions in #68
- [CI] Merge self-upgrade into main by @github-actions in #69
- [CI] Merge self-upgrade into main by @github-actions in #71
- [CI] Merge self-upgrade into main by @github-actions in #72
- [CI] Merge self-upgrade into main by @github-actions in #77
- [CI] Merge self-upgrade into main by @github-actions in #81
- [CI] Merge self-upgrade into main by @github-actions in #83
- [CI] Merge self-upgrade into main by @github-actions in #85
New Contributors
- @jamesglennan made their first contribution in #60
- @github-actions made their first contribution in #65
- @ThatsMrTalbot made their first contribution in #78
Full Changelog: v0.4.1...v0.5.0-alpha.0
v0.4.1
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
This patch release is mainly to include a variety of dependency updates, including bumping the version of Go, bumping Go dependencies and updating both our base images and the Kubernetes images we depend on.
What's Changed
- Bump deps by @irbekrm in #40
- Helm chart improvements by @inteon in #37
- Update OWNERS file (copied from cert-manager) by @inteon in #43
- Don't include wrong usages in e2e CSR blob by @inteon in #47
- Ensure bindir exists before running certain commands by @SgtCoDFish in #46
- Add dependabot config by @inteon in #44
- Version bumps for CVE-2023-44487 & CVE-2023-39325 by @SgtCoDFish in #48
- Bump the all group with 14 updates by @dependabot in #49
- Tweak golang base image + update dependent container images by @SgtCoDFish in #54
New Contributors
- @inteon made their first contribution in #37
- @dependabot made their first contribution in #49
Full Changelog: v0.4.0...v0.4.1
v0.4.0
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
This release has a couple of helm chart improvements, mostly arising from the work of @kesselborn ! Thanks to them for the contributions, and thanks to anyone using csi-driver-spiffe!
What's Changed
- Change release version to use a v, fixes generation of chart by @SgtCoDFish in #31
- Use /usr/bin/env instead of /bin/bash in hack scripts by @JoshVanL in #22
- Add missing --csi-driver-name option to daemonset by @kesselborn in #24
- Bump helm docs by @SgtCoDFish in #34
- Make data dir configurable by @SgtCoDFish (thanks @kesselborn for the original commit!) in #35
- Bump to v0.4.0 for release by @SgtCoDFish in #36
New Contributors
- @kesselborn made their first contribution in #24
Full Changelog: v0.3.0...v0.4.0
v0.3.0
csi-driver-spiffe is a clean and simple way to get SPIFFE IDs for your Kubernetes pods with minimal dependencies and minimal fuss.
v0.3.0 contains an important change to use P-256 certificates instead of P-521. This should be faster to generate and more widely supported by other tooling which might consume certificates issued by csi-driver-spiffe. In the longer term we'd like to make this configurable, but for now P-256 should be a good compromise in the middle.
None of the changes in this release made should be breaking, so feel free to upgrade and benefit from upgraded dependencies and base images, faster issuance and greater configurability!
What's Changed
- 🚀 Change to use p256 instead of p521 by @SgtCoDFish in #28
- Remove life cycle hook from Daemonset by @JoshVanL in #16
- Support for including imagePullSecrets in Helm by @sitaramkm in #18
- Adds priorityClassName option to helm chart by @JoshVanL in #20
- Ensures that CSI driver sidecar images are latest from registry.k8s.io by @irbekrm in #27
- Update logo to smaller version, fix broken HTML by @SgtCoDFish in #14
- Remove documentation in favour of cert-manager.io by @JoshVanL in #15
- README and example updates by @SgtCoDFish in #25
- Bump go, deps, base images by @SgtCoDFish in #29
- Updates dependencies by @JoshVanL in #21
- Bump helm version, improve install, add chart target by @SgtCoDFish in #26
- Bump versions, fix old info by @SgtCoDFish in #30
New Contributors
- @SgtCoDFish made their first contribution in #14
- @sitaramkm made their first contribution in #18
Full Changelog: v0.2.0...v0.3.0
Note
The container images for this chart were generated with a checkout of the v0.3.0 tag, but the published Helm chart was generated using commit 7d2d103 added in #31 - this is because of a bug in the make target for generating the chart. There are no functional differences and it's nothing to worry about - we simply value being transparent!