kubernetes-sigs/secrets-store-csi-driver v1.6.0

on GitHub

v1.6.0 - 2026-04-29

Secret Rotation via RequiresRepublish

The dedicated secret rotation controller has been replaced with the CSI RequiresRepublish mechanism. The CSIDriver now sets requiresRepublish: true, causing kubelet to periodically call NodePublishVolume, which re-fetches secrets from the provider when --enable-secret-rotation=true. The --rotation-poll-interval now acts as a minimum cache duration between rotations. This change removes the need for privileged RBAC permissions (listing pods, secrets, and creating service account tokens) that were previously required by the rotation controller. Rotation-specific RBAC resources (rbac-secretproviderrotation.yaml, rbac-secretprovidertokenrequest.yaml) have been removed and can be cleaned up from manual deployments.

Note: Please review the upgrade notes before upgrading.

Changelog

Bug Fixes 🐞

• fix: set authority to localhost by @aramase in #1953
• fix: configure requiresRepublish value in helm charts and metrics update by @dargudear-google in #1968

Build 🏭

• fix(build): disable provenance and SBOM in buildx to fix manifest cre… by @aramase in #2028

Continuous Integration 💜

• ci: add area/dependency label for dependabot PRs by @aramase in #1802
• ci: use ubuntu-latest for gh workflows by @aramase in #1804
• ci: update azure scripts to use rbac for keyvault permissions by @aramase in #1918
• ci: ignore CVE-2023-2878 false positive from Trivy version detection by @aramase in #1927
• ci: resolve azure e2e test flakes with rbac, windows vm size by @aramase in #1929
• ci: Fix codegen, add GH action verifying it by @stlaz in #1978
• ci: fix action version comments to match pinned SHAs by @aramase in #2017
• ci: add sts.amazonaws.com audience to e2e-helm-deploy tokenRequests by @aramase in #2020
• ci: fix govulncheck tools step with doc.go by @aramase in #2024
• ci: replace broken setup-kind action with direct kind by @aramase in #2031

Documentation 📘

• docs: Add OpenBao provider by @JoeMurray in #1914
• docs: update manifest_staging/charts/secrets-store-csi-driver/README.md by @ThirdEyeSqueegee in #2005
• docs: add missing OpenBao reference to concepts.md by @kangetsu121 in #2015

Features 🌈

• feat: Use RequiresRepublish for secret rotation by @dargudear-google in #1622
• feat: Support CSI serviceAccountTokenInSecrets for Kubernetes 1.35+ by @aramase in #1979

Maintenance 🔧

• chore: bump actions/dependency-review-action from 4.3.4 to 4.6.0 by @dependabot[bot] in #1781
• chore: bump actions/setup-go from 5.3.0 to 5.4.0 by @dependabot[bot] in #1791
• chore: move nilekhc to emeritus_reviewers by @aramase in #1795
• chore: bump golang.org/x/net from 0.37.0 to 0.38.0 in /hack/tools by @dependabot[bot] in #1796
• chore: bump step-security/harden-runner from 2.10.3 to 2.12.0 by @dependabot[bot] in #1799
• chore: bump github/codeql-action from 3.28.8 to 3.28.15 by @dependabot[bot] in #1803
• chore: bump codecov/codecov-action from 5.1.2 to 5.4.2 by @dependabot[bot] in #1790
• chore: bump github.com/google/go-cmp from 0.6.0 to 0.7.0 in /test/e2eprovider by @dependabot[bot] in #1763
• chore: bump actions/checkout from 4.2.1 to 4.2.2 by @dependabot[bot] in #1723
• chore: bump engineerd/setup-kind from 0.5.0 to 0.6.2 by @dependabot[bot] in #1684
• chore: bump github/codeql-action from 3.28.15 to 3.28.16 by @dependabot[bot] in #1806
• chore: bump actions/upload-artifact from 4.5.0 to 4.6.2 by @dependabot[bot] in #1810
• chore: bump ossf/scorecard-action from 2.4.0 to 2.4.1 by @dependabot[bot] in #1807
• chore: bump gaurav-nelson/github-action-markdown-link-check from 1.0.16 to 1.0.17 by @dependabot[bot] in #1809
• chore: bump github/codeql-action from 3.28.16 to 3.28.17 by @dependabot[bot] in #1811
• chore: bump livenessprobe to v2.15.0 and node-driver-registrar to v2.13.0 by @aramase in #1812
• chore: bump actions/setup-go from 5.4.0 to 5.5.0 by @dependabot[bot] in #1815
• chore: bump actions/dependency-review-action from 4.6.0 to 4.7.0 by @dependabot[bot] in #1816
• chore: update to go 1.23.9 by @aramase in #1819
• chore: bump github/codeql-action from 3.28.17 to 3.28.18 by @dependabot[bot] in #1826
• chore: bump actions/dependency-review-action from 4.7.0 to 4.7.1 by @dependabot[bot] in #1828
• chore: bump codecov/codecov-action from 5.4.2 to 5.4.3 by @dependabot[bot] in #1827
• chore: bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @dependabot[bot] in #1839
• chore: bump github/codeql-action from 3.28.18 to 3.28.19 by @dependabot[bot] in #1843
• chore: update debian-base to bookworm-v1.0.5 by @aramase in #1853
• chore: bump github/codeql-action from 3.28.19 to 3.29.2 by @dependabot[bot] in #1866
• chore: bump step-security/harden-runner from 2.12.0 to 2.12.2 by @dependabot[bot] in #1865
• chore: bump golang.org/x/oauth2 from 0.7.0 to 0.27.0 by @dependabot[bot] in #1870
• chore: bump github/codeql-action from 3.29.2 to 3.29.5 by @dependabot[bot] in #1882
• chore: update to go 1.24.6 by @aramase in #1888
• chore: update to go 1.24.7 and bump base image by @aramase in #1915
• chore: Upgrade controller-runtime to v0.18.7 by @johngmyers in #1938
• chore: Take the Go version for codecov and scan-vulns from go.mod by @johngmyers in #1951
• chore: update to go 1.24.9 by @aramase in #1949
• chore: update to go 1.24.11 and bump golang.org/x/crypto to v0.46.0 by @aramase in #1967
• chore: add helm configuration for automountServiceAccountToken by @EladCirt in #1975
• chore: update to go 1.25.6 and kubectl v1.34.3 by @aramase in #1980
• chore: bump livenessprobe and csi-node-driver-registrar by @ThirdEyeSqueegee in #2004
• chore: bump trivy to v0.69.3 by @aramase in #2002
• chore: limit dependabot PRs, replace it with govulncheck, harden GH actions by @aramase in #2010
• chore: bump google.golang.org/grpc from 1.58.3 to 1.79.3 by @dependabot[bot] in #2012
• chore: bump the all group with 9 updates by @dependabot[bot] in #2014
• chore: bump the all group with 4 updates by @dependabot[bot] in #2019
• chore: bump go.opentelemetry.io/otel/sdk from 1.41.0 to 1.43.0 by @dependabot[bot] in #2021
• chore: bump Go to 1.25.9 to resolve CVE-2026-32281, CVE-2026-32288, CVE-2026-32289 by @aramase in #2022
• chore: update project ownership and move ritazh to emeritus by @aramase in #2023
• chore: bump version to v1.6.0 in release-1.6 by @aramase in #2026
• chore: bump version to v1.6.0 in release-1.6 (part 2) by @aramase in #2027

Security Fix 🛡️

• security: bump to go 1.23.10 to resolve CVE-2025-22874 by @aramase in #1846
• security: bump to go 1.25.7 to resolve CVE-2025-68121 by @aramase in #1990

Testing 💚

• test: update aks federated-credential command to add --audiences by @aramase in #1840
• test: add e2e for openbao csi provider by @eyenx in #1902

New Contributors

• @johngmyers made their first contribution in #1938
• @EladCirt made their first contribution in #1975
• @stlaz made their first contribution in #1978
• @JoeMurray made their first contribution in #1914
• @ThirdEyeSqueegee made their first contribution in #2004
• @kangetsu121 made their first contribution in #2015

Full Changelog: v1.5.6...v1.6.0