v0.16.0

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

Huge thanks to @ciaccotaco for driving some important improvements in this release, including a positive change to root CA bundle caching in #752 and support for setting the maximum number of current reconciliations allowed in #751 (along with #723 by @tlwr).

This release also includes a change which makes it much simpler to mirror container images to self-hosted registries.

There are also several CVE fixes including CVE-2026-27138, CVE-2026-27137, CVE-2026-27142 and CVE-2026-25679.

What's Changed

Features

• Add imageRegistry/imageNamespace to Helm chart image settings by @FelixPhipps in #748
• feat: MaxConcurrentReconciles can be configured by @tlwr in #723
• Add support to helm chart for Max Concurrent Reconciles by @ciaccotaco in #751
• Cache Root CA Bundle in ConfigMap Controller by @ciaccotaco in #752

CI

• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #745
• fix(deps): update module github.com/cert-manager/cert-manager to v1.19.4 by @renovate[bot] in #746
• chore(deps): update actions/setup-go action to v6.3.0 by @renovate[bot] in #747
• fix(deps): update kubernetes go patches to v0.35.2 by @renovate[bot] in #749
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #750
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #753
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.23.2 by @renovate[bot] in #755
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.23.3 by @renovate[bot] in #756
• fix(deps): update module k8s.io/klog/v2 to v2.140.0 by @renovate[bot] in #758
• chore(deps): update docker/login-action action to v4 by @renovate[bot] in #754
• fix(deps): update module google.golang.org/grpc to v1.79.2 by @renovate[bot] in #757
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #759

New Contributors

• @FelixPhipps made their first contribution in #748
• @tlwr made their first contribution in #723
• @ciaccotaco made their first contribution in #751

Full Changelog: v0.15.1...v0.16.0

v0.15.1

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

This patch release is mostly intended to address GO-2026-4394 and CVE-2025-68121

What's Changed

Manual Changes

• Bump otel to address GO-2026-4394 by @SgtCoDFish in #744

Automated Changes

• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #695
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #697
• fix(deps): update module google.golang.org/protobuf to v1.36.11 by @renovate[bot] in #696
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #698
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #699
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #701
• fix(deps): update module istio.io/api to v1.28.2 by @renovate[bot] in #702
• fix(deps): update module google.golang.org/grpc to v1.78.0 by @renovate[bot] in #703
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #704
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #706
• fix(deps): update k8s.io/utils digest to 718f0e5 by @renovate[bot] in #705
• fix(deps): update kubernetes go deps to v0.35.0 by @renovate[bot] in #700
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #707
• fix(deps): update github.com/onsi deps by @renovate[bot] in #708
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #709
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #710
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #711
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.27.5 by @renovate[bot] in #712
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #714
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #717
• chore(deps): update actions/setup-go action to v6.2.0 by @renovate[bot] in #713
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.23.0 by @renovate[bot] in #716
• fix(deps): update module istio.io/api to v1.28.3 by @renovate[bot] in #715
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #718
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #720
• chore(deps): update actions/checkout action to v6.0.2 by @renovate[bot] in #719
• fix(deps): update module sigs.k8s.io/controller-runtime to v0.23.1 by @renovate[bot] in #721
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #722
• fix(deps): update module github.com/onsi/ginkgo/v2 to v2.28.0 by @renovate[bot] in #725
• fix(deps): update github.com/onsi deps by @renovate[bot] in #726
• chore(deps): update docker/login-action digest to c94ce9f by @renovate[bot] in #724
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #727
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #731
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #732
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #733
• fix(deps): update module github.com/cert-manager/cert-manager to v1.19.3 by @renovate[bot] in #730
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #734
• Use correct Renovate preset config by @erikgb in #729
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #735
• fix(deps): update kubernetes go patches to v0.35.1 by @renovate[bot] in #736
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #737
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #739
• fix(deps): update module google.golang.org/grpc to v1.79.1 by @renovate[bot] in #738
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #740
• fix(deps): update module istio.io/api to v1.29.0 by @renovate[bot] in #741
• fix(deps): update istio.io/istio digest to b38ad9e by @renovate[bot] in #691
• fix(deps): update k8s.io/utils digest to b8788ab by @renovate[bot] in #742
• [CI] Merge self-upgrade-main into main by @octo-sts[bot] in #743

Full Changelog: v0.15.0...v0.15.1

v0.15.0

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

This release has been built using Go v1.25.5 to fix CVE-2025-61727 and CVE-2025-61729.
This release also includes multiple dependency upgrades for improved security and stability, including updates to Kubernetes utilities, controller-runtime, and key Go modules.
Thanks to @erikgb for setting up Renovate to automate all the dependency upgrades.

OCI_MANAGER_IMAGE: quay.io/jetstack/cert-manager-istio-csr
OCI_MANAGER_TAG: v0.15.0
HELM_CHART_IMAGE: quay.io/jetstack/charts/cert-manager-istio-csr
HELM_CHART_VERSION: v0.15.0

Full Changelog: v0.14.3...v0.15.0

v0.14.3

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

This release is a patch release, upgrading Go from 1.25.1 to 1.25.3, fixing a range of CVEs: CVE-2025-61724, CVE-2025-58187, CVE-2025-47912, CVE-2025-58183, CVE-2025-61723, CVE-2025-58186, CVE-2025-58185, CVE-2025-58188, and CVE-2025-61725.

Furthermore, additional go dependencies were upgraded where possible.

Full Changelog: v0.14.2...v0.14.3

v0.14.2

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

This patch release is built with Go 1.24.4 which fixes the following vulnerabilities: CVE-2025-22874 and CVE-2025-0913.

helm inspect chart cert-manager-istio-csr --repo https://charts.jetstack.io --version v0.14.2

What's Changed

Dependabot updates

• Bump the all group across 1 directory with 6 updates by @dependabot in #567
• Bump the all group across 1 directory with 10 updates by @dependabot in #559

makefile-modules updates

• [CI] Merge self-upgrade-main into main by @github-actions in #548
• [CI] Merge self-upgrade-main into main by @github-actions in #549
• [CI] Merge self-upgrade-main into main by @github-actions in #552
• [CI] Merge self-upgrade-main into main by @github-actions in #555
• [CI] Merge self-upgrade-main into main by @github-actions in #558
• [CI] Merge self-upgrade-main into main by @github-actions in #562
• [CI] Merge self-upgrade-main into main by @github-actions in #564

Full Changelog: v0.14.1...v0.14.2

v0.14.1

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

This is a patch release with dependency bumps, aiming to fix "vulnerabilities" reported by scanners. We don't know of any specific vulnerability in istio-csr, but we think it's important to make occasional releases with patched dependencies.

What's Changed

Features

• Add dependency licenses to repo and OCI image by @inteon in #539

Dependency upgrades

• Bump istio module dependency + fix jose vulnerability by @SgtCoDFish in #509
• Bump the all group across 1 directory with 13 updates by @dependabot in #511
• Bump the all group across 1 directory with 13 updates by @dependabot in #524
• Bump the all group across 1 directory with 2 updates by @dependabot in #529
• Bump the all group across 1 directory with 7 updates by @dependabot in #536

Makefile module upgrades

#485, #488, #489, #491, #492, #494, #495, #497, #498, #503, #506, #508, #512, #525, #527, #528, #530, #531, #535, #538, #540, #541, #542, #543, #544, #545, #547

Full Changelog: v0.14.0...v0.14.1

v0.14.0

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

v0.14.0 is a minor released focused around dependency upgrades and minor bugfixes. We recommend that all users upgrade to this latest version.

Importantly, this version of istio-csr depends on a patched version of cert-manager providing protections against GHSA-r4pg-vg54-wxx4 when parsing trust bundles - although exploitation would require an attacker to have privileged access inside your cluster and the effects of an exploit would be minimal.

What's Changed

Bug Fixes

• Use istiod- as the prefix for the DNS names for Istio revisions by @wallrj in #454
• Fix helm chart typos by @wallrj in #458
• Use specialised function for decoding trust bundles by @SgtCoDFish in #477
• Fix some more grammatical mistakes and typos in the comments of Helm chart values.yaml by @wallrj in #460

Other

• Add Helm chart OCI release to GH automation by @inteon in #457

Dependency Updates

• Bump the all group with 3 updates by @dependabot in #446
• Bump the all group across 1 directory with 3 updates by @dependabot in #455
• Bump the all group across 1 directory with 6 updates by @dependabot in #462
• Bump the all group across 1 directory with 2 updates by @dependabot in #467
• Bump istio.io/api from 1.24.1 to 1.24.2 in the all group by @dependabot in #468
• Bump the all group across 1 directory with 3 updates by @dependabot in #474
• Bump the all group across 1 directory with 9 updates by @dependabot in #483

Makefile Modules Upgrades

• [CI] Merge self-upgrade-main into main by @github-actions in #445
• [CI] Merge self-upgrade-main into main by @github-actions in #447
• [CI] Merge self-upgrade-main into main by @github-actions in #448
• [CI] Merge self-upgrade-main into main by @github-actions in #450
• [CI] Merge self-upgrade-main into main by @github-actions in #452
• [CI] Merge self-upgrade-main into main by @github-actions in #456
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #461
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #466
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #470
• [CI] Merge self-upgrade-main into main by @github-actions in #476
• [CI] Merge self-upgrade-main into main by @github-actions in #480
• [CI] Merge self-upgrade-main into main by @github-actions in #484

Full Changelog: v0.13.0...v0.14.0

v0.14.0-alpha.0

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

This pre-release is largely for testing some new automation behind the scenes. We don't recommend running this release.

What's Changed

• Use istiod- as the prefix for the DNS names for Istio revisions by @wallrj in #454
• Fix helm chart typos by @wallrj in #458
• Add Helm chart OCI release to GH automation by @inteon in #457
• Fix some more grammatical mistakes and typos in the comments of Helm chart values.yaml by @wallrj in #460

Other

• [CI] Merge self-upgrade-main into main by @github-actions in #445
• [CI] Merge self-upgrade-main into main by @github-actions in #447
• [CI] Merge self-upgrade-main into main by @github-actions in #448
• Bump the all group with 3 updates by @dependabot in #446
• [CI] Merge self-upgrade-main into main by @github-actions in #450
• [CI] Merge self-upgrade-main into main by @github-actions in #452
• [CI] Merge self-upgrade-main into main by @github-actions in #456
• Bump the all group across 1 directory with 3 updates by @dependabot in #455
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #461
• Bump the all group across 1 directory with 6 updates by @dependabot in #462
• [CI] Self-upgrade merging self-upgrade-main into main by @inteon in #466

Full Changelog: v0.13.0...v0.14.0-alpha.0

v0.13.0

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

v0.13.0 includes a change to istio-csr so it works with the latest version of Istio (v1.24).

Specifically, the new version of istio requires that ALPN be set by clients, which istio-csr didn't previously set.

What's Changed

• ⭐ fix: expose ALPN in TLS handshake by @howardjohn in #422
• fix(helm): quote istiodAdditionalDNSNames to support wildcard domains by @ashithwilson in #425
• Use a default (but configurable) test file for istio-csr by @SgtCoDFish in #429
• Various e2e setup tweaks by @SgtCoDFish in #430

New Contributors

• @ashithwilson made their first contribution in #425 🚀
• @howardjohn made their first contribution in #422 🚀

Full Changelog: v0.12.0...v0.13.0

v0.13.0-alpha.0

istio-csr integrates cert-manager into Istio, allowing you to issue workload certificates using the power of cert-manager.

v0.13.0-alpha.0 is a prerelease for testing changes to istio-csr with the new Istio 1.24. Specifically, the new version of istio requires that ALPN be set by clients, which istio-csr didn't previously set.

If you're having issues with istio-csr and Istio 1.24, try this prerelease and please let us know if it works for you!

IMPORTANT: The chart for this release might not be visible in the charts.jetstack.io repository as of when this release is published. You can use the chart attached to this release until it becomes visible.

What's Changed

• ⭐ fix: expose ALPN in TLS handshake by @howardjohn in #422
• fix(helm): quote istiodAdditionalDNSNames to support wildcard domains by @ashithwilson in #425
• Use a default (but configurable) test file for istio-csr by @SgtCoDFish in #429
• Various e2e setup tweaks by @SgtCoDFish in #430

New Contributors

• @ashithwilson made their first contribution in #425 🚀
• @howardjohn made their first contribution in #422 🚀

Full Changelog: v0.12.0...v0.13.0-alpha.0