This page includes instructions for upgrading the driver to the latest version.
helm upgrade csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace=NAMESPACE
NAMESPACE to the same namespace where the driver was originally installed,
If you are upgrading from one of the following versions there may be additional steps that you should take.
v1.0.0-rc.1 and later use the
v1 version of the
CRDs will continue to work, but consider
updating your YAMLs to
The helm chart repository URL has changed to
Run the following commands to update your Helm chart repositories:
helm repo rm secrets-store-csi-driver helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts helm repo update
NOTE: CustomResourceDefinitions (CRDs) have been moved from
crdsdirectory in the helm charts. To manage the lifecycle of the CRDs during install/upgrade, helm
pre-upgradehook has been added. This hook will create a pod that runs only on linux nodes and deploys the CRDs in the Kubernetes cluster.
In case there is an issue with these hooks we recommend backing up your
SecretProviderClasses in case of any issues with the hooks:
kubectl get secretproviderclass -A -o yaml > spc-all-backup.yaml
The filtered watch feature is enabled by default in
nodePublishSecretRef Kubernetes Secrets used in volume mounts
must have the
secrets-store.csi.k8s.io/used=true label otherwise secret
rotations will fail with
failed to get node publish secret errors.
Label these Kubernetes Secrets by running:
kubectl label secret <node publish secret ref name> secrets-store.csi.k8s.io/used=true
syncSecret.enabled=false by default. This means the RBAC clusterrole and clusterrolebinding required for sync mounted content as Kubernetes secret will no longer be created by default as part of
helm install/upgrade. If you’re using the driver to sync mounted content as Kubernetes secret, you’ll need to set
syncSecret.enabled=true as part of
v0.0.20 removed support for non-gRPC based providers. Follow your provider
documentation to upgrade providers to use gRPC before upgrading the driver to
v0.0.20 or greater.
v0.0.17 and earlier installed the driver to the
default namespace when using
the YAML based install. Newer versions of the driver YAML files install the
driver to the
kube-system namespace. After applying the new YAML files to your
cluster run the following to clean up old resources:
kubectl delete daemonset csi-secrets-store --namespace=default kubectl delete daemonset csi-secrets-store-windows --namespace=default kubectl delete serviceaccount secrets-store-csi-driver --namespace=default
SecretProviderClass needs to be in the same namespace as the pod
referencing it as of
Defining driver configuration and provider-specific parameters to the CSI driver
pod.Spec.Volumes has been deprecated in
v0.0.12. It is now mandatory to
SecretProviderClass custom resource.