Upgrade Secrets Store CSI Driver from 1.3.4 to v1.6.0

[amdove]

Summary

Upgrade the default Secrets Store CSI Driver Helm chart from 1.3.4 to v1.6.0 (current latest as of April 2026).

Why this is needed

Chart 1.3.4 was released in June 2023. Running a ~3-year-old CSI driver version on Kubernetes 1.36 clusters (released April 2026) is untested and outside any supported version window. The Secrets Store CSI Driver project follows the Kubernetes supported versions policy, providing compatibility patches only for actively supported Kubernetes minor releases.

This upgrade is a prerequisite for the planned Kubernetes 1.36 upgrade.

Relevant links:

• Secrets Store CSI Driver releases: https://github.com/kubernetes-sigs/secrets-store-csi-driver/releases
• Installation documentation: https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html

Backward compatibility

Secrets Store CSI Driver v1.6.0 specifies a minimum Kubernetes version of 1.30.0 in its Helm chart kubeVersion field. It can be deployed in place on clusters currently running K8s 1.31 through 1.35 — this upgrade can be performed independently of and prior to the Kubernetes 1.36 upgrade.

Note: This only covers the driver itself. The cloud-provider-specific CSI provider (e.g., AWS Secrets Manager provider) should also be reviewed for version compatibility.

Breaking changes in the upgrade

Review the release notes for any changes between 1.3.4 and 1.6.0, particularly around SecretProviderClass API or sync secret behaviour.

Acceptance criteria

• Default Secrets Store CSI Driver version updated to v1.6.0 in workload.go
• AWS Secrets Store CSI provider version reviewed for compatibility with v1.6.0 driver
• Verified secret mounting works correctly on a staging cluster after upgrade