From 6c7c195772654dd6f4c1ab698666306c416e82c3 Mon Sep 17 00:00:00 2001 From: chiragkyal Date: Fri, 15 May 2026 15:16:04 +0530 Subject: [PATCH 1/2] Add Secrets Store CSI driver configuration to ClusterCSIDriver API Extends CSIDriverConfigSpec with a new SecretsStore discriminated union variant containing secretRotation and tokenRequests fields. Signed-off-by: chiragkyal --- .../generated_openapi/zz_generated.openapi.go | 151 +++++++++++++++++- operator/v1/types_csi_cluster_driver.go | 127 ++++++++++++++- ...clustercsidrivers-CustomNoUpgrade.crd.yaml | 103 +++++++++++- ...iver_01_clustercsidrivers-Default.crd.yaml | 103 +++++++++++- ...tercsidrivers-DevPreviewNoUpgrade.crd.yaml | 103 +++++++++++- ...i-driver_01_clustercsidrivers-OKD.crd.yaml | 103 +++++++++++- ...ercsidrivers-TechPreviewNoUpgrade.crd.yaml | 103 +++++++++++- operator/v1/zz_generated.deepcopy.go | 101 ++++++++++++ .../AAA_ungated.yaml | 103 +++++++++++- .../AWSEuropeanSovereignCloudInstall.yaml | 103 +++++++++++- ...igurableMaxAllowedBlockVolumesPerNode.yaml | 103 +++++++++++- .../v1/zz_generated.swagger_doc_generated.go | 55 ++++++- ...clustercsidrivers-CustomNoUpgrade.crd.yaml | 103 +++++++++++- ...iver_01_clustercsidrivers-Default.crd.yaml | 103 +++++++++++- ...tercsidrivers-DevPreviewNoUpgrade.crd.yaml | 103 +++++++++++- ...i-driver_01_clustercsidrivers-OKD.crd.yaml | 103 +++++++++++- ...ercsidrivers-TechPreviewNoUpgrade.crd.yaml | 103 +++++++++++- 17 files changed, 1739 insertions(+), 34 deletions(-) diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 6f65ddbfdf0..019c71890bf 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go 
@@ -1220,6 +1220,10 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/operator/v1.RestartService": schema_openshift_api_operator_v1_RestartService(ref), "github.com/openshift/api/operator/v1.RouteAdmissionPolicy": schema_openshift_api_operator_v1_RouteAdmissionPolicy(ref), "github.com/openshift/api/operator/v1.SFlowConfig": schema_openshift_api_operator_v1_SFlowConfig(ref), + "github.com/openshift/api/operator/v1.SecretsStoreCSIDriverConfigSpec": schema_openshift_api_operator_v1_SecretsStoreCSIDriverConfigSpec(ref), + "github.com/openshift/api/operator/v1.SecretsStoreSecretRotation": schema_openshift_api_operator_v1_SecretsStoreSecretRotation(ref), + "github.com/openshift/api/operator/v1.SecretsStoreTokenRequest": schema_openshift_api_operator_v1_SecretsStoreTokenRequest(ref), + "github.com/openshift/api/operator/v1.SecretsStoreTokenRequests": schema_openshift_api_operator_v1_SecretsStoreTokenRequests(ref), "github.com/openshift/api/operator/v1.Server": schema_openshift_api_operator_v1_Server(ref), "github.com/openshift/api/operator/v1.ServiceAccountIssuerStatus": schema_openshift_api_operator_v1_ServiceAccountIssuerStatus(ref), "github.com/openshift/api/operator/v1.ServiceCA": schema_openshift_api_operator_v1_ServiceCA(ref), 
@@ -52657,7 +52661,7 @@ func schema_openshift_api_operator_v1_CSIDriverConfigSpec(ref common.ReferenceCa Properties: map[string]spec.Schema{ "driverType": { SchemaProps: spec.SchemaProps{ - Description: "driverType indicates type of CSI driver for which the driverConfig is being applied to. Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. Consumers should treat unknown values as a NO-OP.", + Description: "driverType indicates type of CSI driver for which the driverConfig is being applied to. Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP.", Default: "", Type: []string{"string"}, Format: "", @@ -52693,6 +52697,12 @@ func schema_openshift_api_operator_v1_CSIDriverConfigSpec(ref common.ReferenceCa Ref: ref("github.com/openshift/api/operator/v1.VSphereCSIDriverConfigSpec"), }, }, + "secretsStore": { + SchemaProps: spec.SchemaProps{ + Description: "secretsStore is used to configure the Secrets Store CSI driver.", + Ref: ref("github.com/openshift/api/operator/v1.SecretsStoreCSIDriverConfigSpec"), + }, + }, }, Required: []string{"driverType"}, }, @@ -52702,11 +52712,12 @@ func schema_openshift_api_operator_v1_CSIDriverConfigSpec(ref common.ReferenceCa map[string]interface{}{ "discriminator": "driverType", "fields-to-discriminateBy": map[string]interface{}{ - "aws": "AWS", - "azure": "Azure", - "gcp": "GCP", - "ibmcloud": "IBMCloud", - "vSphere": "VSphere", + "aws": "AWS", + "azure": "Azure", + "gcp": "GCP", + "ibmcloud": "IBMCloud", + "secretsStore": "SecretsStore", + "vSphere": "VSphere", }, }, }, 
@@ -52714,7 +52725,7 @@ func schema_openshift_api_operator_v1_CSIDriverConfigSpec(ref common.ReferenceCa }, }, Dependencies: []string{ - "github.com/openshift/api/operator/v1.AWSCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.AzureCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.GCPCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.IBMCloudCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.VSphereCSIDriverConfigSpec"}, + "github.com/openshift/api/operator/v1.AWSCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.AzureCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.GCPCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.IBMCloudCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.SecretsStoreCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.VSphereCSIDriverConfigSpec"}, } } 
@@ -62237,6 +62248,132 @@ func schema_openshift_api_operator_v1_SFlowConfig(ref common.ReferenceCallback) } } +func schema_openshift_api_operator_v1_SecretsStoreCSIDriverConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SecretsStoreCSIDriverConfigSpec defines properties that can be configured for the Secrets Store CSI driver.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "secretRotation": { + SchemaProps: spec.SchemaProps{ + Description: "secretRotation controls automatic secret rotation behavior. When omitted, secret rotation is enabled with a default poll interval of 2 minutes.", + Ref: ref("github.com/openshift/api/operator/v1.SecretsStoreSecretRotation"), + }, + }, + "tokenRequests": { + SchemaProps: spec.SchemaProps{ + Description: "tokenRequests controls service account token configuration for workload identity federation (WIF) with cloud providers.", + Ref: ref("github.com/openshift/api/operator/v1.SecretsStoreTokenRequests"), + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/operator/v1.SecretsStoreSecretRotation", "github.com/openshift/api/operator/v1.SecretsStoreTokenRequests"}, + } +} + +func schema_openshift_api_operator_v1_SecretsStoreSecretRotation(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SecretsStoreSecretRotation configures the automatic secret rotation behavior for the Secrets Store CSI driver.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "policy": { + SchemaProps: spec.SchemaProps{ + Description: "policy controls whether automatic secret rotation is active. When \"Enabled\", the CSIDriver object sets requiresRepublish and the driver re-fetches secrets from providers. 
When \"Disabled\", secrets are only fetched at initial pod mount time.", + Default: "Enabled", + Type: []string{"string"}, + Format: "", + }, + }, + "rotationPollIntervalSeconds": { + SchemaProps: spec.SchemaProps{ + Description: "rotationPollIntervalSeconds is the minimum time in seconds between secret rotation attempts. The driver skips provider calls if less than this interval has elapsed since the last successful rotation. Default is 120 (2 minutes).", + Default: 120, + Type: []string{"integer"}, + Format: "int32", + }, + }, + }, + }, + }, + } +} + +func schema_openshift_api_operator_v1_SecretsStoreTokenRequest(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SecretsStoreTokenRequest specifies a service account token audience configuration for workload identity federation (WIF) with the Secrets Store CSI driver.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "audience": { + SchemaProps: spec.SchemaProps{ + Description: "audience is the intended audience of the service account token. An empty string means the issued token will use the kube-apiserver's default APIAudiences.", + Type: []string{"string"}, + Format: "", + }, + }, + "expirationSeconds": { + SchemaProps: spec.SchemaProps{ + Description: "expirationSeconds is the requested duration of validity of the service account token. The token issuer may return a token with a different validity duration. When omitted, the token expiration is determined by the kube-apiserver. 
Must be at least 600 seconds (10 minutes).", + Type: []string{"integer"}, + Format: "int64", + }, + }, + }, + Required: []string{"audience"}, + }, + }, + } +} + +func schema_openshift_api_operator_v1_SecretsStoreTokenRequests(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SecretsStoreTokenRequests configures how service account tokens are provided to the Secrets Store CSI driver for workload identity federation.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "policy": { + SchemaProps: spec.SchemaProps{ + Description: "policy controls whether the operator manages tokenRequests on the CSIDriver object. When \"Unmanaged\" (default), existing tokenRequests on the CSIDriver are preserved and the audiences list below is ignored. When \"Managed\", the operator sets tokenRequests from the audiences list, replacing any previously configured values. Once set to \"Managed\", policy cannot be reverted back to \"Unmanaged\".", + Default: "Unmanaged", + Type: []string{"string"}, + Format: "", + }, + }, + "audiences": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "audiences specifies service account token audiences that kubelet will provide to the CSI driver during NodePublishVolume calls. These tokens enable workload identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. 
Only honored when policy is \"Managed\".", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/operator/v1.SecretsStoreTokenRequest"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/operator/v1.SecretsStoreTokenRequest"}, + } +} + func schema_openshift_api_operator_v1_Server(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/operator/v1/types_csi_cluster_driver.go b/operator/v1/types_csi_cluster_driver.go index 52f5db78d51..dc19f171873 100644 --- a/operator/v1/types_csi_cluster_driver.go +++ b/operator/v1/types_csi_cluster_driver.go 
@@ -113,25 +113,27 @@ type ClusterCSIDriverSpec struct { } // CSIDriverType indicates type of CSI driver being configured. -// +kubebuilder:validation:Enum="";AWS;Azure;GCP;IBMCloud;vSphere +// +kubebuilder:validation:Enum="";AWS;Azure;GCP;IBMCloud;vSphere;SecretsStore type CSIDriverType string const ( - AWSDriverType CSIDriverType = "AWS" - AzureDriverType CSIDriverType = "Azure" - GCPDriverType CSIDriverType = "GCP" - IBMCloudDriverType CSIDriverType = "IBMCloud" - VSphereDriverType CSIDriverType = "vSphere" + AWSDriverType CSIDriverType = "AWS" + AzureDriverType CSIDriverType = "Azure" + GCPDriverType CSIDriverType = "GCP" + IBMCloudDriverType CSIDriverType = "IBMCloud" + VSphereDriverType CSIDriverType = "vSphere" + SecretsStoreDriverType CSIDriverType = "SecretsStore" ) // CSIDriverConfigSpec defines configuration spec that can be // used to optionally configure a specific CSI Driver. // +kubebuilder:validation:XValidation:rule="has(self.driverType) && self.driverType == 'IBMCloud' ? has(self.ibmcloud) : !has(self.ibmcloud)",message="ibmcloud must be set if driverType is 'IBMCloud', but remain unset otherwise" +// +kubebuilder:validation:XValidation:rule="has(self.driverType) && self.driverType == 'SecretsStore' ? has(self.secretsStore) : !has(self.secretsStore)",message="secretsStore must be set if driverType is 'SecretsStore', but remain unset otherwise" // +union type CSIDriverConfigSpec struct { // driverType indicates type of CSI driver for which the // driverConfig is being applied to. - // Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + // Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. // Consumers should treat unknown values as a NO-OP. // +required // +unionDiscriminator 
@@ -156,6 +158,10 @@ type CSIDriverConfigSpec struct {
 	// vSphere is used to configure the vsphere CSI driver.
 	// +optional
 	VSphere *VSphereCSIDriverConfigSpec `json:"vSphere,omitempty"`
+
+	// secretsStore is used to configure the Secrets Store CSI driver.
+	// +optional
+	SecretsStore *SecretsStoreCSIDriverConfigSpec `json:"secretsStore,omitempty"`
 }
 
 // AWSCSIDriverConfigSpec defines properties that can be configured for the AWS CSI driver.
@@ -389,6 +395,113 @@ type VSphereCSIDriverConfigSpec struct { MaxAllowedBlockVolumesPerNode int32 `json:"maxAllowedBlockVolumesPerNode,omitempty"` } +// SecretsStoreCSIDriverConfigSpec defines properties that can be configured for the Secrets Store CSI driver. +// +kubebuilder:validation:MinProperties=1 +// +kubebuilder:validation:XValidation:rule="!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy != 'Managed' || (has(self.tokenRequests) && self.tokenRequests.policy == 'Managed')",message="tokenRequests cannot be removed when policy is Managed" +type SecretsStoreCSIDriverConfigSpec struct { + // secretRotation controls automatic secret rotation behavior. + // When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + // +optional + SecretRotation *SecretsStoreSecretRotation `json:"secretRotation,omitempty"` + + // tokenRequests controls service account token configuration for + // workload identity federation (WIF) with cloud providers. + // +optional + TokenRequests *SecretsStoreTokenRequests `json:"tokenRequests,omitempty"` +} + +// TokenRequestsPolicy determines how the operator manages the tokenRequests +// field on the storage.k8s.io CSIDriver object. +// +kubebuilder:validation:Enum=Managed;Unmanaged +type TokenRequestsPolicy string + +const ( + // TokenRequestsManaged means the operator uses the audiences list + // as the sole source of truth for the CSIDriver.spec.tokenRequests field. + TokenRequestsManaged TokenRequestsPolicy = "Managed" + + // TokenRequestsUnmanaged means the operator preserves any existing + // tokenRequests already configured on the CSIDriver object and does not + // overwrite them. + TokenRequestsUnmanaged TokenRequestsPolicy = "Unmanaged" +) + +// SecretsStoreTokenRequests configures how service account tokens are +// provided to the Secrets Store CSI driver for workload identity federation. 
+// +kubebuilder:validation:MinProperties=1 +type SecretsStoreTokenRequests struct { + // policy controls whether the operator manages tokenRequests on the + // CSIDriver object. + // When "Unmanaged" (default), existing tokenRequests on the CSIDriver + // are preserved and the audiences list below is ignored. + // When "Managed", the operator sets tokenRequests from the audiences + // list, replacing any previously configured values. + // Once set to "Managed", policy cannot be reverted back to "Unmanaged". + // +default="Unmanaged" + // +kubebuilder:validation:XValidation:rule="oldSelf != 'Managed' || self == 'Managed'",message="policy cannot be changed from Managed back to Unmanaged" + // +optional + Policy TokenRequestsPolicy `json:"policy,omitempty"` + + // audiences specifies service account token audiences that kubelet will + // provide to the CSI driver during NodePublishVolume calls. These tokens + // enable workload identity federation (WIF) with cloud providers such as + // AWS, Azure, and GCP. + // Only honored when policy is "Managed". + // +optional + // +listType=atomic + // +kubebuilder:validation:MaxItems=10 + Audiences []SecretsStoreTokenRequest `json:"audiences,omitempty"` +} + +// SecretRotationPolicy determines whether automatic secret rotation is active +// for the Secrets Store CSI driver. +// +kubebuilder:validation:Enum=Enabled;Disabled +type SecretRotationPolicy string + +const ( + SecretRotationEnabled SecretRotationPolicy = "Enabled" + SecretRotationDisabled SecretRotationPolicy = "Disabled" +) + +// SecretsStoreSecretRotation configures the automatic secret rotation behavior +// for the Secrets Store CSI driver. +// +kubebuilder:validation:MinProperties=1 +type SecretsStoreSecretRotation struct { + // policy controls whether automatic secret rotation is active. + // When "Enabled", the CSIDriver object sets requiresRepublish and the driver + // re-fetches secrets from providers. 
+ // When "Disabled", secrets are only fetched at initial pod mount time. + // +default="Enabled" + // +optional + Policy SecretRotationPolicy `json:"policy,omitempty"` + + // rotationPollIntervalSeconds is the minimum time in seconds between secret + // rotation attempts. The driver skips provider calls if less than this interval + // has elapsed since the last successful rotation. + // Default is 120 (2 minutes). + // +default=120 + // +optional + RotationPollIntervalSeconds *int32 `json:"rotationPollIntervalSeconds,omitempty"` +} + +// SecretsStoreTokenRequest specifies a service account token audience configuration +// for workload identity federation (WIF) with the Secrets Store CSI driver. +type SecretsStoreTokenRequest struct { + // audience is the intended audience of the service account token. + // An empty string means the issued token will use the kube-apiserver's default APIAudiences. + // +kubebuilder:validation:MinLength=0 + // +kubebuilder:validation:MaxLength=253 + // +required + Audience *string `json:"audience,omitempty"` + + // expirationSeconds is the requested duration of validity of the service account token. + // The token issuer may return a token with a different validity duration. + // When omitted, the token expiration is determined by the kube-apiserver. + // Must be at least 600 seconds (10 minutes). + // +optional + ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"` +} + // ClusterCSIDriverStatus is the observed status of CSI driver operator type ClusterCSIDriverStatus struct { OperatorStatus `json:",inline"` diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml index 19b319fcb8d..ce8939c182e 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml 
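Review bot: The "Must be at least 600 seconds (10 minutes)" contract on `ExpirationSeconds` in `SecretsStoreTokenRequest` is documentation only — the field carries no `+kubebuilder:validation:Minimum` marker and the generated CRD manifests in this patch have no `minimum` for it, so a ClusterCSIDriver with a smaller value is admitted here and, as far as I recall, only rejected later when the operator copies it into the storage.k8s.io CSIDriver object, which enforces that bound. Adding `// +kubebuilder:validation:Minimum=600` above the `+optional` marker on the field makes the error surface at admission instead. `RotationPollIntervalSeconds` has the same gap: it is documented as the minimum interval between provider calls, yet 0 and negative values pass the schema, so `// +kubebuilder:validation:Minimum=1` would stop a typo from turning the rotation loop into continuous polling (how the operator treats a non-positive value is not visible here, so that consequence is an inference). `Audiences` is `listType=atomic` with `MaxItems=10` but nothing rejects two entries with the same `audience`; a field-level rule such as `// +kubebuilder:validation:XValidation:rule="self.all(a, self.filter(b, b.audience == a.audience).size() == 1)",message="audiences must not contain duplicate audience values"` would catch that before the list reaches the CSIDriver. Separately, the Managed ratchet on `tokenRequests` and `policy` only guards transitions inside `SecretsStoreCSIDriverConfigSpec`; nothing visible in this patch prevents dropping the whole `secretsStore` object (the outer rule on `CSIDriverConfigSpec` is not a transition rule), so if `Managed` is meant to be sticky it likely needs an `oldSelf` guard one level up as well — hedged, since `driverConfig`'s own optionality is outside this hunk.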
+++ b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -328,6 +425,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml index 5bb6bdddcfb..7e9e6471699 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -313,6 +410,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml index a03dd7d88db..71662414f08 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -328,6 +425,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml index 0e925a75110..54196a1c12d 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -313,6 +410,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml index 3dc68028e00..ecf8e0f6ffa 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -328,6 +425,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.deepcopy.go b/operator/v1/zz_generated.deepcopy.go index 3d3c8f4f825..1235c4412b0 100644 --- a/operator/v1/zz_generated.deepcopy.go +++ b/operator/v1/zz_generated.deepcopy.go @@ -469,6 +469,11 @@ func (in *CSIDriverConfigSpec) DeepCopyInto(out *CSIDriverConfigSpec) { *out = new(VSphereCSIDriverConfigSpec) (*in).DeepCopyInto(*out) } + if in.SecretsStore != nil { + in, out := &in.SecretsStore, &out.SecretsStore + *out = new(SecretsStoreCSIDriverConfigSpec) + (*in).DeepCopyInto(*out) + } return } 
@@ -4869,6 +4874,102 @@ func (in *SFlowConfig) DeepCopy() *SFlowConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsStoreCSIDriverConfigSpec) DeepCopyInto(out *SecretsStoreCSIDriverConfigSpec) { + *out = *in + if in.SecretRotation != nil { + in, out := &in.SecretRotation, &out.SecretRotation + *out = new(SecretsStoreSecretRotation) + (*in).DeepCopyInto(*out) + } + if in.TokenRequests != nil { + in, out := &in.TokenRequests, &out.TokenRequests + *out = new(SecretsStoreTokenRequests) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsStoreCSIDriverConfigSpec. +func (in *SecretsStoreCSIDriverConfigSpec) DeepCopy() *SecretsStoreCSIDriverConfigSpec { + if in == nil { + return nil + } + out := new(SecretsStoreCSIDriverConfigSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsStoreSecretRotation) DeepCopyInto(out *SecretsStoreSecretRotation) { + *out = *in + if in.RotationPollIntervalSeconds != nil { + in, out := &in.RotationPollIntervalSeconds, &out.RotationPollIntervalSeconds + *out = new(int32) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsStoreSecretRotation. +func (in *SecretsStoreSecretRotation) DeepCopy() *SecretsStoreSecretRotation { + if in == nil { + return nil + } + out := new(SecretsStoreSecretRotation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretsStoreTokenRequest) DeepCopyInto(out *SecretsStoreTokenRequest) { + *out = *in + if in.Audience != nil { + in, out := &in.Audience, &out.Audience + *out = new(string) + **out = **in + } + if in.ExpirationSeconds != nil { + in, out := &in.ExpirationSeconds, &out.ExpirationSeconds + *out = new(int64) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsStoreTokenRequest. +func (in *SecretsStoreTokenRequest) DeepCopy() *SecretsStoreTokenRequest { + if in == nil { + return nil + } + out := new(SecretsStoreTokenRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsStoreTokenRequests) DeepCopyInto(out *SecretsStoreTokenRequests) { + *out = *in + if in.Audiences != nil { + in, out := &in.Audiences, &out.Audiences + *out = make([]SecretsStoreTokenRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsStoreTokenRequests. +func (in *SecretsStoreTokenRequests) DeepCopy() *SecretsStoreTokenRequests { + if in == nil { + return nil + } + out := new(SecretsStoreTokenRequests) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Server) DeepCopyInto(out *Server) { *out = *in diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml index 12aeaee8795..2895e3fa1e4 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml 
+++ b/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml @@ -167,7 +167,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -176,6 +176,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -241,6 +242,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -293,6 +390,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AWSEuropeanSovereignCloudInstall.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AWSEuropeanSovereignCloudInstall.yaml index 1aeaf6ae0f2..8b56b81fc3a 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AWSEuropeanSovereignCloudInstall.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AWSEuropeanSovereignCloudInstall.yaml @@ -167,7 +167,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -176,6 +176,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -241,6 +242,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -293,6 +390,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml index f7696f5e1b9..b6d0de57fc5 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml @@ -163,7 +163,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -172,6 +172,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -237,6 +238,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -304,6 +401,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go index c3ed726028d..8b9519ecc28 100644 --- a/operator/v1/zz_generated.swagger_doc_generated.go +++ b/operator/v1/zz_generated.swagger_doc_generated.go 
@@ -515,13 +515,14 @@ func (AzureDiskEncryptionSet) SwaggerDoc() map[string]string { } var map_CSIDriverConfigSpec = map[string]string{ - "": "CSIDriverConfigSpec defines configuration spec that can be used to optionally configure a specific CSI Driver.", - "driverType": "driverType indicates type of CSI driver for which the driverConfig is being applied to. Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. Consumers should treat unknown values as a NO-OP.", - "aws": "aws is used to configure the AWS CSI driver.", - "azure": "azure is used to configure the Azure CSI driver.", - "gcp": "gcp is used to configure the GCP CSI driver.", - "ibmcloud": "ibmcloud is used to configure the IBM Cloud CSI driver.", - "vSphere": "vSphere is used to configure the vsphere CSI driver.", + "": "CSIDriverConfigSpec defines configuration spec that can be used to optionally configure a specific CSI Driver.", + "driverType": "driverType indicates type of CSI driver for which the driverConfig is being applied to. Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP.", + "aws": "aws is used to configure the AWS CSI driver.", + "azure": "azure is used to configure the Azure CSI driver.", + "gcp": "gcp is used to configure the GCP CSI driver.", + "ibmcloud": "ibmcloud is used to configure the IBM Cloud CSI driver.", + "vSphere": "vSphere is used to configure the vsphere CSI driver.", + "secretsStore": "secretsStore is used to configure the Secrets Store CSI driver.", } func (CSIDriverConfigSpec) SwaggerDoc() map[string]string { 
@@ -596,6 +597,46 @@ func (IBMCloudCSIDriverConfigSpec) SwaggerDoc() map[string]string { return map_IBMCloudCSIDriverConfigSpec } +var map_SecretsStoreCSIDriverConfigSpec = map[string]string{ + "": "SecretsStoreCSIDriverConfigSpec defines properties that can be configured for the Secrets Store CSI driver.", + "secretRotation": "secretRotation controls automatic secret rotation behavior. When omitted, secret rotation is enabled with a default poll interval of 2 minutes.", + "tokenRequests": "tokenRequests controls service account token configuration for workload identity federation (WIF) with cloud providers.", +} + +func (SecretsStoreCSIDriverConfigSpec) SwaggerDoc() map[string]string { + return map_SecretsStoreCSIDriverConfigSpec +} + +var map_SecretsStoreSecretRotation = map[string]string{ + "": "SecretsStoreSecretRotation configures the automatic secret rotation behavior for the Secrets Store CSI driver.", + "policy": "policy controls whether automatic secret rotation is active. When \"Enabled\", the CSIDriver object sets requiresRepublish and the driver re-fetches secrets from providers. When \"Disabled\", secrets are only fetched at initial pod mount time.", + "rotationPollIntervalSeconds": "rotationPollIntervalSeconds is the minimum time in seconds between secret rotation attempts. The driver skips provider calls if less than this interval has elapsed since the last successful rotation. Default is 120 (2 minutes).", +} + +func (SecretsStoreSecretRotation) SwaggerDoc() map[string]string { + return map_SecretsStoreSecretRotation +} + +var map_SecretsStoreTokenRequest = map[string]string{ + "": "SecretsStoreTokenRequest specifies a service account token audience configuration for workload identity federation (WIF) with the Secrets Store CSI driver.", + "audience": "audience is the intended audience of the service account token. 
An empty string means the issued token will use the kube-apiserver's default APIAudiences.", + "expirationSeconds": "expirationSeconds is the requested duration of validity of the service account token. The token issuer may return a token with a different validity duration. When omitted, the token expiration is determined by the kube-apiserver. Must be at least 600 seconds (10 minutes).", +} + +func (SecretsStoreTokenRequest) SwaggerDoc() map[string]string { + return map_SecretsStoreTokenRequest +} + +var map_SecretsStoreTokenRequests = map[string]string{ + "": "SecretsStoreTokenRequests configures how service account tokens are provided to the Secrets Store CSI driver for workload identity federation.", + "policy": "policy controls whether the operator manages tokenRequests on the CSIDriver object. When \"Unmanaged\" (default), existing tokenRequests on the CSIDriver are preserved and the audiences list below is ignored. When \"Managed\", the operator sets tokenRequests from the audiences list, replacing any previously configured values. Once set to \"Managed\", policy cannot be reverted back to \"Unmanaged\".", + "audiences": "audiences specifies service account token audiences that kubelet will provide to the CSI driver during NodePublishVolume calls. These tokens enable workload identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. Only honored when policy is \"Managed\".", +} + +func (SecretsStoreTokenRequests) SwaggerDoc() map[string]string { + return map_SecretsStoreTokenRequests +} + var map_VSphereCSIDriverConfigSpec = map[string]string{ "": "VSphereCSIDriverConfigSpec defines properties that can be configured for vsphere CSI driver.", "topologyCategories": "topologyCategories indicates tag categories with which vcenter resources such as hostcluster or datacenter were tagged with. 
If cluster Infrastructure object has a topology, values specified in Infrastructure object will be used and modifications to topologyCategories will be rejected.", diff --git a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml index 19b319fcb8d..ce8939c182e 100644 --- a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -328,6 +425,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml index 5bb6bdddcfb..7e9e6471699 100644 --- a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml +++ b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -313,6 +410,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml index a03dd7d88db..71662414f08 100644 --- a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -328,6 +425,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml index 0e925a75110..54196a1c12d 100644 --- a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml +++ b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -313,6 +410,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml index 3dc68028e00..ecf8e0f6ffa 100644 --- a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,102 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + minProperties: 1 + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + minProperties: 1 + properties: + policy: + default: Enabled + description: |- + policy controls whether automatic secret rotation is active. + When "Enabled", the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When "Disabled", secrets are only fetched at initial pod mount time. + enum: + - Enabled + - Disabled + type: string + rotationPollIntervalSeconds: + default: 120 + description: |- + rotationPollIntervalSeconds is the minimum time in seconds between secret + rotation attempts. The driver skips provider calls if less than this interval + has elapsed since the last successful rotation. + Default is 120 (2 minutes). + format: int32 + type: integer + type: object + tokenRequests: + description: |- + tokenRequests controls service account token configuration for + workload identity federation (WIF) with cloud providers. + minProperties: 1 + properties: + audiences: + description: |- + audiences specifies service account token audiences that kubelet will + provide to the CSI driver during NodePublishVolume calls. These tokens + enable workload identity federation (WIF) with cloud providers such as + AWS, Azure, and GCP. + Only honored when policy is "Managed". + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. 
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences. + maxLength: 253 + minLength: 0 + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. + The token issuer may return a token with a different validity duration. + When omitted, the token expiration is determined by the kube-apiserver. + Must be at least 600 seconds (10 minutes). + format: int64 + type: integer + required: + - audience + type: object + maxItems: 10 + type: array + x-kubernetes-list-type: atomic + policy: + default: Unmanaged + description: |- + policy controls whether the operator manages tokenRequests on the + CSIDriver object. + When "Unmanaged" (default), existing tokenRequests on the CSIDriver + are preserved and the audiences list below is ignored. + When "Managed", the operator sets tokenRequests from the audiences + list, replacing any previously configured values. + Once set to "Managed", policy cannot be reverted back to "Unmanaged". + enum: + - Managed + - Unmanaged + type: string + x-kubernetes-validations: + - message: policy cannot be changed from Managed back + to Unmanaged + rule: oldSelf != 'Managed' || self == 'Managed' + type: object + type: object + x-kubernetes-validations: + - message: tokenRequests cannot be removed when policy is Managed + rule: '!has(oldSelf.tokenRequests) || oldSelf.tokenRequests.policy + != ''Managed'' || (has(self.tokenRequests) && self.tokenRequests.policy + == ''Managed'')' vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: 
@@ -328,6 +425,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- From 7a40d90739fffe6eb19320993439b78a6260b523 Mon Sep 17 00:00:00 2001 From: chiragkyal Date: Tue, 2 Jun 2026 16:12:41 +0530 Subject: [PATCH 2/2] Add API integration tests Signed-off-by: chiragkyal --- .../AAA_ungated.yaml | 489 ++++++++++++++++++ 1 file changed, 489 insertions(+) diff --git a/operator/v1/tests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/tests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml index f9370ef9c9a..d37ea12f1d4 100644 --- a/operator/v1/tests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml +++ b/operator/v1/tests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml 
@@ -39,3 +39,492 @@ tests:
 driverType: IBMCloud
 ibmcloud: {}
 expectedError: "spec.driverConfig.ibmcloud.encryptionKeyCRN: Required value, : Invalid value: \"null\": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation"
+ - name: SecretsStore driverType must have secretsStore spec
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ expectedError: "Invalid value: \"object\": secretsStore must be set if driverType is 'SecretsStore', but remain unset otherwise"
+ - name: SecretsStore spec must not be set without SecretsStore driverType
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: AWS
+ secretsStore:
+ secretRotation:
+ policy: Enabled
+ expectedError: "Invalid value: \"object\": secretsStore must be set if driverType is 'SecretsStore', but remain unset otherwise"
+ - name: Should create SecretsStore with secretRotation defaults
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ secretRotation:
+ policy: Enabled
+ expected: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ logLevel: Normal
+ operatorLogLevel: Normal
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ secretRotation:
+ policy: Enabled
+ rotationPollIntervalSeconds: 120
+ - name: Should create SecretsStore with tokenRequests defaults
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ expected: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ logLevel: Normal
+ operatorLogLevel: Normal
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ - name: Should create SecretsStore with Unmanaged tokenRequests policy default
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ audiences:
+ - audience: "sts.amazonaws.com"
+ expected: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ logLevel: Normal
+ operatorLogLevel: Normal
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Unmanaged
+ audiences:
+ - audience: "sts.amazonaws.com"
+ - name: Should create SecretsStore with rotation disabled
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ secretRotation:
+ policy: Disabled
+ expected: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ logLevel: Normal
+ operatorLogLevel: Normal
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ secretRotation:
+ policy: Disabled
+ rotationPollIntervalSeconds: 120
+ - name: Should create SecretsStore with full configuration
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ secretRotation:
+ policy: Enabled
+ rotationPollIntervalSeconds: 300
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ expirationSeconds: 3600
+ - audience: "api://AzureADTokenExchange"
+ expected: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ logLevel: Normal
+ operatorLogLevel: Normal
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ secretRotation:
+ policy: Enabled
+ rotationPollIntervalSeconds: 300
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ expirationSeconds: 3600
+ - audience: "api://AzureADTokenExchange"
+ - name: Should reject empty secretsStore struct
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore: {}
+ expectedError: "spec.driverConfig.secretsStore: Invalid value"
+ - name: Should reject empty secretRotation struct
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ secretRotation: {}
+ expectedError: "spec.driverConfig.secretsStore.secretRotation: Invalid value"
+ - name: Should reject empty tokenRequests struct
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests: {}
+ expectedError: "spec.driverConfig.secretsStore.tokenRequests: Invalid value"
+ - name: Should allow empty audience string for kube-apiserver default
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: ""
+ expected: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ logLevel: Normal
+ operatorLogLevel: Normal
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: ""
+ - name: Should allow Managed policy with no audiences to clear tokenRequests
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ expected: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ logLevel: Normal
+ operatorLogLevel: Normal
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ - name: Should allow audience with expirationSeconds
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ expirationSeconds: 7200
+ expected: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ logLevel: Normal
+ operatorLogLevel: Normal
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ expirationSeconds: 7200
+ - name: Should allow multiple audiences for multi-cloud WIF
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ expirationSeconds: 3600
+ - audience: "api://AzureADTokenExchange"
+ - audience: "https://accounts.google.com"
+ expected: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ logLevel: Normal
+ operatorLogLevel: Normal
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ expirationSeconds: 3600
+ - audience: "api://AzureADTokenExchange"
+ - audience: "https://accounts.google.com"
+ - name: Should reject invalid secretRotation policy enum
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ secretRotation:
+ policy: Invalid
+ expectedError: "spec.driverConfig.secretsStore.secretRotation.policy"
+ - name: Should reject invalid tokenRequests policy enum
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Invalid
+ expectedError: "spec.driverConfig.secretsStore.tokenRequests.policy"
+ onUpdate:
+ - name: Should not allow reverting tokenRequests policy from Managed to Unmanaged
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ updated: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Unmanaged
+ expectedError: "policy cannot be changed from Managed back to Unmanaged"
+ - name: Should not allow removing tokenRequests when policy was Managed
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ updated: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ secretRotation:
+ policy: Enabled
+ expectedError: "tokenRequests cannot be removed when policy is Managed"
+ - name: Should allow changing tokenRequests policy from Unmanaged to Managed
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Unmanaged
+ updated: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ expected: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ logLevel: Normal
+ operatorLogLevel: Normal
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ - name: Should allow updating audiences when policy is Managed
+ initial: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ updated: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ - audience: "api://AzureADTokenExchange"
+ expected: |
+ apiVersion: operator.openshift.io/v1
+ kind: ClusterCSIDriver
+ metadata:
+ name: secrets-store.csi.k8s.io
+ spec:
+ logLevel: Normal
+ operatorLogLevel: Normal
+ driverConfig:
+ driverType: SecretsStore
+ secretsStore:
+ tokenRequests:
+ policy: Managed
+ audiences:
+ - audience: "sts.amazonaws.com"
+ - audience: "api://AzureADTokenExchange"
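Review bot: None of the new cases exercises the documented floor on `expirationSeconds` ("Must be at least 600 seconds"): the positive cases use 3600 and 7200, and there is no `expectedError` case for a shorter lifetime, so a short-lived-token bound that matters for these projected service-account tokens is untested. That gap is worth closing because the generated CRD schema in the first patch shows only `format: int64` and `type: integer` under expirationSeconds with no `minimum`, which suggests the 10-minute floor currently lives only in the description text and would not be enforced by the API server. Add a negative case such as `- audience: "sts.amazonaws.com"` / `expirationSeconds: 599` under a Managed tokenRequests with `expectedError: "spec.driverConfig.secretsStore.tokenRequests.audiences[0].expirationSeconds"`, and if the floor is intended, back it with a `+kubebuilder:validation:Minimum=600` marker on the Go field so the CRD carries `minimum: 600`. The `maxItems: 10` on audiences and `maxLength: 253` on audience are likewise left without a boundary case in this file.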