Add Secrets Store CSI driver configuration to ClusterCSIDriver API

[chiragkyal]

Summary

• Adds SecretsStore as a new CSIDriverType enum value in the
  ClusterCSIDriver API (operator.openshift.io/v1)

• Introduces SecretsStoreCSIDriverConfigSpec with configuration for:

  • Secret rotation: toggle automatic rotation on/off and configure
    the poll interval (defaults to enabled with 2m interval)
  • Token requests: configure service account token audiences for
    workload identity federation (WIF)

• Implements: SSCSI-254: Configurable secret rotation and WIF support for SSCSI enhancements#2012

Summary by CodeRabbit

• New Features
  • Added support for the SecretsStore CSI driver type.
  • Introduced secret rotation configuration with policy and polling interval settings.
  • Added token request configuration for workload identity federation with audience and expiration settings.
  • Implemented validation rules to ensure secrets store configuration is only present when using the SecretsStore driver type.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

Hello @chiragkyal! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This pull request extends the CSI driver configuration API to support Secrets Store drivers. The Go API type CSIDriverType gains a new SecretsStore constant, CSIDriverConfigSpec gains a new secretsStore union field, and three new configuration struct types are introduced: SecretsStoreCSIDriverConfigSpec, SecretsStoreSecretRotation, and SecretsStoreTokenRequest. The corresponding CRD schemas in all five cluster-profile variants are updated with matching enum extensions, secretsStore schema definitions, and x-kubernetes-validations that require secretsStore presence only when driverType is SecretsStore.

Changes

Secrets Store CSI driver support

Layer / File(s)	Summary
API types and constants operator/v1/types_csi_cluster_driver.go	Adds SecretsStore to CSIDriverType and a SecretsStore constant; adds secretsStore *SecretsStoreCSIDriverConfigSpec to CSIDriverConfigSpec; introduces SecretsStoreCSIDriverConfigSpec, SecretsStoreSecretRotation, SecretRotationPolicy and SecretsStoreTokenRequest Go types with kubebuilder validation/default tags.
CRD schemas and generated manifests operator/v1/zz_generated.crd-manifests/*, operator/v1/zz_generated.featuregated-crd-manifests/*, payload-manifests/crds/*	Extends spec.driverConfig.driverType enum to include SecretsStore; adds spec.driverConfig.secretsStore schema (with secretRotation and tokenRequests fields, defaults and validation) across generated CRDs, feature-gated manifests, and payload manifests; adds x-kubernetes-validations to require secretsStore iff driverType == "SecretsStore".

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately summarizes the main change: adding Secrets Store CSI driver configuration support to the ClusterCSIDriver API. It is clear, specific, and directly related to the primary modification.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo test files. Changes are limited to Go type definitions, CRD manifests, and generated code - not test code.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code additions or modifications. Check not applicable: only API types and CRD manifests were changed.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. Changes consist only of Go API types and CRD YAML manifests for Secrets Store CSI driver support.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Changes are limited to API type definitions and CRD YAML manifests. The SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	Pure API definition change (Go types and CRD schemas) with no deployment manifests, operators, pods, or scheduling constraints. Not applicable to topology-aware check.
Ote Binary Stdout Contract	✅ Passed	PR modifies only API type definitions and CRD YAML files. The Go file contains only struct definitions with no process-level code or stdout-writing operations.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests are present in this PR; it contains only API definitions and auto-generated CRD manifests for Secrets Store CSI driver configuration. The check is not applicable.
No-Weak-Crypto	✅ Passed	PR adds SecretsStore CSI driver API types and CRD schemas. No weak crypto implementations found: no MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB mode, custom crypto, or non-constant-time comparisons.
Container-Privileges	✅ Passed	PR modifies only API type definitions and CRD schemas, not container specifications. No container privilege flags are present.
No-Sensitive-Data-In-Logs	✅ Passed	No logging of sensitive data found. PR adds type definitions with no logging statements or error handling that exposes tokens, credentials, or PII.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[chiragkyal]

/test all

[chiragkyal]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@operator/v1/types_csi_cluster_driver.go`:
- Around line 405-411: Update the field comments for TokenRequests (type
SecretsStoreTokenRequest) and the expirationSeconds field to document the
default behavior when omitted: state that if TokenRequests is nil/empty, no
service account tokens will be requested and the CSI driver will use the
kube-apiserver's default APIAudiences (or no tokens provided), and if
expirationSeconds is omitted the token lifetime defaults to the kubelet/cluster
provider default (or a specific default value used by the implementation).
Modify the comment blocks adjacent to the TokenRequests declaration and the
expirationSeconds declaration to include these omission semantics and expected
default values/behavior so the optional nature is clear.
- Around line 162-165: The new stable API field SecretsStore
(*SecretsStoreCSIDriverConfigSpec) must be gated with an OpenShift feature gate;
add the kubebuilder marker comment
+openshift:enable:FeatureGate=YourFeatureGateName immediately above the
`SecretsStore` field declaration (the SecretsStore
*SecretsStoreCSIDriverConfigSpec line) so the field is only enabled when the
feature gate is on, and update any related docs/tests to use that feature gate
name.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c45c7b74-a5df-45a7-8fef-3c1a81dc9f5c

📥 Commits

Reviewing files that changed from the base of the PR and between 73d7ca9 and dd82f59.

⛔ Files ignored due to path filters (11)

• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AWSEuropeanSovereignCloudInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*

📒 Files selected for processing (6)

• operator/v1/types_csi_cluster_driver.go
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Gate the new stable v1 field behind a feature gate.

Line 162 introduces a new stable API field without a +openshift:enable:FeatureGate=... marker. That violates the stable API rollout requirement and can expose partially-supported config in GA surface.

Suggested direction

 	// secretsStore is used to configure the Secrets Store CSI driver.
+	// +openshift:enable:FeatureGate=SecretsStoreCSIDriver
 	// +optional
 	SecretsStore *SecretsStoreCSIDriverConfigSpec `json:"secretsStore,omitempty"`

As per coding guidelines, **/types*.go: New fields on stable APIs should be introduced behind a feature gate using +openshift:enable:FeatureGate=MyFeatureGate.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// secretsStore is used to configure the Secrets Store CSI driver.
	// +optional
	SecretsStore *SecretsStoreCSIDriverConfigSpec `json:"secretsStore,omitempty"`
	}
	// secretsStore is used to configure the Secrets Store CSI driver.
	// +openshift:enable:FeatureGate=SecretsStoreCSIDriver
	// +optional
	SecretsStore *SecretsStoreCSIDriverConfigSpec `json:"secretsStore,omitempty"`
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operator/v1/types_csi_cluster_driver.go` around lines 162 - 165, The new
stable API field SecretsStore (*SecretsStoreCSIDriverConfigSpec) must be gated
with an OpenShift feature gate; add the kubebuilder marker comment
+openshift:enable:FeatureGate=YourFeatureGateName immediately above the
`SecretsStore` field declaration (the SecretsStore
*SecretsStoreCSIDriverConfigSpec line) so the field is only enabled when the
feature gate is on, and update any related docs/tests to use that feature gate
name.

[chiragkyal]

This is a day2 operator, not an OpenShift core operator. I think we can add this feature to GA directly.
@mytreya-rh what do you think?

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml`:
- Around line 310-317: The schema for the CRD field expirationSeconds does not
enforce the documented lower bound of 600; update the OpenAPI schema for the
property named expirationSeconds in the CRD (within the properties block where
type: integer and format: int64 are defined) to include minimum: 600 so
admission validation will reject values below 600; ensure the minimum is set
alongside the existing type/format entry.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 02b1535f-ee7f-421e-b9f7-a4e43b5dd6c5

📥 Commits

Reviewing files that changed from the base of the PR and between eb0e5bd and e08f398.

⛔ Files ignored due to path filters (11)

• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AWSEuropeanSovereignCloudInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*

📒 Files selected for processing (6)

• operator/v1/types_csi_cluster_driver.go
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml

🚧 Files skipped from review as they are similar to previous changes (5)

• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml
• operator/v1/types_csi_cluster_driver.go
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Enforce the documented lower bound for token expiration.

Line [315] says expirationSeconds must be at least 600, but the schema at Lines [310-317] doesn’t enforce it. This allows invalid configs through admission.

Proposed fix

                             expirationSeconds:
                               description: |-
                                 expirationSeconds is the requested duration of validity of the service account token.
                                 The token issuer may return a token with a different validity duration.
                                 When omitted, the token expiration is determined by the kube-apiserver.
                                 Must be at least 600 seconds (10 minutes).
                               format: int64
+                              minimum: 600
                               type: integer

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	expirationSeconds:
	description: |-
	expirationSeconds is the requested duration of validity of the service account token.
	The token issuer may return a token with a different validity duration.
	When omitted, the token expiration is determined by the kube-apiserver.
	Must be at least 600 seconds (10 minutes).
	format: int64
	type: integer
	expirationSeconds:
	description: |-
	expirationSeconds is the requested duration of validity of the service account token.
	The token issuer may return a token with a different validity duration.
	When omitted, the token expiration is determined by the kube-apiserver.
	Must be at least 600 seconds (10 minutes).
	format: int64
	minimum: 600
	type: integer

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml`
around lines 310 - 317, The schema for the CRD field expirationSeconds does not
enforce the documented lower bound of 600; update the OpenAPI schema for the
property named expirationSeconds in the CRD (within the properties block where
type: integer and format: int64 are defined) to include minimum: 600 so
admission validation will reject values below 600; ensure the minimum is set
alongside the existing type/format entry.

[chiragkyal]

The 600 minimum is enforced by the kube-apiserver's TokenRequest API. Also the upstream CSIDriver's tokenRequests[].expirationSeconds does NOT enforce this either.

If Kube ever changes the minimum, our validation becomes stale/wrong.

Following the same pattern as the upstream CSIDriver type keeps things consistent.
https://kubernetes-csi.github.io/docs/token-requests.html

/cc @mytreya-rh

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[chiragkyal]

/cc @mytreya-rh

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

operator/v1/types_csi_cluster_driver.go (1)

116-125: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Gate the new stable SecretsStore API surface.

Lines 116-125 and 162-164 make SecretsStore part of the stable v1 discriminator/union, and the generated manifests in this PR already carry it into the ungated/default CRDs. If this is not intentionally GA-on-arrival, it needs to be feature-gated at the API layer so the stable surface does not expand for every cluster profile yet.

As per coding guidelines, **/types*.go: New fields on stable APIs should be introduced behind a feature gate using +openshift:enable:FeatureGate=MyFeatureGate.

Also applies to: 162-164

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operator/v1/types_csi_cluster_driver.go` around lines 116 - 125, The
SecretsStore driver constant was added to the stable CSIDriverType union and
must be feature-gated; add the openshift feature-gate annotation to the API so
the new discriminator is not GA-on-arrival: locate the CSIDriverType declaration
and the SecretsStoreDriverType constant (symbols: CSIDriverType and
SecretsStoreDriverType) and add the kubebuilder/openshift annotation
`+openshift:enable:FeatureGate=SecretsStoreCSIDriver` (or your chosen gate name)
immediately above the relevant type/constant declarations (also apply the same
annotation to the other occurrence referenced around lines 162-164) so CRD
generation treats SecretsStore as gated.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@operator/v1/types_csi_cluster_driver.go`:
- Around line 454-459: The ExpirationSeconds field on the CSIClusterDriver type
lacks the kubebuilder validation enforcing the documented minimum of 600
seconds; update the field tag for ExpirationSeconds (*int64
`json:"expirationSeconds,omitempty"`) to include
+kubebuilder:validation:Minimum=600 (and keep +optional) so the generated CRD
will reject values <600 and match the documented contract.

In
`@operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml`:
- Around line 289-296: The schema for the expirationSeconds field currently only
declares type/format but does not enforce the documented lower bound; update the
CRD manifest so the expirationSeconds property includes a numeric minimum of 600
(e.g. add "minimum: 600" alongside the existing "type: integer" and "format:
int64") to ensure values less than 600 are rejected by validation; locate the
expirationSeconds definition in the
VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml and add the minimum
constraint for that property.

---

Duplicate comments:
In `@operator/v1/types_csi_cluster_driver.go`:
- Around line 116-125: The SecretsStore driver constant was added to the stable
CSIDriverType union and must be feature-gated; add the openshift feature-gate
annotation to the API so the new discriminator is not GA-on-arrival: locate the
CSIDriverType declaration and the SecretsStoreDriverType constant (symbols:
CSIDriverType and SecretsStoreDriverType) and add the kubebuilder/openshift
annotation `+openshift:enable:FeatureGate=SecretsStoreCSIDriver` (or your chosen
gate name) immediately above the relevant type/constant declarations (also apply
the same annotation to the other occurrence referenced around lines 162-164) so
CRD generation treats SecretsStore as gated.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: dc4e1222-9530-4acb-9ae8-509a500a44a1

📥 Commits

Reviewing files that changed from the base of the PR and between e08f398 and 4836779.

⛔ Files ignored due to path filters (3)

• openapi/generated_openapi/zz_generated.openapi.go is excluded by !**/zz_generated*
• operator/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*

📒 Files selected for processing (14)

• operator/v1/types_csi_cluster_driver.go
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml
• operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml
• operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AWSEuropeanSovereignCloudInstall.yaml
• operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml

🚧 Files skipped from review as they are similar to previous changes (4)

• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Enforce the documented 600-second minimum.

Line 457 says expirationSeconds must be at least 600, but the field has no +kubebuilder:validation:Minimum=600, so the generated CRDs currently accept smaller values too. That turns a documented API contract into a late runtime failure path.

Suggested fix

 	// expirationSeconds is the requested duration of validity of the service account token.
 	// The token issuer may return a token with a different validity duration.
 	// When omitted, the token expiration is determined by the kube-apiserver.
 	// Must be at least 600 seconds (10 minutes).
+	// +kubebuilder:validation:Minimum=600
 	// +optional
 	ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// expirationSeconds is the requested duration of validity of the service account token.
	// The token issuer may return a token with a different validity duration.
	// When omitted, the token expiration is determined by the kube-apiserver.
	// Must be at least 600 seconds (10 minutes).
	// +optional
	ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`
	// expirationSeconds is the requested duration of validity of the service account token.
	// The token issuer may return a token with a different validity duration.
	// When omitted, the token expiration is determined by the kube-apiserver.
	// Must be at least 600 seconds (10 minutes).
	// +kubebuilder:validation:Minimum=600
	// +optional
	ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operator/v1/types_csi_cluster_driver.go` around lines 454 - 459, The
ExpirationSeconds field on the CSIClusterDriver type lacks the kubebuilder
validation enforcing the documented minimum of 600 seconds; update the field tag
for ExpirationSeconds (*int64 `json:"expirationSeconds,omitempty"`) to include
+kubebuilder:validation:Minimum=600 (and keep +optional) so the generated CRD
will reject values <600 and match the documented contract.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Enforce the documented lower bound for expirationSeconds.

Line 294 says this value must be at least 600 seconds, but the schema only sets type/format. Values <600 would currently pass CRD validation.

Proposed fix

                           expirationSeconds:
                             description: |-
                               expirationSeconds is the requested duration of validity of the service account token.
                               The token issuer may return a token with a different validity duration.
                               When omitted, the token expiration is determined by the kube-apiserver.
                               Must be at least 600 seconds (10 minutes).
                             format: int64
+                            minimum: 600
                             type: integer

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml`
around lines 289 - 296, The schema for the expirationSeconds field currently
only declares type/format but does not enforce the documented lower bound;
update the CRD manifest so the expirationSeconds property includes a numeric
minimum of 600 (e.g. add "minimum: 600" alongside the existing "type: integer"
and "format: int64") to ensure values less than 600 are rejected by validation;
locate the expirationSeconds definition in the
VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml and add the minimum
constraint for that property.

[openshift-ci]

@chiragkyal: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/lint	4836779	link	true	/test lint
ci/prow/verify	4836779	link	true	/test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.