Skip to content

Add Secrets Store CSI driver configuration to ClusterCSIDriver API #2846

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
chiragkyal wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add Secrets Store CSI driver configuration to ClusterCSIDriver API #2846

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
121 changes: 114 additions & 7 deletions openapi/generated_openapi/zz_generated.openapi.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

84 changes: 77 additions & 7 deletions operator/v1/types_csi_cluster_driver.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,25 +113,27 @@ type ClusterCSIDriverSpec struct {
}

// CSIDriverType indicates type of CSI driver being configured.
// +kubebuilder:validation:Enum="";AWS;Azure;GCP;IBMCloud;vSphere
// +kubebuilder:validation:Enum="";AWS;Azure;GCP;IBMCloud;vSphere;SecretsStore
type CSIDriverType string

const (
AWSDriverType CSIDriverType = "AWS"
AzureDriverType CSIDriverType = "Azure"
GCPDriverType CSIDriverType = "GCP"
IBMCloudDriverType CSIDriverType = "IBMCloud"
VSphereDriverType CSIDriverType = "vSphere"
AWSDriverType CSIDriverType = "AWS"
AzureDriverType CSIDriverType = "Azure"
GCPDriverType CSIDriverType = "GCP"
IBMCloudDriverType CSIDriverType = "IBMCloud"
VSphereDriverType CSIDriverType = "vSphere"
SecretsStoreDriverType CSIDriverType = "SecretsStore"
)

// CSIDriverConfigSpec defines configuration spec that can be
// used to optionally configure a specific CSI Driver.
// +kubebuilder:validation:XValidation:rule="has(self.driverType) && self.driverType == 'IBMCloud' ? has(self.ibmcloud) : !has(self.ibmcloud)",message="ibmcloud must be set if driverType is 'IBMCloud', but remain unset otherwise"
// +kubebuilder:validation:XValidation:rule="has(self.driverType) && self.driverType == 'SecretsStore' ? has(self.secretsStore) : !has(self.secretsStore)",message="secretsStore must be set if driverType is 'SecretsStore', but remain unset otherwise"
// +union
type CSIDriverConfigSpec struct {
// driverType indicates type of CSI driver for which the
// driverConfig is being applied to.
// Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted.
// Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted.
// Consumers should treat unknown values as a NO-OP.
// +required
// +unionDiscriminator
Expand All @@ -156,6 +158,10 @@ type CSIDriverConfigSpec struct {
// vSphere is used to configure the vsphere CSI driver.
// +optional
VSphere *VSphereCSIDriverConfigSpec `json:"vSphere,omitempty"`

// secretsStore is used to configure the Secrets Store CSI driver.
// +optional
SecretsStore *SecretsStoreCSIDriverConfigSpec `json:"secretsStore,omitempty"`
}
Comment on lines +162 to 165
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 18, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Gate the new stable v1 field behind a feature gate.

Line 162 introduces a new stable API field without a +openshift:enable:FeatureGate=... marker. That violates the stable API rollout requirement and can expose partially-supported config in GA surface.

Suggested direction 
 	// secretsStore is used to configure the Secrets Store CSI driver.
+	// +openshift:enable:FeatureGate=SecretsStoreCSIDriver
 	// +optional
 	SecretsStore *SecretsStoreCSIDriverConfigSpec `json:"secretsStore,omitempty"`

As per coding guidelines, **/types*.go: New fields on stable APIs should be introduced behind a feature gate using +openshift:enable:FeatureGate=MyFeatureGate.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// secretsStore is used to configure the Secrets Store CSI driver.
// +optional
SecretsStore *SecretsStoreCSIDriverConfigSpec `json:"secretsStore,omitempty"`
}
// secretsStore is used to configure the Secrets Store CSI driver.
// +openshift:enable:FeatureGate=SecretsStoreCSIDriver
// +optional
SecretsStore *SecretsStoreCSIDriverConfigSpec `json:"secretsStore,omitempty"`
}
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operator/v1/types_csi_cluster_driver.go` around lines 162 - 165, The new
stable API field SecretsStore (*SecretsStoreCSIDriverConfigSpec) must be gated
with an OpenShift feature gate; add the kubebuilder marker comment
+openshift:enable:FeatureGate=YourFeatureGateName immediately above the
`SecretsStore` field declaration (the SecretsStore
*SecretsStoreCSIDriverConfigSpec line) so the field is only enabled when the
feature gate is on, and update any related docs/tests to use that feature gate
name.

Copy link
Copy Markdown
Member Author

@chiragkyal chiragkyal May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a day2 operator, not an OpenShift core operator. I think we can add this feature to GA directly.
@mytreya-rh what do you think?

Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!


// AWSCSIDriverConfigSpec defines properties that can be configured for the AWS CSI driver.
Expand Down Expand Up @@ -389,6 +395,70 @@ type VSphereCSIDriverConfigSpec struct {
MaxAllowedBlockVolumesPerNode int32 `json:"maxAllowedBlockVolumesPerNode,omitempty"`
}

// SecretsStoreCSIDriverConfigSpec defines properties that can be configured for the Secrets Store CSI driver.
type SecretsStoreCSIDriverConfigSpec struct {
// secretRotation controls automatic secret rotation behavior.
// When omitted, secret rotation is enabled with a default poll interval of 2 minutes.
// +optional
SecretRotation *SecretsStoreSecretRotation `json:"secretRotation,omitempty"`

// tokenRequests specifies service account token audiences that kubelet will provide
// to the CSI driver during NodePublishVolume calls. These tokens enable workload
// identity federation (WIF) with cloud providers such as AWS, Azure, and GCP.
// When omitted or empty, no service account tokens are provided to the CSI driver
// and workload identity federation is not available.
// +optional
// +listType=atomic
TokenRequests []SecretsStoreTokenRequest `json:"tokenRequests,omitempty"`
Comment thread
coderabbitai[bot] marked this conversation as resolved.
}

// SecretRotationPolicy determines whether automatic secret rotation is active
// for the Secrets Store CSI driver.
// +kubebuilder:validation:Enum=Enabled;Disabled
type SecretRotationPolicy string

const (
SecretRotationEnabled SecretRotationPolicy = "Enabled"
SecretRotationDisabled SecretRotationPolicy = "Disabled"
)

// SecretsStoreSecretRotation configures the automatic secret rotation behavior
// for the Secrets Store CSI driver.
type SecretsStoreSecretRotation struct {
// policy controls whether automatic secret rotation is active.
// When "Enabled", the CSIDriver object sets requiresRepublish and the driver
// re-fetches secrets from providers.
// When "Disabled", secrets are only fetched at initial pod mount time.
// +default="Enabled"
// +optional
Policy SecretRotationPolicy `json:"policy,omitempty"`

// rotationPollIntervalSeconds is the minimum time in seconds between secret
// rotation attempts. The driver skips provider calls if less than this interval
// has elapsed since the last successful rotation.
// Default is 120 (2 minutes).
// +default=120
// +optional
RotationPollIntervalSeconds *int32 `json:"rotationPollIntervalSeconds,omitempty"`
}

// SecretsStoreTokenRequest specifies a service account token audience configuration
// for workload identity federation (WIF) with the Secrets Store CSI driver.
type SecretsStoreTokenRequest struct {
// audience is the intended audience of the service account token.
// An empty string means the issued token will use the kube-apiserver's default APIAudiences.
// +kubebuilder:validation:MaxLength=253
// +required
Audience *string `json:"audience,omitempty"`

// expirationSeconds is the requested duration of validity of the service account token.
// The token issuer may return a token with a different validity duration.
// When omitted, the token expiration is determined by the kube-apiserver.
// Must be at least 600 seconds (10 minutes).
// +optional
ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`
Comment on lines +454 to +459
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Enforce the documented 600-second minimum.

Line 457 says expirationSeconds must be at least 600, but the field has no +kubebuilder:validation:Minimum=600, so the generated CRDs currently accept smaller values too. That turns a documented API contract into a late runtime failure path.

Suggested fix 
 	// expirationSeconds is the requested duration of validity of the service account token.
 	// The token issuer may return a token with a different validity duration.
 	// When omitted, the token expiration is determined by the kube-apiserver.
 	// Must be at least 600 seconds (10 minutes).
+	// +kubebuilder:validation:Minimum=600
 	// +optional
 	ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// expirationSeconds is the requested duration of validity of the service account token.
// The token issuer may return a token with a different validity duration.
// When omitted, the token expiration is determined by the kube-apiserver.
// Must be at least 600 seconds (10 minutes).
// +optional
ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`
// expirationSeconds is the requested duration of validity of the service account token.
// The token issuer may return a token with a different validity duration.
// When omitted, the token expiration is determined by the kube-apiserver.
// Must be at least 600 seconds (10 minutes).
// +kubebuilder:validation:Minimum=600
// +optional
ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`
🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operator/v1/types_csi_cluster_driver.go` around lines 454 - 459, The
ExpirationSeconds field on the CSIClusterDriver type lacks the kubebuilder
validation enforcing the documented minimum of 600 seconds; update the field tag
for ExpirationSeconds (*int64 `json:"expirationSeconds,omitempty"`) to include
+kubebuilder:validation:Minimum=600 (and keep +optional) so the generated CRD
will reject values <600 and match the documented contract.

}

// ClusterCSIDriverStatus is the observed status of CSI driver operator
type ClusterCSIDriverStatus struct {
OperatorStatus `json:",inline"`
Expand Down
69 changes: 68 additions & 1 deletion ..._generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -187,7 +187,7 @@ spec:
description: |-
driverType indicates type of CSI driver for which the
driverConfig is being applied to.
Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted.
Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted.
Consumers should treat unknown values as a NO-OP.
enum:
- ""
Expand All @@ -196,6 +196,7 @@ spec:
- GCP
- IBMCloud
- vSphere
- SecretsStore
type: string
gcp:
description: gcp is used to configure the GCP CSI driver.
Expand Down Expand Up @@ -261,6 +262,68 @@ spec:
required:
- encryptionKeyCRN
type: object
secretsStore:
description: secretsStore is used to configure the Secrets Store
CSI driver.
properties:
secretRotation:
description: |-
secretRotation controls automatic secret rotation behavior.
When omitted, secret rotation is enabled with a default poll interval of 2 minutes.
properties:
policy:
default: Enabled
description: |-
policy controls whether automatic secret rotation is active.
When "Enabled", the CSIDriver object sets requiresRepublish and the driver
re-fetches secrets from providers.
When "Disabled", secrets are only fetched at initial pod mount time.
enum:
- Enabled
- Disabled
type: string
rotationPollIntervalSeconds:
default: 120
description: |-
rotationPollIntervalSeconds is the minimum time in seconds between secret
rotation attempts. The driver skips provider calls if less than this interval
has elapsed since the last successful rotation.
Default is 120 (2 minutes).
format: int32
type: integer
type: object
tokenRequests:
description: |-
tokenRequests specifies service account token audiences that kubelet will provide
to the CSI driver during NodePublishVolume calls. These tokens enable workload
identity federation (WIF) with cloud providers such as AWS, Azure, and GCP.
When omitted or empty, no service account tokens are provided to the CSI driver
and workload identity federation is not available.
items:
description: |-
SecretsStoreTokenRequest specifies a service account token audience configuration
for workload identity federation (WIF) with the Secrets Store CSI driver.
properties:
audience:
description: |-
audience is the intended audience of the service account token.
An empty string means the issued token will use the kube-apiserver's default APIAudiences.
maxLength: 253
type: string
expirationSeconds:
description: |-
expirationSeconds is the requested duration of validity of the service account token.
The token issuer may return a token with a different validity duration.
When omitted, the token expiration is determined by the kube-apiserver.
Must be at least 600 seconds (10 minutes).
format: int64
type: integer
required:
- audience
type: object
type: array
x-kubernetes-list-type: atomic
type: object
vSphere:
description: vSphere is used to configure the vsphere CSI driver.
properties:
Expand Down Expand Up @@ -328,6 +391,10 @@ spec:
unset otherwise
rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ?
has(self.ibmcloud) : !has(self.ibmcloud)'
- message: secretsStore must be set if driverType is 'SecretsStore',
but remain unset otherwise
rule: 'has(self.driverType) && self.driverType == ''SecretsStore''
? has(self.secretsStore) : !has(self.secretsStore)'
logLevel:
default: Normal
description: |-
Expand Down
Loading