Add Secrets Store CSI driver configuration to ClusterCSIDriver API

[chiragkyal]

Summary

• Adds SecretsStore as a new CSIDriverType enum value in the
  ClusterCSIDriver API (operator.openshift.io/v1)
• Introduces SecretsStoreCSIDriverConfigSpec with configuration for:
  • Secret rotation: toggle automatic rotation on/off and configure
    the poll interval (defaults to enabled with 2m interval)
  • Token requests: configure service account token audiences for
    workload identity federation (WIF) with AWS, Azure, GCP, etc.
• Adds union discriminator validation ensuring secretsStore config
  is set if and only if driverType is SecretsStore
• Regenerates CRDs, deepcopy, swagger docs, and OpenAPI schemas

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

Hello @chiragkyal! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request extends the CSI driver configuration API to support Secrets Store drivers. The Go API type CSIDriverType gains a new SecretsStore constant, CSIDriverConfigSpec gains a new secretsStore union field, and three new configuration struct types are introduced: SecretsStoreCSIDriverConfigSpec, SecretsStoreSecretRotation, and SecretsStoreTokenRequest. The corresponding CRD schemas in all five cluster-profile variants (CustomNoUpgrade, Default, DevPreviewNoUpgrade, OKD, TechPreviewNoUpgrade) are updated with matching enum extensions, schema definitions, and validation rules that require secretsStore presence only when driverType is SecretsStore.

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Test Structure And Quality	❓ Inconclusive	No Ginkgo test code was added for the new SecretsStore functionality. Existing YAML test fixtures do not include SecretsStore tests.	Add test coverage for SecretsStore following the project's YAML test fixture pattern or clarify if tests will be added separately.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding Secrets Store CSI driver configuration support to the ClusterCSIDriver API.
Description check	✅ Passed	The description is well-related to the changeset, providing clear details about the new SecretsStore driver type, configuration options, and validation rules added.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names in the PR are stable and deterministic. No dynamic information found in test titles. Test names are static, descriptive strings constant across runs.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. The changes consist of API type definitions and CRD manifests only. The check is not applicable as specified instructions.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The changes consist of API type definitions and CRD manifests only. The SNO Test Compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only API types and CRD schemas, not deployment manifests, operator code, or controllers. Check applies only to such operational changes.
Ote Binary Stdout Contract	✅ Passed	This PR updates CSI API definitions and CRD manifests. No test binaries, main() functions, OTE suite setup, or stdout writes detected in modified code. Not applicable to OTE stdout contract check.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The pull request only adds API types and CRD schemas for Secrets Store CSI driver configuration, with no test code to assess.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign everettraven for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[chiragkyal]

/test all

[chiragkyal]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@operator/v1/types_csi_cluster_driver.go`:
- Around line 405-411: Update the field comments for TokenRequests (type
SecretsStoreTokenRequest) and the expirationSeconds field to document the
default behavior when omitted: state that if TokenRequests is nil/empty, no
service account tokens will be requested and the CSI driver will use the
kube-apiserver's default APIAudiences (or no tokens provided), and if
expirationSeconds is omitted the token lifetime defaults to the kubelet/cluster
provider default (or a specific default value used by the implementation).
Modify the comment blocks adjacent to the TokenRequests declaration and the
expirationSeconds declaration to include these omission semantics and expected
default values/behavior so the optional nature is clear.
- Around line 162-165: The new stable API field SecretsStore
(*SecretsStoreCSIDriverConfigSpec) must be gated with an OpenShift feature gate;
add the kubebuilder marker comment
+openshift:enable:FeatureGate=YourFeatureGateName immediately above the
`SecretsStore` field declaration (the SecretsStore
*SecretsStoreCSIDriverConfigSpec line) so the field is only enabled when the
feature gate is on, and update any related docs/tests to use that feature gate
name.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: c45c7b74-a5df-45a7-8fef-3c1a81dc9f5c

📥 Commits

Reviewing files that changed from the base of the PR and between 73d7ca9 and dd82f59.

⛔ Files ignored due to path filters (11)

• openapi/generated_openapi/zz_generated.openapi.go is excluded by !openapi/**, !**/zz_generated*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/*
• operator/v1/zz_generated.deepcopy.go is excluded by !**/zz_generated*
• operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AWSEuropeanSovereignCloudInstall.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
• operator/v1/zz_generated.swagger_doc_generated.go is excluded by !**/zz_generated*

📒 Files selected for processing (6)

• operator/v1/types_csi_cluster_driver.go
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml
• payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Gate the new stable v1 field behind a feature gate.

Line 162 introduces a new stable API field without a +openshift:enable:FeatureGate=... marker. That violates the stable API rollout requirement and can expose partially-supported config in GA surface.

Suggested direction

 	// secretsStore is used to configure the Secrets Store CSI driver.
+	// +openshift:enable:FeatureGate=SecretsStoreCSIDriver
 	// +optional
 	SecretsStore *SecretsStoreCSIDriverConfigSpec `json:"secretsStore,omitempty"`

As per coding guidelines, **/types*.go: New fields on stable APIs should be introduced behind a feature gate using +openshift:enable:FeatureGate=MyFeatureGate.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// secretsStore is used to configure the Secrets Store CSI driver.
	// +optional
	SecretsStore *SecretsStoreCSIDriverConfigSpec `json:"secretsStore,omitempty"`
	}
	// secretsStore is used to configure the Secrets Store CSI driver.
	// +openshift:enable:FeatureGate=SecretsStoreCSIDriver
	// +optional
	SecretsStore *SecretsStoreCSIDriverConfigSpec `json:"secretsStore,omitempty"`
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operator/v1/types_csi_cluster_driver.go` around lines 162 - 165, The new
stable API field SecretsStore (*SecretsStoreCSIDriverConfigSpec) must be gated
with an OpenShift feature gate; add the kubebuilder marker comment
+openshift:enable:FeatureGate=YourFeatureGateName immediately above the
`SecretsStore` field declaration (the SecretsStore
*SecretsStoreCSIDriverConfigSpec line) so the field is only enabled when the
feature gate is on, and update any related docs/tests to use that feature gate
name.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Document omitted behavior for new optional fields.

tokenRequests and expirationSeconds are marked +optional, but their comments don’t describe behavior when omitted.

As per coding guidelines, Documentation for +optional fields must explain the behavior when the field is omitted.

Also applies to: 445-448

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operator/v1/types_csi_cluster_driver.go` around lines 405 - 411, Update the
field comments for TokenRequests (type SecretsStoreTokenRequest) and the
expirationSeconds field to document the default behavior when omitted: state
that if TokenRequests is nil/empty, no service account tokens will be requested
and the CSI driver will use the kube-apiserver's default APIAudiences (or no
tokens provided), and if expirationSeconds is omitted the token lifetime
defaults to the kubelet/cluster provider default (or a specific default value
used by the implementation). Modify the comment blocks adjacent to the
TokenRequests declaration and the expirationSeconds declaration to include these
omission semantics and expected default values/behavior so the optional nature
is clear.

[openshift-ci]

@chiragkyal: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/lint	dd82f59	link	true	/test lint

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.