diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index 6f65ddbfdf0..95dce050f35 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -1220,6 +1220,9 @@ func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenA "github.com/openshift/api/operator/v1.RestartService": schema_openshift_api_operator_v1_RestartService(ref), "github.com/openshift/api/operator/v1.RouteAdmissionPolicy": schema_openshift_api_operator_v1_RouteAdmissionPolicy(ref), "github.com/openshift/api/operator/v1.SFlowConfig": schema_openshift_api_operator_v1_SFlowConfig(ref), + "github.com/openshift/api/operator/v1.SecretsStoreCSIDriverConfigSpec": schema_openshift_api_operator_v1_SecretsStoreCSIDriverConfigSpec(ref), + "github.com/openshift/api/operator/v1.SecretsStoreSecretRotation": schema_openshift_api_operator_v1_SecretsStoreSecretRotation(ref), + "github.com/openshift/api/operator/v1.SecretsStoreTokenRequest": schema_openshift_api_operator_v1_SecretsStoreTokenRequest(ref), "github.com/openshift/api/operator/v1.Server": schema_openshift_api_operator_v1_Server(ref), "github.com/openshift/api/operator/v1.ServiceAccountIssuerStatus": schema_openshift_api_operator_v1_ServiceAccountIssuerStatus(ref), "github.com/openshift/api/operator/v1.ServiceCA": schema_openshift_api_operator_v1_ServiceCA(ref), 
@@ -52657,7 +52660,7 @@ func schema_openshift_api_operator_v1_CSIDriverConfigSpec(ref common.ReferenceCa Properties: map[string]spec.Schema{ "driverType": { SchemaProps: spec.SchemaProps{ - Description: "driverType indicates type of CSI driver for which the driverConfig is being applied to. Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. Consumers should treat unknown values as a NO-OP.", + Description: "driverType indicates type of CSI driver for which the driverConfig is being applied to. Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP.", Default: "", Type: []string{"string"}, Format: "", @@ -52693,6 +52696,12 @@ func schema_openshift_api_operator_v1_CSIDriverConfigSpec(ref common.ReferenceCa Ref: ref("github.com/openshift/api/operator/v1.VSphereCSIDriverConfigSpec"), }, }, + "secretsStore": { + SchemaProps: spec.SchemaProps{ + Description: "secretsStore is used to configure the Secrets Store CSI driver.", + Ref: ref("github.com/openshift/api/operator/v1.SecretsStoreCSIDriverConfigSpec"), + }, + }, }, Required: []string{"driverType"}, }, @@ -52702,11 +52711,12 @@ func schema_openshift_api_operator_v1_CSIDriverConfigSpec(ref common.ReferenceCa map[string]interface{}{ "discriminator": "driverType", "fields-to-discriminateBy": map[string]interface{}{ - "aws": "AWS", - "azure": "Azure", - "gcp": "GCP", - "ibmcloud": "IBMCloud", - "vSphere": "VSphere", + "aws": "AWS", + "azure": "Azure", + "gcp": "GCP", + "ibmcloud": "IBMCloud", + "secretsStore": "SecretsStore", + "vSphere": "VSphere", }, }, }, 
@@ -52714,7 +52724,7 @@ func schema_openshift_api_operator_v1_CSIDriverConfigSpec(ref common.ReferenceCa }, }, Dependencies: []string{ - "github.com/openshift/api/operator/v1.AWSCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.AzureCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.GCPCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.IBMCloudCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.VSphereCSIDriverConfigSpec"}, + "github.com/openshift/api/operator/v1.AWSCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.AzureCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.GCPCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.IBMCloudCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.SecretsStoreCSIDriverConfigSpec", "github.com/openshift/api/operator/v1.VSphereCSIDriverConfigSpec"}, } } 
@@ -62237,6 +62247,103 @@ func schema_openshift_api_operator_v1_SFlowConfig(ref common.ReferenceCallback) } } +func schema_openshift_api_operator_v1_SecretsStoreCSIDriverConfigSpec(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SecretsStoreCSIDriverConfigSpec defines properties that can be configured for the Secrets Store CSI driver.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "secretRotation": { + SchemaProps: spec.SchemaProps{ + Description: "secretRotation controls automatic secret rotation behavior. When omitted, secret rotation is enabled with a default poll interval of 2 minutes.", + Ref: ref("github.com/openshift/api/operator/v1.SecretsStoreSecretRotation"), + }, + }, + "tokenRequests": { + VendorExtensible: spec.VendorExtensible{ + Extensions: spec.Extensions{ + "x-kubernetes-list-type": "atomic", + }, + }, + SchemaProps: spec.SchemaProps{ + Description: "tokenRequests specifies service account token audiences that kubelet will provide to the CSI driver during NodePublishVolume calls. These tokens enable workload identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. 
An empty audience string means the token uses the kube-apiserver's default APIAudiences.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Default: map[string]interface{}{}, + Ref: ref("github.com/openshift/api/operator/v1.SecretsStoreTokenRequest"), + }, + }, + }, + }, + }, + }, + }, + }, + Dependencies: []string{ + "github.com/openshift/api/operator/v1.SecretsStoreSecretRotation", "github.com/openshift/api/operator/v1.SecretsStoreTokenRequest"}, + } +} + +func schema_openshift_api_operator_v1_SecretsStoreSecretRotation(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SecretsStoreSecretRotation configures the automatic secret rotation behavior for the Secrets Store CSI driver.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "enabled": { + SchemaProps: spec.SchemaProps{ + Description: "enabled controls whether automatic secret rotation is active. When true, the CSIDriver object sets requiresRepublish and the driver re-fetches secrets from providers. When false, secrets are only fetched at initial pod mount time. Default is true.", + Type: []string{"boolean"}, + Format: "", + }, + }, + "rotationPollInterval": { + SchemaProps: spec.SchemaProps{ + Description: "rotationPollInterval is the minimum duration between secret rotation attempts. The driver skips provider calls if less than this interval has elapsed since the last successful rotation. Format is a Go duration string (e.g. \"2m\", \"1h30m\"). 
Default is \"2m\".", + Ref: ref(metav1.Duration{}.OpenAPIModelName()), + }, + }, + }, + }, + }, + Dependencies: []string{ + metav1.Duration{}.OpenAPIModelName()}, + } +} + +func schema_openshift_api_operator_v1_SecretsStoreTokenRequest(ref common.ReferenceCallback) common.OpenAPIDefinition { + return common.OpenAPIDefinition{ + Schema: spec.Schema{ + SchemaProps: spec.SchemaProps{ + Description: "SecretsStoreTokenRequest specifies a service account token audience configuration for workload identity federation (WIF) with the Secrets Store CSI driver.", + Type: []string{"object"}, + Properties: map[string]spec.Schema{ + "audience": { + SchemaProps: spec.SchemaProps{ + Description: "audience is the intended audience of the service account token. An empty string means the issued token will use the kube-apiserver's default APIAudiences.", + Default: "", + Type: []string{"string"}, + Format: "", + }, + }, + "expirationSeconds": { + SchemaProps: spec.SchemaProps{ + Description: "expirationSeconds is the requested duration of validity of the service account token. The token issuer may return a token with a different validity duration.", + Type: []string{"integer"}, + Format: "int64", + }, + }, + }, + Required: []string{"audience"}, + }, + }, + } +} + func schema_openshift_api_operator_v1_Server(ref common.ReferenceCallback) common.OpenAPIDefinition { return common.OpenAPIDefinition{ Schema: spec.Schema{ diff --git a/operator/v1/types_csi_cluster_driver.go b/operator/v1/types_csi_cluster_driver.go index 52f5db78d51..06ccf0f64e1 100644 --- a/operator/v1/types_csi_cluster_driver.go +++ b/operator/v1/types_csi_cluster_driver.go 
@@ -113,25 +113,27 @@ type ClusterCSIDriverSpec struct {
 }
 
 // CSIDriverType indicates type of CSI driver being configured.
-// +kubebuilder:validation:Enum="";AWS;Azure;GCP;IBMCloud;vSphere
+// +kubebuilder:validation:Enum="";AWS;Azure;GCP;IBMCloud;vSphere;SecretsStore
 type CSIDriverType string
 
 const (
-	AWSDriverType CSIDriverType = "AWS"
-	AzureDriverType CSIDriverType = "Azure"
-	GCPDriverType CSIDriverType = "GCP"
-	IBMCloudDriverType CSIDriverType = "IBMCloud"
-	VSphereDriverType CSIDriverType = "vSphere"
+	AWSDriverType CSIDriverType = "AWS"
+	AzureDriverType CSIDriverType = "Azure"
+	GCPDriverType CSIDriverType = "GCP"
+	IBMCloudDriverType CSIDriverType = "IBMCloud"
+	VSphereDriverType CSIDriverType = "vSphere"
+	SecretsStoreDriverType CSIDriverType = "SecretsStore"
 )
 
 // CSIDriverConfigSpec defines configuration spec that can be
 // used to optionally configure a specific CSI Driver.
 // +kubebuilder:validation:XValidation:rule="has(self.driverType) && self.driverType == 'IBMCloud' ? has(self.ibmcloud) : !has(self.ibmcloud)",message="ibmcloud must be set if driverType is 'IBMCloud', but remain unset otherwise"
+// +kubebuilder:validation:XValidation:rule="has(self.driverType) && self.driverType == 'SecretsStore' ? has(self.secretsStore) : !has(self.secretsStore)",message="secretsStore must be set if driverType is 'SecretsStore', but remain unset otherwise"
 // +union
 type CSIDriverConfigSpec struct {
 	// driverType indicates type of CSI driver for which the
 	// driverConfig is being applied to.
-	// Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted.
+	// Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted.
 	// Consumers should treat unknown values as a NO-OP.
 	// +required
 	// +unionDiscriminator
@@ -156,6 +158,10 @@ type CSIDriverConfigSpec struct {
 	// vSphere is used to configure the vsphere CSI driver.
 	// +optional
 	VSphere *VSphereCSIDriverConfigSpec `json:"vSphere,omitempty"`
+
+	// secretsStore is used to configure the Secrets Store CSI driver.
+	// +optional
+	SecretsStore *SecretsStoreCSIDriverConfigSpec `json:"secretsStore,omitempty"`
 }
 
 // AWSCSIDriverConfigSpec defines properties that can be configured for the AWS CSI driver.
@@ -389,6 +395,59 @@ type VSphereCSIDriverConfigSpec struct {
 	MaxAllowedBlockVolumesPerNode int32 `json:"maxAllowedBlockVolumesPerNode,omitempty"`
 }
 
+// SecretsStoreCSIDriverConfigSpec defines properties that can be configured for the Secrets Store CSI driver.
+type SecretsStoreCSIDriverConfigSpec struct {
+	// secretRotation controls automatic secret rotation behavior.
+	// When omitted, secret rotation is enabled with a default poll interval of 2 minutes.
+	// +optional
+	SecretRotation *SecretsStoreSecretRotation `json:"secretRotation,omitempty"`
+
+	// tokenRequests specifies service account token audiences that kubelet will provide
+	// to the CSI driver during NodePublishVolume calls. These tokens enable workload
+	// identity federation (WIF) with cloud providers such as AWS, Azure, and GCP.
+	// An empty audience string means the token uses the kube-apiserver's default APIAudiences.
+	// +optional
+	// +listType=atomic
+	TokenRequests []SecretsStoreTokenRequest `json:"tokenRequests,omitempty"`
+}
+
+// SecretsStoreSecretRotation configures the automatic secret rotation behavior
+// for the Secrets Store CSI driver.
+type SecretsStoreSecretRotation struct {
+	// enabled controls whether automatic secret rotation is active.
+	// When true, the CSIDriver object sets requiresRepublish and the driver
+	// re-fetches secrets from providers.
+	// When false, secrets are only fetched at initial pod mount time.
+	// Default is true.
+	// +kubebuilder:default=true
+	// +optional
+	Enabled *bool `json:"enabled,omitempty"`
+
+	// rotationPollInterval is the minimum duration between secret rotation attempts.
+	// The driver skips provider calls if less than this interval has elapsed since
+	// the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m").
+	// Default is "2m".
+	// +kubebuilder:default="2m"
+	// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h))+$`
+	// +kubebuilder:validation:Type:=string
+	// +optional
+	RotationPollInterval *metav1.Duration `json:"rotationPollInterval,omitempty"`
+}
+
+// SecretsStoreTokenRequest specifies a service account token audience configuration
+// for workload identity federation (WIF) with the Secrets Store CSI driver.
+type SecretsStoreTokenRequest struct {
+	// audience is the intended audience of the service account token.
+	// An empty string means the issued token will use the kube-apiserver's default APIAudiences.
+	// +required
+	Audience string `json:"audience"`
+
+	// expirationSeconds is the requested duration of validity of the service account token.
+	// The token issuer may return a token with a different validity duration.
+	// +optional
+	ExpirationSeconds *int64 `json:"expirationSeconds,omitempty"`
+}
+
 // ClusterCSIDriverStatus is the observed status of CSI driver operator
 type ClusterCSIDriverStatus struct {
 	OperatorStatus `json:",inline"`
diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml
index 19b319fcb8d..de581c07a41 100644
--- a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml
+++ b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml
@@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" 
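Review bot: `rotationPollInterval` in `SecretsStoreSecretRotation` has no lower bound — the pattern `^([0-9]+(\.[0-9]+)?(s|m|h))+$` accepts `0s` and sub-second values, so one ClusterCSIDriver edit can make the driver hit the secret provider on every republish with no throttling; a field-level CEL rule such as `// +kubebuilder:validation:XValidation:rule="duration(self) >= duration('1s')",message="rotationPollInterval must be at least 1s"` (floor value is a constructed example; use whatever the driver tolerates) would reject that at admission. `expirationSeconds` in `SecretsStoreTokenRequest` is likewise unbounded, while kube-apiserver's TokenRequest validation rejects values below 600 seconds, so a bad value only surfaces later as a NodePublishVolume failure; `// +kubebuilder:validation:Minimum=600` would catch it at admission instead. `tokenRequests` carries no `MaxItems` and nothing rejects two entries with the same audience, which the CSIDriver object derived from this list would, as far as I recall, refuse — a uniqueness XValidation on the list would fail fast. The `audience` doc could also state that an empty audience yields a token the kube-apiserver itself accepts, which is a broader credential than a provider-scoped audience and worth saying explicitly next to the "default APIAudiences" sentence.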
@@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,62 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + properties: + enabled: + default: true + description: |- + enabled controls whether automatic secret rotation is active. + When true, the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When false, secrets are only fetched at initial pod mount time. + Default is true. + type: boolean + rotationPollInterval: + default: 2m + description: |- + rotationPollInterval is the minimum duration between secret rotation attempts. + The driver skips provider calls if less than this interval has elapsed since + the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m"). + Default is "2m". + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ + type: string + type: object + tokenRequests: + description: |- + tokenRequests specifies service account token audiences that kubelet will provide + to the CSI driver during NodePublishVolume calls. These tokens enable workload + identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. + An empty audience string means the token uses the kube-apiserver's default APIAudiences. + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. + An empty string means the issued token will use the kube-apiserver's default APIAudiences. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. 
+ The token issuer may return a token with a different validity duration. + format: int64 + type: integer + required: + - audience + type: object + type: array + x-kubernetes-list-type: atomic + type: object vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: @@ -328,6 +385,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml index 5bb6bdddcfb..98770a3a0a7 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,62 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + properties: + enabled: + default: true + description: |- + enabled controls whether automatic secret rotation is active. + When true, the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When false, secrets are only fetched at initial pod mount time. + Default is true. + type: boolean + rotationPollInterval: + default: 2m + description: |- + rotationPollInterval is the minimum duration between secret rotation attempts. + The driver skips provider calls if less than this interval has elapsed since + the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m"). + Default is "2m". + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ + type: string + type: object + tokenRequests: + description: |- + tokenRequests specifies service account token audiences that kubelet will provide + to the CSI driver during NodePublishVolume calls. These tokens enable workload + identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. + An empty audience string means the token uses the kube-apiserver's default APIAudiences. + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. + An empty string means the issued token will use the kube-apiserver's default APIAudiences. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. 
+ The token issuer may return a token with a different validity duration. + format: int64 + type: integer + required: + - audience + type: object + type: array + x-kubernetes-list-type: atomic + type: object vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: @@ -313,6 +370,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml index a03dd7d88db..d0cc9798d64 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,62 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + properties: + enabled: + default: true + description: |- + enabled controls whether automatic secret rotation is active. + When true, the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When false, secrets are only fetched at initial pod mount time. + Default is true. + type: boolean + rotationPollInterval: + default: 2m + description: |- + rotationPollInterval is the minimum duration between secret rotation attempts. + The driver skips provider calls if less than this interval has elapsed since + the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m"). + Default is "2m". + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ + type: string + type: object + tokenRequests: + description: |- + tokenRequests specifies service account token audiences that kubelet will provide + to the CSI driver during NodePublishVolume calls. These tokens enable workload + identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. + An empty audience string means the token uses the kube-apiserver's default APIAudiences. + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. + An empty string means the issued token will use the kube-apiserver's default APIAudiences. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. 
+ The token issuer may return a token with a different validity duration. + format: int64 + type: integer + required: + - audience + type: object + type: array + x-kubernetes-list-type: atomic + type: object vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: @@ -328,6 +385,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml index 0e925a75110..1e2a061324d 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,62 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + properties: + enabled: + default: true + description: |- + enabled controls whether automatic secret rotation is active. + When true, the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When false, secrets are only fetched at initial pod mount time. + Default is true. + type: boolean + rotationPollInterval: + default: 2m + description: |- + rotationPollInterval is the minimum duration between secret rotation attempts. + The driver skips provider calls if less than this interval has elapsed since + the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m"). + Default is "2m". + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ + type: string + type: object + tokenRequests: + description: |- + tokenRequests specifies service account token audiences that kubelet will provide + to the CSI driver during NodePublishVolume calls. These tokens enable workload + identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. + An empty audience string means the token uses the kube-apiserver's default APIAudiences. + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. + An empty string means the issued token will use the kube-apiserver's default APIAudiences. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. 
+ The token issuer may return a token with a different validity duration. + format: int64 + type: integer + required: + - audience + type: object + type: array + x-kubernetes-list-type: atomic + type: object vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: @@ -313,6 +370,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml index 3dc68028e00..9167f855304 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,62 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + properties: + enabled: + default: true + description: |- + enabled controls whether automatic secret rotation is active. + When true, the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When false, secrets are only fetched at initial pod mount time. + Default is true. + type: boolean + rotationPollInterval: + default: 2m + description: |- + rotationPollInterval is the minimum duration between secret rotation attempts. + The driver skips provider calls if less than this interval has elapsed since + the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m"). + Default is "2m". + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ + type: string + type: object + tokenRequests: + description: |- + tokenRequests specifies service account token audiences that kubelet will provide + to the CSI driver during NodePublishVolume calls. These tokens enable workload + identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. + An empty audience string means the token uses the kube-apiserver's default APIAudiences. + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. + An empty string means the issued token will use the kube-apiserver's default APIAudiences. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. 
+ The token issuer may return a token with a different validity duration. + format: int64 + type: integer + required: + - audience + type: object + type: array + x-kubernetes-list-type: atomic + type: object vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: @@ -328,6 +385,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.deepcopy.go b/operator/v1/zz_generated.deepcopy.go index 3d3c8f4f825..3058b6c8cf2 100644 --- a/operator/v1/zz_generated.deepcopy.go +++ b/operator/v1/zz_generated.deepcopy.go @@ -469,6 +469,11 @@ func (in *CSIDriverConfigSpec) DeepCopyInto(out *CSIDriverConfigSpec) { *out = new(VSphereCSIDriverConfigSpec) (*in).DeepCopyInto(*out) } + if in.SecretsStore != nil { + in, out := &in.SecretsStore, &out.SecretsStore + *out = new(SecretsStoreCSIDriverConfigSpec) + (*in).DeepCopyInto(*out) + } return } 
@@ -4869,6 +4874,81 @@ func (in *SFlowConfig) DeepCopy() *SFlowConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsStoreCSIDriverConfigSpec) DeepCopyInto(out *SecretsStoreCSIDriverConfigSpec) { + *out = *in + if in.SecretRotation != nil { + in, out := &in.SecretRotation, &out.SecretRotation + *out = new(SecretsStoreSecretRotation) + (*in).DeepCopyInto(*out) + } + if in.TokenRequests != nil { + in, out := &in.TokenRequests, &out.TokenRequests + *out = make([]SecretsStoreTokenRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsStoreCSIDriverConfigSpec. +func (in *SecretsStoreCSIDriverConfigSpec) DeepCopy() *SecretsStoreCSIDriverConfigSpec { + if in == nil { + return nil + } + out := new(SecretsStoreCSIDriverConfigSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SecretsStoreSecretRotation) DeepCopyInto(out *SecretsStoreSecretRotation) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + if in.RotationPollInterval != nil { + in, out := &in.RotationPollInterval, &out.RotationPollInterval + *out = new(metav1.Duration) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsStoreSecretRotation. +func (in *SecretsStoreSecretRotation) DeepCopy() *SecretsStoreSecretRotation { + if in == nil { + return nil + } + out := new(SecretsStoreSecretRotation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *SecretsStoreTokenRequest) DeepCopyInto(out *SecretsStoreTokenRequest) { + *out = *in + if in.ExpirationSeconds != nil { + in, out := &in.ExpirationSeconds, &out.ExpirationSeconds + *out = new(int64) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretsStoreTokenRequest. +func (in *SecretsStoreTokenRequest) DeepCopy() *SecretsStoreTokenRequest { + if in == nil { + return nil + } + out := new(SecretsStoreTokenRequest) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Server) DeepCopyInto(out *Server) { *out = *in diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml index 12aeaee8795..68c300387b5 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AAA_ungated.yaml @@ -167,7 +167,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -176,6 +176,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -241,6 +242,62 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + properties: + enabled: + default: true + description: |- + enabled controls whether automatic secret rotation is active. + When true, the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When false, secrets are only fetched at initial pod mount time. + Default is true. + type: boolean + rotationPollInterval: + default: 2m + description: |- + rotationPollInterval is the minimum duration between secret rotation attempts. + The driver skips provider calls if less than this interval has elapsed since + the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m"). + Default is "2m". + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ + type: string + type: object + tokenRequests: + description: |- + tokenRequests specifies service account token audiences that kubelet will provide + to the CSI driver during NodePublishVolume calls. These tokens enable workload + identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. + An empty audience string means the token uses the kube-apiserver's default APIAudiences. + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. + An empty string means the issued token will use the kube-apiserver's default APIAudiences. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. 
+ The token issuer may return a token with a different validity duration. + format: int64 + type: integer + required: + - audience + type: object + type: array + x-kubernetes-list-type: atomic + type: object vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: @@ -293,6 +350,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AWSEuropeanSovereignCloudInstall.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AWSEuropeanSovereignCloudInstall.yaml index 1aeaf6ae0f2..40ee4af1e7d 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AWSEuropeanSovereignCloudInstall.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/AWSEuropeanSovereignCloudInstall.yaml @@ -167,7 +167,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -176,6 +176,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -241,6 +242,62 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + properties: + enabled: + default: true + description: |- + enabled controls whether automatic secret rotation is active. + When true, the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When false, secrets are only fetched at initial pod mount time. + Default is true. + type: boolean + rotationPollInterval: + default: 2m + description: |- + rotationPollInterval is the minimum duration between secret rotation attempts. + The driver skips provider calls if less than this interval has elapsed since + the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m"). + Default is "2m". + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ + type: string + type: object + tokenRequests: + description: |- + tokenRequests specifies service account token audiences that kubelet will provide + to the CSI driver during NodePublishVolume calls. These tokens enable workload + identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. + An empty audience string means the token uses the kube-apiserver's default APIAudiences. + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. + An empty string means the issued token will use the kube-apiserver's default APIAudiences. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. 
+ The token issuer may return a token with a different validity duration. + format: int64 + type: integer + required: + - audience + type: object + type: array + x-kubernetes-list-type: atomic + type: object vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: @@ -293,6 +350,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml index f7696f5e1b9..e5d59e93c19 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/clustercsidrivers.operator.openshift.io/VSphereConfigurableMaxAllowedBlockVolumesPerNode.yaml @@ -163,7 +163,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -172,6 +172,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -237,6 +238,62 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + properties: + enabled: + default: true + description: |- + enabled controls whether automatic secret rotation is active. + When true, the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When false, secrets are only fetched at initial pod mount time. + Default is true. + type: boolean + rotationPollInterval: + default: 2m + description: |- + rotationPollInterval is the minimum duration between secret rotation attempts. + The driver skips provider calls if less than this interval has elapsed since + the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m"). + Default is "2m". + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ + type: string + type: object + tokenRequests: + description: |- + tokenRequests specifies service account token audiences that kubelet will provide + to the CSI driver during NodePublishVolume calls. These tokens enable workload + identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. + An empty audience string means the token uses the kube-apiserver's default APIAudiences. + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. + An empty string means the issued token will use the kube-apiserver's default APIAudiences. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. 
+ The token issuer may return a token with a different validity duration. + format: int64 + type: integer + required: + - audience + type: object + type: array + x-kubernetes-list-type: atomic + type: object vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: @@ -304,6 +361,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go index c3ed726028d..53b28911779 100644 --- a/operator/v1/zz_generated.swagger_doc_generated.go +++ b/operator/v1/zz_generated.swagger_doc_generated.go 
@@ -515,13 +515,14 @@ func (AzureDiskEncryptionSet) SwaggerDoc() map[string]string { } var map_CSIDriverConfigSpec = map[string]string{ - "": "CSIDriverConfigSpec defines configuration spec that can be used to optionally configure a specific CSI Driver.", - "driverType": "driverType indicates type of CSI driver for which the driverConfig is being applied to. Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. Consumers should treat unknown values as a NO-OP.", - "aws": "aws is used to configure the AWS CSI driver.", - "azure": "azure is used to configure the Azure CSI driver.", - "gcp": "gcp is used to configure the GCP CSI driver.", - "ibmcloud": "ibmcloud is used to configure the IBM Cloud CSI driver.", - "vSphere": "vSphere is used to configure the vsphere CSI driver.", + "": "CSIDriverConfigSpec defines configuration spec that can be used to optionally configure a specific CSI Driver.", + "driverType": "driverType indicates type of CSI driver for which the driverConfig is being applied to. Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP.", + "aws": "aws is used to configure the AWS CSI driver.", + "azure": "azure is used to configure the Azure CSI driver.", + "gcp": "gcp is used to configure the GCP CSI driver.", + "ibmcloud": "ibmcloud is used to configure the IBM Cloud CSI driver.", + "vSphere": "vSphere is used to configure the vsphere CSI driver.", + "secretsStore": "secretsStore is used to configure the Secrets Store CSI driver.", } func (CSIDriverConfigSpec) SwaggerDoc() map[string]string { 
@@ -596,6 +597,36 @@ func (IBMCloudCSIDriverConfigSpec) SwaggerDoc() map[string]string { return map_IBMCloudCSIDriverConfigSpec } +var map_SecretsStoreCSIDriverConfigSpec = map[string]string{ + "": "SecretsStoreCSIDriverConfigSpec defines properties that can be configured for the Secrets Store CSI driver.", + "secretRotation": "secretRotation controls automatic secret rotation behavior. When omitted, secret rotation is enabled with a default poll interval of 2 minutes.", + "tokenRequests": "tokenRequests specifies service account token audiences that kubelet will provide to the CSI driver during NodePublishVolume calls. These tokens enable workload identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. An empty audience string means the token uses the kube-apiserver's default APIAudiences.", +} + +func (SecretsStoreCSIDriverConfigSpec) SwaggerDoc() map[string]string { + return map_SecretsStoreCSIDriverConfigSpec +} + +var map_SecretsStoreSecretRotation = map[string]string{ + "": "SecretsStoreSecretRotation configures the automatic secret rotation behavior for the Secrets Store CSI driver.", + "enabled": "enabled controls whether automatic secret rotation is active. When true, the CSIDriver object sets requiresRepublish and the driver re-fetches secrets from providers. When false, secrets are only fetched at initial pod mount time. Default is true.", + "rotationPollInterval": "rotationPollInterval is the minimum duration between secret rotation attempts. The driver skips provider calls if less than this interval has elapsed since the last successful rotation. Format is a Go duration string (e.g. \"2m\", \"1h30m\"). 
Default is \"2m\".", +} + +func (SecretsStoreSecretRotation) SwaggerDoc() map[string]string { + return map_SecretsStoreSecretRotation +} + +var map_SecretsStoreTokenRequest = map[string]string{ + "": "SecretsStoreTokenRequest specifies a service account token audience configuration for workload identity federation (WIF) with the Secrets Store CSI driver.", + "audience": "audience is the intended audience of the service account token. An empty string means the issued token will use the kube-apiserver's default APIAudiences.", + "expirationSeconds": "expirationSeconds is the requested duration of validity of the service account token. The token issuer may return a token with a different validity duration.", +} + +func (SecretsStoreTokenRequest) SwaggerDoc() map[string]string { + return map_SecretsStoreTokenRequest +} + var map_VSphereCSIDriverConfigSpec = map[string]string{ "": "VSphereCSIDriverConfigSpec defines properties that can be configured for vsphere CSI driver.", "topologyCategories": "topologyCategories indicates tag categories with which vcenter resources such as hostcluster or datacenter were tagged with. If cluster Infrastructure object has a topology, values specified in Infrastructure object will be used and modifications to topologyCategories will be rejected.", diff --git a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml index 19b319fcb8d..de581c07a41 100644 --- a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-CustomNoUpgrade.crd.yaml 
@@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,62 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + properties: + enabled: + default: true + description: |- + enabled controls whether automatic secret rotation is active. + When true, the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When false, secrets are only fetched at initial pod mount time. + Default is true. + type: boolean + rotationPollInterval: + default: 2m + description: |- + rotationPollInterval is the minimum duration between secret rotation attempts. + The driver skips provider calls if less than this interval has elapsed since + the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m"). + Default is "2m". + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ + type: string + type: object + tokenRequests: + description: |- + tokenRequests specifies service account token audiences that kubelet will provide + to the CSI driver during NodePublishVolume calls. These tokens enable workload + identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. + An empty audience string means the token uses the kube-apiserver's default APIAudiences. + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. + An empty string means the issued token will use the kube-apiserver's default APIAudiences. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. 
+ The token issuer may return a token with a different validity duration. + format: int64 + type: integer + required: + - audience + type: object + type: array + x-kubernetes-list-type: atomic + type: object vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: @@ -328,6 +385,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml index 5bb6bdddcfb..98770a3a0a7 100644 --- a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml +++ b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-Default.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,62 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + properties: + enabled: + default: true + description: |- + enabled controls whether automatic secret rotation is active. + When true, the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When false, secrets are only fetched at initial pod mount time. + Default is true. + type: boolean + rotationPollInterval: + default: 2m + description: |- + rotationPollInterval is the minimum duration between secret rotation attempts. + The driver skips provider calls if less than this interval has elapsed since + the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m"). + Default is "2m". + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ + type: string + type: object + tokenRequests: + description: |- + tokenRequests specifies service account token audiences that kubelet will provide + to the CSI driver during NodePublishVolume calls. These tokens enable workload + identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. + An empty audience string means the token uses the kube-apiserver's default APIAudiences. + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. + An empty string means the issued token will use the kube-apiserver's default APIAudiences. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. 
+ The token issuer may return a token with a different validity duration. + format: int64 + type: integer + required: + - audience + type: object + type: array + x-kubernetes-list-type: atomic + type: object vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: @@ -313,6 +370,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml index a03dd7d88db..d0cc9798d64 100644 --- a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml +++ b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-DevPreviewNoUpgrade.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,62 @@ spec: required: - encryptionKeyCRN type: object + secretsStore: + description: secretsStore is used to configure the Secrets Store + CSI driver. + properties: + secretRotation: + description: |- + secretRotation controls automatic secret rotation behavior. + When omitted, secret rotation is enabled with a default poll interval of 2 minutes. + properties: + enabled: + default: true + description: |- + enabled controls whether automatic secret rotation is active. + When true, the CSIDriver object sets requiresRepublish and the driver + re-fetches secrets from providers. + When false, secrets are only fetched at initial pod mount time. + Default is true. + type: boolean + rotationPollInterval: + default: 2m + description: |- + rotationPollInterval is the minimum duration between secret rotation attempts. + The driver skips provider calls if less than this interval has elapsed since + the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m"). + Default is "2m". + pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ + type: string + type: object + tokenRequests: + description: |- + tokenRequests specifies service account token audiences that kubelet will provide + to the CSI driver during NodePublishVolume calls. These tokens enable workload + identity federation (WIF) with cloud providers such as AWS, Azure, and GCP. + An empty audience string means the token uses the kube-apiserver's default APIAudiences. + items: + description: |- + SecretsStoreTokenRequest specifies a service account token audience configuration + for workload identity federation (WIF) with the Secrets Store CSI driver. + properties: + audience: + description: |- + audience is the intended audience of the service account token. + An empty string means the issued token will use the kube-apiserver's default APIAudiences. + type: string + expirationSeconds: + description: |- + expirationSeconds is the requested duration of validity of the service account token. 
+ The token issuer may return a token with a different validity duration. + format: int64 + type: integer + required: + - audience + type: object + type: array + x-kubernetes-list-type: atomic + type: object vSphere: description: vSphere is used to configure the vsphere CSI driver. properties: @@ -328,6 +385,10 @@ spec: unset otherwise rule: 'has(self.driverType) && self.driverType == ''IBMCloud'' ? has(self.ibmcloud) : !has(self.ibmcloud)' + - message: secretsStore must be set if driverType is 'SecretsStore', + but remain unset otherwise + rule: 'has(self.driverType) && self.driverType == ''SecretsStore'' + ? has(self.secretsStore) : !has(self.secretsStore)' logLevel: default: Normal description: |- diff --git a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml index 0e925a75110..1e2a061324d 100644 --- a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml +++ b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-OKD.crd.yaml @@ -187,7 +187,7 @@ spec: description: |- driverType indicates type of CSI driver for which the driverConfig is being applied to. - Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted. + Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted. Consumers should treat unknown values as a NO-OP. enum: - "" @@ -196,6 +196,7 @@ spec: - GCP - IBMCloud - vSphere + - SecretsStore type: string gcp: description: gcp is used to configure the GCP CSI driver. 
@@ -261,6 +262,62 @@ spec:
 required:
 - encryptionKeyCRN
 type: object
+ secretsStore:
+ description: secretsStore is used to configure the Secrets Store
+ CSI driver.
+ properties:
+ secretRotation:
+ description: |-
+ secretRotation controls automatic secret rotation behavior.
+ When omitted, secret rotation is enabled with a default poll interval of 2 minutes.
+ properties:
+ enabled:
+ default: true
+ description: |-
+ enabled controls whether automatic secret rotation is active.
+ When true, the CSIDriver object sets requiresRepublish and the driver
+ re-fetches secrets from providers.
+ When false, secrets are only fetched at initial pod mount time.
+ Default is true.
+ type: boolean
+ rotationPollInterval:
+ default: 2m
+ description: |-
+ rotationPollInterval is the minimum duration between secret rotation attempts.
+ The driver skips provider calls if less than this interval has elapsed since
+ the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m").
+ Default is "2m".
+ pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$
+ type: string
+ type: object
+ tokenRequests:
+ description: |-
+ tokenRequests specifies service account token audiences that kubelet will provide
+ to the CSI driver during NodePublishVolume calls. These tokens enable workload
+ identity federation (WIF) with cloud providers such as AWS, Azure, and GCP.
+ An empty audience string means the token uses the kube-apiserver's default APIAudiences.
+ items:
+ description: |-
+ SecretsStoreTokenRequest specifies a service account token audience configuration
+ for workload identity federation (WIF) with the Secrets Store CSI driver.
+ properties:
+ audience:
+ description: |-
+ audience is the intended audience of the service account token.
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences.
+ type: string
+ expirationSeconds:
+ description: |-
+ expirationSeconds is the requested duration of validity of the service account token.
+ The token issuer may return a token with a different validity duration.
+ format: int64
+ type: integer
+ required:
+ - audience
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
 vSphere:
 description: vSphere is used to configure the vsphere CSI driver.
 properties:
@@ -313,6 +370,10 @@ spec:
 unset otherwise
 rule: 'has(self.driverType) && self.driverType == ''IBMCloud''
 ? has(self.ibmcloud) : !has(self.ibmcloud)'
+ - message: secretsStore must be set if driverType is 'SecretsStore',
+ but remain unset otherwise
+ rule: 'has(self.driverType) && self.driverType == ''SecretsStore''
+ ? has(self.secretsStore) : !has(self.secretsStore)'
 logLevel:
 default: Normal
 description: |-
diff --git a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml
index 3dc68028e00..9167f855304 100644
--- a/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_50_csi-driver_01_clustercsidrivers-TechPreviewNoUpgrade.crd.yaml
@@ -187,7 +187,7 @@ spec:
 description: |-
 driverType indicates type of CSI driver for which the
 driverConfig is being applied to.
- Valid values are: AWS, Azure, GCP, IBMCloud, vSphere and omitted.
+ Valid values are: AWS, Azure, GCP, IBMCloud, vSphere, SecretsStore and omitted.
 Consumers should treat unknown values as a NO-OP.
 enum:
 - ""
@@ -196,6 +196,7 @@ spec:
 - GCP
 - IBMCloud
 - vSphere
+ - SecretsStore
 type: string
 gcp:
 description: gcp is used to configure the GCP CSI driver.
@@ -261,6 +262,62 @@ spec:
 required:
 - encryptionKeyCRN
 type: object
+ secretsStore:
+ description: secretsStore is used to configure the Secrets Store
+ CSI driver.
+ properties:
+ secretRotation:
+ description: |-
+ secretRotation controls automatic secret rotation behavior.
+ When omitted, secret rotation is enabled with a default poll interval of 2 minutes.
+ properties:
+ enabled:
+ default: true
+ description: |-
+ enabled controls whether automatic secret rotation is active.
+ When true, the CSIDriver object sets requiresRepublish and the driver
+ re-fetches secrets from providers.
+ When false, secrets are only fetched at initial pod mount time.
+ Default is true.
+ type: boolean
+ rotationPollInterval:
+ default: 2m
+ description: |-
+ rotationPollInterval is the minimum duration between secret rotation attempts.
+ The driver skips provider calls if less than this interval has elapsed since
+ the last successful rotation. Format is a Go duration string (e.g. "2m", "1h30m").
+ Default is "2m".
+ pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$
+ type: string
+ type: object
+ tokenRequests:
+ description: |-
+ tokenRequests specifies service account token audiences that kubelet will provide
+ to the CSI driver during NodePublishVolume calls. These tokens enable workload
+ identity federation (WIF) with cloud providers such as AWS, Azure, and GCP.
+ An empty audience string means the token uses the kube-apiserver's default APIAudiences.
+ items:
+ description: |-
+ SecretsStoreTokenRequest specifies a service account token audience configuration
+ for workload identity federation (WIF) with the Secrets Store CSI driver.
+ properties:
+ audience:
+ description: |-
+ audience is the intended audience of the service account token.
+ An empty string means the issued token will use the kube-apiserver's default APIAudiences.
+ type: string
+ expirationSeconds:
+ description: |-
+ expirationSeconds is the requested duration of validity of the service account token.
+ The token issuer may return a token with a different validity duration.
+ format: int64
+ type: integer
+ required:
+ - audience
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
 vSphere:
 description: vSphere is used to configure the vsphere CSI driver.
 properties:
@@ -328,6 +385,10 @@ spec:
 unset otherwise
 rule: 'has(self.driverType) && self.driverType == ''IBMCloud''
 ? has(self.ibmcloud) : !has(self.ibmcloud)'
+ - message: secretsStore must be set if driverType is 'SecretsStore',
+ but remain unset otherwise
+ rule: 'has(self.driverType) && self.driverType == ''SecretsStore''
+ ? has(self.secretsStore) : !has(self.secretsStore)'
 logLevel:
 default: Normal
 description: |-