SSCSI-254: Configurable secret rotation and WIF support for SSCSI

[chiragkyal]

Summary

This enhancement proposal adds configurable secret rotation and workload identity federation (WIF) support to the OpenShift Secrets Store CSI Driver Operator via the ClusterCSIDriver CR.

Changes

• Extends CSIDriverConfigSpec with a new SecretsStore discriminated union
  variant containing secretRotation and tokenRequests fields.
• The operator will dynamically propagate these settings to:
  • The storage.k8s.io/v1 CSIDriver object (requiresRepublish, tokenRequests)
  • The driver DaemonSet container args (--enable-secret-rotation, --rotation-poll-interval)
• Aligns with upstream Secrets Store CSI Driver v1.6.0 which replaced the internal
  rotation controller with kubelet-native requiresRepublish.

Tracking

• Jira: https://redhat.atlassian.net/browse/SSCSI-254

/cc @mytreya-rh @dobsonj

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@chiragkyal: This pull request references SSCSI-254 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign suleymanakbas91 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[chiragkyal]

/cc @mytreya-rh @dobsonj

[openshift-ci]

@chiragkyal: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.