SSCSI-242

Configurable secret rotation in Secret Store CSI driver operator

Type: Epic
Resolution: Unresolved
Status: In Progress
Progress: 90% To Do, 0% In Progress, 10% Done

      Enable users to configure secret rotation behavior in the Secret Store CSI driver operator, including the ability to enable/disable automatic secret rotation and configure the rotation polling interval. This addresses customer cost concerns when managing large numbers of secrets (200+ per cluster) where continuous polling of secret managers leads to high transaction costs and performance overhead.

      Epic Acceptance Criteria

      • Users can enable/disable secret rotation via operator configuration
      • Users can configure rotation polling interval via operator configuration
      • Configuration persists across pod reconciliations and operator restarts
      • Configuration is correctly passed from operator to CSI driver operand
      • RequiresRepublish is dynamically set: true when rotation enabled, false when disabled
      • When secret rotation is disabled, RequiresRepublish=false prevents unnecessary kubelet calls every 90 seconds
      • WIF works on Azure clusters without upgrade impact (tokenRequests preserved)
      • Cluster admins can configure tokenRequests audience in CSIDriver for WIF scenarios
      • TokenRequests configuration is not overwritten during operator upgrades/reconciliation
      • Multi-cloud WIF test passes: single SS-CSI driver instance mounts secrets from GCP, Azure, AWS, and Vault using federated identity
      • Upgrade test passes: multi-cloud WIF configuration persists and functions after upgrade to latest version
      • Default behavior maintains backward compatibility (rotation enabled by default)
      • Documentation includes configuration examples, multi-cloud WIF setup, and migration guide
      • E2E tests validate configuration propagation and multi-cloud WIF functionality

      Scope

      In Scope

      • Add operator configuration option to enable/disable secret rotation
      • Add operator configuration for rotation polling interval
      • Pass configuration from operator to operand (CSI driver)
      • Persist configuration across pod reconciliations
      • Update operator CRD with new configuration fields
      • Set RequiresRepublish to true in csidriver.yaml when rotation is enabled (aligning with upstream PR kubernetes-sigs/secrets-store-csi-driver#1622)
      • Set RequiresRepublish to false when secret rotation is disabled (prevents unnecessary kubelet calls every 90 seconds)
      • Handle tokenRequests audience configuration for WIF (SSCSI-228)
      • Prevent tokenRequests from being overwritten during reconciliation/upgrades
      • Multi-cloud WIF testing (GCP, Azure, AWS, Vault Secret Managers with federated identity)
      • Upgrade testing with multi-cloud WIF configuration
      • Documentation for new configuration options and multi-cloud WIF setup
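Added illustration, not the operator's own code: a trimmed Go sketch of the reconcile logic the In Scope items describe, with RequiresRepublish following the rotation switch and admin-set tokenRequests kept across reconciliation. The RotationConfig field names and the cut-down CSIDriverSpec/TokenRequest types are assumptions (the real CRD fields are not yet defined on this page); the two driver flags are the upstream secrets-store-csi-driver's rotation flags.

```go
package main

import (
	"fmt"
	"time"
)

// RotationConfig stands in for the operator CRD fields this epic adds;
// the field names are an assumption, not the project's.
type RotationConfig struct {
	Enabled      bool
	PollInterval time.Duration
}

// TokenRequest and CSIDriverSpec are cut-down stand-ins for the
// storage.k8s.io/v1 CSIDriver fields touched here.
type TokenRequest struct {
	Audience string
}

type CSIDriverSpec struct {
	RequiresRepublish bool
	TokenRequests     []TokenRequest
}

// driverArgs renders the upstream driver flags for the operand DaemonSet.
// The poll interval is only meaningful when rotation is on.
func driverArgs(cfg RotationConfig) []string {
	args := []string{fmt.Sprintf("--enable-secret-rotation=%t", cfg.Enabled)}
	if cfg.Enabled {
		args = append(args, "--rotation-poll-interval="+cfg.PollInterval.String())
	}
	return args
}

// reconcileCSIDriver builds the desired spec: RequiresRepublish is true only
// while rotation is enabled (otherwise kubelet republishes needlessly), and
// tokenRequests already present on the existing object (set by the cluster
// admin for WIF) are copied forward instead of being overwritten.
func reconcileCSIDriver(cfg RotationConfig, existing *CSIDriverSpec) CSIDriverSpec {
	desired := CSIDriverSpec{RequiresRepublish: cfg.Enabled}
	if existing != nil && len(existing.TokenRequests) > 0 {
		desired.TokenRequests = append([]TokenRequest(nil), existing.TokenRequests...)
	}
	return desired
}

func main() {
	cfg := RotationConfig{Enabled: true, PollInterval: 2 * time.Minute}
	existing := &CSIDriverSpec{TokenRequests: []TokenRequest{{Audience: "openshift"}}}
	fmt.Println(driverArgs(cfg), reconcileCSIDriver(cfg, existing))
}
```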

      Out of Scope

      • Changes to the upstream secret rotation mechanism (handled by kubernetes-sigs/secrets-store-csi-driver#1622)
      • Support for secret providers beyond GCP, Azure, AWS, Vault

      Timeline

      • Target: OpenShift 4.22

      Target Users

      • Cluster administrators managing SSCSI deployments
      • Platform teams with high secret counts (100+ secrets per cluster)
      • Cost-conscious customers using Azure Key Vault, AWS Secrets Manager, GCP Secret Manager
      • Teams implementing Workload Identity Federation (WIF)

      Related Issues

      • Implements: RFE-8422 - Configurable secret rotation
      • Includes: SSCSI-228 - WIF tokenRequests preservation
      • References: kubernetes-sigs/secrets-store-csi-driver#1622 - Upstream rotation changes

Assignee: Unassigned
Reporter: Mytreya Kasturi (rh-ee-mykastur)
Votes: 0
Watchers: 2