Loading...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Labels:
- ai-generated-jira
- oap-plan

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Epic Link:
Configurable secret rotation in Secret Store CSI driver operator
Color Status:
Not Selected
Intelligence Requested:
Market:

Sprint:
OAPE Sprint 282
sprint_count:
1

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

PX Impact Score:

As a platform operator, I want to extend the CSIDriverConfigSpec in openshift/api to support secret rotation configuration fields, so that cluster administrators can configure rotation behavior declaratively via the operator CR.

Acceptance Criteria

CSIDriverConfigSpec extended in openshift/api repo with SecretsStore driver-specific configuration
New driver-specific struct: SSCSIDriverConfigSpec containing:
- SecretRotation struct with:
  - Enabled (bool) - enable/disable automatic secret rotation
  - PollingInterval (string) - rotation polling interval (duration format)
- TokenRequests ([]TokenRequest) - for WIF configuration
Pattern follows existing driver-specific configurations (e.g., AWS EBS, GCP PD)
API changes follow OpenShift API conventions and versioning
Generated client code updated (deepcopy, defaulting, validation)
Backward compatibility maintained (new fields optional)

Technical Details

File to modify: https://github.com/openshift/api/blob/3f584b29ee4a4faeb1a733e97c5ba16a1e5ee4f8/operator/v1/types_csi_cluster_driver.go#L131
Add SecretsStore field to CSIDriverConfigSpec struct at line 131
Create new SSCSIDriverConfigSpec struct with rotation configuration
Add OpenAPI schema markers for validation
Run make update to regenerate client code
Add defaulting logic if needed (e.g., default Enabled: true)

Example API Addition

// In CSIDriverConfigSpec struct (line 131)
type CSIDriverConfigSpec struct {
    // ... existing fields (AWS, GCE, Azure, etc.) ...
    
    // SecretsStore configures the Secrets Store CSI driver
    // +optional
    SecretsStore *SSCSIDriverConfigSpec `json:"secretsStore,omitempty"`
}

// New driver-specific configuration
type SSCSIDriverConfigSpec struct {
    // SecretRotation configures automatic secret rotation behavior
    // +optional
    SecretRotation *SecretRotationConfig `json:"secretRotation,omitempty"`
    
    // TokenRequests configures service account token projection for WIF
    // +optional
    TokenRequests []TokenRequest `json:"tokenRequests,omitempty"`
}

type SecretRotationConfig struct {
    // Enabled controls whether automatic secret rotation is enabled
    // Default: true
    // +optional
    Enabled bool `json:"enabled"`
    
    // PollingInterval specifies how often to poll for secret updates
    // Format: duration string (e.g., "2m", "30s")
    // +optional
    PollingInterval string `json:"pollingInterval,omitempty"`
}

Definition of Done

PR merged to openshift/api repo with API changes
API documentation generated
Client code regenerated successfully
Unit tests validate new fields
API changes reviewed by API reviewers

Assignee:: Unassigned

Reporter:: Mytreya Kasturi

Contributing Groups:: Cisco - Waas Confidential Group, Red Hat Bugzilla Authorized, TSX/RH Confidential Group, Unisys Confidential Group, VMware Confidential Group, VVDN Confidential Group, Veeam Confidential Group, Veritas Confidential Group, VerizonWireless Confidential Group, Wacom Confidential Group, Western Digital Confidential Group, Wind River Confidential Group, Wipro Limited Confidential Group, Wiwynn Confidential Group, Xilinx Confidential Group, Yahoo Confidential Group, ZTE Confidential Group, Zettaset Confidential Group

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2025/12/24 9:50 AM

Updated:: 2025/12/24 12:20 PM

Details

Description

Acceptance Criteria

Technical Details

Example API Addition

Definition of Done

Attachments

Easy Agile Planning Poker

Activity

People

Dates

PagerDuty