Replace upstream Secrets Store CSI driver manifests with OCP operator

[psalajova]

The upstream CSI driver images don't support s390x/ppc64le architectures, causing CrashLoopBackOff on multi-arch nodes. This replaces the manually-managed upstream manifests (DaemonSet, CRDs, RBAC, CSIDriver) with the Red Hat Secrets Store CSI Driver Operator installed via OLM, whose images support all architectures. The GCP provider DaemonSet and SecretProviderClass are kept as-is since the operator doesn't manage those. Tested on build11 -- operator deploys driver pods successfully on all nodes including s390x.

Summary by CodeRabbit

This PR updates build-cluster CSI secrets management to use the Red Hat Secrets Store CSI Driver Operator (installed via OLM) instead of the upstream manually-managed Secrets Store CSI driver manifests.

Infrastructure affected: build clusters' CSI secrets configuration under clusters/build-clusters/build-shared/csi-secrets-gcp/

What changed in practical terms:

• Replaced locally managed upstream CSI driver artifacts with an OLM-managed operator subscription:
  • Added secrets-store-csi-driver-operator.yaml to create an OperatorGroup, a Subscription (stable channel, manual installPlanApproval, pinned startingCSV), and a ClusterCSIDriver configuration in the openshift-cluster-csi-drivers namespace.
• Removed the upstream-managed driver components from the repo so the operator provides them at runtime:
  • Deleted DaemonSet that deployed the driver on nodes.
  • Deleted CSIDriver manifest.
  • Deleted RBAC objects (ServiceAccount, ClusterRole, ClusterRoleBinding).
  • Deleted CRDs for SecretProviderClass and SecretProviderClassPodStatus.
• Kept provider-specific resources in this repo:
  • GCP provider DaemonSet and SecretProviderClass remain in place because the operator does not manage provider DaemonSets or SecretProviderClass CRs.

Why this was done:

• Upstream driver images lacked s390x/ppc64le support causing CrashLoopBackOff on multi-arch nodes. The Red Hat operator images support all architectures. The change was validated on build11 where the operator successfully deployed driver pods on all node types, including s390x.

Notes:

• Subscription uses manual installPlanApproval and a pinned startingCSV (secrets-store-csi-driver-operator.v4.21.0-202605260453).

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 030b5512-ad0b-4dcf-942a-f34ed3fbfd26

📥 Commits

Reviewing files that changed from the base of the PR and between 9fecb01 and aba6d35.

📒 Files selected for processing (1)

• clusters/build-clusters/build-shared/csi-secrets-gcp/secrets-store-csi-driver-operator.yaml

---

Walkthrough

Replace manual Secrets Store CSI Driver manifests with an OLM-based installation: add OperatorGroup and Subscription for Red Hat's secrets-store-csi-driver-operator and register a ClusterCSIDriver; README updated to document operator-managed components in the openshift-cluster-csi-drivers namespace.

Changes

Operator-Managed CSI Driver Migration

Layer / File(s)	Summary
OperatorGroup and Subscription clusters/build-clusters/build-shared/csi-secrets-gcp/secrets-store-csi-driver-operator.yaml	Adds an OperatorGroup scoped to openshift-cluster-csi-drivers and a Subscription for secrets-store-csi-driver-operator from redhat-operators on the stable channel with installPlanApproval: Manual and a pinned startingCSV.
ClusterCSIDriver and docs clusters/build-clusters/build-shared/csi-secrets-gcp/secrets-store-csi-driver-operator.yaml, clusters/build-clusters/build-shared/csi-secrets-gcp/README.md	Adds a ClusterCSIDriver resource for secrets-store.csi.k8s.io and updates README to document that the Secrets Store CSI Driver is managed by the Red Hat operator (operator provides DaemonSet, CRDs, RBAC, and CSIDriver resource placement in openshift-cluster-csi-drivers).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

ok-to-test

Suggested reviewers

• deepsm007
• danilo-gemoli

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
Container-Privileges	❌ Error	PR contains privileged: true in provider-gcp-plugin.yaml DaemonSet container, required for cluster SCC compatibility.	Document security justification for privileged mode or explore SCC adjustments to avoid privilege escalation.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: replacing upstream CSI driver manifests with the OCP operator, which is reflected across all modified files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	No Ginkgo test files are present in this PR. Changes are exclusively to Kubernetes manifest YAML files and documentation in the csi-secrets-gcp directory.
Test Structure And Quality	✅ Passed	This PR contains only Kubernetes/OpenShift YAML manifests and README documentation—no Ginkgo test code. The check is not applicable.
Microshift Test Compatibility	✅ Passed	This PR modifies only YAML manifest and markdown documentation files (no Go test code). No new Ginkgo e2e tests are added, so the MicroShift test compatibility check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No e2e tests are added in this PR. Changes are limited to Kubernetes manifests and documentation in the csi-secrets-gcp directory.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only adds OLM manifests (OperatorGroup, Subscription, ClusterCSIDriver) with no scheduling constraints. Driver scheduling is delegated to Red Hat operator. No topology-breaking patterns introduced.
Ote Binary Stdout Contract	✅ Passed	PR contains only Kubernetes manifest and documentation changes; no executable code exists that could violate OTE binary stdout contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR makes no changes to Ginkgo e2e tests. It only modifies Kubernetes manifest files (YAML) and documentation for CSI driver deployment configuration. The check is not applicable.
No-Weak-Crypto	✅ Passed	PR adds only Kubernetes manifest files; no weak crypto algorithms, custom crypto, or non-constant-time secret comparisons detected.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data exposure detected. Log levels set to "Normal", no credentials embedded, and secret references use standard Kubernetes mechanisms without exposing their contents.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: psalajova

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• clusters/build-clusters/build-shared/OWNERS [psalajova]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[psalajova]

/hold

we need to first upgrade all build clusters to 4.21

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@psalajova: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@psalajova: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.