SSCSI-259: Rebase openshift/main to upstream v1.5.6 for OCP 4.22 #62

Open
chiragkyal wants to merge 26 commits into openshift:main from chiragkyal:rebase-1.5.6

chiragkyal commented Mar 5, 2026

This PR rebases the driver on the v.1.5.6 upstream release, bringing the following changes since v.1.5.4 (last rebase)

Changes between v.1.5.4 and v1.5.6:

kubernetes-sigs/secrets-store-csi-driver@v1.5.4...v1.5.6

File Changes

https://github.com/kubernetes-sigs/secrets-store-csi-driver/compare/v1.5.4..v1.5.6

$ git diff v1.5.4 v1.5.6

$ git log v1.5.4...v1.5.6 --oneline --reverse --no-merges

Change logs after v1.5.4

Diff to upstream v1.5.6

kubernetes-sigs/secrets-store-csi-driver@v1.5.6...chiragkyal:rebase-1.5.6

> git diff --name-only v1.5.6 rebase-1.5.6 | grep -v -E '^(vendor/|test/e2eprovider/vendor/|.github/)'

.ci-operator.yaml
.snyk
Dockerfile.bats
Dockerfile.e2eprovider
Dockerfile.openshift
Makefile
OWNERS
OWNERS_ALIASES
go.mod
hack/tools/go.mod
test/bats/aws.bats
test/bats/azure.bats
test/bats/gcp.bats
test/bats/tests/gcp/gcp_v1_secretproviderclass.yaml
test/bats/vault.bats
test/e2eprovider/go.mod

Steps Followed

  • Perform git merge
$ git checkout -b rebase-1.5.6 v1.5.6
$ git merge -s ours openshift/main
  • Cherry-pick the following carry commits
git log --oneline $(git merge-base openshift/main v1.5.6)..openshift/main  --reverse --ancestry-path --no-merges

The above command will list all the commits from the common merge base, but we want to pick only the carry commits which were added after our last rebase point

16d0a035 UPSTREAM: <carry>: Remove .github directory from downstream
3a584a6e UPSTREAM: <carry>: Add OpenShift files
5397b55d UPSTREAM: <carry>: Make upstream e2e tests compatible with downstream
4cfde9d2 UPSTREAM: <drop>: go mod tidy && go mod vendor
867f431c UPSTREAM: <drop>: test/e2eprovide: go mod tidy && go mod vendor
f7ae6ef1 (origin/rebase-1.5.4, rebase-1.5.4) UPSTREAM: <drop>: Update go.mod to 1.24.6
7c63e0ed UPSTREAM: <carry>: Updating ose-secrets-store-csi-driver-container image to be consistent with ART for 4.22 Reconciling with https://github.com/openshift/ocp-build-data/tree/087d1930e36b609f77d73bd8a313d85c940cff4d/images/ose-secrets-store-csi-driver.yml
  • Vendor update

  • Perform vendor updates in root and add the changes with <drop> commit

  • Perform vendor updates in test/e2eprovider and add the changes with <drop> commit

  • Update Dockerfile.{bats,e2eprovider} to 4.22

  • After initial reviews, the carry commits were squashed accordingly.

  • Update the golang version to 1.24.11 since ART's golang builder image does not support 1.24.13

Issue

https://issues.redhat.com//browse/SSCSI-259

Summary by CodeRabbit

  • New Features

    • Added configurable automountServiceAccountToken parameter for pod security settings.
  • Chores

    • Version bump to v1.5.6.
    • Upgraded Go toolchain to 1.24.13.
    • Updated container base images to OpenShift 4.22.
    • Updated kubectl and Go module dependencies.

aramase and others added 25 commits November 3, 2025 15:24
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
…-pick-of-#1949-upstream-release-1.5

chore: update to go 1.24.9
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
….11_release_1.5

chore: update to go 1.24.11 and bump golang.org/x/crypto to v0.46.0
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
…elease_1.5_v1.5.5

chore: bump version to v1.5.5 in release-1.5
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
…-pick-of-#1972-upstream-release-1.5

release: update manifest and helm charts for v1.5.5
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
…-pick-of-#1980-upstream-release-1.5

chore: update to go 1.24.12 and kubectl v1.34.3
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
…elease_1.5_v1.5.6

chore: bump version to v1.5.6 in release-1.5
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
…-pick-of-#1999-upstream-release-1.5

release: update manifest and helm charts for v1.5.6
Signed-off-by: chiragkyal <ckyal@redhat.com>
- Add .ci-operator.yaml, .snyk, Dockerfile.*
- Update OWNERS and OWNERS_ALIASES
- Add '-mod=vendor' in Makefile build targets
- Add required go build flags for FIPS

Signed-off-by: chiragkyal <ckyal@redhat.com>
Signed-off-by: chiragkyal <ckyal@redhat.com>
Signed-off-by: chiragkyal <ckyal@redhat.com>
Signed-off-by: chiragkyal <ckyal@redhat.com>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 5, 2026

openshift-ci-robot commented Mar 5, 2026

@chiragkyal: This pull request references SSCSI-259 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

@openshift-ci openshift-ci bot requested review from arkadeepsen and jsafrane March 5, 2026 06:28

openshift-ci bot commented Mar 5, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chiragkyal

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 5, 2026

coderabbitai bot commented Mar 5, 2026

Walkthrough

Release bump v1.5.4 → v1.5.6, update Go toolchain to 1.24.11, upgrade builder images to golang:1.24.13, OpenShift base images 4.21 → 4.22, kubectl v1.34.1 → v1.34.3, dependency refresh, and add automountServiceAccountToken Helm option for pods.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Version & Release: Makefile, docker/Makefile, charts/secrets-store-csi-driver/Chart.yaml, manifest_staging/charts/secrets-store-csi-driver/Chart.yaml | Bumped RELEASE_VERSION/IMAGE_VERSION and Helm chart version/appVersion from 1.5.4 to 1.5.6. |
| Helm charts & manifests: charts/secrets-store-csi-driver/values.yaml, charts/secrets-store-csi-driver/README.md, charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml, charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml, deploy/secrets-store-csi-driver.yaml, deploy/secrets-store-csi-driver-windows.yaml, manifest_staging/... | Updated image tags to v1.5.6; added new automountServiceAccountToken value and propagated it into Linux and Windows DaemonSet pod specs; README updated with the new parameter. |
| Dockerfile and builder images: docker/Dockerfile, docker/windows.Dockerfile, test/e2eprovider/Dockerfile, docker/crd.Dockerfile, Dockerfile.bats, Dockerfile.e2eprovider, test/e2eprovider/Dockerfile | Replaced builder/base image references: golang builder images updated to 1.24.13, OpenShift images updated 4.21 → 4.22, and kubectl version bumped to v1.34.3 in crd Dockerfile. |
| Go toolchain & modules: go.mod, hack/tools/go.mod, test/e2eprovider/go.mod | Go toolchain in modules updated from 1.24.6 → 1.24.11; dependency upgrades (golang.org/x/*, go-logr/stdr, kube-openapi reorganization and version bumps) and require-block adjustments. |
| Makefiles (docker): docker/Makefile | Updated IMAGE_VERSION default to v1.5.6 (affects derived IMAGE_TAG/CRD_IMAGE_TAG). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Test Structure And Quality | ❓ Inconclusive | PR changes focus on version bumps, dependencies, and build configurations without modifications to test code files (*_test.go or test implementations). | Verify if PR includes test code modifications. If not, check should pass. If test files were modified, provide specific test files and changes for quality assessment. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main objective: rebasing to upstream v1.5.6 for OCP 4.22, which aligns with the primary purpose reflected across all file changes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Stable And Deterministic Test Names | ✅ Passed | The PR modifies only infrastructure and configuration files without changing any test code, so stable test name requirements are not applicable. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions


coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docker/crd.Dockerfile (1)

16-21: ⚠️ Potential issue | 🟠 Major

Add checksum validation for kubectl binary download

Lines 19-21 download and execute kubectl without signature or checksum verification, creating a supply-chain integrity risk. The Kubernetes release endpoints provide checksums for all supported architectures—add validation to prevent tampering or mismatched artifacts.

Suggested fix
 RUN apk add --no-cache curl && \
-    curl -LO https://dl.k8s.io/release/${KUBE_VERSION}/bin/linux/${TARGETARCH}/kubectl && \
+    curl -fsSLO https://dl.k8s.io/release/${KUBE_VERSION}/bin/linux/${TARGETARCH}/kubectl && \
+    curl -fsSLO https://dl.k8s.io/release/${KUBE_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256 && \
+    echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - && \
     chmod +x kubectl
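Review bot: On the two added curl lines, kubectl and kubectl.sha256 are both fetched from the same dl.k8s.io release path, so `sha256sum -c` only proves the binary matches whatever that origin served; it catches a truncated or mismatched artifact, not a tampered origin. Consider pinning the expected digest for each TARGETARCH in the Dockerfile, reviewed alongside KUBE_VERSION, and comparing against that instead. Within the lines shown, kubectl.sha256 is also never removed, so add `rm kubectl.sha256` after the check to keep it out of the layer.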
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docker/crd.Dockerfile` around lines 16 - 21, Add integrity verification for
the kubectl download by fetching the corresponding checksum file from the
Kubernetes release (using KUBE_VERSION and TARGETARCH) and verifying the
downloaded kubectl binary before making it executable; update the RUN block that
downloads kubectl to also curl the release's checksum (or kubectl.sha256),
compute the downloaded binary's checksum (e.g., sha256sum), compare it to the
expected value, and abort (remove the binary and exit non‑zero) if the check
fails, then only run chmod +x kubectl after successful verification.
🧹 Nitpick comments (2)
Dockerfile.e2eprovider (1)

6-6: Drop root privileges in the runtime stage.

At Line 6, the runtime stage does not set USER, so the container runs as root by default. Set a non-root UID before entrypoint.

Suggested patch
 FROM registry.ci.openshift.org/ocp/4.22:base-rhel9
 COPY --from=builder /go/src/github.com/openshift/secrets-store-csi-driver/test/e2eprovider/e2e-provider /e2e-provider
+USER 65532:65532
 
 LABEL description="Mock provider for Secrets Store CSI Driver"
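Review bot: The added `USER 65532:65532` follows a `COPY --from=builder` that sets no `--chown` or `--chmod`, so /e2e-provider stays root-owned with whatever mode the builder stage gave it; confirm it is executable by UID 65532, and that any path the provider writes to at start-up is writable by that UID, before merging. The accompanying agent prompt suggests UID 1000 while this patch uses 65532; settle on one value.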
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.e2eprovider` at line 6, The runtime stage in
Dockerfile.e2eprovider currently runs as root; set a non-root user by adding a
USER instruction with a non-root UID (e.g., 1000) in the runtime stage before
the ENTRYPOINT/CMD, and ensure any required files/directories are chown'd to
that UID in the Dockerfile (or created with proper permissions) so the process
can run without root; update the Dockerfile runtime stage around the FROM
registry.ci.openshift.org/ocp/4.22:base-rhel9 line to create or use a non-root
UID and then add USER <uid> prior to the container start instructions.
Dockerfile.bats (1)

1-1: Run the final image as a non-root user.

At Line 1, this file still builds a runtime image with no USER set, so it defaults to root. Add a non-root user at the end of the Dockerfile after package installs.

Suggested patch
 RUN dnf install -y gettext less && dnf clean all
+RUN useradd --create-home --uid 10001 csi
+USER 10001
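Review bot: `useradd` on the first added line comes from shadow-utils, and the context line installs only gettext and less, so this step fails at build time unless the base image already ships it; either add shadow-utils to the `dnf install` or drop the named account and keep a bare numeric `USER 10001`. `--create-home` is only worth keeping if the bats run writes to the home directory; otherwise it adds a directory nothing uses.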
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile.bats` at line 1, The final image currently runs as root because
there is no USER set; after you finish package installs and file ownership setup
in the Dockerfile (the image built from FROM
registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.22 AS
builder), create a dedicated non-root account (e.g., adduser/groupadd or
useradd) and chown any app/runtime directories to that user, then add a USER
<username> directive at the end of the Dockerfile so the container runs as the
non-root account instead of root.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dc497e7c-464b-439e-ad54-128798607271

📥 Commits

Reviewing files that changed from the base of the PR and between b5d3f5c and c8559ad.

⛔ Files ignored due to path filters (194)
  • vendor/golang.org/x/sys/unix/ztypes_netbsd_arm.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/registry/key.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/registry/value.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/registry/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/security_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/syscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/types_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/sys/windows/zsyscall_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/term/term_windows.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/term/terminal.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/japanese/eucjp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/japanese/iso2022jp.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/japanese/shiftjis.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/korean/euckr.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/simplifiedchinese/gbk.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/simplifiedchinese/hzgb2312.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/traditionalchinese/big5.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/encoding/unicode/unicode.go is excluded by !**/vendor/**, !vendor/**
  • vendor/golang.org/x/text/unicode/bidi/core.go is excluded by !**/vendor/**, !vendor/**
  • vendor/modules.txt is excluded by !**/vendor/**, !vendor/**
📒 Files selected for processing (23)
  • Dockerfile.bats
  • Dockerfile.e2eprovider
  • Makefile
  • charts/secrets-store-csi-driver/Chart.yaml
  • charts/secrets-store-csi-driver/README.md
  • charts/secrets-store-csi-driver/templates/secrets-store-csi-driver-windows.yaml
  • charts/secrets-store-csi-driver/templates/secrets-store-csi-driver.yaml
  • charts/secrets-store-csi-driver/values.yaml
  • deploy/secrets-store-csi-driver-windows.yaml
  • deploy/secrets-store-csi-driver.yaml
  • docker/Dockerfile
  • docker/Makefile
  • docker/crd.Dockerfile
  • docker/windows.Dockerfile
  • go.mod
  • hack/tools/go.mod
  • manifest_staging/charts/secrets-store-csi-driver/Chart.yaml
  • manifest_staging/charts/secrets-store-csi-driver/README.md
  • manifest_staging/charts/secrets-store-csi-driver/values.yaml
  • manifest_staging/deploy/secrets-store-csi-driver-windows.yaml
  • manifest_staging/deploy/secrets-store-csi-driver.yaml
  • test/e2eprovider/Dockerfile
  • test/e2eprovider/go.mod

To fix the Prow CI issue
go: go.mod requires go >= 1.24.13 (running go 1.24.11; GOTOOLCHAIN=local)

Signed-off-by: chiragkyal <ckyal@redhat.com>

openshift-ci-robot commented Mar 5, 2026

@chiragkyal: This pull request references SSCSI-259 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


In response to this:

Summary by CodeRabbit

  • New Features

  • Added configurable automountServiceAccountToken parameter for pod security settings.

  • Chores

  • Bumped release and chart versions to v1.5.6.

  • Upgraded Go toolchain and build images.

  • Updated base/container images to newer OpenShift tags.

  • Updated kubectl and several Go module dependencies.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/tools/go.mod`:
- Line 3: The go version in hack/tools/go.mod is set to 1.24.11 but your CI
Docker images use golang:1.24.13; update the three go.mod files (root go.mod,
hack/tools/go.mod, test/e2eprovider/go.mod) to declare "go 1.24.13" so they
match the CI images, or alternatively change the Dockerfiles in
test/e2eprovider/, docker/, and docker/windows.Dockerfile to use golang:1.24.11;
pick one approach, apply the change consistently across the mentioned files
(root go.mod, hack/tools/go.mod, test/e2eprovider/go.mod OR the three
Dockerfiles), and run `go mod tidy`/rebuild CI to verify no regressions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 18a4ed8d-21a2-4b9b-a586-b9b1928cb1da

📥 Commits

Reviewing files that changed from the base of the PR and between c8559ad and 4842731.

⛔ Files ignored due to path filters (1)
  • test/e2eprovider/vendor/modules.txt is excluded by !**/vendor/**
📒 Files selected for processing (3)
  • go.mod
  • hack/tools/go.mod
  • test/e2eprovider/go.mod
🚧 Files skipped from review as they are similar to previous changes (1)
  • go.mod

module sigs.k8s.io/secrets-store-csi-driver/hack/tools

go 1.24.6
go 1.24.11
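Review bot: the `go 1.24.11` line in hack/tools/go.mod sets the declared minimum below the 1.24.13 that the Prow error quoted in the commit message reports (`go.mod requires go >= 1.24.13 (running go 1.24.11; GOTOOLCHAIN=local)`), so this is a downstream lowering to fit the builder rather than a plain bump from 1.24.6. Mark it as such in the commit subject, as the earlier `UPSTREAM: <drop>: Update go.mod to 1.24.6` commit does, and confirm that the root go.mod and test/e2eprovider/go.mod carry the same value so the same failure does not resurface in another module.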

@coderabbitai coderabbitai bot Mar 5, 2026


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod version declarations =="
fd '^go\.mod$' -t f | while read -r f; do
  echo "--- $f"
  rg -n '^\s*(go|toolchain)\s+' "$f"
done

echo
echo "== CI/tooling references to Go versions =="
rg -n '1\.24\.(11|13)|go1\.24\.(11|13)|golang:1\.24\.(11|13)|GO_VERSION|toolchain' \
  -g '!**/vendor/**' -g '!**/.git/**'

Repository: openshift/secrets-store-csi-driver

Length of output: 1053


Update Go version in go.mod files to match Docker image version, or update Dockerfiles to test against declared minimum.

All go.mod files declare go 1.24.11, but CI Dockerfiles use golang:1.24.13. This inconsistency means the declared minimum version is not validated by CI. Either update the three go.mod files (root, hack/tools, test/e2eprovider) to go 1.24.13, or update the Dockerfiles in test/e2eprovider/, docker/, and docker/windows.Dockerfile to test against golang:1.24.11.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@hack/tools/go.mod` at line 3, The go version in hack/tools/go.mod is set to
1.24.11 but your CI Docker images use golang:1.24.13; update the three go.mod
files (root go.mod, hack/tools/go.mod, test/e2eprovider/go.mod) to declare "go
1.24.13" so they match the CI images, or alternatively change the Dockerfiles in
test/e2eprovider/, docker/, and docker/windows.Dockerfile to use golang:1.24.11;
pick one approach, apply the change consistently across the mentioned files
(root go.mod, hack/tools/go.mod, test/e2eprovider/go.mod OR the three
Dockerfiles), and run `go mod tidy`/rebuild CI to verify no regressions.

Member Author


Those are upstream Dockerfiles. We have separate Dockerfiles for downstream builds whose base images are maintained by the ART team.


@chiragkyal, understood — thanks for the clarification. Since the upstream Dockerfiles are not used for the downstream OpenShift CI builds, and the base images for the downstream Dockerfiles (Dockerfile.bats, Dockerfile.e2eprovider) are managed by the ART team, the version mismatch concern does not apply here. I'll disregard this finding.
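The Prow failure quoted in the commit message and the review thread above reduce to one invariant: under `GOTOOLCHAIN=local`, no module's `go` directive may exceed the builder's Go version. The shell check below is an added example, not part of this PR or the project; the function names, the `example.test` module paths and the sample tree are constructed for illustration, and it assumes release versions of the form N.N.N.

```shell
#!/bin/sh
# Added example: pre-flight check that every non-vendored go.mod fits a pinned builder.

# version_le A B: true when dotted version A <= B (numeric compare per field).
version_le() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# go_directive FILE: print the version on the module's `go` line.
go_directive() {
    awk '$1 == "go" && NF >= 2 { print $2; exit }' "$1"
}

# check_go_mods BUILDER ROOT: report each go.mod; return 1 if any needs a newer Go.
check_go_mods() {
    builder=$1; root=$2; rc=0
    mods=$(find "$root" -name go.mod ! -path '*/vendor/*' | sort)
    while IFS= read -r mod; do
        [ -n "$mod" ] || continue
        want=$(go_directive "$mod")
        rel=${mod#"$root"/}
        if version_le "$want" "$builder"; then
            echo "ok   $rel (go $want)"
        else
            echo "FAIL $rel requires go >= $want (builder go $builder)"
            rc=1
        fi
    done <<EOF
$mods
EOF
    return "$rc"
}

# make_sample_tree: constructed layout with the three module paths from the review.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/hack/tools" "$t/test/e2eprovider/vendor/example.test/dep"
    printf 'module example.test/root\n\ngo 1.24.13\n' > "$t/go.mod"
    printf 'module example.test/tools\n\ngo 1.24.11\n' > "$t/hack/tools/go.mod"
    printf 'module example.test/e2e\n\ngo 1.24.11\n' > "$t/test/e2eprovider/go.mod"
    printf 'module example.test/dep\n\ngo 1.99.0\n' > "$t/test/e2eprovider/vendor/example.test/dep/go.mod"
    echo "$t"
}

tree=$(make_sample_tree)
check_go_mods 1.24.11 "$tree" || echo "at least one module needs a newer builder"
```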




openshift-ci-robot commented Mar 5, 2026

@chiragkyal: This pull request references SSCSI-259 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.


In response to this:

This PR rebases the driver on the v.1.5.6 upstream release, bringing the following changes since v.1.5.4 (last rebase)

Changes between v.1.5.4 and v1.5.6:

kubernetes-sigs/secrets-store-csi-driver@v1.5.4...v1.5.6

File Changes

https://github.com/kubernetes-sigs/secrets-store-csi-driver/compare/v1.5.4..v1.5.6

$ git diff v1.5.4 v1.5.6

$ git log v1.5.4...v1.5.6 --oneline --reverse --no-merges

Change logs after v1.5.4

Diff to upstream v1.5.6

kubernetes-sigs/secrets-store-csi-driver@v1.5.6...chiragkyal:rebase-1.5.6

> git diff --name-only v1.5.6 rebase-1.5.6 | grep -v -E '^(vendor/|test/e2eprovider/vendor/|.github/)'

.ci-operator.yaml
.snyk
Dockerfile.bats
Dockerfile.e2eprovider
Dockerfile.openshift
Makefile
OWNERS
OWNERS_ALIASES
go.mod
hack/tools/go.mod
test/bats/aws.bats
test/bats/azure.bats
test/bats/gcp.bats
test/bats/tests/gcp/gcp_v1_secretproviderclass.yaml
test/bats/vault.bats
test/e2eprovider/go.mod

Steps Followed

  • Perform git merge
$ git checkout -b rebase-1.5.6 v1.5.6
$ git merge -s ours openshift/main
  • Cherry-pick the following carry commits
git log --oneline $(git merge-base openshift/main v1.5.6)..openshift/main  --reverse --ancestry-path --no-merges

The above command will list all the commits from the common merge base, but we want to pick only the carry commits which were added after our last rebase point

16d0a035 UPSTREAM: <carry>: Remove .github directory from downstream
3a584a6e UPSTREAM: <carry>: Add OpenShift files
5397b55d UPSTREAM: <carry>: Make upstream e2e tests compatible with downstream
4cfde9d2 UPSTREAM: <drop>: go mod tidy && go mod vendor
867f431c UPSTREAM: <drop>: test/e2eprovide: go mod tidy && go mod vendor
f7ae6ef1 (origin/rebase-1.5.4, rebase-1.5.4) UPSTREAM: <drop>: Update go.mod to 1.24.6
7c63e0ed UPSTREAM: <carry>: Updating ose-secrets-store-csi-driver-container image to be consistent with ART for 4.22 Reconciling with https://github.com/openshift/ocp-build-data/tree/087d1930e36b609f77d73bd8a313d85c940cff4d/images/ose-secrets-store-csi-driver.yml
  • Vendor update

  • Perform vendor updates in root and add the changes with <drop> commit

  • Perform vendor updates in test/e2eprovider and add the changes with <drop> commit

  • Update Dockerfile.{bats,e2eprovider} to 4.22

  • After initial reviews, the carry commits were squashed accordingly.

  • Update the golang version to 1.24.11 since ART's golang builder image does not support 1.24.13

Issue

https://issues.redhat.com//browse/SSCSI-259

Summary by CodeRabbit

  • New Features

  • Added configurable automountServiceAccountToken parameter for pod security settings.

  • Chores

  • Version bump to v1.5.6.

  • Upgraded Go toolchain to 1.24.13.

  • Updated container base images to OpenShift 4.22.

  • Updated kubectl and Go module dependencies.


@chiragkyal
Member Author

/cc @mytreya-rh

@openshift-ci openshift-ci bot requested a review from mytreya-rh March 5, 2026 07:00
@chiragkyal
Member Author

/retest

@chiragkyal
Member Author

/retest

@chiragkyal
Member Author

/retest-required


openshift-ci bot commented Mar 5, 2026

@chiragkyal: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-aws | 4842731 | link | true | /test e2e-aws |
| ci/prow/e2e-azure | 4842731 | link | true | /test e2e-azure |
| ci/prow/e2e-gcp | 4842731 | link | true | /test e2e-gcp |

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
