Add spiffe-helper sidecar injection webhook #96

@fabiendupont

Description

Problem

The SPIFFE CSI driver (csi.spiffe.io) only exposes the SPIRE Agent's Unix Domain Socket into pods. Applications that need on-disk certificate files (tls.crt, tls.key, ca.crt) — which is most non-SPIFFE-native software — currently require manually adding spiffe-helper init containers and sidecars to every deployment.

This is error-prone, boilerplate-heavy, and doesn't scale.

Proposed Solution

Add a MutatingAdmissionWebhook to the operator that automatically injects spiffe-helper containers into pods based on a pod annotation, eliminating manual sidecar configuration.

How it works

  1. User annotates a pod template with spiffe.openshift.io/inject-helper: "true"
  2. The webhook intercepts Pod CREATE requests
  3. It injects: an init container (fetches initial SVID), a sidecar container (continuous rotation), the CSI volume, an emptyDir for certs, and a ConfigMap volume for helper config
  4. The main container reads certs from /var/run/secrets/tls/

What gets injected

  • Init container (spiffe-helper-init): runs once to fetch initial certificates, then exits
  • Sidecar container (spiffe-helper): runs continuously for certificate rotation
  • Volumes: spiffe-workload-api (CSI), spiffe-certs (emptyDir), spiffe-helper-config (ConfigMap)

Optional annotations for customization

Annotation                          Default                 Description
spiffe.openshift.io/inject-helper   -                       "true" to enable injection
spiffe.openshift.io/cert-dir        /var/run/secrets/tls    Mount path for certs
spiffe.openshift.io/helper-config   spiffe-helper-config    ConfigMap name

Implementation scope

  • Webhook handler implementing admission.Handler
  • Controller/reconciler managing the MutatingWebhookConfiguration and webhook Service (tied to SpiffeCSIDriver CR lifecycle)
  • RELATED_IMAGE_SPIFFE_HELPER env var for disconnected/air-gapped environments
  • RBAC for mutatingwebhookconfigurations
  • failurePolicy: Ignore so pods still start if the webhook is down
  • Unit tests for webhook injection and controller reconciliation
