feat: add API types for secrets sync controller

[mandreap]

What type of PR is this?
/kind feature

What this PR does / why we need it:
Provides the API for the Secret Store Sync Controller.

At the end this feature will:

• remove the secret sync controller from the Secret Store CSI driver
• create a new secret store sync controller to synchronize secrets as kubernetes secrets
• update the RBAC permissions for the Secret Store CSI controllers

Special notes for your reviewer:

• This will be moved in a separate project. Added here for review during the next Sig Auth API review meeting.

TODOs:

• squashed commits
• includes documentation
• adds unit tests

[k8s-ci-robot]

Hi @mandreap. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[enj]

I think the controller's RBAC, admission policy, and CLI config are required to complete the picture on this API.

[enj]

@aramase this does means you could try to use the same SPC across multiple SAs. That sounds like something that is possible today via the pod mount, but does anyone actually do that?

[aramase]

it is used when the same SPC needs to be mounted in 2 different pods that have different SA. I don't think it's done explicitly but because the pods already have a SA configured they would just use that as-is.

[aramase]

/retitle feat: add API for secrets sync

[aramase]

it is used when the same SPC needs to be mounted in 2 different pods that have different SA. I don't think it's done explicitly but because the pods already have a SA configured they would just use that as-is.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mandreap
Once this PR has been reviewed and has the lgtm label, please assign ritazh for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[liggitt]

a few other notes at https://docs.google.com/document/d/1k3XxUTEjcQifSXjoy5CcQY9QttdhQ-EG-R3vrKq6SUc/edit?resourcekey=0-5xMYchKvoisABPw9tsR3nA&tab=t.0#heading=h.rjd15w9fa88v

[liggitt]

@jpbetz @cici37 we ran into a gap here where CEL validation of the key hits budget limits because there's no way to constrain the maxLength of the key in openapi, so the worst-case 1-3MB size is used for the key. This meant a normal regex to check qualified name got rejected as too expensive.

[liggitt]

Probably worth opening an issue for kubebuilder to be able to specify constraints on the value (like maxLength). CRDs can express this but it doesn't seem like kubebuilder can.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale