Describe the solution you'd like
Add support for automatic SecretProviderClass CRD validation during creation and update. This feature would use admission webhooks to run schema and semantic checks (e.g., ensure secretObjects have required fields, provider is a known value, and parameters conform to expected types). The webhook would reject misconfigured or incomplete SecretProviderClass resources before they are committed to the cluster, preventing runtime errors and deployment failures later.
Benefits:
- Catch config errors early, improving reliability for users.
- Reduce support and debugging burdens caused by misconfigured CRDs.
- Make onboarding easier by providing clear error messages when CRDs are malformed.
Anything else you would like to add:
- The validation logic could leverage the existing OpenAPI v3 schema and extend it with custom checks for semantic correctness.
- Allow extensibility so new providers or secret object types can be plugged into validation rules easily.
- Optionally make validation strictness configurable via annotations for power users.
Environment:
- Secrets Store CSI Driver version: (use the image tag):
- Kubernetes version: (use `kubectl version`):
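
A sketch of the semantic checks this request describes, as an added example that is not part of the original issue and not the project's code. It assumes the webhook has already extracted the SecretProviderClass object as JSON; the provider allow-list, the `ValidateSPC` name and the sample object are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Assumed allow-list; a real webhook would load this from configuration.
var knownProviders = map[string]bool{"azure": true, "aws": true, "gcp": true, "vault": true}

// Only the fields the checks need; encoding/json matches keys case-insensitively.
type spcObject struct {
	Spec struct {
		Provider      string
		Parameters    map[string]json.RawMessage
		SecretObjects []struct {
			SecretName, Type string
			Data             []struct{ ObjectName, Key string }
		}
	}
}

// Constructed sample: misspelled provider, boolean parameter, missing type and key.
const badSPC = `{"spec":{"provider":"azur","parameters":{"usePodIdentity":false},"secretObjects":[{"secretName":"db-creds","data":[{"objectName":"db-password"}]}]}}`

// ValidateSPC returns every problem found so the user can fix them in one pass.
func ValidateSPC(raw []byte) (errs []string) {
	var o spcObject
	if err := json.Unmarshal(raw, &o); err != nil {
		return []string{"malformed object: " + err.Error()}
	}
	if !knownProviders[o.Spec.Provider] {
		errs = append(errs, fmt.Sprintf("spec.provider: unknown provider %q", o.Spec.Provider))
	}
	for k, v := range o.Spec.Parameters {
		if json.Unmarshal(v, new(string)) != nil { // parameters must be string-valued
			errs = append(errs, fmt.Sprintf("spec.parameters[%s]: value must be a string", k))
		}
	}
	for i, so := range o.Spec.SecretObjects {
		if so.SecretName == "" || so.Type == "" {
			errs = append(errs, fmt.Sprintf("spec.secretObjects[%d]: secretName and type are required", i))
		}
		for j, d := range so.Data {
			if d.ObjectName == "" || d.Key == "" {
				errs = append(errs, fmt.Sprintf("spec.secretObjects[%d].data[%d]: objectName and key are required", i, j))
			}
		}
	}
	return errs
}
func main() { fmt.Println(ValidateSPC([]byte(badSPC))) }
```

A validating webhook would join the returned messages into the denial message of its admission response, so the user sees all field paths at once.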