
feat: Add poll-based secret synchronization with configurable sync interval#167

Open
gouthamMN wants to merge 3 commits into kubernetes-sigs:main from gouthamMN:gniranjan/secretRotation

Conversation

@gouthamMN

What type of PR is this?
/kind feature

What this PR does / why we need it:
Adds support for automatic, periodic secret synchronization from external providers using a configurable sync interval. This enables secrets to be automatically updated when they change in the external secret store without requiring manual updates to the SecretSync resource.

Key Changes:

  • Added optional syncInterval field to SecretSyncSpec allowing users to configure polling frequency (e.g., "5m", "10m", "1h")
  • Implemented automatic requeuing in the controller with configurable interval
  • Added validation for sync interval with min (1m) and max (24h) constraints
  • Maintained backward compatibility - secrets without syncInterval continue to sync only on resource create/update (existing behavior)

Implementation Details:

  • Controller fetches secrets from provider on each reconciliation cycle
  • When syncInterval is set, controller requeues after the specified duration
  • Hash-based change detection ensures secrets are only updated when data changes
  • Status conditions and lastSuccessfulSyncTime are updated on each sync

Testing:

  • Added unit tests for sync interval validation and requeue logic
  • Added e2e test verifying secret creation with sync interval configured
  • All existing tests pass, confirming backward compatibility
  • Tested with minimum interval (1m) in e2e environment

Examples:

apiVersion: secret-sync.x-k8s.io/v1alpha1
kind: SecretSync
metadata:
  name: my-secret
spec:
  serviceAccountName: default
  secretProviderClassName: my-provider
  syncInterval: "10m"  # Poll every 10 minutes
  secretObject:
    type: Opaque
    data:
      - sourcePath: foo
        targetKey: bar

Related: Addresses user feedback for automatic secret rotation and updates without requiring CSI driver mounts or manual resource updates.

Signed-off-by: Goutham Niranjan goutham.mn034@gmail.com

…terval

Adds support for automatic, periodic secret synchronization from external
providers using a configurable sync interval. This enables secrets to be
automatically updated when they change in the external secret store without
requiring manual updates to the SecretSync resource.

Key Changes:
- Added optional `syncInterval` field to SecretSyncSpec allowing users to
  configure polling frequency (e.g., "5m", "10m", "1h")
- Implemented automatic requeuing in the controller with configurable interval
- Added validation for sync interval with min (1m) and max (24h) constraints
- Maintained backward compatibility - secrets without syncInterval continue
  to sync only on resource create/update (existing behavior)

Implementation Details:
- Controller fetches secrets from provider on each reconciliation cycle
- When syncInterval is set, controller requeues after the specified duration
- Hash-based change detection ensures secrets are only updated when data changes
- Status conditions and lastSuccessfulSyncTime are updated on each sync

Testing:
- Added unit tests for sync interval validation and requeue logic
- Added e2e test verifying secret creation with sync interval configured
- All existing tests pass, confirming backward compatibility
- Tested with minimum interval (1m) in e2e environment

Examples:
```yaml
apiVersion: secret-sync.x-k8s.io/v1alpha1
kind: SecretSync
metadata:
  name: my-secret
spec:
  serviceAccountName: default
  secretProviderClassName: my-provider
  syncInterval: "10m"  # Poll every 10 minutes
  secretObject:
    type: Opaque
    data:
      - sourcePath: foo
        targetKey: bar
```

Related: Addresses user feedback for automatic secret rotation and updates
without requiring CSI driver mounts or manual resource updates.

Signed-off-by: Goutham Niranjan goutham.mn034@gmail.com
@linux-foundation-easycla

linux-foundation-easycla bot commented Dec 26, 2025

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Dec 26, 2025
@k8s-ci-robot k8s-ci-robot requested review from aramase and enj December 26, 2025 17:49
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If secrets-store-sync-controller contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gouthamMN
Once this PR has been reviewed and has the lgtm label, please assign enj for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot
Contributor

Welcome @gouthamMN!

It looks like this is your first PR to kubernetes-sigs/secrets-store-sync-controller 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/secrets-store-sync-controller has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot
Contributor

Hi @gouthamMN. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Dec 26, 2025
@enj enj added this to SIG Auth Dec 27, 2025
@enj enj moved this to Subprojects - Needs Triage in SIG Auth Dec 27, 2025
- Sync intervals persist across controller crashes/restarts by checking
  LastSuccessfulSyncTime
- Failed condition retries continue to bypass interval (immediate retry)
- Hash changes (SPC/SS updates, force sync) continue to trigger immediate sync
- Periodic polling only syncs when configured interval has elapsed

Signed-off-by: Goutham Niranjan goutham.mn034@gmail.com
- Refactor the Reconcile function to reduce cyclomatic complexity from 37
to below the 30 threshold by extracting logic into helper functions
- Pass failedCondition by pointer to avoid heavy struct copying (96 bytes)
- Fix Helm chart templates to safely handle nil providerContainer values
  by splitting compound condition into nested checks
- Apply gofmt formatting to all affected files

Signed-off-by: Goutham Niranjan goutham.mn034@gmail.com
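The PR description and the second commit message together describe a small decision procedure: validate `syncInterval` against the 1m/24h bounds, let a Failed condition or a spec-hash change trigger an immediate sync, otherwise poll only once the interval has elapsed since `lastSuccessfulSyncTime` (so the schedule survives a controller restart), and write the Secret only when a hash of the fetched data differs. The following is an added, stand-alone Go sketch of those rules; it is not the controller's code from this PR. `ParseSyncInterval`, `Decide`, `SyncState`, `Decision` and `HashSecretData` are hypothetical names, the sample secret data is constructed, and how the real reconciler stores the observed spec hash is assumed rather than taken from the page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// Bounds stated in the PR description: minimum 1m, maximum 24h.
const (
	MinSyncInterval = time.Minute
	MaxSyncInterval = 24 * time.Hour
)

// ParseSyncInterval validates a syncInterval string. An empty value keeps the
// pre-existing behaviour: no polling, sync only on resource create/update.
func ParseSyncInterval(s string) (time.Duration, error) {
	if s == "" {
		return 0, nil
	}
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, fmt.Errorf("invalid syncInterval %q: %w", s, err)
	}
	if d < MinSyncInterval || d > MaxSyncInterval {
		return 0, fmt.Errorf("syncInterval %s outside [%s, %s]", d, MinSyncInterval, MaxSyncInterval)
	}
	return d, nil
}

// HashSecretData is a deterministic digest over secret keys and values so the
// Secret is only rewritten when the fetched data actually changed.
func HashSecretData(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys) // map iteration order is random; sort for determinism
	h := sha256.New()
	for _, k := range keys {
		// Length-prefix key and value so ("ab","c") and ("a","bc") cannot collide.
		fmt.Fprintf(h, "%d:%s%d:", len(k), k, len(data[k]))
		h.Write(data[k])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// SyncState is the (hypothetical) status a reconciler sees on entry.
type SyncState struct {
	SpecHash               string    // hash of current SecretSync + SecretProviderClass spec
	ObservedSpecHash       string    // spec hash recorded at the last successful sync
	LastSuccessfulSyncTime time.Time // zero if never synced
	Failed                 bool      // Failed condition set by the previous attempt
}

// Decision mirrors a controller-runtime style result: act now or not, and when to requeue.
type Decision struct {
	SyncNow      bool
	RequeueAfter time.Duration
	Reason       string
}

// Decide applies the ordering the PR describes: failures and hash changes bypass
// the interval; otherwise poll only once the interval has elapsed since the last
// successful sync, which is what makes the schedule survive a restart.
func Decide(now time.Time, interval time.Duration, st SyncState) Decision {
	switch {
	case st.Failed:
		return Decision{SyncNow: true, RequeueAfter: interval, Reason: "previous sync failed; retry immediately"}
	case st.SpecHash != st.ObservedSpecHash:
		return Decision{SyncNow: true, RequeueAfter: interval, Reason: "spec hash changed; sync immediately"}
	case st.LastSuccessfulSyncTime.IsZero():
		return Decision{SyncNow: true, RequeueAfter: interval, Reason: "never synced; initial sync"}
	case interval == 0:
		return Decision{SyncNow: false, Reason: "no syncInterval; sync only on create/update"}
	}
	elapsed := now.Sub(st.LastSuccessfulSyncTime)
	if elapsed >= interval {
		return Decision{SyncNow: true, RequeueAfter: interval, Reason: "interval elapsed; poll provider"}
	}
	// Requeue for the remainder, not a full interval: a restart at T+7m of a 10m
	// interval still polls at T+10m instead of drifting to T+17m.
	return Decision{SyncNow: false, RequeueAfter: interval - elapsed, Reason: "interval not yet elapsed"}
}

func main() {
	interval, err := ParseSyncInterval("10m")
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed scenario: controller restarted 7 minutes after the last good sync.
	st := SyncState{SpecHash: "h1", ObservedSpecHash: "h1", LastSuccessfulSyncTime: now.Add(-7 * time.Minute)}
	d := Decide(now, interval, st)
	fmt.Printf("syncNow=%v requeueAfter=%s (%s)\n", d.SyncNow, d.RequeueAfter, d.Reason)

	// Constructed sample data: a rotated value changes the hash, an identical re-fetch does not.
	old := map[string][]byte{"bar": []byte("password-v1")}
	rotated := map[string][]byte{"bar": []byte("password-v2")}
	fmt.Println("rotation detected:", HashSecretData(old) != HashSecretData(rotated))
}
```

The remainder-based requeue is the detail worth checking in a review of a feature like this: requeueing a full interval after every restart or unrelated reconcile silently stretches the effective rotation window, and the hash comparison should cover keys as well as values so a removed key is not missed.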
@gouthamMN
Author

/triage accepted

@k8s-ci-robot
Contributor

@gouthamMN: The label triage/accepted cannot be applied. Only GitHub organization members can add the label.

Details

In response to this:

/triage accepted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
