Add tooling around secrets-management in openshift.

[shivprakashmuley]

This PR introduces a toolset designed to simplify and automate the entire lifecycle of managing external secrets in OpenShift. It provides a guided workflow that addresses the most common challenges developers face when integrating with providers like AWS, GCP, and Vault.

In summary, the PR provides the following key capabilities:
Recommendation (recommend_secrets_management): Helps users choose the right tool for their needs, differentiating between native Kubernetes Secrets for internal use and recommending either the External Secrets Operator (ESO) or the Secrets Store CSI Driver (SSCSI) for external secrets based on the desired integration pattern (syncing vs. mounting).
Guided Setup (generate_prerequisites_plan, secrets_management_configure):
Generates clear, provider-specific instructions for configuring the necessary cloud-side prerequisites (like IAM roles for Workload Identity).
Provides the correct manifests (SecretStore, SecretProviderClass) and instructions for installing the necessary operators from the OpenShift Software Catalog.
Usage Examples (generate_example_*):
Offers ready-to-use YAML examples for an ExternalSecret and an application Pod with a CSI volume, demonstrating how to consume secrets with either ESO or SSCSI.
Automated Auditing & Debugging (secrets_management_debug):
This is the core feature, acting as a "Secret Management Auditor." It performs a comprehensive, automated health check of a user's entire secrets configuration.
It systematically inspects everything from the application pod, ServiceAccount annotations, custom resources (ExternalSecret, SecretProviderClass), operator health, and RBAC permissions.
It generates a structured report with clear PASS/FAIL statuses and provides actionable, precise instructions to fix any identified misconfigurations, transforming a complex debugging process into a simple, deterministic audit.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: shivprakashmuley
Once this PR has been reviewed and has the lgtm label, please assign matzew for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@shivprakashmuley: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/test	97733cf	link	true	/test test

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[Cali0707]

/cc @matzew

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[coderabbitai]

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

• do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 83fbf46a-2146-4ebc-b54e-436e5c62c5fb

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale