IBM
diff --git a/‎bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml
Lines changed: 8 additions & 0 deletions b/‎bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml
Lines changed: 8 additions & 0 deletions
diff --git a/‎config/rbac/role.yaml
Lines changed: 8 additions & 0 deletions b/‎config/rbac/role.yaml
Lines changed: 8 additions & 0 deletions
diff --git a/‎controllers/common/constants.go
Lines changed: 9 additions & 0 deletions b/‎controllers/common/constants.go
Lines changed: 9 additions & 0 deletions
diff --git a/‎controllers/common/utils.go
Lines changed: 6 additions & 0 deletions b/‎controllers/common/utils.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎controllers/operator/authentication_controller.go
Lines changed: 6 additions & 1 deletion b/‎controllers/operator/authentication_controller.go
Lines changed: 6 additions & 1 deletion
@@ -589,6 +589,14 @@ spec:
                 - patch
                 - update
                 - watch
+            - apiGroups:
+                - secrets-store.csi.x-k8s.io
+              resources:
+                - secretproviderclasses
+              verbs:
+                - get
+                - list
+                - watch
           serviceAccountName: ibm-iam-operator
     strategy: deployment
   installModes:
 
@@ -258,6 +258,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 
@@ -37,6 +37,15 @@ const MongoStatefulsetName string = "icp-mongodb"
 // Name of CommonService created by IM Operator to provision EDB share
 const DatastoreEDBCSName string = "im-common-service"
 
+// Name of SecretProvoderClass created by Paks that contains ldap bindpassword
+const IMLdapBindPwdSpc string = "im-ldap-bind-pwd-spc"
+
+// Name of SecretProvoderClass created by Paks that contains external edb certs
+const IMExtEDBSecretSpc string = "im-external-edb-certs-spc"
+
+// Name of volume that holds ldap bindpassword spc
+const IMLdapBindPwdVolume string = "ldap-bind-cred-vol"
+
 type DeploymentName string
 
 // The current names of Deployments managed by this Operator
 
@@ -37,6 +37,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/config"
+	sscsidriverv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
 
 	operatorv1alpha1 "github.com/IBM/ibm-iam-operator/apis/operator/v1alpha1"
 	zenv1 "github.com/IBM/ibm-iam-operator/apis/zen.cpd.ibm.com/v1"
@@ -190,6 +191,11 @@ func ClusterHasZenExtensionGroupVersion(dc *discovery.DiscoveryClient) (found bo
 	return
 }
 
+func ClusterHasCSIGroupVersion(dc *discovery.DiscoveryClient) (found bool) {
+	found, _ = clusterHasGroupVersion(dc, sscsidriverv1.SchemeGroupVersion)
+	return
+}
+
 func ClusterHasOperandRequestAPIResource(dc *discovery.DiscoveryClient) (found bool) {
 	found, _ = clusterHasAPIResource(dc, operatorv1alpha1.GroupVersion, "operandrequests")
 	return
 
@@ -48,6 +48,7 @@ import (
 	handler "sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	sscsidriverv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
 
 	certmgr "github.com/IBM/ibm-iam-operator/apis/certmanager/v1"
 	operatorv1alpha1 "github.com/IBM/ibm-iam-operator/apis/operator/v1alpha1"
@@ -382,7 +383,8 @@ func (r *AuthenticationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Watches(&corev1.Service{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner())).
 		Watches(&netv1.Ingress{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner())).
 		Watches(&appsv1.Deployment{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner())).
-		Watches(&autoscalingv2.HorizontalPodAutoscaler{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner()))
+		Watches(&autoscalingv2.HorizontalPodAutoscaler{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner())).
+		Watches(&sscsidriverv1.SecretProviderClass{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner()))
 
 	//Add routes
 	if ctrlcommon.ClusterHasOpenShiftConfigGroupVerison(&r.DiscoveryClient) {
@@ -397,6 +399,9 @@ func (r *AuthenticationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	if ctrlcommon.ClusterHasOperandBindInfoAPIResource(&r.DiscoveryClient) {
 		authCtrl.Watches(&operatorv1alpha1.OperandBindInfo{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner()))
 	}
+	if ctrlcommon.ClusterHasCSIGroupVersion(&r.DiscoveryClient) {
+		authCtrl.Watches(&sscsidriverv1.SecretProviderClass{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner()))
+	}
 
 	productCMPred := predicate.Funcs{
 		UpdateFunc: func(e event.UpdateEvent) bool {