From 9a74fa4c9c855df7d16324d4f1d9a3044a7a9811 Mon Sep 17 00:00:00 2001
From: Toni Tauro <toni.tauro@secretz.io>
Date: Mon, 1 Sep 2025 14:14:42 +0200
Subject: [PATCH] feat: add OpenBao as provider

Signed-off-by: Toni Tauro <toni.tauro@secretz.io>
---
 README.md                                     |  17 +-
 docs/book/src/providers.md                    |  12 +-
 test/bats/openbao.bats                        | 314 ++++++++++++++++++
 .../tests/openbao/deployment-synck8s.yaml     |  41 +++
 .../tests/openbao/deployment-two-synck8s.yaml |  41 +++
 ...penbao_synck8s_v1_secretproviderclass.yaml |  33 ++
 ...enbao_v1_multiple_secretproviderclass.yaml |  49 +++
 .../openbao_v1_secretproviderclass.yaml       |  16 +
 .../openbao_v1_secretproviderclass_ns.yaml    |  51 +++
 ...od-openbao-inline-volume-multiple-spc.yaml |  44 +++
 ...bao-inline-volume-secretproviderclass.yaml |  23 ++
 .../tests/openbao/pod-openbao-rotation.yaml   |  37 +++
 12 files changed, 664 insertions(+), 14 deletions(-)
 create mode 100644 test/bats/openbao.bats
 create mode 100644 test/bats/tests/openbao/deployment-synck8s.yaml
 create mode 100644 test/bats/tests/openbao/deployment-two-synck8s.yaml
 create mode 100644 test/bats/tests/openbao/openbao_synck8s_v1_secretproviderclass.yaml
 create mode 100644 test/bats/tests/openbao/openbao_v1_multiple_secretproviderclass.yaml
 create mode 100644 test/bats/tests/openbao/openbao_v1_secretproviderclass.yaml
 create mode 100644 test/bats/tests/openbao/openbao_v1_secretproviderclass_ns.yaml
 create mode 100644 test/bats/tests/openbao/pod-openbao-inline-volume-multiple-spc.yaml
 create mode 100644 test/bats/tests/openbao/pod-openbao-inline-volume-secretproviderclass.yaml
 create mode 100644 test/bats/tests/openbao/pod-openbao-rotation.yaml

diff --git a/README.md b/README.md
index e104032d1..950e6e201 100644
--- a/README.md
+++ b/README.md
@@ -12,14 +12,15 @@ The Secrets Store CSI Driver `secrets-store.csi.k8s.io` allows Kubernetes to mou
 
 ## Test Status
 
-| Test                   | Status                                                                                                                                                                                                                                                                                                                                                                   |
-| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| periodic/image-scan    | [![sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-image-scan](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-image-scan/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-periodic#secrets-store-csi-driver-image-scan)                                     |
-| periodic/e2e-provider-upgrade | [![sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-upgrade-test-e2e-provider](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-upgrade-test-e2e-provider/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-periodic#secrets-store-csi-driver-upgrade-test-e2e-provider)             |
-| postsubmit/aws         | [![sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-aws-postsubmit](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-aws-postsubmit/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-postsubmit#secrets-store-csi-driver-e2e-aws-postsubmit)       |
-| postsubmit/azure       | [![sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-azure-postsubmit](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-azure-postsubmit/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-postsubmit#secrets-store-csi-driver-e2e-azure-postsubmit) |
-| postsubmit/gcp         | [![sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-gcp-postsubmit](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-gcp-postsubmit/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-postsubmit#secrets-store-csi-driver-e2e-gcp-postsubmit)       |
-| postsubmit/vault       | [![sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-vault-postsubmit](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-vault-postsubmit/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-postsubmit#secrets-store-csi-driver-e2e-vault-postsubmit) |
+| Test                          | Status                                                                                                                                                                                                                                                                                                                                                                            |
+| ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| periodic/image-scan           | [![sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-image-scan](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-image-scan/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-periodic#secrets-store-csi-driver-image-scan)                                              |
+| periodic/e2e-provider-upgrade | [![sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-upgrade-test-e2e-provider](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-periodic/secrets-store-csi-driver-upgrade-test-e2e-provider/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-periodic#secrets-store-csi-driver-upgrade-test-e2e-provider) |
+| postsubmit/aws                | [![sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-aws-postsubmit](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-aws-postsubmit/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-postsubmit#secrets-store-csi-driver-e2e-aws-postsubmit)                |
+| postsubmit/azure              | [![sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-azure-postsubmit](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-azure-postsubmit/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-postsubmit#secrets-store-csi-driver-e2e-azure-postsubmit)          |
+| postsubmit/gcp                | [![sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-gcp-postsubmit](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-gcp-postsubmit/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-postsubmit#secrets-store-csi-driver-e2e-gcp-postsubmit)                |
+| postsubmit/vault              | [![sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-vault-postsubmit](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-vault-postsubmit/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-postsubmit#secrets-store-csi-driver-e2e-vault-postsubmit)          |
+| postsubmit/openbao            | [![sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-openbao-postsubmit](https://testgrid.k8s.io/q/summary/sig-auth-secrets-store-csi-driver-postsubmit/secrets-store-csi-driver-e2e-openbao-postsubmit/tests_status?style=svg)](https://testgrid.k8s.io/sig-auth-secrets-store-csi-driver-postsubmit#secrets-store-csi-driver-e2e-openbao-postsubmit)    |
 
 ## Want to help?
 
diff --git a/docs/book/src/providers.md b/docs/book/src/providers.md
index 2a140a4fa..d24c36ace 100644
--- a/docs/book/src/providers.md
+++ b/docs/book/src/providers.md
@@ -37,9 +37,9 @@ See [design doc](https://docs.google.com/document/d/10-RHUJGM0oMN88AZNxjOmGz0NsW
 
 ## Features supported by current providers
 
-| Features \ Providers      | Azure | GCP | AWS | Vault | Akeyless | Conjur |
-| ------------------------- | ----- | --- | --- | ----- | -------- | ------ |
-| Sync as Kubernetes secret | Yes   | Yes | Yes | Yes   | Yes      | Yes    |
-| Rotation                  | Yes   | Yes | Yes | Yes   | Yes      | Yes    |
-| Windows                   | Yes   | No  | No  | No    | No       | No     |
-| Helm Chart                | Yes   | No  | Yes | Yes   | Yes      | Yes    |
+| Features \ Providers      | Azure | GCP | AWS | Vault | Akeyless | Conjur | OpenBao |
+| ------------------------- | ----- | --- | --- | ----- | -------- | ------ | ------- |
+| Sync as Kubernetes secret | Yes   | Yes | Yes | Yes   | Yes      | Yes    | Yes     |
+| Rotation                  | Yes   | Yes | Yes | Yes   | Yes      | Yes    | Yes     |
+| Windows                   | Yes   | No  | No  | No    | No       | No     | No      |
+| Helm Chart                | Yes   | No  | Yes | Yes   | Yes      | Yes    | Yes     |
diff --git a/test/bats/openbao.bats b/test/bats/openbao.bats
new file mode 100644
index 000000000..8054dd058
--- /dev/null
+++ b/test/bats/openbao.bats
@@ -0,0 +1,314 @@
+#!/usr/bin/env bats
+
+# mostly inspired by the vault provider tests
+# https://github.com/kubernetes-sigs/secrets-store-csi-driver/blob/main/test/bats/vault.bats
+# credits to @sozercan @aramase @ritazh and the rest of the community
+
+load helpers
+
+BATS_TESTS_DIR=test/bats/tests/openbao
+WAIT_TIME=120
+SLEEP_TIME=1
+
+export LABEL_VALUE=${LABEL_VALUE:-"test"}
+export ANNOTATION_VALUE=${ANNOTATION_VALUE:-"app=test"}
+
+@test "install openbao provider" {
+  # install openbao including the csi provider using helm
+  helm repo add openbao https://openbao.github.io/openbao-helm
+  helm repo update
+  helm install openbao openbao/openbao -n openbao --create-namespace \
+    --set "server.dev.enabled=true" \
+    --set "injector.enabled=false" \
+    --set "csi.enabled=true"
+
+  # wait for openbao and openbao-csi-provider pods to be running
+  kubectl wait --for=condition=Ready --timeout=120s pods --all -n openbao
+}
+
+@test "configure openbao" {
+  # create the secrets pair in openbao
+  kubectl exec openbao-0 -n openbao -- bao secrets enable -version=2 -path=secrets kv
+  kubectl exec openbao-0 -n openbao -- bao kv put secrets/foo foo=openbao-foo
+  kubectl exec openbao-0 -n openbao -- bao kv put secrets/bar bar=openbao-bar
+
+  # enable authentication
+  kubectl exec openbao-0 -n openbao -- bao auth enable kubernetes
+
+  local token_reviewer_jwt="$(kubectl exec openbao-0 -n openbao -- cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+  local kubernetes_service_ip="$(kubectl get svc kubernetes -o go-template="{{ .spec.clusterIP }}")"
+  # enable authentication using the kubernetes service token from openbao pod
+  kubectl exec -i openbao-0 -n openbao -- bao write auth/kubernetes/config \
+    issuer="https://kubernetes.default.svc.cluster.local" \
+    token_reviewer_jwt="${token_reviewer_jwt}" \
+    kubernetes_host="https://${kubernetes_service_ip}:443" \
+    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+  # create openbao policy to allow access to created secrets
+  kubectl exec -i openbao-0 -n openbao -- bao policy write csi - <<EOF
+path "secrets/data/*" {
+ capabilities = ["read"]
+}
+EOF
+
+  # create authentication role
+  kubectl exec -i openbao-0 -n openbao -- bao write auth/kubernetes/role/csi \
+    bound_service_account_names=default \
+    bound_service_account_namespaces=default,test-ns,negative-test-ns \
+    policies=csi \
+    ttl=20m
+}
+
+@test "deploy openbao secretproviderclass crd" {
+  kubectl apply -f $BATS_TESTS_DIR/openbao_v1_secretproviderclass.yaml
+  kubectl wait --for condition=established --timeout=60s crd/secretproviderclasses.secrets-store.csi.x-k8s.io
+
+  cmd="kubectl get secretproviderclasses.secrets-store.csi.x-k8s.io/openbao-foo -o yaml | grep openbao"
+  wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+}
+
+@test "CSI inline volume test with pod portability" {
+  kubectl apply -f $BATS_TESTS_DIR/pod-openbao-inline-volume-secretproviderclass.yaml
+  # wait for pod to be running
+  kubectl wait --for=condition=Ready --timeout=60s pod/secrets-store-inline
+
+  run kubectl get pod/secrets-store-inline
+  assert_success
+}
+
+@test "CSI inline volume test with pod portability - read openbao secret from pod" {
+  result=$(kubectl exec secrets-store-inline -- cat /mnt/secrets-store/foo)
+  [[ "$result" == "openbao-foo" ]]
+
+  result=$(kubectl exec secrets-store-inline -- cat /mnt/secrets-store/bar)
+  [[ "$result" == "openbao-bar" ]]
+}
+
+@test "CSI inline volume test with pod portability - rotation succeeds" {
+  # seed first value
+  kubectl exec openbao-0 -n openbao -- bao kv put secrets/rotation foo=start
+
+  # deploy pod
+  kubectl apply -f $BATS_TESTS_DIR/pod-openbao-rotation.yaml
+  kubectl wait --for=condition=Ready --timeout=60s pod/secrets-store-rotation
+
+  run kubectl get pod/secrets-store-rotation
+  assert_success
+
+  # verify starting value
+  result=$(kubectl exec secrets-store-rotation -- cat /mnt/secrets-store/foo)
+  [[ "$result" == "start" ]]
+
+  # update the secret value
+  kubectl exec openbao-0 -n openbao -- bao kv put secrets/rotation foo=rotated
+
+  sleep 60
+
+  # verify rotated value
+  result=$(kubectl exec secrets-store-rotation -- cat /mnt/secrets-store/foo)
+  [[ "$result" == "rotated" ]]
+}
+
+@test "CSI inline volume test with pod portability - unmount succeeds" {
+  # On Linux a failure to unmount the tmpfs will block the pod from being
+  # deleted.
+  run kubectl delete pod secrets-store-inline
+  assert_success
+
+  run kubectl wait --for=delete --timeout=${WAIT_TIME}s pod/secrets-store-inline
+  assert_success
+
+  # Sleep to allow time for logs to propagate.
+  sleep 10
+
+  # save debug information to archive in case of failure
+  archive_info
+
+  # On Windows, the failed unmount calls from: https://github.com/kubernetes-sigs/secrets-store-csi-driver/pull/545
+  # do not prevent the pod from being deleted. Search through the driver logs
+  # for the error.
+  run bash -c "kubectl logs -l app=secrets-store-csi-driver --tail -1 -c secrets-store -n kube-system | grep '^E.*failed to clean and unmount target path.*$'"
+  assert_failure
+}
+
+@test "Sync with K8s secrets - create deployment" {
+  kubectl apply -f $BATS_TESTS_DIR/openbao_synck8s_v1_secretproviderclass.yaml
+  kubectl wait --for condition=established --timeout=60s crd/secretproviderclasses.secrets-store.csi.x-k8s.io
+
+  cmd="kubectl get secretproviderclasses.secrets-store.csi.x-k8s.io/openbao-foo-sync -o yaml | grep openbao"
+  wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+  run kubectl apply -f $BATS_TESTS_DIR/deployment-synck8s.yaml
+  assert_success
+
+  run kubectl apply -f $BATS_TESTS_DIR/deployment-two-synck8s.yaml
+  assert_success
+
+  kubectl wait --for=condition=Ready --timeout=120s pod -l app=busybox
+}
+
+@test "Sync with K8s secrets - read secret from pod, read K8s secret, read env var, check secret ownerReferences with multiple owners" {
+  POD=$(kubectl get pod -l app=busybox -o jsonpath="{.items[0].metadata.name}")
+  result=$(kubectl exec $POD -- cat /mnt/secrets-store/foo)
+  [[ "$result" == "openbao-foo" ]]
+
+  result=$(kubectl exec $POD -- cat /mnt/secrets-store/bar)
+  [[ "$result" == "openbao-bar" ]]
+
+  result=$(kubectl exec $POD -- cat /mnt/secrets-store/nested/foo)
+  [[ "$result" == "openbao-foo" ]]
+
+  result=$(kubectl get secret foosecret -o jsonpath="{.data.pwd}" | base64 -d)
+  [[ "$result" == "openbao-foo" ]]
+
+  result=$(kubectl get secret foosecret -o jsonpath="{.data.nested}" | base64 -d)
+  [[ "$result" == "openbao-foo" ]]
+
+  result=$(kubectl exec $POD -- printenv | grep SECRET_USERNAME | awk -F"=" '{ print $2 }' | tr -d '\r\n')
+  [[ "$result" == "openbao-bar" ]]
+
+  result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.environment}")
+  [[ "${result//$'\r'/}" == "${LABEL_VALUE}" ]]
+
+  result=$(kubectl get secret foosecret -o jsonpath="{.metadata.annotations.kubed\.appscode\.com\/sync}")
+  [[ "${result//$'\r'/}" == "${ANNOTATION_VALUE}" ]]
+
+  result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.secrets-store\.csi\.k8s\.io/managed}")
+  [[ "${result//$'\r'/}" == "true" ]]
+
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret default 2"
+  assert_success
+}
+
+@test "Sync with K8s secrets - delete deployment, check secret is deleted" {
+  run kubectl delete -f $BATS_TESTS_DIR/deployment-synck8s.yaml
+  assert_success
+
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret default 1"
+  assert_success
+
+  run kubectl delete -f $BATS_TESTS_DIR/deployment-two-synck8s.yaml
+  assert_success
+
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "check_secret_deleted foosecret default"
+  assert_success
+
+  run kubectl delete -f $BATS_TESTS_DIR/openbao_synck8s_v1_secretproviderclass.yaml
+  assert_success
+}
+
+@test "Test Namespaced scope SecretProviderClass - create deployment" {
+  kubectl create ns test-ns
+
+  kubectl apply -f $BATS_TESTS_DIR/openbao_v1_secretproviderclass_ns.yaml
+  kubectl wait --for condition=established --timeout=60s crd/secretproviderclasses.secrets-store.csi.x-k8s.io
+
+  cmd="kubectl get secretproviderclasses.secrets-store.csi.x-k8s.io/openbao-foo-sync -o yaml | grep openbao"
+  wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+  cmd="kubectl get secretproviderclasses.secrets-store.csi.x-k8s.io/openbao-foo-sync -n test-ns -o yaml | grep openbao"
+  wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+  kubectl apply -n test-ns -f $BATS_TESTS_DIR/deployment-synck8s.yaml
+
+  kubectl wait --for=condition=Ready --timeout=90s pod -l app=busybox -n test-ns
+}
+
+@test "Test Namespaced scope SecretProviderClass - Sync with K8s secrets - read secret from pod, read K8s secret, read env var, check secret ownerReferences" {
+  POD=$(kubectl get pod -l app=busybox -n test-ns -o jsonpath="{.items[0].metadata.name}")
+  result=$(kubectl exec -n test-ns $POD -- cat /mnt/secrets-store/foo)
+  [[ "$result" == "openbao-foo" ]]
+
+  result=$(kubectl exec -n test-ns $POD -- cat /mnt/secrets-store/bar)
+  [[ "$result" == "openbao-bar" ]]
+
+  result=$(kubectl get secret foosecret -n test-ns -o jsonpath="{.data.pwd}" | base64 -d)
+  [[ "$result" == "openbao-foo" ]]
+
+  result=$(kubectl exec -n test-ns $POD -- printenv | grep SECRET_USERNAME | awk -F"=" '{ print $2 }' | tr -d '\r\n')
+  [[ "$result" == "openbao-bar" ]]
+
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret test-ns 1"
+  assert_success
+}
+
+@test "Test Namespaced scope SecretProviderClass - Sync with K8s secrets - delete deployment, check secret deleted" {
+  run kubectl delete -f $BATS_TESTS_DIR/deployment-synck8s.yaml -n test-ns
+  assert_success
+
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "check_secret_deleted foosecret test-ns"
+  assert_success
+}
+
+@test "Test Namespaced scope SecretProviderClass - Should fail when no secret provider class in same namespace" {
+  kubectl create ns negative-test-ns
+
+  kubectl apply -n negative-test-ns -f $BATS_TESTS_DIR/deployment-synck8s.yaml
+
+  POD=$(kubectl get pod -l app=busybox -n negative-test-ns -o jsonpath="{.items[0].metadata.name}")
+  cmd="kubectl describe pod $POD -n negative-test-ns | grep 'FailedMount.*failed to get secretproviderclass negative-test-ns/openbao-foo-sync.*not found'"
+  wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+  run kubectl delete -f $BATS_TESTS_DIR/deployment-synck8s.yaml -n negative-test-ns
+  assert_success
+
+  run kubectl delete ns negative-test-ns
+  assert_success
+}
+
+@test "deploy multiple openbao secretproviderclass crd" {
+  kubectl apply -f $BATS_TESTS_DIR/openbao_v1_multiple_secretproviderclass.yaml
+
+  cmd="kubectl wait --for condition=established --timeout=60s crd/secretproviderclasses.secrets-store.csi.x-k8s.io"
+  wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+  cmd="kubectl get secretproviderclasses.secrets-store.csi.x-k8s.io/openbao-foo-sync-0 -o yaml | grep openbao-foo-sync-0"
+  wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+
+  cmd="kubectl get secretproviderclasses.secrets-store.csi.x-k8s.io/openbao-foo-sync-1 -o yaml | grep openbao-foo-sync-1"
+  wait_for_process $WAIT_TIME $SLEEP_TIME "$cmd"
+}
+
+@test "deploy pod with multiple secret provider class" {
+  kubectl apply -f $BATS_TESTS_DIR/pod-openbao-inline-volume-multiple-spc.yaml
+  kubectl wait --for=condition=Ready --timeout=90s pod/secrets-store-inline-multiple-crd
+
+  run kubectl get pod/secrets-store-inline-multiple-crd
+  assert_success
+}
+
+@test "CSI inline volume test with multiple secret provider class" {
+  result=$(kubectl exec secrets-store-inline-multiple-crd -- cat /mnt/secrets-store-0/foo)
+  [[ "$result" == "openbao-foo" ]]
+
+  result=$(kubectl exec secrets-store-inline-multiple-crd -- cat /mnt/secrets-store-0/bar)
+  [[ "$result" == "openbao-bar" ]]
+
+  result=$(kubectl get secret foosecret-0 -o jsonpath="{.data.pwd}" | base64 -d)
+  [[ "$result" == "openbao-foo" ]]
+
+  result=$(kubectl exec secrets-store-inline-multiple-crd -- printenv | grep SECRET_USERNAME_0 | awk -F"=" '{ print $2 }' | tr -d '\r\n')
+  [[ "$result" == "openbao-bar" ]]
+
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret-0 default 1"
+  assert_success
+
+  result=$(kubectl exec secrets-store-inline-multiple-crd -- cat /mnt/secrets-store-1/foo)
+  [[ "$result" == "openbao-foo" ]]
+
+  result=$(kubectl exec secrets-store-inline-multiple-crd -- cat /mnt/secrets-store-1/bar)
+  [[ "$result" == "openbao-bar" ]]
+
+  result=$(kubectl get secret foosecret-1 -o jsonpath="{.data.pwd}" | base64 -d)
+  [[ "$result" == "openbao-foo" ]]
+
+  result=$(kubectl exec secrets-store-inline-multiple-crd -- printenv | grep SECRET_USERNAME_1 | awk -F"=" '{ print $2 }' | tr -d '\r\n')
+  [[ "$result" == "openbao-bar" ]]
+
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret-1 default 1"
+  assert_success
+}
+
+teardown_file() {
+  archive_info || true
+}
diff --git a/test/bats/tests/openbao/deployment-synck8s.yaml b/test/bats/tests/openbao/deployment-synck8s.yaml
new file mode 100644
index 000000000..240c0f92b
--- /dev/null
+++ b/test/bats/tests/openbao/deployment-synck8s.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: busybox-deployment
+  labels:
+    app: busybox
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      terminationGracePeriodSeconds: 0
+      containers:
+        - image: registry.k8s.io/e2e-test-images/busybox:1.29-4
+          name: busybox
+          imagePullPolicy: IfNotPresent
+          command:
+            - "/bin/sleep"
+            - "10000"
+          env:
+            - name: SECRET_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: foosecret
+                  key: username
+          volumeMounts:
+            - name: secrets-store-inline
+              mountPath: "/mnt/secrets-store"
+              readOnly: true
+      volumes:
+        - name: secrets-store-inline
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "openbao-foo-sync"
diff --git a/test/bats/tests/openbao/deployment-two-synck8s.yaml b/test/bats/tests/openbao/deployment-two-synck8s.yaml
new file mode 100644
index 000000000..e1eafcf9c
--- /dev/null
+++ b/test/bats/tests/openbao/deployment-two-synck8s.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: busybox-deployment-two
+  labels:
+    app: busybox
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: busybox
+  template:
+    metadata:
+      labels:
+        app: busybox
+    spec:
+      terminationGracePeriodSeconds: 0
+      containers:
+        - image: registry.k8s.io/e2e-test-images/busybox:1.29-4
+          name: busybox
+          imagePullPolicy: IfNotPresent
+          command:
+            - "/bin/sleep"
+            - "10000"
+          env:
+            - name: SECRET_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: foosecret
+                  key: username
+          volumeMounts:
+            - name: secrets-store-inline
+              mountPath: "/mnt/secrets-store"
+              readOnly: true
+      volumes:
+        - name: secrets-store-inline
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "openbao-foo-sync"
diff --git a/test/bats/tests/openbao/openbao_synck8s_v1_secretproviderclass.yaml b/test/bats/tests/openbao/openbao_synck8s_v1_secretproviderclass.yaml
new file mode 100644
index 000000000..fd8ce2da4
--- /dev/null
+++ b/test/bats/tests/openbao/openbao_synck8s_v1_secretproviderclass.yaml
@@ -0,0 +1,33 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: openbao-foo-sync
+spec:
+  provider: openbao
+  secretObjects:
+    - secretName: foosecret
+      type: Opaque
+      labels:
+        environment: "test"
+      annotations:
+        kubed.appscode.com/sync: "app=test"
+      data:
+        - objectName: foo
+          key: pwd
+        - objectName: bar
+          key: username
+        - objectName: nested/foo
+          key: nested
+  parameters:
+    roleName: "csi"
+    baoAddress: "http://openbao.openbao:8200"
+    objects: |
+      - secretPath: "secrets/data/foo"
+        objectName: "foo"
+        secretKey: "foo"
+      - secretPath: "secrets/data/bar"
+        objectName: "bar"
+        secretKey: "bar"
+      - secretPath: "secrets/data/foo"
+        objectName: "nested/foo"
+        secretKey: "foo"
diff --git a/test/bats/tests/openbao/openbao_v1_multiple_secretproviderclass.yaml b/test/bats/tests/openbao/openbao_v1_multiple_secretproviderclass.yaml
new file mode 100644
index 000000000..2a4e99dc7
--- /dev/null
+++ b/test/bats/tests/openbao/openbao_v1_multiple_secretproviderclass.yaml
@@ -0,0 +1,49 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: openbao-foo-sync-0
+spec:
+  provider: openbao
+  secretObjects:
+    - secretName: foosecret-0
+      type: Opaque
+      data:
+        - objectName: foo
+          key: pwd
+        - objectName: bar
+          key: username
+  parameters:
+    roleName: "csi"
+    baoAddress: "http://openbao.openbao:8200"
+    objects: |
+      - secretPath: "secrets/data/foo"
+        objectName: "foo"
+        secretKey: "foo"
+      - secretPath: "secrets/data/bar"
+        objectName: "bar"
+        secretKey: "bar"
+---
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: openbao-foo-sync-1
+spec:
+  provider: openbao
+  secretObjects:
+    - secretName: foosecret-1
+      type: Opaque
+      data:
+        - objectName: foo
+          key: pwd
+        - objectName: bar
+          key: username
+  parameters:
+    roleName: "csi"
+    baoAddress: "http://openbao.openbao:8200"
+    objects: |
+      - secretPath: "secrets/data/foo"
+        objectName: "foo"
+        secretKey: "foo"
+      - secretPath: "secrets/data/bar"
+        objectName: "bar"
+        secretKey: "bar"
diff --git a/test/bats/tests/openbao/openbao_v1_secretproviderclass.yaml b/test/bats/tests/openbao/openbao_v1_secretproviderclass.yaml
new file mode 100644
index 000000000..e16d3df17
--- /dev/null
+++ b/test/bats/tests/openbao/openbao_v1_secretproviderclass.yaml
@@ -0,0 +1,16 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: openbao-foo
+spec:
+  provider: openbao
+  parameters:
+    roleName: "csi"
+    baoAddress: "http://openbao.openbao:8200"
+    objects: |
+      - secretPath: "secrets/data/foo"
+        objectName: "foo"
+        secretKey: "foo"
+      - secretPath: "secrets/data/bar"
+        objectName: "bar"
+        secretKey: "bar"
diff --git a/test/bats/tests/openbao/openbao_v1_secretproviderclass_ns.yaml b/test/bats/tests/openbao/openbao_v1_secretproviderclass_ns.yaml
new file mode 100644
index 000000000..49230069a
--- /dev/null
+++ b/test/bats/tests/openbao/openbao_v1_secretproviderclass_ns.yaml
@@ -0,0 +1,51 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: openbao-foo-sync
+  namespace: default
+spec:
+  provider: invalidprovider
+  secretObjects:
+    - secretName: foosecret
+      type: Opaque
+      data:
+        - objectName: foo
+          key: pwd
+        - objectName: bar
+          key: username
+  parameters:
+    roleName: "csi"
+    baoAddress: "http://openbao.openbao:8200"
+    objects: |
+      - secretPath: "secrets/data/foo"
+        objectName: "foo"
+        secretKey: "foo"
+      - secretPath: "secrets/data/bar"
+        objectName: "bar"
+        secretKey: "bar"
+---
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: openbao-foo-sync
+  namespace: test-ns
+spec:
+  provider: openbao
+  secretObjects:
+    - secretName: foosecret
+      type: Opaque
+      data:
+        - objectName: foo
+          key: pwd
+        - objectName: bar
+          key: username
+  parameters:
+    roleName: "csi"
+    baoAddress: "http://openbao.openbao:8200"
+    objects: |
+      - secretPath: "secrets/data/foo"
+        objectName: "foo"
+        secretKey: "foo"
+      - secretPath: "secrets/data/bar"
+        objectName: "bar"
+        secretKey: "bar"
diff --git a/test/bats/tests/openbao/pod-openbao-inline-volume-multiple-spc.yaml b/test/bats/tests/openbao/pod-openbao-inline-volume-multiple-spc.yaml
new file mode 100644
index 000000000..a95c3746e
--- /dev/null
+++ b/test/bats/tests/openbao/pod-openbao-inline-volume-multiple-spc.yaml
@@ -0,0 +1,44 @@
+kind: Pod
+apiVersion: v1
+metadata:
+  name: secrets-store-inline-multiple-crd
+spec:
+  terminationGracePeriodSeconds: 0
+  containers:
+    - image: registry.k8s.io/e2e-test-images/busybox:1.29-4
+      name: busybox
+      imagePullPolicy: IfNotPresent
+      command:
+        - "/bin/sleep"
+        - "10000"
+      volumeMounts:
+        - name: secrets-store-inline-0
+          mountPath: "/mnt/secrets-store-0"
+          readOnly: true
+        - name: secrets-store-inline-1
+          mountPath: "/mnt/secrets-store-1"
+          readOnly: true
+      env:
+        - name: SECRET_USERNAME_0
+          valueFrom:
+            secretKeyRef:
+              name: foosecret-0
+              key: username
+        - name: SECRET_USERNAME_1
+          valueFrom:
+            secretKeyRef:
+              name: foosecret-1
+              key: username
+  volumes:
+    - name: secrets-store-inline-0
+      csi:
+        driver: secrets-store.csi.k8s.io
+        readOnly: true
+        volumeAttributes:
+          secretProviderClass: "openbao-foo-sync-0"
+    - name: secrets-store-inline-1
+      csi:
+        driver: secrets-store.csi.k8s.io
+        readOnly: true
+        volumeAttributes:
+          secretProviderClass: "openbao-foo-sync-1"
diff --git a/test/bats/tests/openbao/pod-openbao-inline-volume-secretproviderclass.yaml b/test/bats/tests/openbao/pod-openbao-inline-volume-secretproviderclass.yaml
new file mode 100644
index 000000000..d628925ea
--- /dev/null
+++ b/test/bats/tests/openbao/pod-openbao-inline-volume-secretproviderclass.yaml
@@ -0,0 +1,23 @@
+kind: Pod
+apiVersion: v1
+metadata:
+  name: secrets-store-inline
+spec:
+  containers:
+    - image: registry.k8s.io/e2e-test-images/busybox:1.29-4
+      name: busybox
+      imagePullPolicy: IfNotPresent
+      command:
+        - "/bin/sleep"
+        - "10000"
+      volumeMounts:
+        - name: secrets-store-inline
+          mountPath: "/mnt/secrets-store"
+          readOnly: true
+  volumes:
+    - name: secrets-store-inline
+      csi:
+        driver: secrets-store.csi.k8s.io
+        readOnly: true
+        volumeAttributes:
+          secretProviderClass: "openbao-foo"
diff --git a/test/bats/tests/openbao/pod-openbao-rotation.yaml b/test/bats/tests/openbao/pod-openbao-rotation.yaml
new file mode 100644
index 000000000..9fe82f599
--- /dev/null
+++ b/test/bats/tests/openbao/pod-openbao-rotation.yaml
@@ -0,0 +1,37 @@
+kind: Pod
+apiVersion: v1
+metadata:
+  name: secrets-store-rotation
+spec:
+  containers:
+    - image: registry.k8s.io/e2e-test-images/busybox:1.29-4
+      name: busybox
+      imagePullPolicy: IfNotPresent
+      command:
+        - "/bin/sleep"
+        - "10000"
+      volumeMounts:
+        - name: secrets-store-rotation
+          mountPath: "/mnt/secrets-store"
+          readOnly: true
+  volumes:
+    - name: secrets-store-rotation
+      csi:
+        driver: secrets-store.csi.k8s.io
+        readOnly: true
+        volumeAttributes:
+          secretProviderClass: "openbao-rotation"
+---
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: openbao-rotation
+spec:
+  provider: openbao
+  parameters:
+    roleName: "csi"
+    baoAddress: "http://openbao.openbao:8200"
+    objects: |
+      - secretPath: "secrets/data/rotation"
+        objectName: "foo"
+        secretKey: "foo"