String APP_DIGEST_ALGORITHM = "app.digest.algorithm";

    /** The key of the configuration. e.g. .*password|.*key|.*token|.*secret */
    String APP_ENCRYPT_PROPERTY_PATTERN = "app.encrypt.property.pattern";

    /** The key of the configuration. e.g. .*password.*|.*secret.*|.*key.*|.*token.*|.*credential.*|.*auth.*|.*private.* */
    String APP_LOG_SENSITIVE_PROPERTY_PATTERN = "app.log.sensitive.property.pattern";

### Immutable Secrets and ConfigMaps (beta)

Secret and ConfigMap volumes can be marked as immutable, which significantly reduces load on the API server if there are many Secret and ConfigMap volumes in the cluster.
See [ConfigMap](https://kubernetes.io/docs/concepts/configuration/configmap/) and [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) for more information.

### CSI Proxy for Windows

- Added a show-secret flag to the diff command to explicitly allow secret values to be displayed during the diff operation. ([#137019](https://github.com/kubernetes/kubernetes/pull/137019), [@olamilekan000](https://github.com/olamilekan000)) [SIG CLI]

- Fixed in-tree to CSI migration for Portworx volumes, in clusters where Portworx security feature is enabled (it's a Portworx feature, not Kubernetes feature). It required secret data from the secret mentioned in-tree SC, to be passed in CSI requests which was not happening before this fix. ([#129675](https://github.com/kubernetes/kubernetes/pull/129675), [@gohilankit](https://github.com/gohilankit)) [SIG Storage]

- Kubelet now cleans up orphaned volume directories automatically ([#95301](https://github.com/kubernetes/kubernetes/pull/95301), [@lorenz](https://github.com/lorenz)) [SIG Node and Storage]
- Resolves spurious `Failed to list *v1.Secret` or `Failed to list *v1.ConfigMap` messages in kubelet logs. ([#99538](https://github.com/kubernetes/kubernetes/pull/99538), [@liggitt](https://github.com/liggitt)) [SIG Auth and Node]
- Sync node status during kubelet node shutdown.

* kubelet: resolved hang/timeout issues when running large numbers of pods with unique configmap/secret references ([#74755](https://github.com/kubernetes/kubernetes/pull/74755), [@liggitt](https://github.com/liggitt))

		//     spark.sparkContext.hadoopConfiguration.set("fs.s3a.path.style.access", "true")
		//     spark.sparkContext.hadoopConfiguration.set("fs.s3a.access.key", "minioadmin")
		//     spark.sparkContext.hadoopConfiguration.set("fs.s3a.secret.key", "minioadmin")
		//
		//     val df = spark.read.json("s3a://testbucket/s3.json")
		//
		//     df.write.parquet("s3a://testbucket/parquet/")
		//   }
		// }
		if matches() {

### Bug or Regression

- Fixed in-tree to CSI migration for Portworx volumes, in clusters where Portworx security feature is enabled (it's a Portworx feature, not Kubernetes feature). It required secret data from the secret mentioned in-tree SC, to be passed in CSI requests which was not happening before this fix. ([#129674](https://github.com/kubernetes/kubernetes/pull/129674), [@gohilankit](https://github.com/gohilankit)) [SIG Storage]

- Introduced new kubelet metrics for the Ensure Secret Pulled Images KEP, including:
      - `kubelet_imagemanager_ondisk_pullintents` for tracking pull intent records on disk
      - `kubelet_imagemanager_ondisk_pulledrecords` for tracking pulled image records on disk

- This release added support for `NodeExpandSecret` for CSI driver client which enables the CSI drivers to make use of this secret while performing node expansion operation based on the user request. Previously there was no secret  provided as part of the `nodeexpansion` call, thus CSI drivers did not make use of the same while expanding the volume at the node side. ([#105963](https://github.com/kubernetes/kubernetes/pull/105963),...