Add support for Google Cloud Identity

If the name of the service account secret is kept
empty, this means we want to use Google Cloud Identity
to authenticate against the GCP project

apis/meta/v1/types.go

@@ -18,7 +18,7 @@ package v1
 // In some instances, `key` is a required field.
 type SecretKeySelector struct {
 	// The name of the Secret resource being referred to.
-	Name string `json:"name"`
+	Name string `json:"name,omitempty"`
 	// Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
 	// to the namespace of the referent.
 	// +optional

deploy/crds/external-secrets.io_clustersecretstores.yaml

@@ -1,3 +1,5 @@
+
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -108,8 +110,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               secretAccessKeySecretRef:
                                 description: The SecretAccessKey is used for authentication
@@ -130,8 +130,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                         type: object
@@ -179,8 +177,6 @@ spec:
                                   to. Ignored if referent is not cluster-scoped. cluster-scoped
                                   defaults to the namespace of the referent.
                                 type: string
-                            required:
-                            - name
                             type: object
                           clientSecret:
                             description: The Azure ClientSecret of the service principle
@@ -200,8 +196,6 @@ spec:
                                   to. Ignored if referent is not cluster-scoped. cluster-scoped
                                   defaults to the namespace of the referent.
                                 type: string
-                            required:
-                            - name
                             type: object
                         required:
                         - clientId
@@ -249,8 +243,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                         required:
@@ -291,8 +283,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                         required:
@@ -351,8 +341,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             required:
                             - path
@@ -384,8 +372,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               secretRef:
                                 description: SecretRef to a key in a Secret resource
@@ -408,8 +394,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                           jwt:
@@ -441,8 +425,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                           kubernetes:
@@ -483,8 +465,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               serviceAccountRef:
                                 description: Optional service account field containing
@@ -537,8 +517,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               username:
                                 description: Username is a LDAP user name used to
@@ -566,8 +544,6 @@ spec:
                                   to. Ignored if referent is not cluster-scoped. cluster-scoped
                                   defaults to the namespace of the referent.
                                 type: string
-                            required:
-                            - name
                             type: object
                         type: object
                       caBundle:

deploy/crds/external-secrets.io_externalsecrets.yaml

@@ -1,3 +1,5 @@
+
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:

deploy/crds/external-secrets.io_secretstores.yaml

@@ -1,3 +1,5 @@
+
+---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -108,8 +110,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               secretAccessKeySecretRef:
                                 description: The SecretAccessKey is used for authentication
@@ -130,8 +130,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                         type: object
@@ -179,8 +177,6 @@ spec:
                                   to. Ignored if referent is not cluster-scoped. cluster-scoped
                                   defaults to the namespace of the referent.
                                 type: string
-                            required:
-                            - name
                             type: object
                           clientSecret:
                             description: The Azure ClientSecret of the service principle
@@ -200,8 +196,6 @@ spec:
                                   to. Ignored if referent is not cluster-scoped. cluster-scoped
                                   defaults to the namespace of the referent.
                                 type: string
-                            required:
-                            - name
                             type: object
                         required:
                         - clientId
@@ -249,8 +243,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                         required:
@@ -291,8 +283,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                         required:
@@ -351,8 +341,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             required:
                             - path
@@ -384,8 +372,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               secretRef:
                                 description: SecretRef to a key in a Secret resource
@@ -408,8 +394,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                           jwt:
@@ -441,8 +425,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                           kubernetes:
@@ -483,8 +465,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               serviceAccountRef:
                                 description: Optional service account field containing
@@ -537,8 +517,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               username:
                                 description: Username is a LDAP user name used to
@@ -566,8 +544,6 @@ spec:
                                   to. Ignored if referent is not cluster-scoped. cluster-scoped
                                   defaults to the namespace of the referent.
                                 type: string
-                            required:
-                            - name
                             type: object
                         type: object
                       caBundle:

pkg/provider/gcp/secretmanager/secretsmanager.go

@@ -39,12 +39,12 @@ const (
 	defaultVersion    = "latest"
 
 	errGCPSMStore                             = "received invalid GCPSM SecretStore resource"
-	errGCPSMCredSecretName                    = "invalid GCPSM SecretStore resource: missing GCP Secret Access Key"
 	errClientClose                            = "unable to close SecretManager client: %w"
 	errInvalidClusterStoreMissingSAKNamespace = "invalid ClusterSecretStore: missing GCP SecretAccessKey Namespace"
 	errFetchSAKSecret                         = "could not fetch SecretAccessKey secret: %w"
 	errMissingSAK                             = "missing SecretAccessKey"
 	errUnableProcessJSONCredentials           = "failed to process the provided JSON credentials: %w"
+	errUnableProcessDefaultCredentials        = "failed to process the default credentials: %w"
 	errUnableCreateGCPSMClient                = "failed to create GCP secretmanager client: %w"
 	errUninitalizedGCPProvider                = "provider GCP is not initialized"
 	errClientGetSecretAccess                  = "unable to access Secret from SecretManager Client: %w"
@@ -73,9 +73,6 @@ type gClient struct {
 func (c *gClient) setAuth(ctx context.Context) error {
 	credentialsSecret := &corev1.Secret{}
 	credentialsSecretName := c.store.Auth.SecretRef.SecretAccessKey.Name
-	if credentialsSecretName == "" {
-		return fmt.Errorf(errGCPSMCredSecretName)
-	}
 	objectKey := types.NamespacedName{
 		Name:      credentialsSecretName,
 		Namespace: c.namespace,
@@ -88,7 +85,10 @@ func (c *gClient) setAuth(ctx context.Context) error {
 		}
 		objectKey.Namespace = *c.store.Auth.SecretRef.SecretAccessKey.Namespace
 	}
-
+	if credentialsSecretName == "" {
+		c.credentials = nil
+		return nil
+	}
 	err := c.kube.Get(ctx, objectKey, credentialsSecret)
 	if err != nil {
 		return fmt.Errorf(errFetchSAKSecret, err)
@@ -122,12 +122,23 @@ func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1alpha1.GenericSt
 
 	sm.projectID = cliStore.store.ProjectID
 
-	config, err := google.JWTConfigFromJSON(cliStore.credentials, CloudPlatformRole)
+	if cliStore.credentials != nil {
+		config, err := google.JWTConfigFromJSON(cliStore.credentials, CloudPlatformRole)
+		if err != nil {
+			return nil, fmt.Errorf(errUnableProcessJSONCredentials, err)
+		}
+		ts := config.TokenSource(ctx)
+		clientGCPSM, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts))
+		if err != nil {
+			return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)
+		}
+		sm.SecretManagerClient = clientGCPSM
+		return sm, nil
+	}
+	ts, err := google.DefaultTokenSource(ctx, CloudPlatformRole)
 	if err != nil {
-		return nil, fmt.Errorf(errUnableProcessJSONCredentials, err)
+		return nil, fmt.Errorf(errUnableProcessDefaultCredentials, err)
 	}
-	ts := config.TokenSource(ctx)
-
 	clientGCPSM, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts))
 	if err != nil {
 		return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)