
Merge pull request #339 from mouhsen-ibrahim/add-workload-identity-support

Add support for Google Cloud Identity
paul-the-alien[bot] il y a 4 ans
Parent
commit
52e3e80a16

+ 2 - 1
apis/externalsecrets/v1alpha1/secretstore_gcpsm_types.go

@@ -31,7 +31,8 @@ type GCPSMAuthSecretRef struct {
 // GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.
 type GCPSMProvider struct {
 	// Auth defines the information necessary to authenticate against GCP
-	Auth GCPSMAuth `json:"auth"`
+	// +optional
+	Auth GCPSMAuth `json:"auth,omitempty"`
 
 	// ProjectID project where secret is located
 	ProjectID string `json:"projectID,omitempty"`
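Review bot: The new `// +optional` marker on Auth does not say what an omitted Auth means, and the provider change in this PR makes that meaningful: with no SecretRef the controller authenticates with its own default credentials. Spell that out on the field so a store author understands whose identity is used, e.g. `// Auth defines the information necessary to authenticate against GCP. If omitted, the controller's own default credentials (for example Workload Identity) are used.` The GCPSMProvider struct continues past the end of this hunk.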

+ 1 - 1
apis/meta/v1/types.go

@@ -18,7 +18,7 @@ package v1
 // In some instances, `key` is a required field.
 type SecretKeySelector struct {
 	// The name of the Secret resource being referred to.
-	Name string `json:"name"`
+	Name string `json:"name,omitempty"`
 	// Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
 	// to the namespace of the referent.
 	// +optional
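Review bot: Making `name` omitempty on SecretKeySelector removes the schema-level `required` check for every provider that embeds this type, not only GCP; the regenerated CRDs in this PR drop `required: - name` under the AWS, Azure, IBM and Vault selectors as well, so those providers must now cope with an empty Name at runtime or they will issue a Get for an empty object key. If only the GCP store is meant to work without a secret, the narrower change is to keep name required here and mark the GCP `SecretRef` itself optional; otherwise add `// +optional` above the field and say in its comment that an empty name is permitted and what the provider does with it. The SecretKeySelector struct continues outside the hunk.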

+ 0 - 28
deploy/crds/external-secrets.io_clustersecretstores.yaml

@@ -108,8 +108,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               secretAccessKeySecretRef:
                                 description: The SecretAccessKey is used for authentication
@@ -130,8 +128,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                         type: object
@@ -179,8 +175,6 @@ spec:
                                   to. Ignored if referent is not cluster-scoped. cluster-scoped
                                   defaults to the namespace of the referent.
                                 type: string
-                            required:
-                            - name
                             type: object
                           clientSecret:
                             description: The Azure ClientSecret of the service principle
@@ -200,8 +194,6 @@ spec:
                                   to. Ignored if referent is not cluster-scoped. cluster-scoped
                                   defaults to the namespace of the referent.
                                 type: string
-                            required:
-                            - name
                             type: object
                         required:
                         - clientId
@@ -249,8 +241,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                         required:
@@ -259,8 +249,6 @@ spec:
                       projectID:
                         description: ProjectID project where secret is located
                         type: string
-                    required:
-                    - auth
                     type: object
                   ibm:
                     description: IBM configures this store to sync secrets using IBM
@@ -291,8 +279,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                         required:
@@ -351,8 +337,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             required:
                             - path
@@ -384,8 +368,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               secretRef:
                                 description: SecretRef to a key in a Secret resource
@@ -408,8 +390,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                           jwt:
@@ -441,8 +421,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                           kubernetes:
@@ -483,8 +461,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               serviceAccountRef:
                                 description: Optional service account field containing
@@ -537,8 +513,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               username:
                                 description: Username is a LDAP user name used to
@@ -566,8 +540,6 @@ spec:
                                   to. Ignored if referent is not cluster-scoped. cluster-scoped
                                   defaults to the namespace of the referent.
                                 type: string
-                            required:
-                            - name
                             type: object
                         type: object
                       caBundle:

+ 0 - 28
deploy/crds/external-secrets.io_secretstores.yaml

@@ -108,8 +108,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               secretAccessKeySecretRef:
                                 description: The SecretAccessKey is used for authentication
@@ -130,8 +128,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                         type: object
@@ -179,8 +175,6 @@ spec:
                                   to. Ignored if referent is not cluster-scoped. cluster-scoped
                                   defaults to the namespace of the referent.
                                 type: string
-                            required:
-                            - name
                             type: object
                           clientSecret:
                             description: The Azure ClientSecret of the service principle
@@ -200,8 +194,6 @@ spec:
                                   to. Ignored if referent is not cluster-scoped. cluster-scoped
                                   defaults to the namespace of the referent.
                                 type: string
-                            required:
-                            - name
                             type: object
                         required:
                         - clientId
@@ -249,8 +241,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                         required:
@@ -259,8 +249,6 @@ spec:
                       projectID:
                         description: ProjectID project where secret is located
                         type: string
-                    required:
-                    - auth
                     type: object
                   ibm:
                     description: IBM configures this store to sync secrets using IBM
@@ -291,8 +279,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                         required:
@@ -351,8 +337,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             required:
                             - path
@@ -384,8 +368,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               secretRef:
                                 description: SecretRef to a key in a Secret resource
@@ -408,8 +390,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                           jwt:
@@ -441,8 +421,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                             type: object
                           kubernetes:
@@ -483,8 +461,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               serviceAccountRef:
                                 description: Optional service account field containing
@@ -537,8 +513,6 @@ spec:
                                       cluster-scoped defaults to the namespace of
                                       the referent.
                                     type: string
-                                required:
-                                - name
                                 type: object
                               username:
                                 description: Username is a LDAP user name used to
@@ -566,8 +540,6 @@ spec:
                                   to. Ignored if referent is not cluster-scoped. cluster-scoped
                                   defaults to the namespace of the referent.
                                 type: string
-                            required:
-                            - name
                             type: object
                         type: object
                       caBundle:

+ 20 - 9
pkg/provider/gcp/secretmanager/secretsmanager.go

@@ -39,12 +39,12 @@ const (
 	defaultVersion    = "latest"
 
 	errGCPSMStore                             = "received invalid GCPSM SecretStore resource"
-	errGCPSMCredSecretName                    = "invalid GCPSM SecretStore resource: missing GCP Secret Access Key"
 	errClientClose                            = "unable to close SecretManager client: %w"
 	errInvalidClusterStoreMissingSAKNamespace = "invalid ClusterSecretStore: missing GCP SecretAccessKey Namespace"
 	errFetchSAKSecret                         = "could not fetch SecretAccessKey secret: %w"
 	errMissingSAK                             = "missing SecretAccessKey"
 	errUnableProcessJSONCredentials           = "failed to process the provided JSON credentials: %w"
+	errUnableProcessDefaultCredentials        = "failed to process the default credentials: %w"
 	errUnableCreateGCPSMClient                = "failed to create GCP secretmanager client: %w"
 	errUninitalizedGCPProvider                = "provider GCP is not initialized"
 	errClientGetSecretAccess                  = "unable to access Secret from SecretManager Client: %w"
@@ -73,9 +73,6 @@ type gClient struct {
 func (c *gClient) setAuth(ctx context.Context) error {
 	credentialsSecret := &corev1.Secret{}
 	credentialsSecretName := c.store.Auth.SecretRef.SecretAccessKey.Name
-	if credentialsSecretName == "" {
-		return fmt.Errorf(errGCPSMCredSecretName)
-	}
 	objectKey := types.NamespacedName{
 		Name:      credentialsSecretName,
 		Namespace: c.namespace,
@@ -88,7 +85,10 @@ func (c *gClient) setAuth(ctx context.Context) error {
 		}
 		objectKey.Namespace = *c.store.Auth.SecretRef.SecretAccessKey.Namespace
 	}
-
+	if credentialsSecretName == "" {
+		c.credentials = nil
+		return nil
+	}
 	err := c.kube.Get(ctx, objectKey, credentialsSecret)
 	if err != nil {
 		return fmt.Errorf(errFetchSAKSecret, err)
@@ -122,12 +122,23 @@ func (sm *ProviderGCP) NewClient(ctx context.Context, store esv1alpha1.GenericSt
 
 	sm.projectID = cliStore.store.ProjectID
 
-	config, err := google.JWTConfigFromJSON(cliStore.credentials, CloudPlatformRole)
+	if cliStore.credentials != nil {
+		config, err := google.JWTConfigFromJSON(cliStore.credentials, CloudPlatformRole)
+		if err != nil {
+			return nil, fmt.Errorf(errUnableProcessJSONCredentials, err)
+		}
+		ts := config.TokenSource(ctx)
+		clientGCPSM, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts))
+		if err != nil {
+			return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)
+		}
+		sm.SecretManagerClient = clientGCPSM
+		return sm, nil
+	}
+	ts, err := google.DefaultTokenSource(ctx, CloudPlatformRole)
 	if err != nil {
-		return nil, fmt.Errorf(errUnableProcessJSONCredentials, err)
+		return nil, fmt.Errorf(errUnableProcessDefaultCredentials, err)
 	}
-	ts := config.TokenSource(ctx)
-
 	clientGCPSM, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts))
 	if err != nil {
 		return nil, fmt.Errorf(errUnableCreateGCPSMClient, err)
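Review bot: The credentials branch in NewClient duplicates the `secretmanager.NewClient` call and the `errUnableCreateGCPSMClient` handling that already follow it, and the fallback to `google.DefaultTokenSource` carries no comment explaining that it uses the controller's ambient identity rather than anything the store author supplied. Picking the token source in one place and creating the client once keeps the two paths from drifting, and a comment on the fallback makes the trust boundary visible to whoever operates a cluster where SecretStore authors are not cluster admins. I would also check setAuth: the moved `credentialsSecretName == ""` early return now sits after the cluster-store namespace check that begins above the hunk, so if that check returns `errInvalidClusterStoreMissingSAKNamespace` when Namespace is nil, a ClusterSecretStore with no SecretRef at all cannot reach the default-credentials path; moving the early return back ahead of that check would avoid it, but I cannot see those lines. NewClient starts before and ends after this hunk, and the sketch below assumes `oauth2` from golang.org/x/oauth2 is imported or added alongside `google`.
```go
	var ts oauth2.TokenSource
	if cliStore.credentials != nil {
		config, err := google.JWTConfigFromJSON(cliStore.credentials, CloudPlatformRole)
		if err != nil {
			return nil, fmt.Errorf(errUnableProcessJSONCredentials, err)
		}
		ts = config.TokenSource(ctx)
	} else {
		// No SecretRef on the store: authenticate with the controller's own
		// Application Default Credentials (e.g. Workload Identity), not with
		// anything supplied by the store author.
		var err error
		ts, err = google.DefaultTokenSource(ctx, CloudPlatformRole)
		if err != nil {
			return nil, fmt.Errorf(errUnableProcessDefaultCredentials, err)
		}
	}
	clientGCPSM, err := secretmanager.NewClient(ctx, option.WithTokenSource(ts))
	// … unchanged: error check and SecretManagerClient assignment …
```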