
Use ClusterSecretStore so we can set the namespace of the SA

Lucas Severo Alves 4 years ago
parent
commit
ae6cadf70c
3 changed files with 41 additions and 5 deletions
  1. 5 0
      e2e/framework/util/util.go
  2. 34 5
      e2e/suite/gcp/provider.go
  3. 2 0
      e2e/suite/gcpmanaged/gcpmanaged.go

+ 5 - 0
e2e/framework/util/util.go

@@ -229,6 +229,11 @@ func UpdateKubeSA(baseName string, kubeClientSet kubernetes.Interface, ns string
 	return kubeClientSet.CoreV1().ServiceAccounts(ns).Update(context.TODO(), sa, metav1.UpdateOptions{})
 }
 
+// UpdateKubeSA updates a new Kubernetes Service Account for a test.
+func GetKubeSA(baseName string, kubeClientSet kubernetes.Interface, ns string) (*v1.ServiceAccount, error) {
+	return kubeClientSet.CoreV1().ServiceAccounts(ns).Get(context.TODO(), baseName, metav1.GetOptions{})
+}
+
 // NewConfig loads and returns the kubernetes credentials from the environment.
 // KUBECONFIG env var takes precedence and falls back to in-cluster config.
 func NewConfig() (*restclient.Config, *kubernetes.Clientset, crclient.Client) {
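Review bot: The doc comment added above GetKubeSA names the wrong function and describes the wrong action ("UpdateKubeSA updates a new ..."), which looks copied from the neighbouring UpdateKubeSA; `go vet`/golint conventions expect the comment to start with the function's own name. Suggest `// GetKubeSA fetches the Kubernetes Service Account named baseName from namespace ns.` The parameter is used as the exact object name in the Get call, so calling it baseName is slightly misleading, but renaming it is optional. Like the existing helpers, the call uses context.TODO(); threading a ctx through would be a consistent follow-up rather than something for this commit.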

+ 34 - 5
e2e/suite/gcp/provider.go

@@ -29,12 +29,15 @@ import (
 	"google.golang.org/api/option"
 	secretmanagerpb "google.golang.org/genproto/googleapis/cloud/secretmanager/v1"
 	v1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	utilpointer "k8s.io/utils/pointer"
 
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
+	"github.com/external-secrets/external-secrets/e2e/framework/log"
 	gcpsm "github.com/external-secrets/external-secrets/pkg/provider/gcp/secretmanager"
 )
 
@@ -59,6 +62,22 @@ func makeStore(s *GcpProvider) *esv1alpha1.SecretStore {
 	}
 }
 
+func makeCStore(s *GcpProvider) *esv1alpha1.ClusterSecretStore {
+	return &esv1alpha1.ClusterSecretStore{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      s.framework.Namespace.Name,
+			Namespace: s.framework.Namespace.Name,
+		},
+		Spec: esv1alpha1.SecretStoreSpec{
+			Provider: &esv1alpha1.SecretStoreProvider{
+				GCPSM: &esv1alpha1.GCPSMProvider{
+					ProjectID: s.projectID,
+				},
+			},
+		},
+	}
+}
+
 // nolint // Better to keep names consistent even if it stutters;
 type GcpProvider struct {
 	credentials             string
@@ -189,9 +208,9 @@ func (s *GcpProvider) CreatePodIDStore(ns string) {
 }
 
 func (s *GcpProvider) CreateSpecifcSASecretStore(ns string) {
-	secretStore := makeStore(s)
-	secretStore.ObjectMeta.Name = SpecifcSASecretStoreName
-	secretStore.Spec.Provider.GCPSM.Auth = esv1alpha1.GCPSMAuth{
+	clusterSecretStore := makeCStore(s)
+	clusterSecretStore.ObjectMeta.Name = SpecifcSASecretStoreName
+	clusterSecretStore.Spec.Provider.GCPSM.Auth = esv1alpha1.GCPSMAuth{
 		WorkloadIdentity: &esv1alpha1.GCPWorkloadIdentity{
 			ClusterLocation: s.clusterLocation,
 			ClusterName:     s.clusterName,
@@ -201,6 +220,16 @@ func (s *GcpProvider) CreateSpecifcSASecretStore(ns string) {
 			},
 		},
 	}
-	err := s.framework.CRClient.Create(context.Background(), secretStore)
-	Expect(err).ToNot(HaveOccurred())
+
+	var cSS esv1alpha1.ClusterSecretStore
+
+	err := s.framework.CRClient.Get(context.Background(), types.NamespacedName{
+		Name: SpecifcSASecretStoreName,
+	}, &cSS)
+	if apierrors.IsNotFound(err) {
+		err := s.framework.CRClient.Create(context.Background(), clusterSecretStore)
+		Expect(err).ToNot(HaveOccurred())
+	} else {
+		log.Logf("%s CSStore already created", SpecifcSASecretStoreName)
+	}
 }
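Review bot: In the last hunk of CreateSpecifcSASecretStore, the else branch treats every non-NotFound error from CRClient.Get as "already created": an RBAC denial, API outage or mapping error is logged as success and the test carries on without a store, which produces confusing downstream failures instead of failing at the cause. Only err == nil should take the log path; any other error needs to be asserted, e.g. with the three-way switch below. Note also that the Get-then-Create pair is not atomic, so two suites creating the store concurrently can still race on AlreadyExists (low impact here, but worth a comment), and that a cluster-scoped store named by a fixed constant is shared by every namespace in the test cluster, so the "already created" path assumes the existing object has the same spec. In the makeCStore hunk earlier in this file, ObjectMeta.Namespace is set on a ClusterSecretStore, which is cluster-scoped; the API server is expected to drop it, but leaving the field unset avoids suggesting the object is namespaced.

```go
	err := s.framework.CRClient.Get(context.Background(), types.NamespacedName{
		Name: SpecifcSASecretStoreName,
	}, &cSS)
	switch {
	case err == nil:
		log.Logf("%s CSStore already created", SpecifcSASecretStoreName)
	case apierrors.IsNotFound(err):
		// NOTE: Get+Create is not atomic; a concurrent creator can still hit AlreadyExists.
		err := s.framework.CRClient.Create(context.Background(), clusterSecretStore)
		Expect(err).ToNot(HaveOccurred())
	default:
		// Any other Get failure (RBAC, API unavailable, ...) must fail the test here.
		Expect(err).ToNot(HaveOccurred())
	}
```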

+ 2 - 0
e2e/suite/gcpmanaged/gcpmanaged.go

@@ -22,6 +22,7 @@ import (
 
 	// nolint
 	// . "github.com/onsi/gomega"
+	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 	"github.com/external-secrets/external-secrets/e2e/framework"
 	"github.com/external-secrets/external-secrets/e2e/suite/common"
 	"github.com/external-secrets/external-secrets/e2e/suite/gcp"
@@ -80,5 +81,6 @@ func usePodIDESReference(tc *framework.TestCase) {
 }
 
 func useSpecifcSAESReference(tc *framework.TestCase) {
+	tc.ExternalSecret.Spec.SecretStoreRef.Kind = esv1alpha1.ClusterSecretStoreKind
 	tc.ExternalSecret.Spec.SecretStoreRef.Name = gcp.SpecifcSASecretStoreName
 }