
test(gcp): add managed provider v2 coverage

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
Moritz Johner vor 2 Monaten
b8ada29c60

+ 80 - 0
e2e/suites/provider/cases/gcp/gcp_v2_managed.go

@@ -0,0 +1,80 @@
+/*
+Copyright © The ESO Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package gcp
+
+import (
+	. "github.com/onsi/ginkgo/v2"
+
+	"github.com/external-secrets/external-secrets-e2e/framework"
+	"github.com/external-secrets/external-secrets-e2e/framework/addon"
+	"github.com/external-secrets/external-secrets-e2e/suites/provider/cases/common"
+)
+
+var _ = Describe("[gcpmanaged] v2 with pod identity", Label("gcp", "secretsmanager", "managed", "pod-identity", "v2"), Ordered, func() {
+	f := framework.New("eso-gcpmanaged-v2-podid")
+	prov := NewProviderV2(f)
+
+	BeforeEach(func() {
+		if !framework.IsV2ProviderMode() {
+			Skip("v2 mode only")
+		}
+		skipIfGCPManagedEnvMissing(prov.access)
+
+		f.Install(addon.NewESO(
+			addon.WithControllerClass(f.BaseName),
+			addon.WithReleaseName(f.Namespace.Name),
+			addon.WithNamespace(prov.backend.ServiceAccountNamespace),
+			addon.WithV2GCPProvider(),
+			addon.WithV2ProviderServiceAccount("gcp", prov.backend.ServiceAccountName),
+			addon.WithoutWebhook(),
+			addon.WithoutCertController(),
+		))
+	})
+
+	DescribeTable("sync secrets",
+		framework.TableFuncWithExternalSecret(f, prov),
+		framework.Compose(withPodID, f, common.SimpleDataSync, useV2MountedPodIdentity(prov)),
+		framework.Compose(withPodID, f, common.FindByName, useV2MountedPodIdentity(prov)),
+	)
+})
+
+var _ = Describe("[gcpmanaged] v2 with referenced service account", Label("gcp", "secretsmanager", "managed", "service-account", "v2"), Ordered, func() {
+	f := framework.New("eso-gcpmanaged-v2-ref")
+	prov := NewProviderV2(f)
+
+	BeforeEach(func() {
+		if !framework.IsV2ProviderMode() {
+			Skip("v2 mode only")
+		}
+		skipIfGCPManagedEnvMissing(prov.access)
+
+		f.Install(addon.NewESO(
+			addon.WithControllerClass(f.BaseName),
+			addon.WithReleaseName(f.Namespace.Name),
+			addon.WithNamespace(prov.backend.ServiceAccountNamespace),
+			addon.WithV2GCPProvider(),
+			addon.WithoutWebhook(),
+			addon.WithoutCertController(),
+		))
+	})
+
+	DescribeTable("sync secrets",
+		framework.TableFuncWithExternalSecret(f, prov),
+		framework.Compose(withSpecifcSA, f, common.SimpleDataSync, useV2ReferencedServiceAccount(prov)),
+		framework.Compose(withSpecifcSA, f, common.FindByName, useV2ReferencedServiceAccount(prov)),
+	)
+})
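Review bot: The two BeforeEach bodies (the pod-identity block and the referenced-service-account block) are copies of each other apart from the single `addon.WithV2ProviderServiceAccount("gcp", prov.backend.ServiceAccountName)` option, so the skip conditions and the install options of the two suites will drift independently; a package-level helper that performs both skips and the `f.Install(addon.NewESO(...))` call, taking the extra options variadically, would keep them aligned. Note also that `NewProviderV2(f)` runs at Describe-construction time, before the `framework.IsV2ProviderMode()` skip in BeforeEach; if the constructor reads credentials or the environment (not visible here), that work happens even when the suite is skipped, so it may be worth a comment such as `// NewProviderV2 must stay side-effect free: it runs before the v2-mode skip`. The identifier `withSpecifcSA` is defined elsewhere and carries a typo; leaving it as is here is fine, but the misspelling should be fixed at its definition.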

+ 80 - 9
e2e/suites/provider/cases/gcp/provider_support_v2.go

@@ -93,19 +93,50 @@ func (p *ProviderV2) DeleteSecret(key string) {
 
 func useV2StaticAuth(prov *ProviderV2) func(*framework.TestCase) {
 	return func(tc *framework.TestCase) {
-		tc.Prepare = prov.prepareNamespacedProviderWithStaticAuth(frameworkv2.ProviderAddress("gcp"))
+		tc.Prepare = prov.prepareNamespacedProviderWithStaticAuthAtAddress(
+			providerConfigNamespaceForStaticAuth(prov),
+			frameworkv2.ProviderAddress("gcp"),
+		)
 	}
 }
 
 func useV2WorkloadIdentity(prov *ProviderV2) func(*framework.TestCase) {
 	return func(tc *framework.TestCase) {
-		tc.Prepare = prov.prepareNamespacedProviderWithWorkloadIdentity(frameworkv2.ProviderAddress("gcp"))
+		tc.Prepare = prov.prepareNamespacedProviderWithWorkloadIdentityAtAddress(
+			providerConfigNamespaceForWorkloadIdentity(prov),
+			frameworkv2.ProviderAddress("gcp"),
+		)
+	}
+}
+
+func useV2MountedPodIdentity(prov *ProviderV2) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		tc.Prepare = prov.prepareNamespacedProviderWithWorkloadIdentityAtAddress(
+			providerConfigNamespaceForWorkloadIdentity(prov),
+			frameworkv2.ProviderAddressInNamespace("gcp", prov.backend.ServiceAccountNamespace),
+		)
+	}
+}
+
+func useV2ReferencedServiceAccount(prov *ProviderV2) func(*framework.TestCase) {
+	return func(tc *framework.TestCase) {
+		tc.Prepare = prov.prepareReferencedServiceAccountProvider(
+			frameworkv2.ProviderAddressInNamespace("gcp", prov.backend.ServiceAccountNamespace),
+		)
 	}
 }
 
-func (p *ProviderV2) prepareNamespacedProviderWithStaticAuth(address string) func(*framework.TestCase, framework.SecretStoreProvider) {
+func providerConfigNamespaceForStaticAuth(prov *ProviderV2) string {
+	return prov.framework.Namespace.Name
+}
+
+func providerConfigNamespaceForWorkloadIdentity(prov *ProviderV2) string {
+	return prov.backend.ServiceAccountNamespace
+}
+
+func (p *ProviderV2) prepareNamespacedProviderWithStaticAuthAtAddress(configNamespace, address string) func(*framework.TestCase, framework.SecretStoreProvider) {
 	return func(_ *framework.TestCase, _ framework.SecretStoreProvider) {
-		createSecretManagerV2StaticConfig(p.framework, p.framework.Namespace.Name, p.framework.Namespace.Name, p.access)
+		createSecretManagerV2StaticConfig(p.framework, configNamespace, p.framework.Namespace.Name, p.access)
 		frameworkv2.CreateProviderConnection(
 			p.framework,
 			p.framework.Namespace.Name,
@@ -114,22 +145,22 @@ func (p *ProviderV2) prepareNamespacedProviderWithStaticAuth(address string) fun
 			gcpsmv2alpha1.GroupVersion.String(),
 			gcpsmv2alpha1.SecretManagerKind,
 			p.framework.Namespace.Name,
-			p.backend.ServiceAccountNamespace,
+			configNamespace,
 		)
 		frameworkv2.WaitForProviderConnectionReady(p.framework, p.framework.Namespace.Name, p.framework.Namespace.Name, defaultV2WaitTimeout)
 	}
 }
 
-func (p *ProviderV2) prepareNamespacedProviderWithWorkloadIdentity(address string) func(*framework.TestCase, framework.SecretStoreProvider) {
+func (p *ProviderV2) prepareNamespacedProviderWithWorkloadIdentityAtAddress(configNamespace, address string) func(*framework.TestCase, framework.SecretStoreProvider) {
 	return func(_ *framework.TestCase, _ framework.SecretStoreProvider) {
 		skipIfGCPManagedEnvMissing(p.access)
 
 		createSecretManagerV2WorkloadIdentityConfig(
 			p.framework,
-			p.backend.ServiceAccountNamespace,
+			configNamespace,
 			p.framework.Namespace.Name,
 			p.access,
-			p.backend.ServiceAccountNamespace,
+			configNamespace,
 		)
 		frameworkv2.CreateProviderConnection(
 			p.framework,
@@ -139,12 +170,52 @@ func (p *ProviderV2) prepareNamespacedProviderWithWorkloadIdentity(address strin
 			gcpsmv2alpha1.GroupVersion.String(),
 			gcpsmv2alpha1.SecretManagerKind,
 			p.framework.Namespace.Name,
-			p.framework.Namespace.Name,
+			configNamespace,
 		)
 		frameworkv2.WaitForProviderConnectionReady(p.framework, p.framework.Namespace.Name, p.framework.Namespace.Name, defaultV2WaitTimeout)
 	}
 }
 
+func (p *ProviderV2) prepareReferencedServiceAccountProvider(address string) func(*framework.TestCase, framework.SecretStoreProvider) {
+	return func(tc *framework.TestCase, _ framework.SecretStoreProvider) {
+		skipIfGCPManagedEnvMissing(p.access)
+
+		configNamespace := providerConfigNamespaceForWorkloadIdentity(p)
+		configName := p.framework.Namespace.Name
+		clusterProviderName := referencedServiceAccountClusterProviderName(p.framework.Namespace.Name)
+
+		createSecretManagerV2WorkloadIdentityConfig(
+			p.framework,
+			configNamespace,
+			configName,
+			p.access,
+			configNamespace,
+		)
+		frameworkv2.CreateClusterProviderConnection(
+			p.framework,
+			clusterProviderName,
+			address,
+			gcpsmv2alpha1.GroupVersion.String(),
+			gcpsmv2alpha1.SecretManagerKind,
+			configName,
+			configNamespace,
+			esv1.AuthenticationScopeManifestNamespace,
+			nil,
+		)
+		frameworkv2.WaitForClusterProviderReady(p.framework, clusterProviderName, defaultV2WaitTimeout)
+		configureV2ReferencedServiceAccountStoreRef(tc, clusterProviderName)
+	}
+}
+
+func referencedServiceAccountClusterProviderName(namespace string) string {
+	return namespace + "-referenced-service-account"
+}
+
+func configureV2ReferencedServiceAccountStoreRef(tc *framework.TestCase, clusterProviderName string) {
+	tc.ExternalSecret.Spec.SecretStoreRef.Kind = esv1.ClusterProviderKindStr
+	tc.ExternalSecret.Spec.SecretStoreRef.Name = clusterProviderName
+}
+
 func newSecretManagerV2StaticConfig(namespace, name string, access gcpAccessConfig) *gcpsmv2alpha1.SecretManager {
 	return &gcpsmv2alpha1.SecretManager{
 		TypeMeta: metav1.TypeMeta{
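Review bot: `prepareReferencedServiceAccountProvider` creates a cluster-scoped object via `frameworkv2.CreateClusterProviderConnection` named `<namespace>-referenced-service-account`, but nothing in this hunk (or in the other new helpers) deletes it; namespaced objects disappear with the test namespace, whereas this one persists across runs unless the framework tracks cluster-scoped objects for teardown, so a deferred cleanup or a comment stating where it is removed would help. The call also passes `esv1.AuthenticationScopeManifestNamespace` with a trailing `nil`; if that `nil` is the namespace selector and means "no restriction", the connection is reachable from every namespace in the test cluster, which a one-line comment on the argument should state explicitly, e.g. `nil, // no namespace restriction: test cluster only`. `configureV2ReferencedServiceAccountStoreRef` dereferences `tc.ExternalSecret` unconditionally; if a table entry ever leaves it unset the Prepare step panics rather than failing with a message, so a guard like `if tc.ExternalSecret == nil { Fail("test case has no ExternalSecret") }` (or whatever the framework's failure helper is) would give a clearer signal. The body of `prepareReferencedServiceAccountProvider` also repeats the `createSecretManagerV2WorkloadIdentityConfig` call from `prepareNamespacedProviderWithWorkloadIdentityAtAddress` with identical arguments, which could be folded into a shared helper. `newSecretManagerV2StaticConfig` continues past the end of the hunk.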