
rework clusterProjectID and add test

Atze de Vries 4 years ago
parent
commit
d9f87c296d

+ 16 - 8
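--- a/pkg/provider/gcp/secretmanager/secretsmanager_workload_identity.go
+++ b/pkg/provider/gcp/secretmanager/secretsmanager_workload_identity.go
@@ -49,6 +49,7 @@ const (
 	errFetchPodToken  = "unable to fetch pod token: %w"
 	errFetchIBToken   = "unable to fetch identitybindingtoken: %w"
 	errGenAccessToken = "unable to generate gcp access token: %w"
+	errNoProjectID    = "unable to find ProjectID in storeSpec"
 )
 
 // workloadIdentity holds all clients and generators needed
@@ -114,16 +115,12 @@ func (w *workloadIdentity) TokenSource(ctx context.Context, store esv1beta1.Gene
 		saKey.Namespace = *wi.ServiceAccountRef.Namespace
 	}
 
-	// get clusterProjectID from workload identity spec but default to Provider.GCPSM.ProjectID
-	var clusterProjectID string
-	if wi.ClusterProjectID != "" {
-		clusterProjectID = wi.ClusterProjectID
-	} else {
-		clusterProjectID = spec.Provider.GCPSM.ProjectID
+	clusterProjectID, err := clusterProjectID(store)
+	if err != nil {
+		return nil, err
 	}
-
 	sa := &v1.ServiceAccount{}
-	err := kube.Get(ctx, saKey, sa)
+	err = kube.Get(ctx, saKey, sa)
 	if err != nil {
 		return nil, err
 	}
@@ -265,3 +262,14 @@ func (g *gcpIDBindTokenGenerator) Generate(ctx context.Context, client *http.Cli
 	}
 	return idBindToken, nil
 }
+
+func clusterProjectID(store esv1beta1.GenericStore) (string, error) {
+	spec := store.GetSpec()
+	if spec.Provider.GCPSM.Auth.WorkloadIdentity.ClusterProjectID != "" {
+		return spec.Provider.GCPSM.Auth.WorkloadIdentity.ClusterProjectID, nil
+	} else if spec.Provider.GCPSM.ProjectID != "" {
+		return spec.Provider.GCPSM.ProjectID, nil
+	} else {
+		return "", fmt.Errorf(errNoProjectID)
+	}
+}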
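Review bot: `clusterProjectID` in the third hunk dereferences `spec.Provider`, `spec.Provider.GCPSM` and `spec.Provider.GCPSM.Auth.WorkloadIdentity` with no nil checks, and the test fixtures show all three are pointers (`&esv1beta1.SecretStoreProvider{}`, `&esv1beta1.GCPSMProvider{}`, `&esv1beta1.GCPWorkloadIdentity{}`), so a store that uses another GCPSM auth method, or a malformed spec, panics here instead of returning an error. The caller in `TokenSource` (whose body starts before the second hunk) has presumably validated `wi` already, since it reads `wi.ServiceAccountRef` a few lines up, but the helper is now a separate, independently tested function and should not depend on that. The value it returns names the project used for the identity-binding step, and the removed inline comment was the only explanation of the fall-back to the Secret Manager `ProjectID`, so the new function wants a doc comment such as `// clusterProjectID returns the project the cluster's workload identity is bound to: the explicit WorkloadIdentity.ClusterProjectID, else the GCPSM ProjectID; it returns errNoProjectID when neither is set.` Separately, `fmt.Errorf(errNoProjectID)` with no format arguments is better written `errors.New(errNoProjectID)` (staticcheck SA1006; needs the `errors` import), and the `else if`/`else` after a `return` flattens into guard clauses.

```go
func clusterProjectID(store esv1beta1.GenericStore) (string, error) {
	spec := store.GetSpec()
	if spec == nil || spec.Provider == nil || spec.Provider.GCPSM == nil {
		return "", errors.New(errNoProjectID)
	}
	gcpsm := spec.Provider.GCPSM
	if wi := gcpsm.Auth.WorkloadIdentity; wi != nil && wi.ClusterProjectID != "" {
		return wi.ClusterProjectID, nil
	}
	if gcpsm.ProjectID != "" {
		return gcpsm.ProjectID, nil
	}
	return "", errors.New(errNoProjectID)
}
```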

+ 39 - 0
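--- a/pkg/provider/gcp/secretmanager/secretsmanager_workload_identity_test.go
+++ b/pkg/provider/gcp/secretmanager/secretsmanager_workload_identity_test.go
@@ -160,6 +160,15 @@ func TestWorkloadIdentity(t *testing.T) {
 	}
 }
 
+func TestClusterProjectID(t *testing.T) {
+	clusterID, err := clusterProjectID(defaultStore())
+	assert.Nil(t, err)
+	assert.Equal(t, clusterID, "1234")
+	externalClusterID, err := clusterProjectID(defaultExternalStore())
+	assert.Nil(t, err)
+	assert.Equal(t, externalClusterID, "5678")
+}
+
 func TestSATokenGen(t *testing.T) {
 	corev1 := &fakeK8sV1{}
 	g := &k8sSATokenGenerator{
@@ -298,6 +307,16 @@ func defaultStore() *esv1beta1.SecretStore {
 	}
 }
 
+func defaultExternalStore() *esv1beta1.SecretStore {
+	return &esv1beta1.SecretStore{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "foobar",
+			Namespace: "default",
+		},
+		Spec: defaultExternalStoreSpec(),
+	}
+}
+
 func defaultClusterStore() *esv1beta1.ClusterSecretStore {
 	return &esv1beta1.ClusterSecretStore{
 		TypeMeta: metav1.TypeMeta{
@@ -329,6 +348,26 @@ func defaultStoreSpec() esv1beta1.SecretStoreSpec {
 	}
 }
 
+func defaultExternalStoreSpec() esv1beta1.SecretStoreSpec {
+	return esv1beta1.SecretStoreSpec{
+		Provider: &esv1beta1.SecretStoreProvider{
+			GCPSM: &esv1beta1.GCPSMProvider{
+				Auth: esv1beta1.GCPSMAuth{
+					WorkloadIdentity: &esv1beta1.GCPWorkloadIdentity{
+						ServiceAccountRef: esmeta.ServiceAccountSelector{
+							Name: "example",
+						},
+						ClusterLocation:  "example",
+						ClusterName:      "foobar",
+						ClusterProjectID: "5678",
+					},
+				},
+				ProjectID: "1234",
+			},
+		},
+	}
+}
+
 type storeMutator func(spc esv1beta1.GenericStore)
 
 func composeStore(store esv1beta1.GenericStore, mutators ...storeMutator) esv1beta1.GenericStore {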
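Review bot: `TestClusterProjectID` in the first hunk covers only the two success paths; the new error branch, where neither `ClusterProjectID` nor `ProjectID` is set, is never exercised, so the `errNoProjectID` return has no coverage. A third case built with `composeStore(defaultStore(), ...)` and a `storeMutator` that blanks `Provider.GCPSM.ProjectID` (and `WorkloadIdentity.ClusterProjectID`, if `defaultStoreSpec`, which lies outside this hunk, sets it) should assert `assert.EqualError(t, err, errNoProjectID)`. The two `assert.Equal` calls also pass their arguments as (actual, expected); if `assert` is testify, its signature is `Equal(t, expected, actual)`, so write `assert.Equal(t, "1234", clusterID)` and `assert.Equal(t, "5678", externalClusterID)` to keep failure output readable. The fixtures `defaultExternalStore` and `defaultExternalStoreSpec` are fine as they stand.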