
GCP: allow cluster to be in different project

Atze de Vries 4 years ago
parent
commit
da47ad2cac

+ 1 - 0
apis/externalsecrets/v1alpha1/secretstore_gcpsm_types.go

@@ -35,6 +35,7 @@ type GCPWorkloadIdentity struct {
 	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`
 	ClusterLocation   string                        `json:"clusterLocation"`
 	ClusterName       string                        `json:"clusterName"`
+	ClusterProjectID  string                        `json:"clusterProjectID"`
 }
 
 // GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.
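Review bot: The new `ClusterProjectID` field carries neither a `// +optional` marker nor `omitempty` in its JSON tag, so the regenerated CRDs in this same commit list `clusterProjectID` under `required` (the hunks in config/crds/bases and deploy/crds/bundle.yaml), which means the API server will reject every existing SecretStore/ClusterSecretStore that relies on the empty-value fallback to `Provider.GCPSM.ProjectID` added in secretsmanager_workload_identity.go. Declare it optional and document the default, e.g. `// ClusterProjectID is the GCP project that hosts the GKE cluster; when empty, Provider.GCPSM.ProjectID is used.` followed by `// +optional` and `ClusterProjectID  string `json:"clusterProjectID,omitempty"``, then regenerate the CRDs. The v1beta1 copy of GCPWorkloadIdentity in the next file section has the identical omission. The `type GCPWorkloadIdentity struct {` line itself sits above this hunk.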

+ 1 - 0
apis/externalsecrets/v1beta1/secretstore_gcpsm_types.go

@@ -35,6 +35,7 @@ type GCPWorkloadIdentity struct {
 	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`
 	ClusterLocation   string                        `json:"clusterLocation"`
 	ClusterName       string                        `json:"clusterName"`
+	ClusterProjectID  string                        `json:"clusterProjectID"`
 }
 
 // GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.

+ 6 - 0
config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -443,6 +443,8 @@ spec:
                                 type: string
                               clusterName:
                                 type: string
+                              clusterProjectID:
+                                type: string
                               serviceAccountRef:
                                 description: A reference to a ServiceAccount resource.
                                 properties:
@@ -462,6 +464,7 @@ spec:
                             required:
                             - clusterLocation
                             - clusterName
+                            - clusterProjectID
                             - serviceAccountRef
                             type: object
                         type: object
@@ -1746,6 +1749,8 @@ spec:
                                 type: string
                               clusterName:
                                 type: string
+                              clusterProjectID:
+                                type: string
                               serviceAccountRef:
                                 description: A reference to a ServiceAccount resource.
                                 properties:
@@ -1765,6 +1770,7 @@ spec:
                             required:
                             - clusterLocation
                             - clusterName
+                            - clusterProjectID
                             - serviceAccountRef
                             type: object
                         type: object

+ 6 - 0
config/crds/bases/external-secrets.io_secretstores.yaml

@@ -443,6 +443,8 @@ spec:
                                 type: string
                               clusterName:
                                 type: string
+                              clusterProjectID:
+                                type: string
                               serviceAccountRef:
                                 description: A reference to a ServiceAccount resource.
                                 properties:
@@ -462,6 +464,7 @@ spec:
                             required:
                             - clusterLocation
                             - clusterName
+                            - clusterProjectID
                             - serviceAccountRef
                             type: object
                         type: object
@@ -1749,6 +1752,8 @@ spec:
                                 type: string
                               clusterName:
                                 type: string
+                              clusterProjectID:
+                                type: string
                               serviceAccountRef:
                                 description: A reference to a ServiceAccount resource.
                                 properties:
@@ -1768,6 +1773,7 @@ spec:
                             required:
                             - clusterLocation
                             - clusterName
+                            - clusterProjectID
                             - serviceAccountRef
                             type: object
                         type: object

+ 12 - 0
deploy/crds/bundle.yaml

@@ -334,6 +334,8 @@ spec:
                                   type: string
                                 clusterName:
                                   type: string
+                                clusterProjectID:
+                                  type: string
                                 serviceAccountRef:
                                   description: A reference to a ServiceAccount resource.
                                   properties:
@@ -349,6 +351,7 @@ spec:
                               required:
                                 - clusterLocation
                                 - clusterName
+                                - clusterProjectID
                                 - serviceAccountRef
                               type: object
                           type: object
@@ -1295,6 +1298,8 @@ spec:
                                   type: string
                                 clusterName:
                                   type: string
+                                clusterProjectID:
+                                  type: string
                                 serviceAccountRef:
                                   description: A reference to a ServiceAccount resource.
                                   properties:
@@ -1310,6 +1315,7 @@ spec:
                               required:
                                 - clusterLocation
                                 - clusterName
+                                - clusterProjectID
                                 - serviceAccountRef
                               type: object
                           type: object
@@ -2771,6 +2777,8 @@ spec:
                                   type: string
                                 clusterName:
                                   type: string
+                                clusterProjectID:
+                                  type: string
                                 serviceAccountRef:
                                   description: A reference to a ServiceAccount resource.
                                   properties:
@@ -2786,6 +2794,7 @@ spec:
                               required:
                                 - clusterLocation
                                 - clusterName
+                                - clusterProjectID
                                 - serviceAccountRef
                               type: object
                           type: object
@@ -3735,6 +3744,8 @@ spec:
                                   type: string
                                 clusterName:
                                   type: string
+                                clusterProjectID:
+                                  type: string
                                 serviceAccountRef:
                                   description: A reference to a ServiceAccount resource.
                                   properties:
@@ -3750,6 +3761,7 @@ spec:
                               required:
                                 - clusterLocation
                                 - clusterName
+                                - clusterProjectID
                                 - serviceAccountRef
                               type: object
                           type: object

+ 10 - 2
pkg/provider/gcp/secretmanager/secretsmanager_workload_identity.go

@@ -114,6 +114,14 @@ func (w *workloadIdentity) TokenSource(ctx context.Context, store esv1beta1.Gene
 		saKey.Namespace = *wi.ServiceAccountRef.Namespace
 	}
 
+	// get clusterProjectID from workload identity spec but default to Provider.GCPSM.ProjectID
+	var clusterProjectID string
+	if wi.ClusterProjectID != "" {
+		clusterProjectID = wi.ClusterProjectID
+	} else {
+		clusterProjectID = spec.Provider.GCPSM.ProjectID
+	}
+
 	sa := &v1.ServiceAccount{}
 	err := kube.Get(ctx, saKey, sa)
 	if err != nil {
@@ -121,10 +129,10 @@ func (w *workloadIdentity) TokenSource(ctx context.Context, store esv1beta1.Gene
 	}
 
 	idProvider := fmt.Sprintf("https://container.googleapis.com/v1/projects/%s/locations/%s/clusters/%s",
-		spec.Provider.GCPSM.ProjectID,
+		clusterProjectID,
 		wi.ClusterLocation,
 		wi.ClusterName)
-	idPool := fmt.Sprintf("%s.svc.id.goog", spec.Provider.GCPSM.ProjectID)
+	idPool := fmt.Sprintf("%s.svc.id.goog", clusterProjectID)
 	gcpSA := sa.Annotations[gcpSAAnnotation]
 
 	resp, err := w.saTokenGenerator.Generate(ctx, idPool, saKey.Name, saKey.Namespace)
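Review bot: The `var clusterProjectID string` plus `if`/`else` block in the first hunk is the long form of "default, then override"; the idiomatic shape is `clusterProjectID := spec.Provider.GCPSM.ProjectID` followed by `if wi.ClusterProjectID != "" { clusterProjectID = wi.ClusterProjectID }`, which also lets the comment shrink to `// Prefer the cluster's own project; fall back to the Secret Manager project.`. Note that if both values are empty the identity provider URL and `idPool` are built with an empty project segment; whether `spec.Provider.GCPSM.ProjectID` is guaranteed non-empty by store validation is not visible here, so a guard returning an error at this point may be warranted. TokenSource begins and ends outside these two hunks.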