deploy: ac4d5525c89a76867e018176193d01420c2ed298

provider-google-secrets-manager/index.html

@@ -611,26 +611,41 @@
     Google Cloud Secret Manager
   </a>
   
-    <nav class="md-nav" aria-label="Google Cloud Secret Manager">
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#authentication" class="md-nav__link">
+    Authentication
+  </a>
+  
+    <nav class="md-nav" aria-label="Authentication">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#workload-identity" class="md-nav__link">
+    Workload Identity
+  </a>
+  
+    <nav class="md-nav" aria-label="Workload Identity">
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#service-account-key-authentication" class="md-nav__link">
-    Service account key authentication
+  <a href="#creating-workload-identity-service-accounts" class="md-nav__link">
+    Creating Workload Identity Service Accounts
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#update-secret-store" class="md-nav__link">
-    Update secret store
+  <a href="#using-service-accounts-directly" class="md-nav__link">
+    Using Service Accounts directly
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#creating-external-secret" class="md-nav__link">
-    Creating external secret
+  <a href="#using-pod-based-workload-identity" class="md-nav__link">
+    Using Pod-based Workload Identity
   </a>
   
 </li>
@@ -639,40 +654,25 @@
     </nav>
   
 </li>
-      
-        <li class="md-nav__item">
-  <a href="#authentication-with-workload-identity" class="md-nav__link">
-    Authentication with Workload Identity
-  </a>
-  
-    <nav class="md-nav" aria-label="Authentication with Workload Identity">
-      <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#following-the-documentation" class="md-nav__link">
-    Following the documentation
+  <a href="#gcp-service-account-authentication" class="md-nav__link">
+    GCP Service Account authentication
   </a>
   
-    <nav class="md-nav" aria-label="Following the documentation">
+    <nav class="md-nav" aria-label="GCP Service Account authentication">
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#changing-values" class="md-nav__link">
-    Changing Values
-  </a>
-  
-</li>
-        
-          <li class="md-nav__item">
-  <a href="#following-through" class="md-nav__link">
-    Following through
+  <a href="#update-secret-store" class="md-nav__link">
+    Update secret store
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#secretstore-with-workloadidentity" class="md-nav__link">
-    SecretStore with WorkloadIdentity
+  <a href="#creating-external-secret" class="md-nav__link">
+    Creating external secret
   </a>
   
 </li>
@@ -1038,26 +1038,41 @@
     Google Cloud Secret Manager
   </a>
   
-    <nav class="md-nav" aria-label="Google Cloud Secret Manager">
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#authentication" class="md-nav__link">
+    Authentication
+  </a>
+  
+    <nav class="md-nav" aria-label="Authentication">
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#service-account-key-authentication" class="md-nav__link">
-    Service account key authentication
+  <a href="#workload-identity" class="md-nav__link">
+    Workload Identity
+  </a>
+  
+    <nav class="md-nav" aria-label="Workload Identity">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#creating-workload-identity-service-accounts" class="md-nav__link">
+    Creating Workload Identity Service Accounts
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#update-secret-store" class="md-nav__link">
-    Update secret store
+  <a href="#using-service-accounts-directly" class="md-nav__link">
+    Using Service Accounts directly
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#creating-external-secret" class="md-nav__link">
-    Creating external secret
+  <a href="#using-pod-based-workload-identity" class="md-nav__link">
+    Using Pod-based Workload Identity
   </a>
   
 </li>
@@ -1066,40 +1081,25 @@
     </nav>
   
 </li>
-      
-        <li class="md-nav__item">
-  <a href="#authentication-with-workload-identity" class="md-nav__link">
-    Authentication with Workload Identity
-  </a>
-  
-    <nav class="md-nav" aria-label="Authentication with Workload Identity">
-      <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#following-the-documentation" class="md-nav__link">
-    Following the documentation
+  <a href="#gcp-service-account-authentication" class="md-nav__link">
+    GCP Service Account authentication
   </a>
   
-    <nav class="md-nav" aria-label="Following the documentation">
+    <nav class="md-nav" aria-label="GCP Service Account authentication">
       <ul class="md-nav__list">
         
           <li class="md-nav__item">
-  <a href="#changing-values" class="md-nav__link">
-    Changing Values
-  </a>
-  
-</li>
-        
-          <li class="md-nav__item">
-  <a href="#following-through" class="md-nav__link">
-    Following through
+  <a href="#update-secret-store" class="md-nav__link">
+    Update secret store
   </a>
   
 </li>
         
           <li class="md-nav__item">
-  <a href="#secretstore-with-workloadidentity" class="md-nav__link">
-    SecretStore with WorkloadIdentity
+  <a href="#creating-external-secret" class="md-nav__link">
+    Creating external secret
   </a>
   
 </li>
@@ -1135,8 +1135,86 @@
                 
                 <h2 id="google-cloud-secret-manager">Google Cloud Secret Manager</h2>
 <p>External Secrets Operator integrates with <a href="https://cloud.google.com/secret-manager">GCP Secret Manager</a> for secret management.</p>
-<h3 id="service-account-key-authentication">Service account key authentication</h3>
-<p>A service account key is created and the JSON keyfile is stored in a <code>Kind=Secret</code>. The <code>project_id</code> and <code>private_key</code> should be configured for the project.</p>
+<h2 id="authentication">Authentication</h2>
+<h3 id="workload-identity">Workload Identity</h3>
+<p>Your Google Kubernetes Engine (GKE) applications can consume GCP services like Secrets Manager without using static, long-lived authentication tokens. This is our recommended approach of handling credentials in GCP. ESO offers two options for integrating with GKE workload identity: <strong>pod-based workload identity</strong> and <strong>using service accounts directly</strong>. Before using either way you need to create a service account - this is covered below.</p>
+<h4 id="creating-workload-identity-service-accounts">Creating Workload Identity Service Accounts</h4>
+<p>You can find the documentation for Workload Identity <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">here</a>. We will walk you through how to navigate it here.</p>
+<p>Search <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">the documment</a> for this editable values and change them to your values:</p>
+<ul>
+<li><code>CLUSTER_NAME</code>: The name of your cluster</li>
+<li><code>PROJECT_ID</code>: Your project ID (not your Project number nor your Project name)</li>
+<li><code>K8S_NAMESPACE</code>: For us folowing these steps here it will be <code>es</code>, but this will be the namespace where you deployed the external-secrets operator</li>
+<li><code>KSA_NAME</code>: external-secrets (if you are not creating a new one to attach to the deployemnt)</li>
+<li><code>GSA_NAME</code>: external-secrets for simplicity, or something else if you have to follow different naming convetions for cloud resources</li>
+<li><code>ROLE_NAME</code>: should be <code>roles/secretmanager.secretAccessor</code> - so you make the pod only be able to access secrets on Secret Manager</li>
+</ul>
+<h4 id="using-service-accounts-directly">Using Service Accounts directly</h4>
+<p>Let's assume you have created a service account correctly and attached a appropriate workload identity. It should roughly look like this:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ServiceAccount</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">team-a</span>
+  <span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">team-a</span>
+  <span class="nt">annotations</span><span class="p">:</span>
+    <span class="nt">iam.gke.io/gcp-service-account</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example-team-a@my-project.iam.gserviceaccount.com</span>
+</code></pre></div>
+
+<p>You can reference this particular ServiceAccount in a <code>SecretStore</code> or <code>ClusterSecretStore</code>. It's important that you also set the <code>projectID</code>, <code>clusterLocation</code> and <code>clusterName</code>. The Namespace on the <code>serviceAccountRef</code> is ignored when using a <code>SecretStore</code> resource. This is needed to isolate the namespaces properly.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ClusterSecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">gcp-wi</span>
+<span class="nt">spec</span><span class="p">:</span>
+  <span class="nt">provider</span><span class="p">:</span>
+    <span class="nt">gcpsm</span><span class="p">:</span>
+      <span class="nt">projectID</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">my-project</span>
+      <span class="nt">auth</span><span class="p">:</span>
+        <span class="nt">workloadIdentity</span><span class="p">:</span>
+          <span class="c1"># name of the cluster region</span>
+          <span class="nt">clusterLocation</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">europe-central2</span>
+          <span class="c1"># name of the GKE cluster</span>
+          <span class="nt">clusterName</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example-workload-identity</span>
+          <span class="c1"># reference the sa from above</span>
+          <span class="nt">serviceAccountRef</span><span class="p">:</span>
+            <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">team-a</span>
+            <span class="nt">namespace</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">team-a</span>
+</code></pre></div>
+
+<h4 id="using-pod-based-workload-identity">Using Pod-based Workload Identity</h4>
+<p>You can attach a Workload Identity directly to the ESO pod. ESO then has access to all the APIs defined in the attached service account policy. You attach the workload identity by (1) creating a service account with a attached workload identity (described above) and (2) using this particular service account in the pod's <code>serviceAccountName</code> field.</p>
+<p>For this example we will assume that you installed ESO using helm and that you named the chart installation <code>external-secrets</code> and the namespace where it lives <code>es</code> like:</p>
+<div class="highlight"><pre><span></span><code>helm install external-secrets external-secrets/external-secrets --namespace es
+</code></pre></div>
+
+<p>Then most of the resources would have this name, the important one here being the k8s service account attached to the external-secrets operator deployment:</p>
+<div class="highlight"><pre><span></span><code><span class="c1"># ...</span>
+      <span class="nt">containers</span><span class="p">:</span>
+      <span class="p p-Indicator">-</span> <span class="nt">image</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ghcr.io/external-secrets/external-secrets:vVERSION</span>
+        <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
+        <span class="nt">ports</span><span class="p">:</span>
+        <span class="p p-Indicator">-</span> <span class="nt">containerPort</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">8080</span>
+          <span class="nt">protocol</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">TCP</span>
+      <span class="nt">restartPolicy</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Always</span>
+      <span class="nt">schedulerName</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">default-scheduler</span>
+      <span class="nt">serviceAccount</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets</span>
+      <span class="nt">serviceAccountName</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets</span> <span class="c1"># &lt;--- here</span>
+</code></pre></div>
+
+<p>The pod now has the identity. Now you need to configure the <code>SecretStore</code>.
+You just need to set the <code>projectID</code>, all other fields can be omitted.</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example</span>
+<span class="nt">spec</span><span class="p">:</span>
+  <span class="nt">provider</span><span class="p">:</span>
+    <span class="nt">gcpsm</span><span class="p">:</span>
+      <span class="nt">projectID</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">pid</span>
+</code></pre></div>
+
+<h3 id="gcp-service-account-authentication">GCP Service Account authentication</h3>
+<p>You can use <a href="https://cloud.google.com/iam/docs/service-accounts">GCP Service Account</a> to authenticate with GCP. These are static, long-lived credentials. A GCP Service Account is a JSON file that needs to be stored in a <code>Kind=Secret</code>. ESO will use that Secret to authenticate with GCP. See here how you <a href="https://cloud.google.com/iam/docs/creating-managing-service-accounts">manage GCP Service Accounts</a>.</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
 <span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Secret</span>
 <span class="nt">metadata</span><span class="p">:</span>
@@ -1160,7 +1238,7 @@
     <span class="no">}</span>
 </code></pre></div>
 
-<h3 id="update-secret-store">Update secret store</h3>
+<h4 id="update-secret-store">Update secret store</h4>
 <p>Be sure the <code>gcpsm</code> provider is listed in the <code>Kind=SecretStore</code></p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
 <span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
@@ -1177,7 +1255,7 @@
         <span class="nt">projectID</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">myproject</span>                  <span class="c1"># name of Google Cloud project</span>
 </code></pre></div>
 
-<h3 id="creating-external-secret">Creating external secret</h3>
+<h4 id="creating-external-secret">Creating external secret</h4>
 <p>To create a kubernetes secret from the GCP Secret Manager secret a <code>Kind=ExternalSecret</code> is needed.</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
 <span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
@@ -1200,51 +1278,6 @@
 <p>The operator will fetch the GCP Secret Manager secret and inject it as a <code>Kind=Secret</code>
 <div class="highlight"><pre><span></span><code>kubectl get secret secret-to-be-created -n &lt;namespace&gt; | -o jsonpath=&#39;{.data.dev-secret-test}&#39; | base64 -d
 </code></pre></div></p>
-<h2 id="authentication-with-workload-identity">Authentication with Workload Identity</h2>
-<p>This makes it possible for your Google Kubernetes Engine (GKE) applications to consume services provided by Google APIs, namely Secrets Manager service in this case.</p>
-<p>Here we will assume that you installed ESO using helm and that you named the chart installation <code>external-secrets</code> and the namespace where it lives <code>es</code> like:</p>
-<div class="highlight"><pre><span></span><code>helm install external-secrets external-secrets/external-secrets --namespace es
-</code></pre></div>
-
-<p>Then most of the resources would have this name, the important one here being the k8s service account attached to the external-secrets operator deployment:</p>
-<div class="highlight"><pre><span></span><code># ...
-      containers:
-      - image: ghcr.io/external-secrets/external-secrets:vVERSION
-        name: external-secrets
-        ports:
-        - containerPort: 8080
-          protocol: TCP
-      restartPolicy: Always
-      schedulerName: default-scheduler
-      serviceAccount: external-secrets
-      serviceAccountName: external-secrets # &lt;--- here
-</code></pre></div>
-
-<h3 id="following-the-documentation">Following the documentation</h3>
-<p>You can find the documentation for Workload Identity under <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">this url</a>. We will walk you through how to navigate it here.</p>
-<h4 id="changing-values">Changing Values</h4>
-<p>Search <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity">the documment</a> for this editable values and change them to your values:</p>
-<ul>
-<li>CLUSTER_NAME: The name of your cluster</li>
-<li>PROJECT_ID: Your project ID (not your Project number nor your Project name)</li>
-<li>K8S_NAMESPACE: For us folowing these steps here it will be <code>es</code>, but this will be the namespace where you deployed the external-secrets operator</li>
-<li>KSA_NAME: external-secrets (if you are not creating a new one to attach to the deployemnt)</li>
-<li>GSA_NAME: external-secrets for simplicity, or something else if you have to follow different naming convetions for cloud resources</li>
-<li>ROLE_NAME: roles/secretmanager.secretAccessor so you make the pod only be able to access secrets on Secret Manager</li>
-</ul>
-<h4 id="following-through">Following through</h4>
-<p>You can follow through the documentation and adapt it to your specific use case. If you want to just use the serviceaccount that we deployed with the helm chart, for example, you don't need to create a new service account on 2 of <a href="https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#authenticating_to">Authenticating to Google Cloud</a>.</p>
-<h4 id="secretstore-with-workloadidentity">SecretStore with WorkloadIdentity</h4>
-<p>To use workload identity you can just omit the auth field of the secret store and let the operator client fall back to defaults using the roles attached to your service account.</p>
-<div class="highlight"><pre><span></span><code>apiVersion: external-secrets.io/v1alpha1
-kind: SecretStore
-metadata:
-  name: example
-spec:
-  provider:
-    gcpsm:
-      projectID: pid
-</code></pre></div>
                 
               
               

sitemap.xml

@@ -1,119 +1,119 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-17</lastmod>
+     <lastmod>2021-12-22</lastmod>
      <changefreq>daily</changefreq>
     </url>
 </urlset>

spec/index.html

@@ -2438,6 +2438,20 @@ GCPSMAuthSecretRef
 </em>
 </td>
 <td>
+<em>(Optional)</em>
+</td>
+</tr>
+<tr>
+<td>
+<code>workloadIdentity</code></br>
+<em>
+<a href="#external-secrets.io/v1alpha1.GCPWorkloadIdentity">
+GCPWorkloadIdentity
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
 </td>
 </tr>
 </tbody>
@@ -2516,6 +2530,54 @@ string
 </tr>
 </tbody>
 </table>
+<h3 id="external-secrets.io/v1alpha1.GCPWorkloadIdentity">GCPWorkloadIdentity
+</h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1alpha1.GCPSMAuth">GCPSMAuth</a>)
+</p>
+<p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Field</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>
+<code>serviceAccountRef</code></br>
+<em>
+github.com/external-secrets/external-secrets/apis/meta/v1.ServiceAccountSelector
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<code>clusterLocation</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+</td>
+</tr>
+<tr>
+<td>
+<code>clusterName</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+</td>
+</tr>
+</tbody>
+</table>
 <h3 id="external-secrets.io/v1alpha1.GenericStore">GenericStore
 </h3>
 <p>