apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: example
spec:
  provider:
    gcpsm:
      projectID: my-project
      auth:
        workloadIdentity:
          # name of the cluster region
          clusterLocation: europe-central2
          # name of the GKE cluster
          clusterName: example-workload-identity
          # projectID of the cluster (if omitted defaults to spec.provider.gcpsm.projectID)
          clusterProjectID: my-cluster-project
          # reference the sa from above
          serviceAccountRef:
            name: team-a
            namespace: team-a