gcpsm provider - Would like the ability to auto detect default values for auth.workloadIdentity cluster(Location|Name|Project)

[jbehrends]

This is a feature request/enhancement

This is for clusters running in GKE.

When defining a SecretStore that uses the gcpsm (Google Secret Manager) provider, you are required to define "clusterLocation", "clusterName" and "clusterProjectID" when setting up workloadIdentity authentication.

Exampoe:

spec:
  provider:
    gcpsm:
      auth:
        workloadIdentity:
          clusterLocation: <CLUSTER REGION>
          clusterName: <CLUSTER NAME>
          clusterProjectID: <CLUSTER PROJECT ID>

If your cluster has many workspaces or just a lot of SecretStores this ends up being a lot of duplicate configuration to maintain and also makes the configuration a tad more complex that what it needs to be.

So my request would be for the following enhancement.

Make these three values auto detected. The google metadata service is available to all pods by default in a GKE cluster. So if the external-secret operator detected (or was told) it was running in GKE then it could just query these values from the metadata REST endpoint and use them in the SecretStore configuration unless they were manually defined (ie. overridden) in the SecretStore object.
Metadata Service documentation: https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#instance_metadata
Example REST calls from inside of a pod running in GKE which will return the above values:

curl http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-location -H "Metadata-Flavor: Google"
us-east1
curl http://metadata.google.internal/computeMetadata/v1/instance/attributes/cluster-name -H "Metadata-Flavor: Google"
mycoolcluster
curl http://metadata.google.internal/computeMetadata/v1/project/project-id -H "Metadata-Flavor: Google
myawesomeproject

[gusfcarvalho]

this could be done as part of GCP auth. - if the values are not set we default to try getting them from instance metadata. If that fails, we should error out as it means this cluster is either not a GKE cluster or not set up to use GKE metadata server.

[felipecdmoura]

Hi! I'm starting contributing with ESO. May i try resolving this one?

[jbehrends]

I'd say go for it! This is blocking the adoption of External Secrets at my organization. So I'd love to see this implemented!

[xinau]

@gusfcarvalho @Skarlso I'd like to work on this feature request. An initial implementation should be quite similar to the one in GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp¹, where the information is read from the metadata server. Would this be a welcome contribution?

How should the behavior be when the fields clusterLocation, clusterName and clusterProjectID (all/some) aren't provided? This being especially interesting when the gcpsm.projectID is set, yet the desire is to have the ProjectID be determined from the metadata server.

A good approach to this could be, that when neither clusterLocation, clusterName and clusterProjecID are being set to ask the metadata server and otherwise fallback to the current behavior.

Footnotes

1. https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/blob/56d55d6c69fa1c62b20c78283cce10bb311ab257/auth/auth.go#L234 ↩

[gusfcarvalho]

Yes, it would be a valuable contribution.

IMO, it should be following:

• if WorkloadIdentity is set, for all the fields that are not filled in, query the metadata server. If any of those fail, error out.
• If the field is manually specified, use the manually specified field instead.

I think this won't be a breaking change re: gcpsm.projectID as when this is used for the clusterProjectID, this would also be the value queried from the metadata server, so we should be fine.

We might need to test impact on performance, though, as now we're doing 3 new calls to metadata server per auth🤔