Hashicorp Vault provider: support GCP authentication method

[bkonicek-calm]

Is your feature request related to a problem? Please describe.
No

Describe the solution you'd like
Based on the documentation for the provider, it does not appear to support GCP authentication to Vault, using workload identity/a GCP service account. This would greatly help streamline setup when ESO and Vault are both running in GKE clusters.

We had no problem getting it working using the Kubernetes auth method, when ESO and Vault were running in the same GKE cluster, but once we deploy ESO in other clusters, or when an HA configured Vault cluster fails over to another cluster, Kubernetes authentication fails because Vault cannot reach the api-server of remote clusters attempting to authenticate to validate their JWT tokens.

Describe alternatives you've considered
We're currently getting around this by using the Vault agent injector, to inject a vault agent sidecar in all ESO pods, and configure it as a proxy with GCP auth, using use_auto_auth_token = force to override a dummy token passed by the secret store. We can then point secret stores using Vault at http://127.0.0.1:8200 instead of the Vault server itself to handle authentication.

Additional context
N/A

[moolen]

Hey, is there any reason not to use kubernetes auth? Why do you specifically need the GCP auh api?

This seems to be a network/config problem when you're unable to authenticate from a different cluster

[bkonicek-calm]

Yes - it adds a lot of complexity to configuring the Vault roles for multiple clusters as we need to allow Vault to access the TokenReview API of every cluster.

Additionally, aside from the configuration issues it's more overhead to configure a separate auth method for every cluster, versus using a single gcp auth method with different roles inside of it.

Is there a reason that GCP auth isn't supported already but AWS IAM auth is? If it's something you don't plan to support that's fine, and we can keep using our existing workaround, it would just be a nice to have.

[moolen]

I see, that's fair.

Its just not inplemented because there was no need for it so far.
So, i'd be happy to accept a PR for that :)

[pawelczuczwara]

First of all I would like to praise External Secrets developer team for great work. Great kudos for this life saving product.

We have that same setup as described here.
And while not really resource consuming, it still requires to add more sidecars, that stripping request token and adding the new one. It is only secure if we have vault proxy(proxies) as sidecar.
Additionally we need to manage multiple dependencies.

[gusfcarvalho]

Hi @pawelczuczwara . This issue has already been triaged as a valid feature request.

Because I believe this should be relatively simple, I suggested it to be a focus for anyone wanting to start their contribution journey to external-secrets (a good first issue).

i.e. You don't need to convince this is needed 😄. We just need to find someone willing to implement it.

[SamuelMolling]

I just create this one to try: #5356