Lookup cluster workload identity from instance metadata#4575
Merged
gusfcarvalho merged 2 commits intoexternal-secrets:mainfrom Mar 23, 2025
Merged
Conversation
Contributor
Author
issues: external-secrets#3540 This change adds the capability to the gcp secret manager provider to lookup the clusters workload id pool and provider from the metadata server. Signed-off-by: Felix Ehrenpfort <felix@ehrenpfort.de>
f043b98 to
e5af20c
Compare
Member
|
Hi @xinau ! Thanks for your contribution 💪 🥳 |
|
Member
|
/ok-to-test sha=bcfd9183ebd16f61a8e610bc3b34ef45046b84ca |
Contributor
gusfcarvalho
approved these changes
Mar 23, 2025
Member
|
Thanks for your contribution!! 🚀🚀 |
ivankatliarchuk
added a commit
to gofogo/external-secrets-fork
that referenced
this pull request
Mar 25, 2025
* main: update dependencies (external-secrets#4589) chore(deps): bump fossas/fossa-action from 1.5.0 to 1.6.0 (external-secrets#4586) chore(deps): bump mkdocs-material from 9.6.8 to 9.6.9 in /hack/api-docs (external-secrets#4588) chore(deps): bump platformdirs from 4.3.6 to 4.3.7 in /hack/api-docs (external-secrets#4587) chore(deps): bump github/codeql-action from 3.28.11 to 3.28.12 (external-secrets#4585) chore(deps): bump actions/setup-go from 5.3.0 to 5.4.0 (external-secrets#4584) chore(deps): bump golangci/golangci-lint-action from 6.5.1 to 6.5.2 (external-secrets#4583) chore(deps): bump actions/cache from 4.2.2 to 4.2.3 (external-secrets#4582) chore(deps): bump ubi8/ubi from `5993454` to `8bd1b63` (external-secrets#4581) Lookup cluster identity from instance metadata (external-secrets#4575) adding conjur description (external-secrets#4578) fix: bump jwt for cve fix (external-secrets#4580) Add `webhook.create: false` warning comment (external-secrets#4579)
Merged
5 tasks
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Feb 3, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
5 tasks
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Feb 9, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 4, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 6, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 6, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 6, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 11, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem Statement
When defining a SecretStore that uses the gcpsm (Google Secret Manager) provider, and one wants to use use workload identitity, the spec requires the values for
ClusterLocation,ClusterNameandClusterProjectIDare set. This adds additional configuration to maintain and makes the configuration more complex then required, as these values can be looked up from the metadata server available to all pods inside a GKE cluster.Related Issue
Fixes #3540
Proposed Changes
This change solves this issue by looking up the
project-id,cluster-locationandcluster-namefrom the metadata server when the values for eitherClusterProjectID,ClusterLocationorClusterNamearen't provided.Checklist
git commit --signoffmake testmake reviewable