fix(gcp): makes workload identity parameters optional#4622
Merged
gusfcarvalho merged 4 commits intomainfrom Apr 8, 2025
Merged
fix(gcp): makes workload identity parameters optional#4622gusfcarvalho merged 4 commits intomainfrom
gusfcarvalho merged 4 commits intomainfrom
Conversation
Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>
Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>
moolen
approved these changes
Apr 8, 2025
|
This was referenced Jun 20, 2025
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Feb 3, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
5 tasks
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Feb 9, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 4, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 6, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 6, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 6, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
patjlm
added a commit
to patjlm/external-secrets
that referenced
this pull request
Mar 11, 2026
Extends metadata server auto-detection to include the projectID field when using Workload Identity in GKE. Builds upon the foundation from external-secrets#4575, external-secrets#4622, and external-secrets#5208 which made cluster identity parameters optional. Problem: While cluster identity parameters (ClusterLocation, ClusterName, ClusterProjectID) became optional via metadata server lookup, the main projectID field (specifying where secrets are stored) remained required. This forced users to parameterize SecretStore configurations per-cluster, preventing static GitOps deployments via Config Sync/Fleet in multi-project environments. Solution: When projectID is omitted from SecretStore/ClusterSecretStore spec: 1. clusterProjectID() falls back to GCP metadata server 2. NewClient() populates gcpStore.ProjectID with detected value This allows the operator to access secrets in the same project as the GKE cluster without explicit configuration. Use Cases: - Portable SecretStore configs across multiple GCP projects - Static bootstrap manifests via Config Sync without parameterization - Eliminates cross-cluster network dependencies for private GKE clusters Changes: - provider.go: Add metadata server fallback in clusterProjectID() - provider.go: Populate gcpStore.ProjectID from clusterProjectID when empty - workload_identity_test.go: Add TestClusterProjectIDMetadataFallback - docs: Document projectID auto-detection feature with examples Note: projectID remains required when using static service account credentials, running outside GKE, or accessing secrets in a different project than the GKE cluster. Signed-off-by: Patrick Martin <patmarti@redhat.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #4616