feat: add support for GCP Workload Identity Federation

[bharath-b-rh]

Problem Statement

PR adds support for Workload Identity Federation in GCP SecretStore.

Related Issue

Fixes #1038

Proposed Changes

The GCP SecretStore API is updated with new auth field for configuring the Workload Identity Federation similar to existing Workload Identity. In which an user can configure the audience value to be used to obtain the STS and the configmap reference containing the external_account type credential configuration in json format.

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[torfjor]

I don't see why we need this. Both in terms of functionality and API surface. The identity used for the token exchange will in this case always be that of the controller Pod's ServiceAccount. Having the option to reference multiple external account credentials doesn't result in any significant improvement in terms of tenant isolation or security, as the identity used for accessing the API is identical.

If you provide a unique ESO instance to tenant namespaces, you can achieve what this PR implements by supplying adc to the controller Pod:

# kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: external-secrets
helmCharts:
  - includeCRDs: true
    name: external-secrets
    releaseName: external-secrets
    repo: https://charts.external-secrets.io
    version: 0.16.1
resources:
  - store.yaml
  - externalsecret.yaml
configMapGenerator:
  - name: adc
    options:
      disableNameSuffixHash: true
    literals:
      - |-
        adc.json={
          "type": "external_account",
          "audience": "//iam.googleapis.com/projects/PROJECT_ID/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
          "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
          "token_url": "https://sts.googleapis.com/v1/token",
          "credential_source": {
            "file": "/var/run/secrets/credentials/token",
            "format": {
              "type": "text"
            }
          }
        }
patches:
  - target:
      kind: Deployment
      name: external-secrets
    patch: |-
      - op: add
        path: /spec/template/spec/containers/0/env
        value:
          - name: GOOGLE_APPLICATION_CREDENTIALS
            value: /var/run/secrets/credentials/adc.json
      - op: add
        path: /spec/template/spec/containers/0/volumeMounts
        value:
          - name: credentials
            mountPath: /var/run/secrets/credentials
      - op: add
        path: /spec/template/spec/volumes
        value:
          - name: credentials
            projected:
              defaultMode: 420
              sources:
              - serviceAccountToken:
                  path: token
                  audience: "https://iam.googleapis.com/projects/PROJECT_ID/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID"
                  expirationSeconds: 172800
              - configMap:
                  name: adc
                  items:
                    - key: adc.json

For the ESO-as-a-service model, we just need a way to override the identity provider and pool (audience) like mentioned here.

[dronenb]

For ESO as a service / multitenancy, you should only need to provide the projectID, provider and pool, as well as the service account reference, and an optional audience (not all workload identity pools use the default audience, some have custom), so that ESO can create a tokenRequest for the service account in the tenant's namespace, then perform the token exchange using the tenant's service account token rather than the controller.

Tenants should not be using the controller's token, since that would mean that any namespace in the cluster would have access to any secret the controller has access to.

Should be similar to how it works for secrets store CSI driver: GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp#459

[gusfcarvalho]

Tenants should not be using the controller's token, since that would mean that any namespace in the cluster would have access to any secret the controller has access to.

I generally agree with this logic ☝️. TBH, I think just allowing for 'ServiceAccountRef' to provide an Audience, plus the scope for the workload Identity pools should be enough.

[bharath-b-rh]

Should we add ServiceAccountRef only for the generators? So that in the providers where its just for controller makes use of own service account and in generators indicated ServiceAccount will be used for getting the tokens?

[gusfcarvalho]

Should we add ServiceAccountRef only for the generators? So that in the providers where its just for controller makes use of own service account and in generators indicated ServiceAccount will be used for getting the tokens?

I'm not sure if I follow. Do you have an example?

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[bharath-b-rh]

I apologize for the delay. I couldn't work on this issue at the intended pace.

I'm not sure if I follow. Do you have an example?

@gusfcarvalho Would having two config options like here in secretstore and generators be feasible? For secret store since it's only used by the operator, own service account will be used and for a generating a token using generators user provided service account will be used.

[y4ri]

Thank you for this patch. My use case is to produce username and password in a secret for crossplane helm provider to pull charts from Google Artifact Registry. I have Crossplane running on AWS, using GCP Workload Identity Federation for GCP providers. Thanks to your work here, that same identity setup can now be used by the Helm provider to pull charts as well. I hope this will be merged soon. Cheers!

[alexandrst88]

Hi! Will this feature be merged soon, it will help to interact with Google Artifact Registry from other clouds like AWS and others? I have the similar use case as @y4ri.

[bharath-b-rh]

Apologies for the delay. I'll prioritize this work this week.

[bharath-b-rh]

@gusfcarvalho During a discussion about this issue in a community call, suggestion I received was to extend GCPWorkloadIdentity to include PoolID, PoolProvider and Audience params, but I think with that we will be able to support only Kubernetes WIF provider and other scenarios like @y4ri , @alexandrst88 has mentioned wouldn't be supported.
I think adding new GCPWorkloadIdentityFederation with a param to configure the credentials config would cover most WIF providers. I have updated the PR with new changes, please take a look and let me know what you think.

[bharath-b-rh]

When credentials config has a URL configured in credential_source, which could be self created service to issue tokens, I thought to make use of ExternalTokenEndpoint to assert user knows about the configuration. I am not sure if it's really required though :)

[gusfcarvalho]

@bharath-b-rh - can you make sure the CI tests pass? 😄 I think there are no other changes aside from making sure everything works

[bharath-b-rh]

@bharath-b-rh - can you make sure the CI tests pass? 😄 I think there are no other changes aside from making sure everything works

@gusfcarvalho I have captured list of test scenarios with the outputs in a github gist here. PTAL. Thank you!

[Skarlso]

Just initial thoughts and comments for now. :)

[Skarlso]

I'm not sure I understand this comment about if empty a configmap key will be used. Could you add an example please?

[bharath-b-rh]

I had a condition in code, when a key is not provided, to use the first key read in map, just with the intention not fix the name for key or user must have to provide it. I will word it better.

[Skarlso]

Is that a good thing? Shouldn't rather the key be mandatory? Like, this is behind the scenes behaviour that might catch people off guard when suddenly, by default, the first key is used without warning. WDYT?

[bharath-b-rh]

Yeah, I agree, will update it make it mandatory.

[bharath-b-rh]

@Skarlso In case of ClusterGenerator, only in GCPSM we are reusing method for obtaining the TokenSource, unlike other providers where the logic for obtaining token is defined in the generator package. And the checks for if not cluster scoped resource look for referenced resources in same ExternalSecret namespace isn't used.
In GCPSM this check will not match for ClusterGenerators and we have to create the referenced objects in the same namespace as of ExternalSecrets, and this is not expected, correct?

[gusfcarvalho]

@Skarlso In case of ClusterGenerator, only in GCPSM we are reusing method for obtaining the TokenSource, unlike other providers where the logic for obtaining token is defined in the generator package.

I think both AWS and Azure registry token generators are leveraging common auth with their providers.

I would expect this to be the way to go when generators are driven from a common provider

Or did you mean something else I failed to understand? 😄

[Skarlso]

@bharath-b-rh Technically, the Generator should not be aware that it is in fact a ClusterGenerator, because it creates a virtual Generator that is effectively a Generator. :) Basically, a ClusterGenerator type is never asserted anywhere because it should always be just a Generator if that makes sense?

[bharath-b-rh]

@Skarlso Ah ok, I get it now. When I read the code and the comments, I thought it was mainly for extracting the embedded generator type, it makes sense now.

@gusfcarvalho I should have worded it better, what I meant to say was the GCPSM implementation we can't distinguish for what scenario auth is invoked, like though SecretStore, GCRAccessToken or ClusterGenerator. Basically I was looking if we could make that. Because I read this limitation on ClusterGenerator and I was thinking does it apply for reading the referenced objects too, like Secrets, ServiceAccounts etc...
And I was looking if there is a way to solve it, and my comment was coming from code changes pov :) Sorry for the confusions.

So ClusterGenerators are cluster scoped in existence terms, but the embedded generators are all namespaced variants, and hence every behavior should align with it.

Do we need an update to the limitation section in the docs? To mention referenced objects in the embedded types should also reside in the ExternalSecrets namespace.

[Skarlso]

@bharath-b-rh we can if it's not already mentioned.

[Skarlso]

Please run make helm.test.update and commit the diff. :) 🙇

[Skarlso]

Looks okay to me now after the make targets are run this can be merged. :)

[Skarlso]

Oh, and also, could you show a successful run using this feature please? 🙇
Edit: #4654 (comment)

This should be good enough.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud