feat(vault): add GCP Workload Identity authentication support #5356
bharath-b-rh left a comment:
Had a couple of nit suggestions, I am still going through the changes. Thank you!

Thanks for the suggestions, can you review it again?
```go
	// Path where the GCP auth method is enabled in Vault, e.g: "gcp"
	// +kubebuilder:default=gcp
	// +optional
	Path string `json:"path,omitempty"`

	// Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
	Role string `json:"role"`

	// Project ID of the Google Cloud Platform project
	// +optional
	ProjectID string `json:"projectID,omitempty"`

	// Location optionally defines a location/region for the secret
	// +optional
	Location string `json:"location,omitempty"`

	// Specify credentials in a Secret object
	// +optional
	SecretRef *GCPSMAuthSecretRef `json:"secretRef,omitempty"`

	// Specify a service account with Workload Identity
	// +optional
	WorkloadIdentity *GCPWorkloadIdentity `json:"workloadIdentity,omitempty"`

	// ServiceAccountRef to a service account for impersonation
	// +optional
	ServiceAccountRef *esmeta.ServiceAccountSelector `json:"serviceAccountRef,omitempty"`
}
```
I know it's nitpicking but revive will die once it's enabled. :D Please end sentences with a dot. :)
@Skarlso can you review again?

Can you take care of the check-diff and the unit test please? :) I'll take a look after. :)
- Add GCP Workload Identity auth method for Vault provider
- Update CRDs to support new authentication configuration
- Add comprehensive tests for GCP auth implementation
- Update dependencies for GCP authentication libraries

Signed-off-by: Samuel Molling <samuelmolling@fireflies.ai>
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
(cherry picked from commit c415097)
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

…ion fields
- Updated the API specification to include the new VaultGcpAuth authentication method.
- Added optional fields for GCP authentication, including `path`, `role`, `projectID`, `location`, `secretRef`, `workloadIdentity`, and `serviceAccountRef`.
- Updated references to include VaultGcpAuth in related sections.

Signed-off-by: [Samuel Molling] <samuelmolling@gmail.com>
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
(cherry picked from commit 77f933d)
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

- Introduced a new test file for GCP authentication methods, covering various scenarios for setting environment variables and GCP authentication setup.
- Enhanced the `setupGCPAuth` function to prioritize authentication methods: SecretRef, Workload Identity, ServiceAccountRef, and Default ADC.
- Added helper functions for handling service account key authentication and workload identity setup.
- Improved error handling and logging for environment variable management.

Signed-off-by: [Samuel Molling] <samuelmolling@gmail.com>
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
(cherry picked from commit 9737cfc)
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

…on scenarios
- Renamed the test function to `TestGCPAuthMethodSelection` for clarity.
- Introduced a table-driven test structure to cover multiple GCP authentication methods: SecretRef, Workload Identity, and Default ADC.
- Each test case now includes setup logic, expected outcomes, and descriptive logging for better test traceability.
- Improved error handling to ensure tests accurately reflect expected behavior in various scenarios.

Signed-off-by: [Samuel Molling] <samuelmolling@gmail.com>
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
(cherry picked from commit 56b3c5f)
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

- Renamed the `Gcp` authentication struct and related fields to `GCP` for consistency with naming conventions.
- Updated all references across the codebase, including deep copy functions and tests.
- Improved clarity in GCP authentication test cases by reflecting the new naming.

Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
(cherry picked from commit 5e3e1cb)
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

- Added missing periods to comments for consistency and clarity in `secretstore_vault_types.go`.
- Enhanced error handling in `setupDefaultGCPAuth` to validate Application Default Credentials (ADC) availability.
- Updated test cases in `auth_gcp_test.go` to reflect expected behavior when ADC is not configured, ensuring meaningful error messages are provided.
- Clarified comments in `auth_gcp.go` regarding the priority order of GCP authentication methods.

Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
(cherry picked from commit 90bd9f8)
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

- Updated go.mod to include the GCP authentication package for Vault.
- Updated go.sum to reflect the new dependency.
- Minor documentation fixes in YAML files to ensure proper punctuation in descriptions.

Signed-off-by: [Samuel Molling] <samuelmolling@gmail.com>
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
(cherry picked from commit 29ce7b2)
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

Resolved conflicts:
- apis/externalsecrets/v1/secretstore_vault_types.go: Updated VaultGCPAuth documentation
- go.mod: Added hashicorp/vault/api/auth/gcp v0.11.0 dependency
- providers/v1/vault/auth_gcp.go: Updated imports to use new structure (providers/v1, runtime)
- providers/v1/vault/auth_gcp_test.go: Merged both added versions
- docs/api/spec.md: Updated VaultGCPAuth API documentation

- Kept direct dependencies including hashicorp/vault/api/auth/gcp v0.11.0
- Updated to latest AWS SDK versions (v1.39.5)
- Updated cyberark/conjur-api-go to v0.13.8
- Maintained all local module references
@Skarlso can you run again? I just ran it and it looks ok.

@Skarlso looks good now

@Skarlso Do I need to do anything else right now, or should I just wait?

I will take a look at this again in my office hours. Because this is over 2000 lines, though, another maintainer will also need to take a look at it. 🙂

/ok-to-test sha=b4a4942d105ed0508a86391e577c0b8250c821e7

This looks okay.
```go
	tokenExists, err = setGcpAuthToken(ctx, c)
	if tokenExists {
		c.log.V(1).Info("Retrieved new token using GCP auth")
		return err
	}
```

Shouldn't that check the error...?
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
/ok-to-test sha=3252a70e13a520d3697fc86fdbdc9864236166fe

Thank you for the fantastic amount of work! :)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `1.0.0` -> `1.1.0` |

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets)</summary>

### [`v1.1.0`](https://github.com/external-secrets/external-secrets/releases/tag/v1.1.0)

[Compare Source](external-secrets/external-secrets@v1.0.0...v1.1.0)

Image: `ghcr.io/external-secrets/external-secrets:v1.1.0`
Image: `ghcr.io/external-secrets/external-secrets:v1.1.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v1.1.0-ubi-boringssl`

#### What's Changed

!*NOTE*!: During last community meeting we discussed that we are retiring our scarf account. With that, we will be changing back to [ghcr.io/external-secrets/external-secrets](http://ghcr.io/external-secrets/external-secrets) instead of [oci.external-secrets.io/external-secrets/external-secrets](http://oci.external-secrets.io/external-secrets/external-secrets). For now, the old domain will live for a couple months to give people to change back. With this release, the helm chart switched back to ghcr.

##### General

- chore(chart): release helm chart 1.0.0 by [@Skarlso](https://github.com/Skarlso) in [#5552](external-secrets/external-secrets#5552)
- feat(security): add support for ECDSA ssh keys by [@bigjazzsound](https://github.com/bigjazzsound) in [#5559](external-secrets/external-secrets#5559)
- fix: minor typo in comment of KeeperSecurity example by [@mdjong1](https://github.com/mdjong1) in [#5573](external-secrets/external-secrets#5573)
- docs(gcp): update documentation for using WorkloadIdentityFederation in non-GKE cluster by [@jennweir](https://github.com/jennweir) in [#5556](external-secrets/external-secrets#5556)
- chore(release): add darwin\_arm64 releases by [@lbordowitz](https://github.com/lbordowitz) in [#5583](external-secrets/external-secrets#5583)
- feat: support override IAM endpoint in IBM provider for APIkey auth by [@fidel-ruiz](https://github.com/fidel-ruiz) in [#5550](external-secrets/external-secrets#5550)
- feat(security): build tags for all the providers to disable them on d… by [@ShimonDarshan](https://github.com/ShimonDarshan) in [#5578](external-secrets/external-secrets#5578)
- fix: do not include the last element of the path in the iteration by [@Skarlso](https://github.com/Skarlso) in [#5588](external-secrets/external-secrets#5588)
- fix(k8s): support deleting whole secret by [@tiagolobocastro](https://github.com/tiagolobocastro) in [#5538](external-secrets/external-secrets#5538)
- fix(provider): configure TLS for secret server provider by [@Lumexralph](https://github.com/Lumexralph) in [#5558](external-secrets/external-secrets#5558)
- chore(aws): remove any usage of aws-sdk-v1 by [@Skarlso](https://github.com/Skarlso) in [#5590](external-secrets/external-secrets#5590)
- fix(gcp): check for secret version exists in PushSecret by [@bpalko](https://github.com/bpalko) in [#5593](external-secrets/external-secrets#5593)
- feat(vault): add GCP Workload Identity authentication support by [@SamuelMolling](https://github.com/SamuelMolling) in [#5356](external-secrets/external-secrets#5356)
- chore: fix sonar cloud issues by [@Skarlso](https://github.com/Skarlso) in [#5405](external-secrets/external-secrets#5405)
- chore(aws-sdk-v2): update dependencies to accept new aws regions by [@damienpuig](https://github.com/damienpuig) in [#5577](external-secrets/external-secrets#5577)
- feat(chart): use ghcr.io instead of our own domain by [@evrardjp](https://github.com/evrardjp) in [#5617](external-secrets/external-secrets#5617)

##### Dependencies

- chore(deps): bump golang from 1.25.3 to 1.25.4 by [@dependabot](https://github.com/dependabot)\[bot] in [#5560](external-secrets/external-secrets#5560)
- chore(deps): bump golang from 1.25.3-bookworm to 1.25.4-bookworm in /e2e by [@dependabot](https://github.com/dependabot)\[bot] in [#5568](external-secrets/external-secrets#5568)
- chore(deps): bump step-security/harden-runner from 2.13.1 to 2.13.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#5561](external-secrets/external-secrets#5561)
- chore(deps): bump softprops/action-gh-release from 2.4.1 to 2.4.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#5564](external-secrets/external-secrets#5564)
- chore(deps): bump helm/chart-testing-action from 2.7.0 to 2.8.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5565](external-secrets/external-secrets#5565)
- chore(deps): bump aws-actions/configure-aws-credentials from [`0d00a56`](external-secrets/external-secrets@0d00a56) to [`2475ef7`](external-secrets/external-secrets@2475ef7) by [@dependabot](https://github.com/dependabot)\[bot] in [#5562](external-secrets/external-secrets#5562)
- chore(deps): bump helm/kind-action from 1.12.0 to 1.13.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5563](external-secrets/external-secrets#5563)
- chore(deps): bump docker/setup-qemu-action from 3.6.0 to 3.7.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#5567](external-secrets/external-secrets#5567)
- chore(deps): bump regex from 2025.10.23 to 2025.11.3 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5570](external-secrets/external-secrets#5570)
- chore(deps): bump markdown from 3.9 to 3.10 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5569](external-secrets/external-secrets#5569)
- chore(deps): bump hashicorp/setup-terraform from [`982f6f0`](external-secrets/external-secrets@982f6f0) to [`4c5fdab`](external-secrets/external-secrets@4c5fdab) by [@dependabot](https://github.com/dependabot)\[bot] in [#5566](external-secrets/external-secrets#5566)
- chore(deps): bump golang from `d3f0cf7` to `d3f0cf7` by [@dependabot](https://github.com/dependabot)\[bot] in [#5595](external-secrets/external-secrets#5595)
- chore(deps): bump github/codeql-action from 4.31.2 to 4.31.3 by [@dependabot](https://github.com/dependabot)\[bot] in [#5596](external-secrets/external-secrets#5596)
- chore(deps): bump click from 8.3.0 to 8.3.1 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5602](external-secrets/external-secrets#5602)
- chore(deps): bump ubi9/ubi from `dec374e` to `dcd8128` by [@dependabot](https://github.com/dependabot)\[bot] in [#5594](external-secrets/external-secrets#5594)
- chore(deps): bump aws-actions/configure-aws-credentials from [`2475ef7`](external-secrets/external-secrets@2475ef7) to [`f2964c7`](external-secrets/external-secrets@f2964c7) by [@dependabot](https://github.com/dependabot)\[bot] in [#5597](external-secrets/external-secrets#5597)
- chore(deps): bump actions/dependency-review-action from 4.8.1 to 4.8.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#5598](external-secrets/external-secrets#5598)
- chore(deps): bump pymdown-extensions from 10.16.1 to 10.17.1 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5599](external-secrets/external-secrets#5599)
- chore(deps): bump certifi from 2025.10.5 to 2025.11.12 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5600](external-secrets/external-secrets#5600)
- chore(deps): bump mkdocs-material from 9.6.23 to 9.7.0 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5601](external-secrets/external-secrets#5601)
- chore(deps): bump mkdocs-macros-plugin from 1.4.1 to 1.5.0 in /hack/api-docs by [@dependabot](https://github.com/dependabot)\[bot] in [#5603](external-secrets/external-secrets#5603)

#### New Contributors

- [@bigjazzsound](https://github.com/bigjazzsound) made their first contribution in [#5559](external-secrets/external-secrets#5559)
- [@mdjong1](https://github.com/mdjong1) made their first contribution in [#5573](external-secrets/external-secrets#5573)
- [@jennweir](https://github.com/jennweir) made their first contribution in [#5556](external-secrets/external-secrets#5556)
- [@lbordowitz](https://github.com/lbordowitz) made their first contribution in [#5583](external-secrets/external-secrets#5583)
- [@fidel-ruiz](https://github.com/fidel-ruiz) made their first contribution in [#5550](external-secrets/external-secrets#5550)
- [@ShimonDarshan](https://github.com/ShimonDarshan) made their first contribution in [#5578](external-secrets/external-secrets#5578)
- [@bpalko](https://github.com/bpalko) made their first contribution in [#5593](external-secrets/external-secrets#5593)
- [@SamuelMolling](https://github.com/SamuelMolling) made their first contribution in [#5356](external-secrets/external-secrets#5356)
- [@damienpuig](https://github.com/damienpuig) made their first contribution in [#5577](external-secrets/external-secrets#5577)

**Full Changelog**: <external-secrets/external-secrets@v1.0.0...v1.1.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/2081
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
@Skarlso How is the documentation updated?

@SamuelMolling Which one?

I think I got it, we just need to change it here: https://github.com/external-secrets/external-secrets/blob/main/docs/provider/hashicorp-vault.md I'm going to open a PR with a fix; I found a bug in the token signing process and I'll fix the documentation.

fyi #5647

Ah nice, thanks.
…al-secrets#5356)

* feat(vault): add GCP Workload Identity authentication support
  - Add GCP Workload Identity auth method for Vault provider
  - Update CRDs to support new authentication configuration
  - Add comprehensive tests for GCP auth implementation
  - Update dependencies for GCP authentication libraries
  Signed-off-by: Samuel Molling <samuelmolling@fireflies.ai>
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
  (cherry picked from commit c415097)
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* docs(api): enhance VaultGcpAuth documentation and add GCP authentication fields
  - Updated the API specification to include the new VaultGcpAuth authentication method.
  - Added optional fields for GCP authentication, including `path`, `role`, `projectID`, `location`, `secretRef`, `workloadIdentity`, and `serviceAccountRef`.
  - Updated references to include VaultGcpAuth in related sections.
  Signed-off-by: [Samuel Molling] <samuelmolling@gmail.com>
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
  (cherry picked from commit 77f933d)
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* feat(vault): implement GCP authentication methods and add unit tests
  - Introduced a new test file for GCP authentication methods, covering various scenarios for setting environment variables and GCP authentication setup.
  - Enhanced the `setupGCPAuth` function to prioritize authentication methods: SecretRef, Workload Identity, ServiceAccountRef, and Default ADC.
  - Added helper functions for handling service account key authentication and workload identity setup.
  - Improved error handling and logging for environment variable management.
  Signed-off-by: [Samuel Molling] <samuelmolling@gmail.com>
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
  (cherry picked from commit 9737cfc)
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* refactor(vault): enhance GCP authentication tests with method selection scenarios
  - Renamed the test function to `TestGCPAuthMethodSelection` for clarity.
  - Introduced a table-driven test structure to cover multiple GCP authentication methods: SecretRef, Workload Identity, and Default ADC.
  - Each test case now includes setup logic, expected outcomes, and descriptive logging for better test traceability.
  - Improved error handling to ensure tests accurately reflect expected behavior in various scenarios.
  Signed-off-by: [Samuel Molling] <samuelmolling@gmail.com>
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
  (cherry picked from commit 56b3c5f)
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* refactor(vault): rename Gcp to GCP in Vault authentication types
  - Renamed the `Gcp` authentication struct and related fields to `GCP` for consistency with naming conventions.
  - Updated all references across the codebase, including deep copy functions and tests.
  - Improved clarity in GCP authentication test cases by reflecting the new naming.
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
  (cherry picked from commit 5e3e1cb)
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* fix(vault): improve GCP authentication handling and documentation
  - Added missing periods to comments for consistency and clarity in `secretstore_vault_types.go`.
  - Enhanced error handling in `setupDefaultGCPAuth` to validate Application Default Credentials (ADC) availability.
  - Updated test cases in `auth_gcp_test.go` to reflect expected behavior when ADC is not configured, ensuring meaningful error messages are provided.
  - Clarified comments in `auth_gcp.go` regarding the priority order of GCP authentication methods.
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
  (cherry picked from commit 90bd9f8)
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* feat: add GCP authentication support to HashiCorp Vault
  - Updated go.mod to include the GCP authentication package for Vault.
  - Updated go.sum to reflect the new dependency.
  - Minor documentation fixes in YAML files to ensure proper punctuation in descriptions.
  Signed-off-by: [Samuel Molling] <samuelmolling@gmail.com>
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
  (cherry picked from commit 29ce7b2)
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* test: enhance GCP auth tests to handle ADC availability
  - Updated test cases for GCP authentication to log outcomes based on ADC availability in the environment.
  - Clarified comments to indicate that both success and ADC-related failures are acceptable for certain test scenarios.
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
  (cherry picked from commit f3585ad)
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* test: refine GCP auth tests for ADC scenarios
  - Enhanced test cases to clarify expected outcomes based on ADC availability in the environment.
  - Updated comments and log messages to reflect the handling of both success and failure scenarios for ADC configuration.
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
  (cherry picked from commit 186f15d)
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* fix: restore GCP authentication types after merge
  Re-added VaultGCPAuth field and type definition that was lost during merge conflict resolution with upstream/main.
  - Added GCP field to VaultAuth struct
  - Added VaultGCPAuth type definition with all authentication methods
  - Regenerated CRDs and deepcopy code
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* style: apply gofmt formatting fixes
  Applied automatic formatting fixes from gofmt to align code with project style standards.
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* docs: update API documentation for VaultGCPAuth
  Update generated API documentation to reflect the VaultGCPAuth struct naming (GCP in uppercase) and related documentation changes.
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* chore: update test snapshots for Vault GCP auth
  Update test snapshots to include the new VaultGCPAuth configuration with GCP Workload Identity support.
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

* fix: correct error handling in GCP auth token method
  Signed-off-by: Samuel Molling <samuelmolling@gmail.com>

---------

Signed-off-by: Samuel Molling <samuelmolling@fireflies.ai>
Signed-off-by: Samuel Molling <samuelmolling@gmail.com>
Signed-off-by: [Samuel Molling] <samuelmolling@gmail.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Signed-off-by: Alvin Wong <alvin.wong@forgerock.com>



Problem Statement
The Vault provider in External Secrets Operator currently lacks support for Google Cloud Platform (GCP) authentication methods. Users running on GCP need to authenticate with Vault using GCP Workload Identity, service account keys, or GCE instance metadata, but these authentication methods are not available.
Related Issue
Fixes #5325
Proposed Changes
This PR adds comprehensive GCP authentication support to the Vault provider by implementing:
- `VaultGcpAuth` struct with support for `workloadIdentity`, `secretRef`, `serviceAccountRef`, `projectID`, `path`, and `role` configuration

The implementation reuses existing GCP Secret Manager token source logic for consistency and leverages Vault's native GCP authentication capabilities.
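Two points from the thread are worth seeing in running code: the priority order the commit messages give for `setupGCPAuth` (SecretRef, then Workload Identity, then ServiceAccountRef, then Application Default Credentials, failing closed when none is available), and the reviewer's question about the `setGcpAuthToken` snippet, where `if tokenExists { return err }` drops an error that arrives together with `tokenExists == false`. The Go below is an added illustration, not code from this PR or from external-secrets. `GCPAuthConfig`, `SelectGCPAuthMethod`, `LoginPath`, `TokenSetter`, `LoginSwallowsError`, `LoginChecksError`, `FailingSetter` and `ErrSignJWT` are assumed names; the config type reduces the real Kubernetes selectors to plain strings, and the `(bool, error)` semantics of the token setter are an assumption about the snippet, not a statement of how the project's function behaves.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// GCPAuthConfig is a constructed stand-in for the VaultGCPAuth fields shown in
// the review (role, path, secretRef, workloadIdentity, serviceAccountRef).
// The real type holds Kubernetes selectors; here each is just a name.
type GCPAuthConfig struct {
	Role              string
	Path              string // Vault mount path; empty means the kubebuilder default "gcp"
	SecretRef         string // Secret holding a service-account key JSON
	WorkloadIdentity  string // Kubernetes ServiceAccount bound to a GCP identity
	ServiceAccountRef string // ServiceAccount used for impersonation
}

type AuthMethod string

const (
	MethodSecretRef         AuthMethod = "secretRef"
	MethodWorkloadIdentity  AuthMethod = "workloadIdentity"
	MethodServiceAccountRef AuthMethod = "serviceAccountRef"
	MethodDefaultADC        AuthMethod = "defaultADC"
)

// SelectGCPAuthMethod applies the priority order from the commit messages:
// SecretRef, Workload Identity, ServiceAccountRef, then ADC. It fails closed:
// with nothing configured and no ADC available it returns an error instead of
// quietly continuing without credentials.
func SelectGCPAuthMethod(cfg GCPAuthConfig, adcAvailable bool) (AuthMethod, error) {
	if cfg.Role == "" {
		return "", errors.New("vault gcp auth: role is required")
	}
	switch {
	case cfg.SecretRef != "":
		return MethodSecretRef, nil
	case cfg.WorkloadIdentity != "":
		return MethodWorkloadIdentity, nil
	case cfg.ServiceAccountRef != "":
		return MethodServiceAccountRef, nil
	case adcAvailable:
		return MethodDefaultADC, nil
	}
	return "", errors.New("vault gcp auth: no credentials configured and Application Default Credentials are not available")
}

// LoginPath builds the Vault login endpoint for the configured mount, applying
// the +kubebuilder:default=gcp seen on the Path field when Path is empty.
func LoginPath(cfg GCPAuthConfig) string {
	path := cfg.Path
	if path == "" {
		path = "gcp"
	}
	return "auth/" + path + "/login"
}

// TokenSetter stands in for setGcpAuthToken(ctx, c) (bool, error): the bool
// reports whether a token was obtained, the error why it was not (assumed).
type TokenSetter func(ctx context.Context) (bool, error)

// LoginSwallowsError has the shape of the flagged snippet: the error is only
// returned when tokenExists is true, so a (false, err) result is silently
// dropped and the caller treats a failed login as "method not applicable".
func LoginSwallowsError(ctx context.Context, set TokenSetter) error {
	tokenExists, err := set(ctx)
	if tokenExists {
		return err
	}
	return nil
}

// LoginChecksError inspects the error before the bool, so a failed GCP login
// surfaces to the caller instead of being mistaken for "not configured".
func LoginChecksError(ctx context.Context, set TokenSetter) error {
	tokenExists, err := set(ctx)
	if err != nil {
		return fmt.Errorf("gcp auth: %w", err)
	}
	if !tokenExists {
		return errors.New("gcp auth: no token retrieved")
	}
	return nil
}

// ErrSignJWT is a constructed failure standing in for a rejected IAM signJwt
// call, e.g. when the caller lacks the iam.serviceAccounts.signJwt permission.
var ErrSignJWT = errors.New("signJwt: permission denied")

// FailingSetter returns (false, ErrSignJWT), the case the reviewer asked about.
func FailingSetter(_ context.Context) (bool, error) { return false, ErrSignJWT }

func main() {
	cfg := GCPAuthConfig{Role: "eso-role", WorkloadIdentity: "external-secrets"}
	method, err := SelectGCPAuthMethod(cfg, false)
	fmt.Println("method:", method, "err:", err, "path:", LoginPath(cfg))
	fmt.Println("swallowed:", LoginSwallowsError(context.Background(), FailingSetter))
	fmt.Println("checked:", LoginChecksError(context.Background(), FailingSetter))
}
```

Run as-is, the buggy variant reports `swallowed: <nil>` for a login that actually failed, while the checked variant returns the wrapped `signJwt` error; in a controller that is the difference between a clear status condition and an ExternalSecret that silently never syncs.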