LOG-7348: Add CLO logic for GCP Workload Identity Federation

[Clee2691]

Description

This PR supersedes #3243.

The GCP output has been updated to align with our other cloud offerings by introducing a type for either serviceAccount (static) or workloadIdentity (short lived token) credentials.

The token source for WIF can either be from the CLF's service account or from a secret.

This PR also introduces validation of the credentials file.

/cc @vparfonov
/assign @jcantrill

Links

• JIRA: https://redhat.atlassian.net/browse/LOG-7348
• Vector update: https://redhat.atlassian.net/browse/LOG-9171
• Epic: https://redhat.atlassian.net/browse/LOG-3577

[openshift-ci-robot]

@Clee2691: This pull request references LOG-7348 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.8.0" version, but no target version was set.

Details

In response to this:

Description

This PR supersedes #3243.

Original Description:

Simple CLO changes to allow googeCloud WIF authentication. WIF functionality will also require an update to the vector client. The CLO changes are backwards compatible with existing vector auth functionality.

I've included a design document to highlight the API decision. There are no changes to the googleCloud authentication API. Service account tokens are always projected for GCP outputs to support WIF. This does not present any performance or security issues and greatly simplifies the implementation.

Users provide an authentication secret reference pointing to a credentials file:

type: "service_account" (current static authentication)
OR
type: "external_account" (Workload Identity Federation)

Vector detects the type of file and handles the appropriate authentication flow.

/cc @vparfonov
/assign @jcantrill

Links

• JIRA: https://redhat.atlassian.net/browse/LOG-7348
• Vector update: https://redhat.atlassian.net/browse/LOG-9171
• Epic: https://redhat.atlassian.net/browse/LOG-3577

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[jcantrill]

/approve

[jcantrill]

/label tide/merge-method-squash

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Clee2691, jcantrill

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [jcantrill]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jcantrill]

/hold

[openshift-ci]

@Clee2691: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.