[GEP-26] Workload Identity support

[dimityrmirchev]

How to categorize this PR?

/area security ipcei
/kind enhancement
/platform gcp
/label ipcei/workload-identity

What this PR does / why we need it:
This PR adds support for workload identity. A few of the main points of this PR:

• A mutator to configure the cloudprovider secret.
• A mutator to inject the needed configuration in the Terraformer pod.
• MCM container and pod are enhanced with needed configs in order to support this scenario.

Which issue(s) this PR fixes:
Part of gardener/gardener#9586

Special notes for your reviewer:
/cc @vpnachev

In order to develop/review this PR one would need a running Gardener Discovery Server + established trust from GCP account to Gardener's workload identity. This can be achieved using the proposed changes in the following PR: gardener/gardener#10520

The PR also depends on gardener/machine-controller-manager-provider-gcp#130 being reviewed and released.

I will keep this as draft until MCM PR is merged and documentation is added to the PR, but feel free to review/test.

Release note:

The extension now supports `Shoot`s using `WorkloadIdentity`s instead of cloud provider credentials.

[gardener-robot]

@dimityrmirchev Label ipcei/workload-identity does not exist.

[gardener-robot]

@dimityrmirchev Label ipcei/workload-identity does not exist.

[gardener-robot]

@dimityrmirchev Label ipcei/workload-identity does not exist.

[gardener-robot]

@dimityrmirchev You need rebase this pull request with latest master branch. Please check.

[vpnachev]

Some preliminary findings, I will need to take a second look (do not know if the change can be split into several PRs to ease the review).

[vpnachev]

I do not think the label is set on Workloadidentities, is it?

[dimityrmirchev]

It is https://github.com/gardener/gardener/blob/00475f59e65c994f01a452aedc472fe0c3887ef5/pkg/controllermanager/controller/credentialsbinding/reconciler.go#L101C2-L112

[vpnachev]

Ok, but that is valid only for workload identities referenced by credentials binding, otherwise it is not labeled, right?

[dimityrmirchev]

We discussed with @vpnachev and will replace the LabelSelector. Please see #855 (comment)

[vpnachev]

Suggested change

	// Validate checks whether the given new secret contains a valid GCP service account.
	// Validate checks whether the given new workloadidentity contains a valid GCP configuration.

[vpnachev]

Suggested change

	if workloadIdentity.Spec.TargetSystem.ProviderConfig == nil {
	if oldWorkloadIdentity.Spec.TargetSystem.ProviderConfig == nil {

But is this check necessary? If it was allowed providerConfig=nil, then there must be a migration path which seems to be forbidden here.

[dimityrmirchev]

You are right. We can skip the check

[vpnachev]

Suggested change

// +genclient

This is not a real API resource, hence a client is not needed.

[vpnachev]

On a second look, apart from the comments above, looks good to me.

[dimityrmirchev]

Once #866 is merged this PR can be moved to "Ready" state.

[dimityrmirchev]

This PR will also need #869 merged so we can use the GardenSecurityProviderType function introduced in g/g v1.104.0.

[dimityrmirchev]

I tested this PR after rebasing over the latest changes. The PR is ready for final review.

ping @kon-angelo

[dimityrmirchev]

After an offline talk with @vpnachev we decided to explore the possibility of using SubjectTokenSupplier which might replace the internal http server.

[dimityrmirchev]

After an offline talk with @vpnachev we decided to explore the possibility of using SubjectTokenSupplier which might replace the internal http server.

I updated the implementation to not rely on a local http server to retrieve the credentials.