feat: enable Workload Identity Federation with Kubernetes and add docs

[joekiller]

Presently the provider is limited to only work with GKE or Fleet Workload Identity pool providers. This PR ensures that the gcp provider may retrieve secrets on a cluster utilizing GOOGLE_APPLICATION_CREDENTIALS pointing to an audience pool provider backed by Workload Identity Federation with Kubernetes.

Fixes: #206

[joekiller]

@dargudear-google thank you for your attention regarding this enhancement. Please let me know if there is anything else I could do to help this along. Below is a bit more of an explanation of the change to help guide any review.

This change really comes down to letting the fleetWorkloadIdentity method return the full f.Audience value when splitting the f.Audience property fails to split; which when successful yields the idPool and idProvider values.

secrets-store-csi-driver-provider-gcp/auth/auth.go

Lines 276 to 284 in 4390d2d

	split := strings.SplitN(f.Audience, ":", 3)
	if split == nil || len(split) < 3 {
	// If the audience is not in the expected format, return the audience as the audience since this is likely a federated pool.
	return "", "", f.Audience, nil
	}
	idPool := split[1]
	idProvider := split[2]
	return idPool, idProvider, "", nil

fleetWorkloadIdentity now yields three strings instead of two. If the idPool and idProvider values were found, the first two strings are returned. Otherwise the third contains the full audience value. The audience string intended for tradeIDBindToken is then constructed with the idPool and idProvider strings or just uses the full audience value as is:

secrets-store-csi-driver-provider-gcp/auth/auth.go

Lines 120 to 133 in 4390d2d

	var audience string
	idPool, idProvider, err := c.gkeWorkloadIdentity(ctx, cfg)
	if err != nil {
	idPool, idProvider, audience, err = c.fleetWorkloadIdentity(ctx, cfg)
	if err != nil {
	return nil, err
	}
	}
	if audience == "" {
	audience = fmt.Sprintf("identitynamespace:%s:%s", idPool, idProvider)
	klog.V(5).InfoS("workload id configured", "pool", idPool, "provider", idProvider)
	} else {
	klog.V(5).InfoS("workload federation pool audience", audience)
	}

The audience string identitynamespace:%s:%s, which was previously very tightly coupled with fleet identity values and embedded directly in tradeIDBindToken, is now formed when idPool and idProvider are present, or it'll just use the audience value as is.

This allows the provider to meet the expectation set forth by AIP-4117, External Account Credentials (Workload Identity Federation), which elaborates on how one should be determining the subject token in file sourced credentials and follows the conventions set forth by IAM Documentation regarding Configure Workload Identity Federation with Kubernetes. This also retains all the functionality established to meet the conventions laid out in the GKE Enterprise Fleet Management docs regarding how to Use fleet Workload Identity Federation in application.

[joekiller]

Is there anything I can help with? I understand the e2e won't run without creds for a PR.

If there were two needs that could "magically" get addressed to help ship this, please let me know and I can work on them.

[dargudear-google]

Apologies for the delay due to release.
Merged the PR and e2e post that is also successful.
https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/actions/runs/11175382119