Add Workload Identity federation support for GKE #177

Open

simonebruzzechesse opened this issue Nov 5, 2024 · 1 comment

Labels: enhancement (New feature or request)

Comments

@simonebruzzechesse

Is your feature request related to a problem? Please describe.
The best practice for accessing Google APIs from workloads running in a GKE cluster is to leverage Workload Identity Federation and link the Kubernetes service account with a GCP service account that has permissions to operate on Cloud products (such as Pub/Sub).

Describe the solution you'd like
Documentation is available at the following link. While it should still be doable to grant permissions on GCP resources to the k8s service account following this, it would be great to support linking the k8s service account via annotations, as in the following snippet, since there are limitations with the IAM WIF principal described in this page.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    iam.gke.io/gcp-service-account: [email protected]
  name: bindplane
  namespace: bindplane
```

I tried the following configuration in service-account.yml:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "bindplane.fullname" . }}
  namespace: {{ .Release.Namespace }}
  {{- if .Values.wif.iam_service_account }}
  annotations:
    iam.gke.io/gcp-service-account: {{ .Values.wif.iam_service_account }}
  {{- end }}
  labels:
    app.kubernetes.io/name: {{ include "bindplane.name" . }}
    app.kubernetes.io/stack: bindplane
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
```

and updated values.yaml by adding the following section:

```yaml
# Workload Identity
# https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#kubernetes-sa-to-iam
wif:
  iam_service_account: ""
```

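The annotation alone only covers the Kubernetes half of the link: the KSA principal `serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]` must also hold `roles/iam.workloadIdentityUser` on the GSA, and any other principal holding that role on the same GSA can mint tokens for it. The script below is an added example, not code from the bindplane chart or from either commenter: it audits a rendered ServiceAccount manifest against the GSA's IAM policy (the shape `gcloud iam service-accounts get-iam-policy GSA --format=json` returns) and reports whether the expected KSA is bound and who else is. The manifest, the policy and the `my-project` project ID are constructed sample data.

```python
"""Audit a GKE Workload Identity link between a Kubernetes ServiceAccount
(KSA) and a Google service account (GSA).

Added example for this issue, not bindplane project code. The annotation
key and IAM role are the documented GKE Workload Identity ones; the sample
manifest and IAM policy at the bottom are constructed test data.
"""
import re

# Annotation GKE reads on the KSA to decide which GSA the pod impersonates.
WIF_ANNOTATION = "iam.gke.io/gcp-service-account"
# Role the KSA principal must hold on the GSA for impersonation to work.
WIF_ROLE = "roles/iam.workloadIdentityUser"

# GSA account IDs and project IDs are 6-30 chars: lowercase start, alnum end.
GSA_EMAIL_RE = re.compile(
    r"^[a-z][-a-z0-9]{4,28}[a-z0-9]@[a-z][-a-z0-9]{4,28}[a-z0-9]"
    r"\.iam\.gserviceaccount\.com$"
)
# Principal form of a KSA under the cluster project's workload identity pool.
WIF_MEMBER_RE = re.compile(
    r"^serviceAccount:(?P<project>[a-z][-a-z0-9]{4,28}[a-z0-9])\.svc\.id\.goog"
    r"\[(?P<namespace>[^/\]]+)/(?P<ksa>[^\]]+)\]$"
)


def wif_member(project_id, namespace, ksa_name):
    """IAM member string GKE presents for a KSA of the given cluster project."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def binding_command(gsa_email, member):
    """gcloud command that grants the KSA principal impersonation on the GSA."""
    return (
        f"gcloud iam service-accounts add-iam-policy-binding {gsa_email} "
        f"--role {WIF_ROLE} --member '{member}'"
    )


def gsa_from_ksa(manifest):
    """GSA email from the KSA annotation, or None if absent or malformed."""
    meta = manifest.get("metadata", {})
    email = (meta.get("annotations") or {}).get(WIF_ANNOTATION)
    if email is None or not GSA_EMAIL_RE.match(email):
        return None
    return email


def audit_workload_identity(manifest, project_id, gsa_policy):
    """Check that exactly the expected KSA may impersonate the annotated GSA.

    manifest: the rendered ServiceAccount as a dict (e.g. from yaml.safe_load).
    gsa_policy: dict from `gcloud iam service-accounts get-iam-policy --format=json`.
    """
    meta = manifest.get("metadata", {})
    expected = wif_member(project_id, meta.get("namespace", "default"), meta["name"])
    gsa = gsa_from_ksa(manifest)
    members = []
    for binding in gsa_policy.get("bindings", []):
        if binding.get("role") == WIF_ROLE:
            members.extend(binding.get("members", []))
    extra = sorted(m for m in members if m != expected)
    # A non-KSA member (user:, group:, another GSA) widens who can mint
    # tokens for this GSA well beyond the cluster, so flag it separately.
    non_ksa = [m for m in extra if not WIF_MEMBER_RE.match(m)]
    return {
        "gsa": gsa,
        "expected_member": expected,
        "bound": expected in members,
        "extra_members": extra,
        "non_ksa_members": non_ksa,
        "ok": gsa is not None and expected in members and not extra,
        "fix": None if expected in members or gsa is None else binding_command(gsa, expected),
    }


# Constructed sample: what the chart renders with wif.iam_service_account set.
SAMPLE_KSA = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "name": "bindplane",
        "namespace": "bindplane",
        "annotations": {WIF_ANNOTATION: "bindplane@my-project.iam.gserviceaccount.com"},
    },
}

# Constructed sample: GSA policy with one stray extra KSA allowed to impersonate.
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": WIF_ROLE,
            "members": [
                "serviceAccount:my-project.svc.id.goog[bindplane/bindplane]",
                "serviceAccount:my-project.svc.id.goog[default/debug]",
            ],
        }
    ]
}

if __name__ == "__main__":
    for key, value in audit_workload_identity(SAMPLE_KSA, "my-project", SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

Run it against the real output of `kubectl get sa -n bindplane bindplane -o yaml` and the GSA's IAM policy; `ok` is true only when the annotation is well-formed and the KSA is the sole `workloadIdentityUser` principal, which is the least-privilege shape the GKE documentation describes.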

@jsirianni jsirianni self-assigned this Nov 5, 2024
@jsirianni jsirianni added the enhancement New feature or request label Nov 5, 2024
@jsirianni (Member)

Thanks for opening this issue. I have used workload identity in the past; the change will be straightforward. I will get this prioritized.
