Type: Feature Request
Resolution: Unresolved
1. Proposed title of this feature request
Secret Store CSI Driver - GCP Provider - Pod ADC authentication with per namespace WIF
2. What is the nature and description of the request?
Currently there are three primary methods for authenticating with the GCP Provider: Pod ADC uses the identity of the Pod that the secret(s) will be mounted on; Provider ADC uses the identity of the provider pod itself (not preferred for multi-tenancy, since every tenant shares one identity); and nodePublishSecretRef, which uses a long-lived GCP service account key to act as a chosen GCP SA. The customer would like to use the Pod ADC authentication mechanism so that each team can use its own WIF binding, giving each application team short-lived tokens instead of a stored key. Currently, the `fleetWorkloadIdentity` function looks for an audience value in a specific format, and we believe that this could be changed to permit any audience value. Further investigation is needed in this area.
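As an added illustration, not part of this request or the project's own manifests, the following shows the Pod ADC path the customer wants (the pod's own Kubernetes ServiceAccount bound through WIF, so no key is stored in the cluster) and, in comments, the nodePublishSecretRef path it replaces. The project ID, secret name, namespace, ServiceAccount and GCP SA names are placeholders assumed here.

```yaml
# Assumed placeholders: PROJECT_ID, team-a namespace, app-ksa, app-gsa.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-secrets
  namespace: team-a
spec:
  provider: gcp
  parameters:
    # No "auth: provider-adc" here: the provider will use the identity of
    # the mounting pod (Pod ADC), which is the per-namespace WIF binding.
    secrets: |
      - resourceName: "projects/PROJECT_ID/secrets/app-db-password/versions/latest"
        fileName: "db-password"
---
# The KSA is mapped to the team's GCP SA through Workload Identity,
# so the token presented to Secret Manager is short-lived and scoped
# to this namespace rather than to the provider or a shared key.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-ksa
  namespace: team-a
  annotations:
    iam.gke.io/gcp-service-account: app-gsa@PROJECT_ID.iam.gserviceaccount.com
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: team-a
spec:
  serviceAccountName: app-ksa   # identity used for Pod ADC
  containers:
    - name: app
      image: example.invalid/app:latest   # placeholder image
      volumeMounts:
        - name: secrets
          mountPath: /var/run/secrets/app
          readOnly: true
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-secrets
        # Long-lived-key alternative the request wants to avoid:
        # nodePublishSecretRef:
        #   name: gcp-sa-key   # Secret holding a downloaded SA key.json
```

The security difference is in the last four commented lines: with nodePublishSecretRef a static key sits in a Kubernetes Secret and must be rotated by hand, whereas Pod ADC issues a token per pod that expires on its own.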
3. Why does the customer need this? (List the business requirements here)
This is currently blocking the customer's use of the Secret Store CSI Driver to give their internal customers a seamless, self-serviced, WIF-enabled method of injecting secrets into their namespace.
4. List any affected packages or components.
Secret Store CSI Driver