feat: support gcp service account key file and gcp doc (#1090)

**Description**
Added the support for GCP static service account credential file for an
easier way to show case how to access GenAI models on GCP VertexAI.

**Related Issues/PRs (if applicable)**
Fixes #1015 
Closes #609

---------

Signed-off-by: Dan Sun <[email protected]>

Author: yuzisun

api/v1alpha1/backendsecurity_policy.go

@@ -180,6 +180,7 @@ type GCPServiceAccountImpersonationConfig struct {
 }
 
 // BackendSecurityPolicyGCPCredentials contains the supported authentication mechanisms to access GCP.
+// +kubebuilder:validation:XValidation:rule="(has(self.credentialsFile) && !has(self.workloadIdentityFederationConfig)) || (has(self.workloadIdentityFederationConfig) && !has(self.credentialsFile))",message="Exactly one of GCPWorkloadIdentityFederationConfig or GCPCredentialsFile must be specified"
 type BackendSecurityPolicyGCPCredentials struct {
 	// ProjectName is the GCP project name.
 	//
@@ -192,10 +193,15 @@ type BackendSecurityPolicyGCPCredentials struct {
 	// +kubebuilder:validation:MinLength=1
 	Region string `json:"region"`
 
+	// CredentialsFile specifies the service account credentials file to use for the GCP provider.
+	//
+	// +optional
+	CredentialsFile *GCPCredentialsFile `json:"credentialsFile,omitempty"`
+
 	// WorkloadIdentityFederationConfig is the configuration for the GCP Workload Identity Federation.
 	//
-	// +kubebuilder:validation:Required
-	WorkloadIdentityFederationConfig GCPWorkloadIdentityFederationConfig `json:"workloadIdentityFederationConfig"`
+	// +optional
+	WorkloadIdentityFederationConfig *GCPWorkloadIdentityFederationConfig `json:"workloadIdentityFederationConfig,omitempty"`
 }
 
 // BackendSecurityPolicyAzureCredentials contains the supported authentication mechanisms to access Azure.
@@ -285,3 +291,11 @@ type AWSOIDCExchangeToken struct {
 	// +kubebuilder:validation:MinLength=1
 	AwsRoleArn string `json:"awsRoleArn"`
 }
+
+// GCPCredentialsFile specifies the service account key json file to authenticate with GCP provider.
+type GCPCredentialsFile struct {
+	// SecretRef is the reference to the credential file.
+	//
+	// The secret should contain the GCP service account credentials file keyed on "service_account.json".
+	SecretRef *gwapiv1.SecretObjectReference `json:"secretRef"`
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -18,6 +18,19 @@ spec:
     group: gateway.envoyproxy.io
 ---
 apiVersion: aigateway.envoyproxy.io/v1alpha1
+kind: AIServiceBackend
+metadata:
+  name: envoy-ai-gateway-basic-gcp-anthropic
+  namespace: default
+spec:
+  schema:
+    name: GCPAnthropic
+  backendRef:
+    name: envoy-ai-gateway-basic-gcp-us-east5
+    kind: Backend
+    group: gateway.envoyproxy.io
+---
+apiVersion: aigateway.envoyproxy.io/v1alpha1
 kind: BackendSecurityPolicy
 metadata:
   name: envoy-ai-gateway-basic-gcp-credentials
@@ -27,24 +40,16 @@ spec:
     - group: aigateway.envoyproxy.io
       kind: AIServiceBackend
       name: envoy-ai-gateway-basic-gcp
+    - group: aigateway.envoyproxy.io
+      kind: AIServiceBackend
+      name: envoy-ai-gateway-basic-gcp-anthropic
   type: GCPCredentials
   gcpCredentials:
     projectName: GCP_PROJECT_NAME  # Replace with your GCP project name
     region: GCP_REGION  # Replace with your GCP region
-    workloadIdentityFederationConfig:
-      projectID: GCP_PROJECT_ID  # Replace with your GCP project ID
-      workloadIdentityPoolName: GCP_WORKLOAD_IDENTITY_POOL  # Replace with your workload identity pool name
-      workloadIdentityProviderName: GCP_IDENTITY_PROVIDER_NAME  # Replace with the identity provider configured with GCP
-      serviceAccountImpersonation:
-        serviceAccountName: SERVICE_ACCOUNT_NAME  # Replace with the service account name to impersonate
-      oidcExchangeToken:
-        oidc:
-          provider:
-            issuer: GCP_OIDC_PROVIDER_ISSUER  # Replace with your OIDC provider issuer
-          clientID: GCP_OIDC_CLIENT_ID  # Replace with your OIDC client ID
-          clientSecret:
-            name: envoy-ai-gateway-basic-gcp-client-secret
-            namespace: default
+    credentialsFile:
+      secretRef:
+        name: envoy-ai-gateway-basic-gcp-service-account-key-file
 ---
 apiVersion: gateway.envoyproxy.io/v1alpha1
 kind: Backend
@@ -57,6 +62,17 @@ spec:
         hostname: us-central1-aiplatform.googleapis.com
         port: 443
 ---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: Backend
+metadata:
+  name: envoy-ai-gateway-basic-gcp-us-east5
+  namespace: default
+spec:
+  endpoints:
+    - fqdn:
+        hostname: us-east5-aiplatform.googleapis.com
+        port: 443
+---
 apiVersion: gateway.networking.k8s.io/v1alpha3
 kind: BackendTLSPolicy
 metadata:
@@ -71,10 +87,62 @@ spec:
     wellKnownCACertificates: "System"
     hostname: us-central1-aiplatform.googleapis.com
 ---
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+  name: envoy-ai-gateway-basic-gcp-us-east5-tls
+  namespace: default
+spec:
+  targetRefs:
+    - group: 'gateway.envoyproxy.io'
+      kind: Backend
+      name: envoy-ai-gateway-basic-gcp-us-east5
+  validation:
+    wellKnownCACertificates: "System"
+    hostname: us-east5-aiplatform.googleapis.com
+---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: envoy-ai-gateway-basic-gcp-client-secret
+  name: envoy-ai-gateway-basic-gcp-service-account-key-file
   namespace: default
 stringData:
-  client-secret: "GCP_OIDC_CLIENT_SECRET"  # Replace with your OIDC client secret
+  service_account.json: "{}"  # Replace with your service account json key file
+---
+apiVersion: aigateway.envoyproxy.io/v1alpha1
+kind: AIGatewayRoute
+metadata:
+  name: envoy-ai-gateway-basic-gcp
+  namespace: default
+spec:
+  parentRefs:
+    - name: envoy-ai-gateway-basic
+      kind: Gateway
+      group: gateway.networking.k8s.io
+  rules:
+    - matches:
+        - headers:
+            - type: Exact
+              name: x-ai-eg-model
+              value: gemini-2.5-flash
+      backendRefs:
+        - name: envoy-ai-gateway-basic-gcp
+---
+apiVersion: aigateway.envoyproxy.io/v1alpha1
+kind: AIGatewayRoute
+metadata:
+  name: envoy-ai-gateway-basic-gcp-anthropic
+  namespace: default
+spec:
+  parentRefs:
+    - name: envoy-ai-gateway-basic
+      kind: Gateway
+      group: gateway.networking.k8s.io
+  rules:
+    - matches:
+        - headers:
+            - type: Exact
+              name: x-ai-eg-model
+              value: claude-3-7-sonnet@20250219
+      backendRefs:
+        - name: envoy-ai-gateway-basic-gcp-anthropic

examples/basic/gcp_vertex.yaml

@@ -163,20 +163,46 @@ func (c *BackendSecurityPolicyController) rotateCredential(ctx context.Context,
 		if err = validateGCPCredentialsParams(bsp.Spec.GCPCredentials); err != nil {
 			return ctrl.Result{}, fmt.Errorf("invalid GCP credentials configuration: %w", err)
 		}
-
-		// For GCP, OIDC is currently the only supported authentication method.
-		// If additional methods are added, validate that OIDC is used before calling getBackendSecurityPolicyAuthOIDC.
 		oidc := getBackendSecurityPolicyAuthOIDC(bsp.Spec)
+		if oidc != nil {
+			// Create the OIDC token provider that will be used to get tokens from the OIDC provider.
+			var oidcProvider tokenprovider.TokenProvider
+			oidcProvider, err = tokenprovider.NewOidcTokenProvider(ctx, c.client, oidc)
+			if err != nil {
+				return ctrl.Result{}, fmt.Errorf("failed to initialize OIDC provider: %w", err)
+			}
+			rotator, err = rotators.NewGCPOIDCTokenRotator(c.client, c.logger, *bsp, preRotationWindow, oidcProvider)
+			if err != nil {
+				return ctrl.Result{}, err
+			}
+		} else if credentialFile := bsp.Spec.GCPCredentials.CredentialsFile; credentialFile != nil {
+			secretNamespace := bsp.Namespace
+			if credentialFile.SecretRef.Namespace != nil {
+				secretNamespace = string(*credentialFile.SecretRef.Namespace)
+			}
+			secretName := string(credentialFile.SecretRef.Name)
+			var secret *corev1.Secret
+			secret, err = rotators.LookupSecret(ctx, c.client, secretNamespace, secretName)
+			if err != nil {
+				c.logger.Error(err, "failed to lookup gcp service account key secret", "namespace", secretNamespace, "name", secretName)
+				return ctrl.Result{}, err
+			}
+			serviceAccountKeyJSON, exists := secret.Data[rotators.GCPServiceAccountJSON]
+			if !exists {
+				return ctrl.Result{}, fmt.Errorf("missing gcp service account key %s", rotators.GCPServiceAccountJSON)
+			}
+			var tokenProvider tokenprovider.TokenProvider
+			tokenProvider, err = tokenprovider.NewGCPTokenProvider(ctx, serviceAccountKeyJSON)
+			if err != nil {
+				return ctrl.Result{}, err
+			}
 
-		// Create the OIDC token provider that will be used to get tokens from the OIDC provider.
-		var oidcProvider tokenprovider.TokenProvider
-		oidcProvider, err = tokenprovider.NewOidcTokenProvider(ctx, c.client, oidc)
-		if err != nil {
-			return ctrl.Result{}, fmt.Errorf("failed to initialize OIDC provider: %w", err)
-		}
-		rotator, err = rotators.NewGCPOIDCTokenRotator(c.client, c.logger, *bsp, preRotationWindow, oidcProvider)
-		if err != nil {
-			return ctrl.Result{}, err
+			rotator, err = rotators.NewGCPTokenRotator(c.client, c.kube, c.logger, bsp.Namespace, bsp.Name, preRotationWindow, tokenProvider)
+			if err != nil {
+				return ctrl.Result{}, err
+			}
+		} else {
+			return ctrl.Result{}, fmt.Errorf("one of service account key json file or oidc must be defined, namespace %s name %s", bsp.Namespace, bsp.Name)
 		}
 
 	default:
@@ -258,7 +284,7 @@ func getBackendSecurityPolicyAuthOIDC(spec aigv1a1.BackendSecurityPolicySpec) *e
 		}
 		return nil
 	case aigv1a1.BackendSecurityPolicyTypeGCPCredentials:
-		if spec.GCPCredentials != nil {
+		if spec.GCPCredentials != nil && spec.GCPCredentials.WorkloadIdentityFederationConfig != nil {
 			return &spec.GCPCredentials.WorkloadIdentityFederationConfig.OIDCExchangeToken.OIDC
 		}
 	}
@@ -339,16 +365,17 @@ func validateGCPCredentialsParams(gcpCreds *aigv1a1.BackendSecurityPolicyGCPCred
 	}
 
 	wifConfig := gcpCreds.WorkloadIdentityFederationConfig
-	if wifConfig.ProjectID == "" {
-		return fmt.Errorf("invalid GCP Workload Identity Federation configuration: projectID cannot be empty")
-	}
-	if wifConfig.WorkloadIdentityPoolName == "" {
-		return fmt.Errorf("invalid GCP Workload Identity Federation configuration: workloadIdentityPoolName cannot be empty")
-	}
-	if wifConfig.WorkloadIdentityProviderName == "" {
-		return fmt.Errorf("invalid GCP Workload Identity Federation configuration: workloadIdentityProvider.name cannot be empty")
+	if wifConfig != nil {
+		if wifConfig.ProjectID == "" {
+			return fmt.Errorf("invalid GCP Workload Identity Federation configuration: projectID cannot be empty")
+		}
+		if wifConfig.WorkloadIdentityPoolName == "" {
+			return fmt.Errorf("invalid GCP Workload Identity Federation configuration: workloadIdentityPoolName cannot be empty")
+		}
+		if wifConfig.WorkloadIdentityProviderName == "" {
+			return fmt.Errorf("invalid GCP Workload Identity Federation configuration: workloadIdentityProvider.name cannot be empty")
+		}
 	}
-
 	return nil
 }
 
@@ -365,6 +392,9 @@ func getBSPGeneratedSecretName(bsp *aigv1a1.BackendSecurityPolicy) string {
 			return ""
 		}
 	case aigv1a1.BackendSecurityPolicyTypeGCPCredentials:
+		if bsp.Spec.GCPCredentials.WorkloadIdentityFederationConfig == nil {
+			return ""
+		}
 	case aigv1a1.BackendSecurityPolicyTypeAPIKey:
 		return "" // APIKey does not require rotation.
 	default: