Merge pull request #1154 from cappyzawa/feat/google-pubsub-workload-identity

[RFC-0010] Add object-level workload identity support to Google Pub/Sub notifier

Author: matheuscscp

api/v1beta3/provider_types.go

@@ -116,10 +116,22 @@ type ProviderSpec struct {
 	// +optional
 	SecretRef *meta.LocalObjectReference `json:"secretRef,omitempty"`
 
-	// ServiceAccountName is the name of the service account used to
-	// authenticate with services from cloud providers. An error is thrown if a
-	// static credential is also defined inside the Secret referenced by the
-	// SecretRef.
+	// ServiceAccountName is the name of the Kubernetes ServiceAccount used to
+	// authenticate with cloud provider services through workload identity.
+	// This enables multi-tenant authentication without storing static credentials.
+	//
+	// Supported provider types: azureeventhub, azuredevops, googlepubsub
+	//
+	// When specified, the controller will:
+	// 1. Create an OIDC token for the specified ServiceAccount
+	// 2. Exchange it for cloud provider credentials via STS
+	// 3. Use the obtained credentials for API authentication
+	//
+	// When unspecified, controller-level authentication is used (single-tenant).
+	//
+	// An error is thrown if static credentials are also defined in SecretRef.
+	// This field requires the ObjectLevelWorkloadIdentity feature gate to be enabled.
+	//
 	// +optional
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 

config/crd/bases/notification.toolkit.fluxcd.io_providers.yaml

@@ -511,10 +511,21 @@ spec:
                 type: object
               serviceAccountName:
                 description: |-
-                  ServiceAccountName is the name of the service account used to
-                  authenticate with services from cloud providers. An error is thrown if a
-                  static credential is also defined inside the Secret referenced by the
-                  SecretRef.
+                  ServiceAccountName is the name of the Kubernetes ServiceAccount used to
+                  authenticate with cloud provider services through workload identity.
+                  This enables multi-tenant authentication without storing static credentials.
+
+                  Supported provider types: azureeventhub, azuredevops, googlepubsub
+
+                  When specified, the controller will:
+                  1. Create an OIDC token for the specified ServiceAccount
+                  2. Exchange it for cloud provider credentials via STS
+                  3. Use the obtained credentials for API authentication
+
+                  When unspecified, controller-level authentication is used (single-tenant).
+
+                  An error is thrown if static credentials are also defined in SecretRef.
+                  This field requires the ObjectLevelWorkloadIdentity feature gate to be enabled.
                 type: string
               suspend:
                 description: |-

docs/api/v1beta3/notification.md

@@ -375,10 +375,17 @@ string
 </td>
 <td>
 <em>(Optional)</em>
-<p>ServiceAccountName is the name of the service account used to
-authenticate with services from cloud providers. An error is thrown if a
-static credential is also defined inside the Secret referenced by the
-SecretRef.</p>
+<p>ServiceAccountName is the name of the Kubernetes ServiceAccount used to
+authenticate with cloud provider services through workload identity.
+This enables multi-tenant authentication without storing static credentials.</p>
+<p>Supported provider types: azureeventhub, azuredevops, googlepubsub</p>
+<p>When specified, the controller will:
+1. Create an OIDC token for the specified ServiceAccount
+2. Exchange it for cloud provider credentials via STS
+3. Use the obtained credentials for API authentication</p>
+<p>When unspecified, controller-level authentication is used (single-tenant).</p>
+<p>An error is thrown if static credentials are also defined in SecretRef.
+This field requires the ObjectLevelWorkloadIdentity feature gate to be enabled.</p>
 </td>
 </tr>
 <tr>
@@ -716,10 +723,17 @@ string
 </td>
 <td>
 <em>(Optional)</em>
-<p>ServiceAccountName is the name of the service account used to
-authenticate with services from cloud providers. An error is thrown if a
-static credential is also defined inside the Secret referenced by the
-SecretRef.</p>
+<p>ServiceAccountName is the name of the Kubernetes ServiceAccount used to
+authenticate with cloud provider services through workload identity.
+This enables multi-tenant authentication without storing static credentials.</p>
+<p>Supported provider types: azureeventhub, azuredevops, googlepubsub</p>
+<p>When specified, the controller will:
+1. Create an OIDC token for the specified ServiceAccount
+2. Exchange it for cloud provider credentials via STS
+3. Use the obtained credentials for API authentication</p>
+<p>When unspecified, controller-level authentication is used (single-tenant).</p>
+<p>An error is thrown if static credentials are also defined in SecretRef.
+This field requires the ObjectLevelWorkloadIdentity feature gate to be enabled.</p>
 </td>
 </tr>
 <tr>

docs/spec/v1beta3/providers.md

@@ -778,6 +778,75 @@ stringData:
     attr2-name: attr2-value
 ```
 
+###### Google Pub/Sub with Workload Identity Example
+
+To configure a Provider for Google Pub/Sub authenticating with Workload Identity,
+create a Kubernetes ServiceAccount with the appropriate annotations, and a
+`googlepubsub` Provider with the ServiceAccount reference. This method eliminates
+the need for JSON credentials and enables multi-tenant authentication.
+
+**Single tenant approach**
+
+This approach uses the notification-controller service account for setting up
+authentication.
+
+- In the default installation, the notification-controller service account is
+  located in the `flux-system` namespace with name `notification-controller`.
+
+- Configure workload identity with notification-controller as described in the
+  docs [here](/flux/integrations/gcp/#for-google-cloud-pubsub).
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: googlepubsub-controller-level
+  namespace: flux-system
+spec:
+  type: googlepubsub
+  address: <GCP Project ID>
+  channel: <Pub/Sub Topic ID>
+  # No serviceAccountName specified - uses controller's identity
+```
+
+**Multi-tenant approach**
+
+For multi-tenant clusters, set `.spec.serviceAccountName` of the provider to
+the service account to be used for authentication. Ensure that the service
+account has the appropriate annotations for GCP workload identity.
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: googlepubsub-tenant-a
+  namespace: tenant-a
+spec:
+  type: googlepubsub
+  address: <GCP Project ID>
+  channel: <Pub/Sub Topic ID>
+  serviceAccountName: tenant-a-pubsub-sa
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tenant-a-pubsub-sa
+  namespace: tenant-a
+  annotations:
+    # For GKE Workload Identity
+    iam.gke.io/gcp-service-account: tenant-a-pubsub@<GCP_PROJECT_ID>.iam.gserviceaccount.com
+    # For Workload Identity Federation (non-GKE)
+    gcp.auth.fluxcd.io/workload-identity-provider: projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL_ID>/providers/<PROVIDER_ID>
+```
+
+**Note:** Object-level authentication requires the `ObjectLevelWorkloadIdentity` feature gate to be enabled:
+
+```bash
+--feature-gates=ObjectLevelWorkloadIdentity=true
+```
+
 ##### Opsgenie
 
 When `.spec.type` is set to `opsgenie`, the controller will send a payload for
@@ -1837,9 +1906,71 @@ Managed Identity authentication can be setup using Azure Workload identity.
   uses the correct namespace and name of the service account. For more details,
   please refer to this
   [guide](https://azure.github.io/azure-workload-identity/docs/quick-start.html#6-establish-federated-identity-credential-between-the-identity-and-the-service-account-issuer--subject).
-The service account used for authentication can be single-tenant
-(controller-level) or multi-tenant(object-level). For a complete guide on how to
-set up authentication, see the integration [docs](/flux/integrations/azure/).
+The service account used for authentication can be single-tenant or
+multi-tenant. For a complete guide on how to set up authentication, see the 
+integration [docs](/flux/integrations/azure/).
+
+##### Azure DevOps with Workload Identity Example
+
+**Single tenant approach**
+
+This approach uses the notification-controller service account for setting up
+authentication.
+
+- In the default installation, the notification-controller service account is
+  located in the `flux-system` namespace with name `notification-controller`.
+
+- Configure workload identity with notification-controller as described in the
+  docs [here](/flux/installation/configuration/workload-identity/).
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: azuredevops-controller-level
+  namespace: flux-system
+spec:
+  type: azuredevops
+  address: https://dev.azure.com/<organization>/<project>/_git/<repository>
+  # No serviceAccountName specified - uses controller's identity
+```
+
+**Multi-tenant approach**
+
+For multi-tenant clusters, set `.spec.serviceAccountName` of the provider to
+the service account to be used for authentication. Ensure that the service
+account has the
+[annotations](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview?tabs=dotnet#service-account-annotations)
+for the client-id and tenant-id of the managed identity.
+
+```yaml
+---
+apiVersion: notification.toolkit.fluxcd.io/v1beta3
+kind: Provider
+metadata:
+  name: azuredevops-tenant-a
+  namespace: tenant-a
+spec:
+  type: azuredevops
+  address: https://dev.azure.com/<organization>/<project>/_git/<repository>
+  serviceAccountName: tenant-a-devops-sa
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tenant-a-devops-sa
+  namespace: tenant-a
+  annotations:
+    azure.workload.identity/client-id: <client-id-of-managed-identity>
+    azure.workload.identity/tenant-id: <tenant-id>
+```
+
+**Note:** Object-level authentication requires the `ObjectLevelWorkloadIdentity` feature gate to be enabled:
+
+```bash
+--feature-gates=ObjectLevelWorkloadIdentity=true
+```
 
 #### PAT
 

internal/notifier/factory.go

@@ -263,7 +263,7 @@ func googleChatNotifierFunc(opts notifierOptions) (Interface, error) {
 }
 
 func googlePubSubNotifierFunc(opts notifierOptions) (Interface, error) {
-	return NewGooglePubSub(opts.URL, opts.Channel, opts.Token, opts.Headers)
+	return NewGooglePubSub(&opts)
 }
 
 func webexNotifierFunc(opts notifierOptions) (Interface, error) {

internal/notifier/google_helpers.go

@@ -0,0 +1,76 @@
+/*
+Copyright 2025 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package notifier
+
+import (
+	"context"
+	"fmt"
+	"net/url"
+
+	"google.golang.org/api/option"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/fluxcd/pkg/auth"
+	"github.com/fluxcd/pkg/auth/gcp"
+	"github.com/fluxcd/pkg/cache"
+
+	"github.com/fluxcd/notification-controller/api/v1beta3"
+)
+
+// buildGCPClientOptions builds client options for GCP services.
+// Authentication precedence: JSON credentials take priority over workload identity.
+func buildGCPClientOptions(ctx context.Context, opts notifierOptions) ([]option.ClientOption, error) {
+	var clientOpts []option.ClientOption
+
+	if opts.Token != "" {
+		clientOpts = append(clientOpts, option.WithCredentialsJSON([]byte(opts.Token)))
+	} else {
+		var authOpts []auth.Option
+		authOpts = append(authOpts, auth.WithClient(opts.TokenClient))
+
+		if opts.TokenCache != nil {
+			involvedObject := cache.InvolvedObject{
+				Kind:      v1beta3.ProviderKind,
+				Name:      opts.ProviderName,
+				Namespace: opts.ProviderNamespace,
+				Operation: OperationPost,
+			}
+			authOpts = append(authOpts, auth.WithCache(*opts.TokenCache, involvedObject))
+		}
+
+		if opts.ServiceAccountName != "" {
+			serviceAccountKey := client.ObjectKey{
+				Name:      opts.ServiceAccountName,
+				Namespace: opts.ProviderNamespace,
+			}
+			authOpts = append(authOpts, auth.WithServiceAccount(serviceAccountKey, opts.TokenClient))
+		}
+
+		if opts.ProxyURL != "" {
+			proxyURL, err := url.Parse(opts.ProxyURL)
+			if err != nil {
+				return nil, fmt.Errorf("error parsing proxy URL: %w", err)
+			}
+			authOpts = append(authOpts, auth.WithProxyURL(*proxyURL))
+		}
+
+		tokenSource := gcp.NewTokenSource(ctx, authOpts...)
+		clientOpts = append(clientOpts, option.WithTokenSource(tokenSource))
+	}
+
+	return clientOpts, nil
+}