PBM support for Workload Identity Federation

[jcechace]

CHANGE DESCRIPTION

Problem:
PBM recently introduced support support for GCP Workload Identity Federation.
https://perconadev.atlassian.net/browse/PBM-1660

However, this needs to be enabled via storage.gcs.workloadIdentity=true. Currently there is no means of doing this in the operator. This (draft) PR is a demonstration what could be done to allow this.

CHECKLIST

Jira

• Is the Jira ticket created and referenced properly?
• Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
• Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

• Is an E2E test/test case added for the new feature/change?
• Are unit tests added where appropriate?
• Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

• Are all needed new/changed options added to default YAML files?
• Are all needed new/changed options added to the Helm Chart?
• Did we add proper logging messages for operator actions?
• Did we ensure compatibility with the previous version or cluster upgrade process?
• Does the change support oldest and newest supported MongoDB version?
• Does the change support oldest and newest supported Kubernetes version?

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[jcechace]

This is more of a demo (in order to bring this to your attention) than a proper PR.
Feel free to close it / cherry pick or instruct me how to proceed (e.g. the first 2 commits should likely be dropped once the operator updates to current PBM dev).

[JNKPercona]

Test Name	Result	Time
arbiter	passed	00:11:24
balancer	passed	00:19:34
cross-site-sharded	passed	00:19:06
custom-replset-name	passed	00:10:35
custom-tls	passed	00:14:47
custom-users-roles	passed	00:10:26
custom-users-roles-sharded	passed	00:12:04
data-at-rest-encryption	passed	00:12:28
data-sharded	passed	00:23:54
demand-backup	passed	00:16:10
demand-backup-eks-credentials-irsa	passed	00:00:09
demand-backup-fs	passed	00:24:01
demand-backup-if-unhealthy	passed	00:11:30
demand-backup-incremental-aws	failure	00:07:50
demand-backup-incremental-azure	failure	00:08:37
demand-backup-incremental-gcp-native	failure	00:08:15
demand-backup-incremental-gcp-s3	failure	00:08:07
demand-backup-incremental-minio	failure	00:07:42
demand-backup-incremental-sharded-aws	failure	00:13:29
demand-backup-incremental-sharded-azure	failure	00:13:10
demand-backup-incremental-sharded-gcp-native	failure	00:13:35
demand-backup-incremental-sharded-gcp-s3	failure	00:13:37
demand-backup-incremental-sharded-minio	failure	00:13:15
demand-backup-physical-parallel	passed	00:08:29
demand-backup-physical-aws	failure	00:09:18
demand-backup-physical-azure	failure	00:09:16
demand-backup-physical-gcp-s3	failure	00:09:09
demand-backup-physical-gcp-native	failure	00:09:19
demand-backup-physical-minio	failure	00:09:48
demand-backup-physical-minio-native	failure	00:09:57
demand-backup-physical-minio-native-tls	failure	00:16:43
demand-backup-physical-sharded-parallel	passed	00:12:03
demand-backup-physical-sharded-aws	failure	00:13:49
demand-backup-physical-sharded-azure	failure	00:13:35
demand-backup-physical-sharded-gcp-native	failure	00:13:55
demand-backup-physical-sharded-minio	failure	00:13:36
demand-backup-physical-sharded-minio-native	failure	00:13:55
demand-backup-sharded	passed	00:26:29
disabled-auth	passed	00:16:20
expose-sharded	passed	00:34:48
finalizer	passed	00:11:07
ignore-labels-annotations	passed	00:08:23
init-deploy	passed	00:13:34
ldap	passed	00:09:37
ldap-tls	passed	00:13:25
limits	passed	00:06:47
liveness	passed	00:09:07
mongod-major-upgrade	passed	00:13:10
mongod-major-upgrade-sharded	passed	00:22:16
monitoring-2-0	passed	00:25:17
monitoring-pmm3	passed	00:27:44
multi-cluster-service	passed	00:13:30
multi-storage	failure	00:10:56
non-voting-and-hidden	failure	00:13:40
one-pod	passed	00:07:51
operator-self-healing-chaos	failure	01:26:26
pitr	passed	00:32:20
pitr-physical	failure	00:32:17
pitr-sharded	passed	00:21:14
pitr-to-new-cluster	failure	00:23:56
pitr-physical-backup-source	failure	00:30:41
preinit-updates	passed	00:05:36
pvc-auto-resize	passed	00:13:38
pvc-resize	passed	00:16:46
recover-no-primary	failure	00:11:57
replset-overrides	failure	00:10:17
replset-remapping	failure	00:12:34
replset-remapping-sharded	passed	00:18:28
rs-shard-migration	passed	00:17:17
scaling	passed	00:12:00
scheduled-backup	failure	00:13:02
security-context	passed	00:08:36
self-healing-chaos	passed	00:16:27
service-per-pod	passed	00:21:11
serviceless-external-nodes	passed	00:08:07
smart-update	passed	00:08:44
split-horizon	passed	00:14:45
stable-resource-version	passed	00:05:01
storage	passed	00:07:54
tls-issue-cert-manager	passed	00:32:37
unsafe-psa	passed	00:09:00
upgrade	passed	00:10:21
upgrade-consistency	passed	00:10:01
upgrade-consistency-sharded-tls	passed	01:00:10
upgrade-sharded	failure	00:04:44
upgrade-partial-backup	failure	00:12:30
users	passed	00:18:20
users-vault	passed	00:16:41
version-service	passed	00:25:58

Summary	Value
Tests Run	89/89
Job Duration	04:13:07
Total Test Time	23:11:02

commit: 998d7e5
image: perconalab/percona-server-mongodb-operator:PR-2246-998d7e5e

[egegunes]

@jcechace I suggest marking this PR as ready for review, otherwise no one will see it.

[jcechace]

@egegunes apology for the delay. It's definitively not ready for review though :) Should I still switch it? It was just a heads up of what we have changed on PBM side

[egegunes]

ok, i thought this is ready for review. i created https://perconadev.atlassian.net/browse/K8SPSMDB-1630 to take a look at this and finish.