falcon-operator
Support for pushing images using GCP workload identity federation
I've been looking through the authentication process for pushing images within a GCP project. It seems right now, when pushing images, the operator is looking explicitly for k8s secrets resources for everything other than AWS clusters (see here). This poses a security issue because the credentials in a k8s secret are long lived. The better solution here is to use an attached GCP service account via Workload Identity Federation.
I've made a sketch of a solution here:
https://github.com/CrowdStrike/falcon-operator/compare/main...tmorgansl:sketch/workload-identity-push-images?expand=1
However, it's not ready as a PR because it is blocked by #711.
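The distinction the issue draws, a long-lived GCP service account key stored in a Kubernetes Secret versus a ServiceAccount bound to a GCP identity through Workload Identity, can be checked mechanically. The following is an added audit example written for this page; it is not falcon-operator code and not the linked sketch. It assumes manifests in the shape `kubectl get ... -o json` produces, uses the GKE annotation `iam.gke.io/gcp-service-account` for the Workload Identity binding, and the Secret/ServiceAccount names and key contents are constructed placeholders.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Secret is the subset of a Kubernetes Secret needed for the check. Data
// values are base64-encoded, as `kubectl get secret -o json` shows them.
type Secret struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Data map[string]string `json:"data"`
}

// ServiceAccount is the subset of a Kubernetes ServiceAccount needed here.
type ServiceAccount struct {
	Metadata struct {
		Name        string            `json:"name"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
}

// gcpKeyFile mirrors the fields of a GCP service account JSON key file that
// identify it as such. The private key does not expire on its own, which is
// what makes a Secret holding it a long-lived credential.
type gcpKeyFile struct {
	Type        string `json:"type"`
	PrivateKey  string `json:"private_key"`
	ClientEmail string `json:"client_email"`
}

// WorkloadIdentityAnnotation is the GKE annotation binding a Kubernetes
// ServiceAccount to a GCP service account; tokens are then minted on demand.
const WorkloadIdentityAnnotation = "iam.gke.io/gcp-service-account"

// FindServiceAccountKey returns the data key and client_email of the first
// Secret entry that decodes to a GCP service account key, if any.
func FindServiceAccountKey(s Secret) (dataKey, clientEmail string, found bool) {
	for k, v := range s.Data {
		raw, err := base64.StdEncoding.DecodeString(v)
		if err != nil {
			continue // not base64: cannot be a key file
		}
		var kf gcpKeyFile
		if json.Unmarshal(raw, &kf) != nil {
			continue // not JSON: cannot be a key file
		}
		if kf.Type == "service_account" && kf.PrivateKey != "" {
			return k, kf.ClientEmail, true
		}
	}
	return "", "", false
}

// BoundGCPServiceAccount returns the GCP service account a Kubernetes
// ServiceAccount is bound to through Workload Identity, if annotated.
func BoundGCPServiceAccount(sa ServiceAccount) (string, bool) {
	v := sa.Metadata.Annotations[WorkloadIdentityAnnotation]
	return v, v != ""
}

// Constructed sample key file; the private key is a placeholder, not a real key.
const sampleKeyJSON = `{"type":"service_account","project_id":"example-project",` +
	`"private_key":"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",` +
	`"client_email":"image-pusher@example-project.iam.gserviceaccount.com"}`

// SampleSecret is a constructed Secret of the kind the issue describes.
func SampleSecret() Secret {
	var s Secret
	s.Metadata.Name = "registry-push-key" // placeholder name
	s.Data = map[string]string{
		"key.json": base64.StdEncoding.EncodeToString([]byte(sampleKeyJSON)),
	}
	return s
}

// SampleServiceAccount is a constructed ServiceAccount using Workload Identity.
func SampleServiceAccount() ServiceAccount {
	var sa ServiceAccount
	sa.Metadata.Name = "operator-sa" // placeholder name
	sa.Metadata.Annotations = map[string]string{
		WorkloadIdentityAnnotation: "image-pusher@example-project.iam.gserviceaccount.com",
	}
	return sa
}

func main() {
	if k, email, ok := FindServiceAccountKey(SampleSecret()); ok {
		fmt.Printf("long-lived: Secret %q entry %q is a key for %s\n", SampleSecret().Metadata.Name, k, email)
	}
	if gsa, ok := BoundGCPServiceAccount(SampleServiceAccount()); ok {
		fmt.Printf("short-lived: ServiceAccount %q bound to %s via Workload Identity\n", SampleServiceAccount().Metadata.Name, gsa)
	}
}
```

Run over a namespace's Secrets and ServiceAccounts, the first function surfaces key files that should be rotated out, and the second confirms which workloads already have an identity that needs no stored key.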
IIRC the plan is to actually deprecate this feature to push. Also, I believe that Workload Identity is already supported via setting the service account annotation.
The service account annotation doesn't work for the push because the operator isn't trying to use workload identity federation. If you check tokens.go, you see it's looking for a service account key.
Do you know when this is planned to be removed, and does it impact the functionality of the falcon admission controller? As it stands, the operator is spamming errors because it can't push these images.