POC for trying out ksa support as 3rd party idP

build/all/Dockerfile

@@ -70,7 +70,8 @@ USER nonroot:nonroot
 ENTRYPOINT ["/hydration-controller"]
 
 # OCI-sync image
-FROM gcr.io/distroless/static:latest as oci-sync
+#FROM gcr.io/distroless/static:latest as oci-sync
+FROM google/cloud-sdk:slim as oci-sync
 # Setting HOME ensures that whatever UID this ultimately runs as can write files.
 ENV HOME=/tmp
 WORKDIR /

pkg/reconcilermanager/controllers/reconciler_base.go

@@ -145,9 +145,9 @@ func (r *reconcilerBase) upsertServiceAccount(
 		// Update annotation when Workload Identity is enabled on a GKE cluster.
 		// In case, Workload Identity is not enabled on a cluster and spec.git.auth: gcpserviceaccount,
 		// the added annotation will be a no-op.
-		if auth == configsync.AuthGCPServiceAccount {
-			core.SetAnnotation(childSA, GCPSAAnnotationKey, email)
-		}
+		// if auth == configsync.AuthGCPServiceAccount {
+		// 	core.SetAnnotation(childSA, GCPSAAnnotationKey, email)
+		// }
 		return nil
 	})
 	if err != nil {

pkg/validate/raw/validate/source_spec_validator.go

@@ -143,12 +143,12 @@ func OciSpec(oci *v1beta1.Oci, rs client.Object) status.Error {
 	switch oci.Auth {
 	case configsync.AuthGCENode, configsync.AuthNone:
 	case configsync.AuthGCPServiceAccount:
-		if oci.GCPServiceAccountEmail == "" {
-			return MissingGCPSAEmail(rs)
-		}
-		if !validGCPServiceAccountEmail(oci.GCPServiceAccountEmail) {
-			return InvalidGCPSAEmail(rs)
-		}
+		// if oci.GCPServiceAccountEmail == "" {
+		// 	return MissingGCPSAEmail(rs)
+		// }
+		// if !validGCPServiceAccountEmail(oci.GCPServiceAccountEmail) {
+		// 	return InvalidGCPSAEmail(rs)
+		// }
 	default:
 		return InvalidOciAuthType(rs)
 	}