Read ADO PAT from GCP secret manager #10702

Closed
3 of 5 tasks
dekiel opened this issue May 16, 2024 · 1 comment
Labels: area/ci Issues or PRs related to CI related topics

dekiel commented May 16, 2024

Description

The image-builder GitHub action used in the image-builder reusable workflow must have access to an ADO PAT in order to authenticate with the ADO API. The token value should be read from GCP secret manager. Reading the token from secret manager should be part of the image-builder reusable workflow. Access to the secret manager should be authenticated using a GitHub OIDC token and GCP workflow identity federation. There is an existing GitHub action provided by Google for authentication and accessing secret manager. The image-builder reusable workflow must use a dedicated GCP service account with access only to the ADO PAT secret in secret manager.

Reasons

GCP secret manager is our default storage for secrets. It has proved to be stable. Central storage of secrets makes management and rotation of secrets much easier. Using the GitHub OIDC provider for accessing GCP resources is our standard solution.

Acceptance Criteria

  • image-builder github action uses ADO PAT read from GCP secret manager.
  • ADO PAT is read from GCP secret manager as part of image-builder reusable workflow.
  • image-builder reusable workflow uses GitHub OIDC provider and GCP identity federation for authentication in GCP.
  • image-builder reusable workflow uses dedicated GCP service account for accessing secret-manager.
  • Dedicated GCP service account for image-builder reusable workflow has access only to the secret used by image-builder reusable workflow.
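An added example of the reusable workflow described in this issue (it is not the project's own workflow file): the job requests a GitHub OIDC token, exchanges it for GCP credentials through Workload Identity Federation with Google's auth action, reads only the ADO PAT from Secret Manager, and passes it to the image-builder action. The provider and secret paths, ORG/REPO, the action path and the ADO_PAT variable name are placeholders; the direct-WIF form without a service account follows the Jun 4 comment below rather than the acceptance criteria as first written.

```yaml
# Added example, not the project's own workflow. Placeholders in CAPS
# (PROJECT_NUMBER, POOL, PROVIDER, PROJECT_ID, ORG/REPO) must be replaced.
name: image-builder

on:
  workflow_call:

permissions:
  # id-token: write lets the job mint a GitHub OIDC token. Nothing else is
  # granted, so this job can reach only what the federated identity may read.
  id-token: write
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for short-lived GCP credentials.
      # No service_account input: permissions are bound directly to the
      # federated identity (direct WIF), so there is nothing to impersonate.
      - id: auth
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER

      # Read only the ADO PAT. The federated principal needs
      # roles/secretmanager.secretAccessor on this single secret, granted to
      # principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/attribute.repository/ORG/REPO
      # so any other secret in the project stays out of reach of this workflow.
      - id: secrets
        uses: google-github-actions/get-secretmanager-secrets@v2
        with:
          secrets: |-
            ado_pat:projects/PROJECT_ID/secrets/ado-pat/versions/latest

      # Hand the PAT to the image-builder action via the environment only;
      # the action path and the ADO_PAT variable name are assumed here.
      - uses: ORG/REPO/.github/actions/image-builder@main
        env:
          ADO_PAT: ${{ steps.secrets.outputs.ado_pat }}
```

The secret value is masked in job logs by the get-secretmanager-secrets action, and the IAM binding scoped to the one secret is what enforces the last acceptance criterion.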
@dekiel dekiel added the area/ci Issues or PRs related to CI related topics label May 16, 2024
@dekiel dekiel self-assigned this May 27, 2024
dekiel commented Jun 4, 2024

Following GCP recommendations, we grant permissions directly to the Workload Identity Federation identities instead of to the GCP service accounts by using SA impersonation. This invalidates the last two items from the Acceptance Criteria.

@dekiel dekiel closed this as completed Jun 4, 2024