
feat(webhook): support executable-sourced credentials in sidecar injection#1340

Draft
yangspirit wants to merge 6 commits into GoogleCloudPlatform:main from yangspirit:option1

Conversation

@yangspirit (Member) commented May 1, 2026

This change adds support for Executable-Sourced Credentials (AIP-4117) in the GCS Fuse sidecar injector webhook.

  • In mutatingwebhook.go, dynamically construct credentialVolumeMounts based on whether the credential configuration uses an executable or a file.
  • Avoid mounting the projected token volume when an executable is specified, as the sidecar will obtain the token by running the command.
  • Inject the GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES=1 environment variable to enable the Google Auth Library to use the executable.
  • Add unit tests in oidc_test.go to verify the correct injection of environment variables and volume mounts for executable credentials. This unblocks integrations that rely on custom binaries to fetch tokens.
  • Add generic support for additional volume mounts via annotation, unblocking the executable-sourced credentials flow, which requires mounting a binary and certificates into the distroless sidecar.

@google-oss-prow

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all.

@google-oss-prow

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: yangspirit

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gemini-code-assist (Bot) left a comment

Code Review

This pull request introduces support for executable-sourced credentials in the workload identity configuration. It modifies the mutating webhook to conditionally mount token volumes or set the GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES environment variable based on the credential source. Feedback suggests adding validation to ensure either a file or an executable is provided to prevent invalid volume paths and refactoring the mountPath calculation for improved clarity.

Comment on lines +430 to +431:

	if credConfig.CredentialSource.Executable == nil {
		pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{
high

Since File is now marked as omitempty in the CredentialConfig struct, it can be an empty string. If both Executable and File are missing or empty, the code will proceed to use an empty path in filepath.Base (line 440), which results in "." and may lead to an invalid or unintended volume projection path. Adding validation ensures the configuration is correct before usage.

	if credConfig.CredentialSource.Executable == nil {
		if credConfig.CredentialSource.File == "" {
			return "", nil, fmt.Errorf("workload identity credential configuration must have either 'file' or 'executable' set")
		}
		pod.Spec.Volumes = append(pod.Spec.Volumes, corev1.Volume{

Comment on lines +152 to +162:

	mountPath := filepath.Dir(credentialConfig.CredentialSource.File)

	credentialVolumeMounts := []corev1.VolumeMount{
		{Name: SidecarContainerWICredentialConfigMapVolumeName, MountPath: SidecarContainerWICredentialConfigMapVolumeMountPath},
	}
	var envVars []corev1.EnvVar
	if credentialConfig.CredentialSource.Executable == nil {
		credentialVolumeMounts = append(credentialVolumeMounts, corev1.VolumeMount{Name: SidecarContainerWITokenVolumeName, MountPath: mountPath})
	} else {
		envVars = append(envVars, corev1.EnvVar{Name: "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES", Value: "1"})
	}
medium

The mountPath variable is only used when Executable is nil. Moving its calculation inside the if block improves code clarity and avoids unnecessary processing when an executable-sourced credential is used. Additionally, consider using a constant for the environment variable name GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES to avoid magic strings.

		credentialVolumeMounts := []corev1.VolumeMount{
			{Name: SidecarContainerWICredentialConfigMapVolumeName, MountPath: SidecarContainerWICredentialConfigMapVolumeMountPath},
		}
		var envVars []corev1.EnvVar
		if credentialConfig.CredentialSource.Executable == nil {
			mountPath := filepath.Dir(credentialConfig.CredentialSource.File)
			credentialVolumeMounts = append(credentialVolumeMounts, corev1.VolumeMount{Name: SidecarContainerWITokenVolumeName, MountPath: mountPath})
		} else {
			envVars = append(envVars, corev1.EnvVar{Name: "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES", Value: "1"})
		}
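
As an added, stand-alone illustration (not the PR's code) of the selection logic in the PR description and the validation the review above asks for: the mount/env derivation with stand-in types and placeholder volume names, plus one extra check assumed here rather than taken from the PR, namely that a file-sourced token path must be absolute.

```go
package main

import (
	"errors"
	"path/filepath"
)

// Stand-in types for the fields the webhook logic touches; these are
// assumptions, not the project's real structs or the corev1 types.
type ExecutableConfig struct{ Command string }
type CredentialSource struct {
	File       string            // token file path; now omitempty, so may be ""
	Executable *ExecutableConfig // non-nil selects executable-sourced credentials
}
type VolumeMount struct{ Name, MountPath string }
type EnvVar struct{ Name, Value string }

// Placeholder volume names and mount path (not the project's constants).
const (
	configMapVolumeName = "wi-credential-config"
	configMapMountPath  = "/etc/workload-identity"
	tokenVolumeName     = "wi-token"
	allowExecutablesEnv = "GOOGLE_EXTERNAL_ACCOUNT_ALLOW_EXECUTABLES"
)

var (
	ErrNoSource     = errors.New("credential source must set either 'file' or 'executable'")
	ErrRelativeFile = errors.New("credential source 'file' must be an absolute path")
)

// sidecarCredentialSpec derives the sidecar's credential volume mounts and env
// vars. The config map is always mounted; the projected token volume only for
// file-sourced credentials; the allow-executables env var only for executables.
func sidecarCredentialSpec(src CredentialSource) ([]VolumeMount, []EnvVar, error) {
	mounts := []VolumeMount{{Name: configMapVolumeName, MountPath: configMapMountPath}}
	if src.Executable != nil {
		return mounts, []EnvVar{{Name: allowExecutablesEnv, Value: "1"}}, nil
	}
	// Validate before deriving paths: filepath.Dir("") and filepath.Base("")
	// both return ".", which would silently yield a bogus token mount path.
	if src.File == "" {
		return nil, nil, ErrNoSource
	}
	if !filepath.IsAbs(src.File) {
		return nil, nil, ErrRelativeFile
	}
	mounts = append(mounts, VolumeMount{Name: tokenVolumeName, MountPath: filepath.Dir(src.File)})
	return mounts, nil, nil
}
```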

@yangspirit force-pushed the option1 branch 2 times, most recently from b82741f to 19d3b55 (May 5, 2026 07:06)