
also make optional for v1beta1 and add note to docs

Atze de Vries 4 years ago
parent
commit
2f53ab8220

+ 1 - 1
apis/externalsecrets/v1beta1/secretstore_gcpsm_types.go

@@ -35,7 +35,7 @@ type GCPWorkloadIdentity struct {
 	ServiceAccountRef esmeta.ServiceAccountSelector `json:"serviceAccountRef"`
 	ClusterLocation   string                        `json:"clusterLocation"`
 	ClusterName       string                        `json:"clusterName"`
-	ClusterProjectID  string                        `json:"clusterProjectID"`
+	ClusterProjectID  string                        `json:"clusterProjectID,omitempty"`
 }
 
 // GCPSMProvider Configures a store to sync secrets using the GCP Secret Manager provider.
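Review bot: `ClusterProjectID` is made optional here by the `omitempty` tag alone, with no field comment and no `// +optional` marker, so the generated CRD schema gives no description of what an empty value means. The docs snippet in this commit says it then defaults to `spec.provider.gcpsm.projectID`; because this value presumably determines which workload identity pool the service account token is exchanged against, that fallback should be stated on the type itself, e.g. `// ClusterProjectID is the project ID of the GKE cluster; if empty, spec.provider.gcpsm.projectID is used.` followed by `// +optional`. The fallback logic is not part of this commit's visible hunks, so it is worth confirming that it applies to v1beta1 stores as well. The `GCPWorkloadIdentity` struct begins above the hunk.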

+ 0 - 1
config/crds/bases/external-secrets.io_clustersecretstores.yaml

@@ -1769,7 +1769,6 @@ spec:
                             required:
                             - clusterLocation
                             - clusterName
-                            - clusterProjectID
                             - serviceAccountRef
                             type: object
                         type: object

+ 0 - 1
config/crds/bases/external-secrets.io_secretstores.yaml

@@ -1772,7 +1772,6 @@ spec:
                             required:
                             - clusterLocation
                             - clusterName
-                            - clusterProjectID
                             - serviceAccountRef
                             type: object
                         type: object

+ 0 - 2
deploy/crds/bundle.yaml

@@ -1314,7 +1314,6 @@ spec:
                               required:
                                 - clusterLocation
                                 - clusterName
-                                - clusterProjectID
                                 - serviceAccountRef
                               type: object
                           type: object
@@ -3759,7 +3758,6 @@ spec:
                               required:
                                 - clusterLocation
                                 - clusterName
-                                - clusterProjectID
                                 - serviceAccountRef
                               type: object
                           type: object

+ 2 - 0
docs/snippets/gcpsm-wi-secret-store.yaml

@@ -12,6 +12,8 @@ spec:
           clusterLocation: europe-central2
           # name of the GKE cluster
           clusterName: example-workload-identity
+          # projectID of the cluster (if omitted defaults to spec.provider.gcpsm.projectID)
+          clusterProjectID: my-cluster-project
           # reference the sa from above
           serviceAccountRef:
             name: team-a

+ 6 - 0
pkg/provider/gcp/secretmanager/secretsmanager_workload_identity_test.go

@@ -44,6 +44,7 @@ type workloadIdentityTest struct {
 	genAccessToken func(context.Context, *credentialspb.GenerateAccessTokenRequest, ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error)
 	genIDBindToken func(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error)
 	genSAToken     func(c context.Context, s1, s2, s3 string) (*authv1.TokenRequest, error)
+	genClusterID   func(context.Context, *esv1beta1.SecretStore) (*oauth2.Token, error)
 	store          esv1beta1.GenericStore
 	kubeObjects    []client.Object
 }
@@ -268,6 +269,11 @@ func defaultTestCase(name string) *workloadIdentityTest {
 				},
 			}, nil
 		},
+		genClusterID: func(context.Context, *esv1beta1.SecretStore) (*oauth2.Token, error) {
+			return &oauth2.Token{
+				AccessToken: defaultGenAccessToken,
+			}, nil
+		},
 		kubeObjects: []client.Object{
 			&v1.ServiceAccount{
 				ObjectMeta: metav1.ObjectMeta{
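Review bot: None of the visible test changes exercises the behaviour this commit enables, an empty `ClusterProjectID` falling back to the store's `projectID`. The new `genClusterID` stub is added to `workloadIdentityTest` and populated in `defaultTestCase`, but neither hunk shows it being handed to the code under test, so it may be dead. A case that leaves `ClusterProjectID` unset and asserts the `idPool` and `idProvider` strings received by `genIDBindToken` would pin the fallback. A second case with different cluster and secret projects would catch the identity pool being derived from the wrong project. `defaultTestCase` continues outside the hunk.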