
GCP Secrets Manager native support: Runner support

Proposal

This proposal is for adding a new CI keyword to configure secrets integration with GCP Secrets Manager. The CI keyword is implemented in #428401 (closed).

The job payload sent to GitLab Runner will be as follows:

{
  "secrets": {
    "DATABASE_PASSWORD": {
      "gcp_secrets_manager": {
        "name": "my-project-secret",
        "version": "1",
        "server": {
          "project_number": "1234",
          "workload_identity_pool_id": "pool-id",
          "workload_identity_provider_id": "provider-id",
          "jwt": "jwt encoded GCP_SM_ID_TOKEN"
        }
      }
    }
  }
}

Based on this payload, the runner will need to perform the following tasks:

  1. Authenticate with the GCP Secret Token Service (STS) to obtain a bearer token scoped to the principal associated with the JWT claims.
  2. Use the obtained bearer token to make an Access Secret Version request to GCP Secrets Manager (see the GCP documentation for this request).
  3. Create a job variable with the given name (e.g. DATABASE_PASSWORD) whose value is the secret payload obtained from GCP Secrets Manager.
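
The three steps above carried through in Go (the language GitLab Runner is written in), as an added example for this page and not GitLab Runner's own implementation. It assumes the STS v1 token endpoint and the Secret Manager v1 `:access` REST shapes, that the payload's `name` is the short secret id under `project_number`, and that one unresolved secret fails the job; the JWT, the access token and the secret value are constructed placeholders, served by an in-process fake of both Google endpoints (`newFakeGCP`) so that the code runs offline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// samplePayload is the job payload from the issue; the jwt value is a constructed placeholder.
const samplePayload = `{"secrets":{"DATABASE_PASSWORD":{"gcp_secrets_manager":{"name":"my-project-secret","version":"1",
 "server":{"project_number":"1234","workload_identity_pool_id":"pool-id","workload_identity_provider_id":"provider-id","jwt":"<constructed GCP_SM_ID_TOKEN>"}}}}}`

// secretSpec mirrors one "gcp_secrets_manager" object of the payload.
type secretSpec struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Server  struct {
		ProjectNumber string `json:"project_number"`
		PoolID        string `json:"workload_identity_pool_id"`
		ProviderID    string `json:"workload_identity_provider_id"`
		JWT           string `json:"jwt"`
	} `json:"server"`
}

// resolveSecret performs steps 1 and 2 for one secret; in production stsURL is https://sts.googleapis.com and smURL is https://secretmanager.googleapis.com.
func resolveSecret(stsURL, smURL string, s secretSpec) (string, error) {
	// Step 1: RFC 8693 token exchange; the audience pins the exchange to one workload identity provider.
	audience := fmt.Sprintf("//iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/providers/%s", s.Server.ProjectNumber, s.Server.PoolID, s.Server.ProviderID)
	sts, err := http.PostForm(stsURL+"/v1/token", url.Values{
		"grant_type":           {"urn:ietf:params:oauth:grant-type:token-exchange"},
		"audience":             {audience},
		"scope":                {"https://www.googleapis.com/auth/cloud-platform"},
		"requested_token_type": {"urn:ietf:params:oauth:token-type:access_token"},
		"subject_token_type":   {"urn:ietf:params:oauth:token-type:jwt"},
		"subject_token":        {s.Server.JWT},
	})
	if err != nil {
		return "", err
	}
	defer sts.Body.Close()
	var tok struct{ AccessToken string `json:"access_token"` }
	if sts.StatusCode != http.StatusOK || json.NewDecoder(sts.Body).Decode(&tok) != nil || tok.AccessToken == "" {
		return "", fmt.Errorf("sts: token exchange failed (HTTP %d)", sts.StatusCode)
	}
	// Step 2: Access Secret Version with the bearer token. "name" is assumed to be the short id under project_number.
	path := fmt.Sprintf("/v1/projects/%s/secrets/%s/versions/%s:access", s.Server.ProjectNumber, s.Name, s.Version)
	req, _ := http.NewRequest(http.MethodGet, smURL+path, nil)
	req.Header.Set("Authorization", "Bearer "+tok.AccessToken)
	sm, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer sm.Body.Close()
	var out struct{ Payload struct{ Data string `json:"data"` } `json:"payload"` }
	if sm.StatusCode != http.StatusOK || json.NewDecoder(sm.Body).Decode(&out) != nil {
		return "", fmt.Errorf("secretmanager: access failed (HTTP %d)", sm.StatusCode)
	}
	raw, err := base64.StdEncoding.DecodeString(out.Payload.Data) // payload.data is base64
	return string(raw), err
}

// resolveJobSecrets is step 3: one job variable per entry under "secrets", holding the plaintext value.
func resolveJobSecrets(stsURL, smURL string, payload []byte) (map[string]string, error) {
	var job struct {
		Secrets map[string]struct{ GCP secretSpec `json:"gcp_secrets_manager"` } `json:"secrets"`
	}
	if err := json.Unmarshal(payload, &job); err != nil {
		return nil, err
	}
	vars := map[string]string{}
	for name, sec := range job.Secrets {
		value, err := resolveSecret(stsURL, smURL, sec.GCP)
		if err != nil {
			return nil, fmt.Errorf("secret %s: %w", name, err) // one unresolved secret fails the job
		}
		vars[name] = value
	}
	return vars, nil
}

// newFakeGCP serves both endpoints from one test server so the example runs offline; it checks grant type, audience and subject token on the exchange and the bearer token on the access call.
func newFakeGCP() *httptest.Server {
	const token, aud = "ya29.constructed-access-token", "//iam.googleapis.com/projects/1234/locations/global/workloadIdentityPools/pool-id/providers/provider-id"
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.URL.Path == "/v1/token" && r.FormValue("grant_type") == "urn:ietf:params:oauth:grant-type:token-exchange" &&
			r.FormValue("audience") == aud && r.FormValue("subject_token") != "":
			fmt.Fprintf(w, `{"access_token":%q,"token_type":"Bearer","expires_in":3600}`, token)
		case r.URL.Path == "/v1/token":
			http.Error(w, `{"error":"invalid_request"}`, http.StatusBadRequest)
		case r.Header.Get("Authorization") != "Bearer "+token:
			http.Error(w, `{"error":{"code":403,"status":"PERMISSION_DENIED"}}`, http.StatusForbidden)
		default: // payload.data is base64 as in the real API; the secret value is constructed
			fmt.Fprintf(w, `{"name":"projects/1234/secrets/my-project-secret/versions/1","payload":{"data":%q}}`, base64.StdEncoding.EncodeToString([]byte("s3cr3t-db-pass")))
		}
	}))
}
```

Driving it against the fake with `srv := newFakeGCP()` and `resolveJobSecrets(srv.URL, srv.URL, []byte(samplePayload))` yields `map[DATABASE_PASSWORD:s3cr3t-db-pass]`. The two bindings worth exercising are the audience and the bearer token: a payload naming a different provider, or carrying an empty JWT, is refused by STS at step 1, and a Secret Manager call without the issued token is refused at step 2; in every failing case no job variable is created and the error names the secret, never its value.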
Edited by Albert