
GCP Secret Manager native support: Rails support

Proposal

This proposal adds a new CI keyword, secrets:gcp_secret_manager, to configure secrets integration with GCP Secret Manager. An example job using it:

job_name:
  id_tokens:
    GCP_SM_ID_TOKEN:
      # The audience of the Workload Identity Pool Provider, or a custom audience configured on it.
      aud: https://iam.googleapis.com/projects/$GCP_PROJECT_NUMBER/locations/global/workloadIdentityPools/$GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID/providers/$GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID
  secrets:
    DATABASE_PASSWORD:
      gcp_secret_manager:
        name: my-project-secret  # The name of the secret as defined in GCP Secret Manager
        version: 1               # optional, defaults to `latest`
      token: GCP_SM_ID_TOKEN     # The id_token above, exchanged for GCP credentials via Workload Identity Federation

In addition, the following CI variables need to be set by the user:

  • GCP Project Number GCP_PROJECT_NUMBER
  • GCP Workload Identity Federation Pool ID GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID
  • GCP Workload Identity Federation Provider ID GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID

The configuration and variables above will be used to build the job payload that includes the following:

{
  "secrets": {
    "DATABASE_PASSWORD": {
      "gcp_secret_manager": {
        "name": "my-project-secret",
        "version": "1",
        "server": {
          "project_number": "1234",
          "workload_identity_federation_pool_id": "pool-id",
          "workload_identity_federation_provider_id": "provider-id",
          "jwt": "$GCP_SM_ID_TOKEN"
        }
      }
    }
  }
}

Given that the shared JWTs CI_JOB_JWT and CI_JOB_JWT_V2 are deprecated and will be removed, the ID token must be specified explicitly through token. This means CI config validation needs to treat token as a required attribute whenever gcp_secret_manager is used, and reject the job otherwise.
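An added example in Ruby (not GitLab's own code) that sketches the two rules above: token is required and must reference a declared id_token, and the payload's server block is filled from the user-set CI variables. The job config, the CI_VARIABLES values and the function names validate_secret and build_payload are constructed for this illustration.

```ruby
require 'yaml'
# Constructed job config mirroring the proposal (sample values, not real project ids).
JOB_YAML = <<~YAML
  job_name:
    id_tokens:
      GCP_SM_ID_TOKEN:
        aud: https://iam.googleapis.com/projects/$GCP_PROJECT_NUMBER/locations/global/workloadIdentityPools/$GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID/providers/$GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID
    secrets:
      DATABASE_PASSWORD:
        gcp_secret_manager:
          name: my-project-secret
          version: 1
        token: GCP_SM_ID_TOKEN
YAML
# Constructed CI variables standing in for the ones the user must set.
CI_VARIABLES = {
  'GCP_PROJECT_NUMBER' => '1234',
  'GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID' => 'pool-id',
  'GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID' => 'provider-id' }.freeze
# Validates one secret entry: `token` is mandatory for gcp_secret_manager (no shared
# CI_JOB_JWT fallback) and must name a declared id_token. Returns a list of error strings.
def validate_secret(secret_name, secret, id_tokens)
  return [] unless (gsm = secret['gcp_secret_manager'])
  errors = []
  errors << "#{secret_name}: gcp_secret_manager requires `name`" unless gsm.is_a?(Hash) && gsm['name']
  token = secret['token']
  if token.nil?
    errors << "#{secret_name}: `token` is required when using gcp_secret_manager"
  elsif !(id_tokens || {}).key?(token)
    errors << "#{secret_name}: token `#{token}` is not declared under id_tokens"
  end
  errors
end
# Builds the job payload shown in the proposal from a validated job and the CI variables.
def build_payload(job, variables)
  missing = CI_VARIABLES.keys.select { |v| variables[v].to_s.empty? }
  raise ArgumentError, "missing CI variables: #{missing.join(', ')}" if missing.any?
  job.fetch('secrets').each_with_object({ 'secrets' => {} }) do |(name, secret), payload|
    gsm = secret['gcp_secret_manager'] or next # skip secrets from other providers
    payload['secrets'][name] = { 'gcp_secret_manager' => {
      'name' => gsm['name'],
      'version' => (gsm['version'] || 'latest').to_s, # optional, defaults to `latest`
      'server' => {
        'project_number' => variables['GCP_PROJECT_NUMBER'],
        'workload_identity_federation_pool_id' => variables['GCP_WORKLOAD_IDENTITY_FEDERATION_POOL_ID'],
        'workload_identity_federation_provider_id' => variables['GCP_WORKLOAD_IDENTITY_FEDERATION_PROVIDER_ID'],
        'jwt' => "$#{secret.fetch('token')}" # the runner substitutes the id_token at job time
      } } }
  end
end
```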

Edited by Albert