feat(gcs): support Workload Identity for GCS backup storage

Add support for GKE Workload Identity Federation when authenticating
with Google Cloud Storage for backups. This eliminates the requirement
for exported service account JSON keys (credentialsSecret).

Changes:
- Add GCSCredentials struct with WorkloadIdentity field to BackupStorageGCSSpec
- Make credentialsSecret optional (omitempty) when workloadIdentity is enabled
- Update GetPBMStorageGCSConfig to skip credential secret loading when WI is enabled
- Patch PBM's newGoogleClient to fall back to Application Default Credentials (ADC)
  when no explicit credentials are provided, enabling transparent GKE WI auth

When credentials.workloadIdentity is true in the CR:
  spec.backup.storages.gcs.credentials.workloadIdentity: true

The operator skips reading credentialsSecret and PBM authenticates via
the pod's Kubernetes Service Account, which is federated to a GCP SA
through GKE Workload Identity.

This aligns with PBM 2.13.0's native WIF support and Google's security
best practice of avoiding exported service account keys, which is
required for IL4/FedRAMP environments.

Closes: #2314

Author: TineoC

go.mod

@@ -223,3 +223,5 @@ replace (
 	github.com/dgrijalva/jwt-go v3.2.0+incompatible => github.com/golang-jwt/jwt/v4 v4.2.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 => ./cmd/mongodb-healthcheck/logger/lumberjack/ // https://github.com/natefinch/lumberjack/pull/211
 )
+
+replace github.com/percona/percona-backup-mongodb => ./pbm-patched

go.sum

@@ -418,8 +418,6 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/percona/percona-backup-mongodb v1.8.1-0.20251104101930-05ab6d7e1004 h1:Q/HeUxMI63ekZYY0TlnfF0Vp3WZ0mmx7gI9iBzehjeY=
-github.com/percona/percona-backup-mongodb v1.8.1-0.20251104101930-05ab6d7e1004/go.mod h1:NYc9wcoGLNXmOHwfsaed+Ej3nxv3dUViHOcCfQneJ84=
 github.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=
 github.com/philhofer/fwd v1.2.0/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pierrec/lz4 v2.6.1+incompatible h1:9UY3+iC23yxF0UfGaYrGplQ+79Rg+h/q9FV9ix19jjM=

pbm-patched/.dockerignore

@@ -0,0 +1,4 @@
+/bin/
+/dev/
+/.dev
+e2e-tests/docker/backups/pbm/

pbm-patched/.github/pr-badge.yml

@@ -0,0 +1,5 @@
+label: "JIRA"
+url: "https://jira.percona.com/browse/$issuePrefix"
+message: "$issuePrefix"
+color: "green"
+when: "$issuePrefix"

pbm-patched/.github/workflows/ci.yml

@@ -0,0 +1,117 @@
+name: CI
+
+on:
+  workflow_dispatch:
+    inputs:
+      pbm_branch:
+        description: "PBM branch"
+        required: false
+      tests_ver:
+        description: "Tests version"
+        required: false
+      go_ver:
+        description: "Golang version"
+        required: false
+      pr_ver:
+        description: "PR version"
+        required: false
+
+  pull_request:
+    branches:
+      - main
+      - dev
+    paths-ignore:
+      - "e2e-tests/**"
+      - "packaging/**"
+      - "version/**"
+
+  push:
+    branches:
+      - main
+      - dev
+    paths-ignore:
+      - "e2e-tests/**"
+      - "packaging/**"
+      - "version/**"
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    timeout-minutes: 180
+    strategy:
+      fail-fast: false
+      matrix:
+        psmdb: ["7.0", "8.0"]
+        shard: [0, 1, 2, 3, 4, 5, 6]
+    env:
+      PBM_BRANCH: ${{ github.event.inputs.pbm_branch || github.ref_name }}
+      GO_VER: ${{ github.event.inputs.go_ver || '1.25-bookworm' }}
+      PR_NUMBER: ${{ github.event.number|| github.event.inputs.pr_ver }}
+      MAKE_TARGET: 'build-cover'
+    steps:
+      - name: Checkout testing repo
+        uses: actions/checkout@v4
+        with:
+          repository: Percona-QA/psmdb-testing
+          ref: ${{ github.event.inputs.tests_ver || 'main'}}
+          path: psmdb-testing
+
+      - name: Setup environment with PSMDB ${{ matrix.psmdb }} for PBM PR/branch ${{ github.event.pull_request.title || env.PR_NUMBER || env.PBM_BRANCH }}
+        run: |
+          PSMDB=perconalab/percona-server-mongodb:${{ matrix.psmdb }} docker compose build easyrsa
+          PSMDB=perconalab/percona-server-mongodb:${{ matrix.psmdb }} docker compose build
+          docker compose up -d
+        working-directory: psmdb-testing/pbm-functional/pytest
+
+      - name: Run pytest shard number ${{ matrix.shard }} on PSMDB ${{ matrix.psmdb }} for PBM PR/branch ${{ github.event.pull_request.title || env.PR_NUMBER || env.PBM_BRANCH }}
+        run: |
+          docker compose run test pytest -s --junitxml=junit.xml --shard-id=${{ matrix.shard }} --num-shards=7 -m 'not jenkins and not skip'
+        working-directory: psmdb-testing/pbm-functional/pytest
+
+      - name: Fetch coverage files
+        run: |
+          docker compose run --rm golang_reports cp -r /gocoverdir/reports /test
+          sudo chmod -R 777 reports
+        working-directory: psmdb-testing/pbm-functional/pytest
+        if: success() || failure()
+
+      - name: Upload coverage reports
+        uses: actions/upload-artifact@v4
+        with:
+          name: reports-${{ matrix.shard }}-${{ matrix.psmdb }}
+          path: psmdb-testing/pbm-functional/pytest/reports/
+        if: success() || failure()
+
+      - name: Publish Test Report
+        uses: mikepenz/action-junit-report@v4
+        if: success() || failure()
+        with:
+          report_paths: "**/junit.xml"
+
+  coverage:
+    if: ${{ always() }}
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          check-latest: true
+      - name: Download all coverage reports
+        uses: actions/download-artifact@v4
+        with:
+          path: reports
+          pattern: reports-*
+          merge-multiple: true
+      - name: Merge coverage reports
+        run: |
+          go tool covdata textfmt -i=./reports -o ./coverage.txt
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v3
+        with:
+          files: ./coverage.txt
+          flags: integration
+          fail_ci_if_error: false
+          token: ${{ secrets.CODECOV_TOKEN }}

pbm-patched/.github/workflows/codecov.yml

@@ -0,0 +1,31 @@
+name: 'codecov'
+
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+    branches:
+      - main
+      - dev
+
+jobs:
+  go-test:
+    name: runner / go-test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: "1.25"
+      - name: test
+        run: go test -v ./... -covermode=atomic -coverprofile=cover.out
+
+      - name: upload coverage report
+        uses: codecov/codecov-action@v4
+        with:
+          file: cover.out
+          flags: unittests
+          fail_ci_if_error: false
+          token: ${{ secrets.CODECOV_TOKEN }}

pbm-patched/.github/workflows/reviewdog.yml

@@ -0,0 +1,90 @@
+name: reviewdog
+on: [pull_request]
+jobs:
+  shellcheck:
+    name: runner / shellcheck
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.changed_files < 301 }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: spellcheck
+        uses: reviewdog/action-shellcheck@v1
+        with:
+          reporter: github-pr-review
+          exclude: |
+            */.git/*
+            ./.cache/*
+            ./vendor/*
+            ./packaging/scripts/*
+
+  misspell:
+    name: runner / misspell
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.changed_files < 301 }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: misspell
+        uses: reviewdog/action-misspell@v1
+        with:
+          reporter: github-pr-review
+          locale: "US"
+          exclude: |
+            */.git/*
+            ./.cache/*
+            ./vendor/*
+
+  alex:
+    name: runner / alex
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.changed_files < 301 }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: alex
+        uses: reviewdog/action-alex@v1
+        with:
+          reporter: github-pr-review
+
+  golangci-lint:
+    name: runner / golangci-lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: "1.25"
+      - name: golangci-lint
+        uses: reviewdog/action-golangci-lint@v2
+        with:
+          reporter: github-pr-review
+          level: error
+
+  gofmt:
+    name: runner / gofmt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: "1.25"
+      - run: go install golang.org/x/tools/cmd/goimports@latest
+      - run: go install mvdan.cc/gofumpt@latest
+      - run: goimports -w -local "github.com/percona" $(find . -not -path "*/vendor/*" -name "*.go")
+      - run: gofumpt -w -extra $(find . -not -path "*/vendor/*" -name "*.go")
+      - uses: reviewdog/action-suggester@v1.22.0
+        with:
+          tool_name: gofmt
+
+  shfmt:
+    name: runner / shfmt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: "1.25"
+      - run: go install mvdan.cc/sh/v3/cmd/shfmt@latest
+      - run: shfmt -f . | grep -v 'vendor' | xargs shfmt -w -s
+      - name: suggester / shfmt
+        uses: reviewdog/action-suggester@v1.22.0
+        with:
+          tool_name: shfmt

pbm-patched/.github/workflows/trivy.yml

@@ -0,0 +1,30 @@
+name: Scan
+on:
+  push:
+    branches: ["main", "dev"]
+  pull_request:
+    branches: ["main", "dev"]
+jobs:
+  scan:
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Download latest trivy
+        run: |
+          mkdir -p ${{ github.workspace }}/trivy
+          LATEST_TRIVY_VERSION=$(curl --retry 5 --retry-connrefused --retry-delay 5 --fail -s https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r .tag_name)
+          TRIVY_VERSION_STRIPPED=$(echo "$LATEST_TRIVY_VERSION" | sed 's/^v//')
+          wget --tries=5 --retry-connrefused --waitretry=5 -O ${{ github.workspace }}/trivy/trivy.tar.gz \
+              https://github.com/aquasecurity/trivy/releases/download/$LATEST_TRIVY_VERSION/trivy_${TRIVY_VERSION_STRIPPED}_Linux-64bit.tar.gz && break || sleep 5
+          tar -xzf ${{ github.workspace }}/trivy/trivy.tar.gz -C ${{ github.workspace }}/trivy
+
+      - name: Generate SBOM
+        run: ${{ github.workspace }}/trivy/trivy fs --format cyclonedx --output ${{ github.workspace }}/sbom.json ${{ github.workspace }}
+
+      - name: Run trivy scan on SBOM
+        run: ${{ github.workspace }}/trivy/trivy sbom ${{ github.workspace }}/sbom.json --severity HIGH,CRITICAL --ignore-unfixed --exit-code=1

pbm-patched/.gitignore

@@ -0,0 +1,13 @@
+.env
+.vscode/*
+!.vscode/settings.json
+!.vscode/extensions.json
+.idea/
+/bin/
+/.dev
+e2e-tests/docker/keyFile
+e2e-tests/docker/backups/pbm
+e2e-tests/docker/pbm.conf.yaml
+e2e-tests/docker/conf/aws.yaml
+e2e-tests/docker/conf/gcs.yaml
+e2e-tests/docker/conf/azure.yaml

pbm-patched/.golangci.yml

@@ -0,0 +1,41 @@
+version: "2"
+linters:
+  enable:
+    - errname
+    - predeclared
+    - staticcheck
+    - misspell
+    - nilerr
+    - nilnil
+    - lll
+    - gochecknoinits
+    - nonamedreturns
+  disable:
+    - contextcheck
+    - exhaustive
+    - gosec
+    - wrapcheck
+  settings:
+    govet:
+      disable:
+        - composites
+    misspell:
+      locale: US
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$