k3s on premise with OIDC, secret manager, and workload identity GCP