feat(chart): Add GCP Workload Identity support for service accounts

Add GCP Workload Identity annotation support to both main and inference
service accounts, following the same pattern as Azure PR #762.

Changes:
- service_account.yaml: Add iam.gke.io/gcp-service-account annotation
  using gcp.iam_service_account value
- service_account_inference.yaml: Add iam.gke.io/gcp-service-account
  annotation with fallback from gcp.inference_service_account to
  gcp.iam_service_account (allows separate SA for inference pods)

This enables proper GCP Workload Identity binding for model-engine pods
on GKE clusters.

Implements SGPINF-1123

Author: arniechops

charts/model-engine/templates/service_account.yaml

@@ -16,6 +16,11 @@ metadata:
     {{- if $.Values.azure }}
     azure.workload.identity/client-id: {{ $.Values.azure.client_id }}
     {{- end }}
+    {{- if $.Values.gcp }}
+    {{- if $.Values.gcp.iam_service_account }}
+    iam.gke.io/gcp-service-account: {{ $.Values.gcp.iam_service_account }}
+    {{- end }}
+    {{- end }}
   {{- end }}
 {{- if $.Values.azure }}
 imagePullSecrets:

charts/model-engine/templates/service_account_inference.yaml

@@ -20,6 +20,13 @@ metadata:
     azure.workload.identity/client-id: {{ $.Values.azure.client_id }}
     {{- end }}
     {{- end }}
+    {{- if $.Values.gcp }}
+    {{- if $.Values.gcp.inference_service_account }}
+    iam.gke.io/gcp-service-account: {{ $.Values.gcp.inference_service_account }}
+    {{- else if $.Values.gcp.iam_service_account }}
+    iam.gke.io/gcp-service-account: {{ $.Values.gcp.iam_service_account }}
+    {{- end }}
+    {{- end }}
   {{- end }}
 {{- if $.Values.azure }}
 imagePullSecrets: