apiVersion: backend.edge.ncr.com/v1alpha2
kind: DatabaseUser
metadata:
  name: bannerctl-${cluster_hash}
spec:
  type: CLOUD_IAM_SERVICE_ACCOUNT
  serviceAccount:
    emailRef: bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
    iamUsername: bannerctl-${cluster_hash}@${gcp_project_id}.iam
  force: true
  grants:
  - schema: public
    tableGrant:
    - permissions:
      - permission: SELECT
      - permission: UPDATE
      table: banners
    - permissions:
      - permission: DELETE
      - permission: INSERT
      - permission: SELECT
      table: labels
    - permissions:
      - permission: INSERT
      - permission: SELECT
      - permission: UPDATE
      table: channels
    - permissions:
      - permission: DELETE
      - permission: INSERT
      - permission: SELECT
      - permission: UPDATE
      table: channels_key_versions
    - permissions:
      - permission: INSERT
      - permission: SELECT
      table: ca_pools
    - permissions:
      - permission: INSERT
      - permission: SELECT
      - permission: UPDATE
      table: ca_certificates
    - permissions:
      - permission: SELECT
      table: helm_workloads_channels
    - permissions:
      - permission: SELECT
      table: helm_workloads
  instanceRef:
    name: ${edge_sql_db_name}-migrated
    projectID: ${gcp_project_id}
  prune: true