---
# Secrets for the bannerctl component. Each remote secret is wired up by a
# pair of documents:
#   * an ExternalSecret that copies the value from the "gcp-provider"
#     ClusterSecretStore into a Kubernetes Secret, and
#   * an IAMPolicyMember that grants roles/secretmanager.secretAccessor on
#     that single secret to the per-cluster ext-sec service account.
# ${cluster_hash} and ${gcp_project_id} are placeholders; they must be
# substituted before the manifests are applied (mechanism not shown here).
# No metadata.namespace is set, so the namespace is chosen by whatever
# applies this file. Anyone who can read Secrets in that namespace can read
# the synced values.

# ExternalSecret "ldkey": exposes remote secret
# edge-backend-launch-darkly-sdk-key as key LD_KEY of Secret "ldkey".
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: ldkey
  labels:
    platform.edge.ncr.com/component: bannerctl
spec:
  # The remote value is re-read every minute. No remoteRef.version is
  # pinned, so the provider's default version is what gets synced
  # (presumably "latest" for GCP Secret Manager; confirm).
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-provider
  target:
    # Owner: the operator creates the Secret and owns it, so the Secret is
    # removed together with this ExternalSecret.
    creationPolicy: Owner
    name: ldkey
  data:
    - secretKey: LD_KEY
      remoteRef:
        key: edge-backend-launch-darkly-sdk-key
---
# Read access to edge-backend-launch-darkly-sdk-key only. The binding is on
# the secret itself (resourceRef.external), not on the project.
# NOTE(review): the member is presumably the identity the gcp-provider store
# authenticates as; confirm against the ClusterSecretStore definition.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-edge-backend-launch-darkly-sdk-key
spec:
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${gcp_project_id}/secrets/edge-backend-launch-darkly-sdk-key
  role: roles/secretmanager.secretAccessor
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
---
# ExternalSecret "edge-totp-secret-key": exposes remote secret
# edge-backend-totp-secret as key TOTP_SECRET_KEY of Secret
# "edge-totp-secret-key".
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: edge-totp-secret-key
  labels:
    platform.edge.ncr.com/component: bannerctl
spec:
  # Re-read from the store every minute; no remoteRef.version pinned.
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-provider
  target:
    # Secret is created and owned by this ExternalSecret.
    creationPolicy: Owner
    name: edge-totp-secret-key
  data:
    - secretKey: TOTP_SECRET_KEY
      remoteRef:
        key: edge-backend-totp-secret
---
# Read access to edge-backend-totp-secret only (secret-level binding).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-edge-backend-totp-secret
spec:
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${gcp_project_id}/secrets/edge-backend-totp-secret
  role: roles/secretmanager.secretAccessor
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
---
# ExternalSecret "edge-bsl": pulls two properties out of the single remote
# secret edge-bsl-prod-admin and exposes them as separate keys of Secret
# "edge-bsl". "property" selects a field inside the remote value, which
# presumably means the remote secret is stored as JSON; confirm.
# NOTE(review): the remote name suggests production admin credentials;
# confirm that every cluster receiving this manifest is meant to hold them.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: edge-bsl
  labels:
    platform.edge.ncr.com/component: bannerctl
spec:
  # Re-read from the store every minute; no remoteRef.version pinned.
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-provider
  target:
    # Secret is created and owned by this ExternalSecret.
    creationPolicy: Owner
    name: edge-bsl
  data:
    - secretKey: EDGE_BSL_SECRET_KEY
      remoteRef:
        key: edge-bsl-prod-admin
        property: secret-key
    - secretKey: EDGE_BSL_SHARED_KEY
      remoteRef:
        key: edge-bsl-prod-admin
        property: shared-key
---
# Read access to edge-bsl-prod-admin only (secret-level binding).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-edge-bsl-prod-admin
spec:
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${gcp_project_id}/secrets/edge-bsl-prod-admin
  role: roles/secretmanager.secretAccessor
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com