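---
# Google Service Account used by the clusterctl component. The account's
# e-mail (cctl-<cluster_hash>@<gcp_project_id>.iam.gserviceaccount.com) is what
# the IAMPolicyMember bindings in the following documents reference as `member`.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: cctl
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  displayName: cctl
  # resourceID is the GCP account ID; the templated value is quoted so the
  # substituted text is always parsed as a string, whatever it expands to.
  resourceID: 'cctl-${cluster_hash}'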
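---
# Binds the cctl service account to roles/secretmanager.admin on the whole
# project (resourceRef kind: Project), i.e. full control of every secret in
# ${gcp_project_id}, not just read access to specific ones.
# NOTE(review): this is far broader than the per-secret secretAccessor bindings
# later in this file; confirm clusterctl really needs project-wide admin rather
# than accessor (or admin) on the individual secrets it manages.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: cctl-banners-secretadmin
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  # Templated scalars are quoted so the expansion is always a string.
  member: 'serviceAccount:cctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com'
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: '${gcp_project_id}'
  role: roles/secretmanager.admin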
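---
# Binds the cctl service account to roles/container.admin on the whole project
# (resourceRef kind: Project), giving it administrative control over every GKE
# cluster in ${gcp_project_id}.
# NOTE(review): project-wide scope is the only option Config Connector offers
# for this binding type, so the blast radius of a compromised cctl key is the
# whole project's GKE estate; keep the account's keys/impersonation tightly
# controlled and audited.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: cctl-gke-admin
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  # Templated scalars are quoted so the expansion is always a string.
  member: 'serviceAccount:cctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com'
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: '${gcp_project_id}'
  role: roles/container.admin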
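---
# Read-only (secretAccessor) access for the cctl service account to a single
# secret, id-okta-creds, which lives in the foreman project
# (${foreman_gcp_project_id}) rather than in the cluster's own project.
# This per-secret scoping is the pattern the project-wide grants above should
# be compared against.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: okta-creds-cctl-secret-reader
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  # Templated scalars are quoted so the expansion is always a string.
  member: 'serviceAccount:cctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com'
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    # Cross-project reference: the secret is resolved by full resource name.
    external: 'projects/${foreman_gcp_project_id}/secrets/id-okta-creds'
  role: roles/secretmanager.secretAccessor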
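---
# Read-only (secretAccessor) access to the single secret edge-bsl-prod-admin in
# the foreman project (${foreman_gcp_project_id}).
# NOTE(review): the member here is the ext-sec-<cluster_hash> service account,
# not the cctl account defined at the top of this file; its IAMServiceAccount
# is presumably declared elsewhere — confirm it exists and that the clusterctl
# component label on this binding is intentional.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: edge-bsl-prod-admin-secret-reader
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  # Templated scalars are quoted so the expansion is always a string.
  member: 'serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com'
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    # Cross-project reference: the secret is resolved by full resource name.
    external: 'projects/${foreman_gcp_project_id}/secrets/edge-bsl-prod-admin'
  role: roles/secretmanager.secretAccessor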