apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: cctl
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  displayName: cctl
  resourceID: cctl-${cluster_hash}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: cctl-banners-secretadmin
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  member: serviceAccount:cctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
  role: roles/secretmanager.admin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: cctl-gke-admin
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  member: serviceAccount:cctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${gcp_project_id}
  role: roles/container.admin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: okta-creds-cctl-secret-reader
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  member: serviceAccount:cctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${foreman_gcp_project_id}/secrets/id-okta-creds
  role: roles/secretmanager.secretAccessor
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: edge-bsl-prod-admin-secret-reader
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${foreman_gcp_project_id}/secrets/edge-bsl-prod-admin
  role: roles/secretmanager.secretAccessor