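---
# ClusterExternalSecret: materialises the GCP Secret Manager secret
# `platform-helm-read` as a Kubernetes Secret named `edge-helm-secret`
# in every namespace whose label `workload.edge.ncr.com` is `helm`.
# NOTE(review): the synced keys include `username` and `password`, so
# every namespace matching the selector receives the Helm repository
# credentials; keep the selector as narrow as the label taxonomy allows.
apiVersion: external-secrets.io/v1beta1
kind: ClusterExternalSecret
metadata:
  name: "edge-helm-secret"
spec:
  externalSecretName: "edge-helm-secret"
  externalSecretSpec:
    data:
      # Each entry copies one property of the remote secret into a key of
      # the generated Secret; the key names are carried over unchanged.
      - remoteRef:
          key: platform-helm-read
          property: helmUrl
        secretKey: helmUrl
      - remoteRef:
          key: platform-helm-read
          property: helm_repo_name
        secretKey: helm_repo_name
      - remoteRef:
          key: platform-helm-read
          property: password
        secretKey: password
      - remoteRef:
          key: platform-helm-read
          property: username
        secretKey: username
    # How often the provider is re-read; quoted so it stays a duration string.
    refreshInterval: "1m0s"
    secretStoreRef:
      name: gcp-provider
      kind: ClusterSecretStore
    target:
      name: edge-helm-secret
      template:
        # The built-in Kubernetes Secret type is spelled `Opaque`; the
        # previous lowercase `opaque` is not rejected by the API server but
        # would be stored as a custom type rather than the built-in one.
        type: Opaque
  namespaceSelector:
    matchExpressions:
      - key: workload.edge.ncr.com
        operator: In
        values:
          - "helm"
  # How often the namespace selector is re-evaluated for new/removed namespaces.
  refreshTime: "1m0s"
---
# IAMPolicyMember (Config Connector): grants the external-secrets service
# account `secretmanager.secretAccessor` on exactly one secret,
# `platform-helm-read`, instead of a project-wide binding.
# `${cluster_hash}` and `${gcp_project_id}` are presumably substituted by a
# rendering step before apply — confirm with the pipeline that consumes this
# file. The templated scalars are quoted so an empty or unusual expansion
# still yields a string.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "platform-helm-read-${cluster_hash}"
spec:
  member: "serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: "projects/${gcp_project_id}/secrets/platform-helm-read"
  role: roles/secretmanager.secretAccessor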