---
# Reserves the global static IP (GCP resource name "apk-ip") for the APK
# repository endpoint.
# ${gcp_project_id} and ${domain} are placeholders; they are presumably
# substituted by the deployment tooling before apply (not shown here).
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: apk-repository
  annotations:
    # presumably read by a DNS controller that publishes apk.${domain}.
    # in the infra/dev-infra managed zone; verify against that controller.
    # NOTE(review): if this address is ever released, remove the DNS record
    # with it so the name cannot keep pointing at an IP the project no
    # longer owns.
    dns.edge.ncr.com/dns-project-id: "${gcp_project_id}"
    dns.edge.ncr.com/managed-zone: infra/dev-infra
    dns.edge.ncr.com/name: "apk.${domain}."
spec:
  location: global
  resourceID: apk-ip
---
# Google service account (GSA) for the apk-repository workload.
# This resource grants nothing by itself; its permissions come from the
# IAMPolicyMember resources that name it (Workload Identity binding and
# bucket role in this file).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: apk-repository-sa
spec:
  resourceID: apk-repository-sa
  displayName: apk-repository-sa
---
# Workload Identity binding: lets the Kubernetes service account (KSA)
# apk-repository-sa in namespace apk-repository act as the GSA
# apk-repository-sa.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: apk-repository-wi
spec:
  # Principal format: PROJECT.svc.id.goog[k8s-namespace/k8s-sa].
  # The principal is keyed on namespace and KSA name only, so every cluster
  # that shares the ${gcp_project_id}.svc.id.goog pool maps a matching
  # namespace/KSA to this same identity. Anyone who can run pods as that
  # KSA inherits the GSA's permissions; restrict who can create workloads
  # in the namespace accordingly.
  member: 'serviceAccount:${gcp_project_id}.svc.id.goog[apk-repository/apk-repository-sa]'
  role: roles/iam.workloadIdentityUser
  # The binding is set on the GSA itself, not at project level.
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: apk-repository-sa
---
# Grants the GSA apk-repository-sa a role on the repository bucket.
# (The original header comment described a Workload Identity binding; this
# resource is the bucket-level role grant.)
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: apk-repository-sa-bucket-admin
spec:
  member: 'serviceAccount:apk-repository-sa@${gcp_project_id}.iam.gserviceaccount.com'
  # NOTE(review): roles/storage.admin is full control of the bucket,
  # including deleting it and rewriting its IAM policy. Whoever holds this
  # identity can also replace the packages that clients install. If the
  # workload only reads or publishes objects, roles/storage.objectViewer or
  # roles/storage.objectAdmin would be enough; confirm what it needs.
  role: roles/storage.admin
  # Scoped to the single bucket below, not the project.
  resourceRef:
    kind: StorageBucket
    name: apk-repository-bucket
---
# Cloud Storage bucket that backs the APK repository.
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: apk-repository-bucket
  annotations:
    # merge: Config Connector writes live values of unspecified fields back
    # into spec.
    # NOTE(review): settings not pinned in spec (for example public access
    # prevention or object versioning) follow whatever the live bucket has.
    # Pin the ones that matter for a package repository.
    cnrm.cloud.google.com/state-into-spec: merge
spec:
  # Actual bucket name in GCS.
  resourceID: "${gcp_project_id}-apk-repository"
  location: us-east1
  # IAM-only access control; per-object ACLs are disabled.
  # NOTE(review): this is the older field name; newer Config Connector
  # versions expose it as uniformBucketLevelAccess. Check the installed CRD.
  bucketPolicyOnly: true