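# Config Connector (cnrm) resources for the apk package repository:
# a global static IP, a GCP service account, its Workload Identity binding,
# the storage bucket that holds the packages, and the bucket-level grant.
# Values of the form ${...} are substituted before apply.
---
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: apk-repository
  annotations:
    # Annotations consumed by an external DNS controller (presumably);
    # they point the apk.<domain> record at this address.
    dns.edge.ncr.com/dns-project-id: ${gcp_project_id}
    dns.edge.ncr.com/managed-zone: infra/dev-infra
    dns.edge.ncr.com/name: apk.${domain}.
spec:
  location: global
  resourceID: apk-ip
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: apk-repository-sa
spec:
  displayName: apk-repository-sa
  resourceID: apk-repository-sa
---
# Bind the Kubernetes SA apk-repository/apk-repository-sa to the GCP SA via
# GKE Workload Identity, so pods using that KSA can act as the GCP SA.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: apk-repository-wi
spec:
  member: serviceAccount:${gcp_project_id}.svc.id.goog[apk-repository/apk-repository-sa]  # [k8s-namespace/k8s-sa]
  resourceRef:
    name: apk-repository-sa
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  role: roles/iam.workloadIdentityUser
---
# Grant the GCP SA access to the repository bucket (bucket-scoped binding,
# not a project-wide one).
# NOTE(review): roles/storage.admin also allows changing the bucket's own IAM
# policy and settings; if the workload only uploads/deletes packages,
# roles/storage.objectAdmin is the narrower fit — confirm with the consumer.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: apk-repository-sa-bucket-admin
spec:
  member: serviceAccount:apk-repository-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    name: apk-repository-bucket
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
  role: roles/storage.admin
---
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: apk-repository-bucket
  annotations:
    # Let Config Connector merge server-observed fields back into spec.
    cnrm.cloud.google.com/state-into-spec: merge
spec:
  # Uniform bucket-level access: only IAM (no per-object ACLs) governs access.
  # Upstream has renamed this field to uniformBucketLevelAccess; consider
  # migrating when the CRD version in use supports it.
  bucketPolicyOnly: true
  location: us-east1
  resourceID: ${gcp_project_id}-apk-repository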