apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: apk-repository
  annotations:
    dns.edge.ncr.com/dns-project-id: ${gcp_project_id}
    dns.edge.ncr.com/managed-zone: infra/dev-infra
    dns.edge.ncr.com/name: apk.${domain}.
spec:
  location: global
  resourceID: apk-ip
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: apk-repository-sa
spec:
  displayName: apk-repository-sa
  resourceID: apk-repository-sa
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1 # bind service account to GKE workload identity SA
kind: IAMPolicyMember
metadata:
  name: apk-repository-wi
spec:
  member: serviceAccount:${gcp_project_id}.svc.id.goog[apk-repository/apk-repository-sa] # [k8s-namespace/k8s-sa]
  resourceRef:
    name: apk-repository-sa
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  role: roles/iam.workloadIdentityUser
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1 # bind service account to GKE workload identity SA
kind: IAMPolicyMember
metadata:
  name: apk-repository-sa-bucket-admin
spec:
  member: serviceAccount:apk-repository-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    name: apk-repository-bucket
    kind: StorageBucket
  role: roles/storage.admin
---
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: apk-repository-bucket
  annotations:
    cnrm.cloud.google.com/state-into-spec: merge
spec:
  bucketPolicyOnly: true
  location: us-east1
  resourceID: ${gcp_project_id}-apk-repository