# Public entry point for argo-server: a GCE external HTTP(S) load balancer
# pinned to the reserved global address and the managed certificate below.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argo-server
  namespace: argo
  annotations:
    # No plain-HTTP listener is created for this load balancer.
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: "gce"
    # Must equal ComputeAddress.spec.resourceID ("argo-server-ip").
    kubernetes.io/ingress.global-static-ip-name: "argo-server-ip"
    # Names the ManagedCertificate resource, not the hostname.
    networking.gke.io/managed-certificates: "argo-server-cert"
    networking.gke.io/v1beta1.FrontendConfig: "ncr-default"
    # NOTE(review): IAP is enabled in the BackendConfig "argo-server", but GKE
    # attaches a BackendConfig through the Service's
    # cloud.google.com/backend-config annotation, and the argo-server Service is
    # not in this file — confirm it carries that annotation, otherwise the
    # backend is reachable without IAP.
spec:
  defaultBackend:
    service:
      name: argo-server
      port:
        number: 2746
---
# Google-managed TLS certificate for the argo-server hostname; selected by the
# Ingress annotation networking.gke.io/managed-certificates.
# NOTE(review): no namespace is set here while the Ingress uses "argo"; the
# certificate must land in the Ingress's namespace to be picked up — presumably
# supplied by whatever applies these manifests, confirm.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: argo-server-cert
spec:
  domains:
    # Templated hostname, quoted so substitution cannot alter the YAML type.
    - "argo.${domain}"
---
# Load-balancer frontend policy, attached via the Ingress annotation
# networking.gke.io/v1beta1.FrontendConfig.
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: ncr-default
spec:
  # NOTE(review): the Ingress sets kubernetes.io/ingress.allow-http: "false",
  # so no HTTP forwarding rule exists for this redirect to act on; both keep
  # traffic TLS-only, but the two settings overlap — pick one deliberately.
  redirectToHttps:
    enabled: true
  # Refers to a Compute SSL policy by name; it is not defined in this file.
  sslPolicy: ncr-default
---
# Reserved global external IP (Config Connector) that the Ingress pins via
# kubernetes.io/ingress.global-static-ip-name.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: argo-server
  annotations:
    cnrm.cloud.google.com/project-id: "${gcp_project_id}"
    # The dns.edge.ncr.com/* annotations appear to feed a DNS controller that
    # publishes this address under the hostname; that controller is not in
    # this file — confirm which component consumes them.
    dns.edge.ncr.com/dns-project-id: "${gcp_project_id}"
    dns.edge.ncr.com/managed-zone: "infra/dev-infra"
    # Trailing dot: fully-qualified record name.
    dns.edge.ncr.com/name: "argo.${domain}."
spec:
  # Global address, as required by the external HTTP(S) load balancer.
  location: global
  # GCP resource name; must match the Ingress static-IP annotation.
  resourceID: argo-server-ip
---
# Workload Identity binding: allows the Kubernetes ServiceAccount
# argo/argo-server to act as the GCP IAMServiceAccount "argo-server".
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argo-server-foreman-workload-identity-user
  annotations:
    description: |
      Binds the K8s SA used by argo-server to the GCP IAM
      service account defined in the base.
spec:
  # Quoted because the value contains "[" and "]". The bracketed part is the
  # namespace/name of the K8s ServiceAccount and hard-codes namespace "argo"
  # (matching the Ingress above).
  member: "serviceAccount:${gcp_project_id}.svc.id.goog[argo/argo-server]"
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    # Defined elsewhere ("the base", per the description above).
    name: argo-server
  role: roles/iam.workloadIdentityUser
---
# Puts Identity-Aware Proxy in front of the argo-server backend so the load
# balancer authenticates users before requests reach the Service.
# NOTE(review): a BackendConfig only applies when the Service references it via
# the cloud.google.com/backend-config annotation; that Service is not in this
# file, so verify the binding exists.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: argo-server
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      # Secret produced by the ExternalSecret "iap-oauth-ext" (target.name);
      # it has to live in this BackendConfig's namespace.
      secretName: iap-oauth
---
# Syncs the IAP OAuth client credentials from Secret Manager into the
# Kubernetes Secret "iap-oauth" consumed by the BackendConfig.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: iap-oauth-ext
spec:
  refreshInterval: 1h
  # Cluster-scoped store; the GCP identity it uses is granted read access by
  # the IAMPolicyMember "essa-iap-oauth-ext" below.
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-provider
  target:
    name: iap-oauth
    # Owner: the ExternalSecret manages the target Secret's lifecycle.
    creationPolicy: Owner
  dataFrom:
    # extract: every key of the remote secret is copied into the target.
    - extract:
        key: argo-iap-oauth-creds
---
# Grants the external-secrets GCP service account read access to exactly one
# Secret Manager secret — scoped to the resource, not the whole project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-iap-oauth-ext
spec:
  member: "serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    # Referenced by external name; the secret itself is not managed here.
    # The last path segment must match ExternalSecret dataFrom.extract.key.
    external: "projects/${gcp_project_id}/secrets/argo-iap-oauth-creds"
  role: roles/secretmanager.secretAccessor