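---
# GKE-fronted Ingress for argo-server: TLS only, pinned to a reserved global
# IP, Google-managed certificate, and a FrontendConfig carrying the SSL policy.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argo-server
  namespace: argo
  annotations:
    # No plaintext listener on the load balancer; the UI is reachable over HTTPS only.
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: "gce"
    # Must match spec.resourceID of the ComputeAddress below.
    kubernetes.io/ingress.global-static-ip-name: "argo-server-ip"
    networking.gke.io/managed-certificates: "argo-server-cert"
    networking.gke.io/v1beta1.FrontendConfig: "ncr-default"
spec:
  defaultBackend:
    service:
      name: argo-server
      port:
        number: 2746
---
# Certificate for the public hostname; ${domain} is substituted before apply.
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: argo-server-cert
spec:
  domains:
    - "argo.${domain}"
---
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: ncr-default
spec:
  # NOTE(review): the Ingress above sets allow-http "false", so there may be no HTTP
  # listener for this redirect to act on — confirm against the GKE FrontendConfig docs.
  redirectToHttps:
    enabled: true
  sslPolicy: ncr-default
---
# Reserved global address consumed by the Ingress via global-static-ip-name;
# the dns.edge.ncr.com annotations publish argo.${domain} for it.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: argo-server
  annotations:
    # Quoted: annotation values must be strings even if the expansion is all digits.
    cnrm.cloud.google.com/project-id: "${gcp_project_id}"
    dns.edge.ncr.com/dns-project-id: "${gcp_project_id}"
    dns.edge.ncr.com/managed-zone: "infra/dev-infra"
    dns.edge.ncr.com/name: "argo.${domain}."
spec:
  location: global
  resourceID: argo-server-ip
---
# Workload Identity: lets the argo/argo-server K8s SA impersonate the IAMServiceAccount
# named argo-server (defined elsewhere).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argo-server-foreman-workload-identity-user
  annotations:
    description: |
      Binds the K8s SA used by argo-server to the GCP IAM service account defined in the base.
spec:
  member: "serviceAccount:${gcp_project_id}.svc.id.goog[argo/argo-server]"
  resourceRef:
    name: argo-server
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  role: roles/iam.workloadIdentityUser
---
# Identity-Aware Proxy in front of the backend; OAuth client credentials come from
# the iap-oauth Secret that the ExternalSecret below materialises.
# NOTE(review): a BackendConfig takes effect only when attached to the Service via the
# cloud.google.com/backend-config annotation — that Service is not in this file; verify.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: argo-server
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-oauth
---
# Pulls the IAP OAuth credentials from Secret Manager into the iap-oauth Secret,
# re-syncing hourly so a rotated secret is picked up without a manual apply.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: iap-oauth-ext
spec:
  dataFrom:
    - extract:
        key: argo-iap-oauth-creds
  refreshInterval: 1h
  secretStoreRef:
    name: gcp-provider
    kind: ClusterSecretStore
  target:
    name: iap-oauth
    creationPolicy: Owner
---
# Least-privilege grant: the external-secrets GSA may read this one secret only
# (secretAccessor scoped to the SecretManagerSecret, not project-wide).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-iap-oauth-ext
spec:
  member: "serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: "projects/${gcp_project_id}/secrets/argo-iap-oauth-creds"
  role: roles/secretmanager.secretAccessor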