apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argo-server
  namespace: argo
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: 'gce'
    kubernetes.io/ingress.global-static-ip-name: "argo-server-ip"
    networking.gke.io/managed-certificates: argo-server-cert
    networking.gke.io/v1beta1.FrontendConfig: "ncr-default"
spec:
  defaultBackend:
    service:
      name: argo-server
      port:
        number: 2746
---
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: argo-server-cert
spec:
  domains:
  - argo.${domain}
---
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: ncr-default
spec:
  redirectToHttps:
    enabled: true
  sslPolicy: ncr-default
---
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: argo-server
  annotations:
    cnrm.cloud.google.com/project-id: ${gcp_project_id}
    dns.edge.ncr.com/dns-project-id: ${gcp_project_id}
    dns.edge.ncr.com/managed-zone: infra/dev-infra
    dns.edge.ncr.com/name: argo.${domain}.
spec:
  location: global
  resourceID: argo-server-ip
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argo-server-foreman-workload-identity-user
  annotations:
    description: |
      Binds the K8s SA used by argo-server to the GCP IAM
      service account defined in the base.
spec:
  member: serviceAccount:${gcp_project_id}.svc.id.goog[argo/argo-server]
  resourceRef:
    name: argo-server
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  role: roles/iam.workloadIdentityUser
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: argo-server
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-oauth
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: iap-oauth-ext
spec:
  dataFrom:
  - extract:
      key: argo-iap-oauth-creds
  refreshInterval: 1h
  secretStoreRef:
    name: gcp-provider
    kind: ClusterSecretStore
  target:
    name: iap-oauth
    creationPolicy: Owner
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-iap-oauth-ext
spec:
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${gcp_project_id}/secrets/argo-iap-oauth-creds
  role: roles/secretmanager.secretAccessor