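---
# Reserved global address named "dag". The dns.edge.ncr.com annotations are
# presumably picked up by a DNS controller to publish dag.${domain} for it —
# confirm against the edge-DNS tooling. Templated values are quoted so an
# empty, numeric or boolean-looking expansion cannot change the scalar type
# (substitution is assumed to happen before the manifest is parsed).
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: dag
  annotations:
    dns.edge.ncr.com/dns-project-id: "${gcp_project_id}"
    dns.edge.ncr.com/managed-zone: infra/dev-infra
    dns.edge.ncr.com/name: "dag.${domain}."
spec:
  location: global
  resourceID: dag-ip
---
# NOTE: permissions for reading registry are set on the platform-infra cluster
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: oci-registry-explorer
---
# Workload identity binding: lets the KSA oci-registry-explayer/oci-registry-explorer
# act as the GSA above (roles/iam.workloadIdentityUser on the GSA itself).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: oci-registry-explorer-wi
spec:
  member: "serviceAccount:${gcp_project_id}.svc.id.goog[oci-registry-explorer/oci-registry-explorer]"  # [k8s-namespace/k8s-sa]
  resourceRef:
    name: oci-registry-explorer
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  role: roles/iam.workloadIdentityUser
---
# Registry read grant (not a workload identity binding). It is made on the
# tenants folder, so it covers every Artifact Registry repository in every
# project under that folder, including projects created later — keep that
# blast radius in mind if the reader only needs one registry.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: oci-registry-explorer-read
spec:
  member: "serviceAccount:oci-registry-explorer@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # GCP folder IDs are all-digit; quoted so the expanded value stays a string.
    external: "${tenants_gcp_folder_id}"
  role: roles/artifactregistry.reader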