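---
# Global static IP for the "dag" endpoint. The dns.edge.ncr.com annotations carry
# the DNS record request; presumably consumed by a DNS controller outside this file — confirm.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: dag
  annotations:
    # Templated values are quoted so an empty or digit-only expansion still renders as a string.
    dns.edge.ncr.com/dns-project-id: "${gcp_project_id}"
    dns.edge.ncr.com/managed-zone: infra/dev-infra
    dns.edge.ncr.com/name: "dag.${domain}."
spec:
  location: global
  resourceID: dag-ip
---
# NOTE: permissions for reading registry are set on the platform-infra cluster
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: oci-registry-explorer
---
# bind service account to GKE workload identity SA
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: oci-registry-explorer-wi
spec:
  # Only the Kubernetes SA "oci-registry-explorer" in namespace "oci-registry-explorer"
  # may impersonate the GSA; keep this member pinned to one namespace/SA pair.
  member: "serviceAccount:${gcp_project_id}.svc.id.goog[oci-registry-explorer/oci-registry-explorer]"  # [k8s-namespace/k8s-sa]
  resourceRef:
    name: oci-registry-explorer
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  role: roles/iam.workloadIdentityUser
---
# grant the GSA read access to Artifact Registry across the tenants folder
# (the comment previously here was copied from the workload-identity binding above)
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: oci-registry-explorer-read
spec:
  member: "serviceAccount:oci-registry-explorer@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Folder IDs are numeric; quoted so the rendered manifest keeps the value a string.
    external: "${tenants_gcp_folder_id}"
  # Folder-scoped: reader on every Artifact Registry repository in every project under the folder.
  # If a single project or repository is all that is needed, bind at that level instead — confirm with owners.
  role: roles/artifactregistry.reader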