# ExternalSecret: materialises the policy-bot GitHub App OAuth client id/secret
# and the session-signing key from GCP Secret Manager into a Kubernetes Secret.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  # No namespace is set here — presumably supplied by the surrounding
  # kustomization. Whichever namespace that is, every principal with get/list
  # on Secrets there can read the OAuth client secret and sessions key; the
  # namespace's Secret RBAC is the effective access boundary.
  name: policy-bot-oauth
spec:
  # Re-sync from Secret Manager every minute; this bounds how long a rotated
  # value stays stale in the cluster.
  refreshInterval: 1m
  # Cluster-scoped store backed by GCP Secret Manager. Which namespaces may
  # reference a ClusterSecretStore is controlled on the store itself — confirm
  # gcp-provider restricts that, otherwise any ExternalSecret author in the
  # cluster can request whatever the store's service account is allowed to read.
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-provider
  target:
    # Generated Secret; same name as this resource. With creationPolicy Owner,
    # ESO creates the Secret and owns it, so it goes away with this resource.
    name: policy-bot-oauth
    creationPolicy: Owner
  # remoteRef.key is the Secret Manager secret id; secretKey is the key written
  # into the generated Secret (the upper-case names suggest they are consumed
  # as environment variables). No remoteRef.version is pinned, so the
  # provider's default (latest enabled version) should be used — TODO confirm
  # against the gcp-provider store configuration.
  data:
    - secretKey: GITHUB_OAUTH_CLIENT_ID
      remoteRef:
        key: policy-bot-gh-app-oauth-client-id
    - secretKey: GITHUB_OAUTH_CLIENT_SECRET
      remoteRef:
        key: policy-bot-gh-app-oauth-client-secret
    - secretKey: POLICYBOT_SESSIONS_KEY
      remoteRef:
        key: policy-bot-gh-app-sessions-key
---
# Config Connector IAM binding: lets the External Secrets Operator's Google
# service account read the policy-bot OAuth client id from Secret Manager.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-policy-bot-gh-app-oauth-client-id
spec:
  # Bound to this one Secret Manager secret rather than project-wide, so the
  # ESO service account can read only the secrets explicitly granted in this
  # file. IAMPolicyMember adds a single binding and leaves the resource's
  # other bindings intact (unlike the authoritative IAMPolicy kind).
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${gcp_project_id}/secrets/policy-bot-gh-app-oauth-client-id
  # Read-only access to secret versions; no list/modify/delete.
  role: roles/secretmanager.secretAccessor
  # ${cluster_hash} and ${gcp_project_id} are substituted at render time; a
  # literal "${...}" would be rejected by IAM as an invalid member, so confirm
  # this file is templated before it is applied.
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
---
# Config Connector IAM binding: lets the External Secrets Operator's Google
# service account read the policy-bot OAuth client secret from Secret Manager.
# This is the most sensitive of the three bindings — the client secret lets a
# holder complete the GitHub OAuth flow as this app.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-policy-bot-gh-app-oauth-client-secret
spec:
  # Per-secret grant, not a project-level secretAccessor role, keeping the ESO
  # service account least-privilege. IAMPolicyMember is additive: it does not
  # replace bindings other controllers or humans have put on this secret.
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${gcp_project_id}/secrets/policy-bot-gh-app-oauth-client-secret
  # Read-only access to secret versions; no list/modify/delete.
  role: roles/secretmanager.secretAccessor
  # Same templated ESO service account as the sibling bindings; the
  # ${cluster_hash} / ${gcp_project_id} placeholders must be rendered before
  # apply or IAM rejects the member string.
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
---
# Config Connector IAM binding: lets the External Secrets Operator's Google
# service account read the policy-bot session-signing key from Secret Manager.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-policy-bot-gh-app-sessions-key
spec:
  # Scoped to exactly this secret; together with the two sibling bindings this
  # enumerates everything the ESO service account may read for policy-bot.
  # IAMPolicyMember is non-authoritative — it adds one binding, it does not
  # rewrite the secret's whole IAM policy.
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${gcp_project_id}/secrets/policy-bot-gh-app-sessions-key
  # Read-only access to secret versions; no list/modify/delete.
  role: roles/secretmanager.secretAccessor
  # Templated ESO service account; ${cluster_hash} and ${gcp_project_id} are
  # expected to be substituted by the rendering step before this is applied.
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com