---
# Credentials for policy-bot's GitHub App OAuth flow.
#
# Document 1: an ExternalSecret that syncs three entries from the
# `gcp-provider` ClusterSecretStore into a Kubernetes Secret named
# `policy-bot-oauth`.
# Documents 2-4: one IAMPolicyMember per Secret Manager secret, granting
# the External Secrets Operator's service account read access
# (secretAccessor) to exactly that secret. Bindings are per-secret rather
# than project-wide, so a compromise of the `ext-sec-*` service account
# only exposes these three values.
#
# `${cluster_hash}` and `${gcp_project_id}` are presumably substituted by
# the deployment tooling before apply — verify against the pipeline.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: policy-bot-oauth
spec:
  # Each entry maps a Secret Manager secret (remoteRef.key) onto a key of
  # the generated Kubernetes Secret (secretKey).
  data:
    - secretKey: GITHUB_OAUTH_CLIENT_ID
      remoteRef:
        key: policy-bot-gh-app-oauth-client-id
    - secretKey: GITHUB_OAUTH_CLIENT_SECRET
      remoteRef:
        key: policy-bot-gh-app-oauth-client-secret
    - secretKey: POLICYBOT_SESSIONS_KEY
      remoteRef:
        key: policy-bot-gh-app-sessions-key
  # How often the operator re-reads the remote values; a rotated secret in
  # Secret Manager reaches the cluster within this interval.
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-provider
  target:
    name: policy-bot-oauth
    # The ExternalSecret creates and owns the target Secret.
    creationPolicy: Owner
---
# Read access for the operator's service account to the OAuth client id.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-policy-bot-gh-app-oauth-client-id
spec:
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  role: roles/secretmanager.secretAccessor
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    # Bound to this single secret, not the whole project.
    external: projects/${gcp_project_id}/secrets/policy-bot-gh-app-oauth-client-id
---
# Read access for the operator's service account to the OAuth client secret.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-policy-bot-gh-app-oauth-client-secret
spec:
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  role: roles/secretmanager.secretAccessor
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${gcp_project_id}/secrets/policy-bot-gh-app-oauth-client-secret
---
# Read access for the operator's service account to the sessions key.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-policy-bot-gh-app-sessions-key
spec:
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  role: roles/secretmanager.secretAccessor
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${gcp_project_id}/secrets/policy-bot-gh-app-sessions-key