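# Config Connector ComputeAddress: a global address named gridbug-ip.
# Viewer gutter numbers are dropped and the nesting under metadata/spec is
# restored so the document parses as intended.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: gridbug-ip
  annotations:
    # The dns.edge.ncr.com/* annotations name a project, a managed zone and a
    # record; presumably a DNS controller reads them to publish a record for
    # this address - confirm against that controller.
    # ${gcp_project_id} and ${domain} are placeholders that are expected to
    # be substituted before the manifest is applied.
    dns.edge.ncr.com/dns-project-id: ${gcp_project_id}
    dns.edge.ncr.com/managed-zone: infra/dev-infra
    # The trailing dot makes the record name fully qualified.
    dns.edge.ncr.com/name: gridbug.${domain}.
spec:
  location: global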
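---
# Config Connector IAMServiceAccount: the Google service account for gridbug.
# Viewer gutter numbers are dropped and the nesting is restored.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: gridbug
spec:
  displayName: Gridbug
  # resourceID is the account id, so the account's email is
  # gridbug-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com, the
  # same string the IAMPolicyMember documents in this file use as `member`.
  # Every role bound to that member is held by whatever runs as this account.
  resourceID: gridbug-${cluster_hash}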
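---
# Config Connector IAMPolicyMember: grants the gridbug service account
# roles/alloydb.client on the project.
# Viewer gutter numbers are dropped and the nesting is restored: apiVersion,
# kind and external belong to resourceRef, role belongs to spec.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  # NOTE(review): unlike the bucket bindings in this file, this name carries
  # no ${cluster_hash} suffix; if several clusters render this manifest into
  # one namespace the objects would share a name - confirm that is intended.
  name: gridbug-server-alloy-client
spec:
  member: serviceAccount:gridbug-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    # Project-scoped binding: the role applies to every AlloyDB cluster in
    # ${gcp_project_id}, not to a single cluster.
    external: projects/${gcp_project_id}
  role: roles/alloydb.client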
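---
# Config Connector IAMPolicyMember: grants the gridbug service account
# roles/storage.objectViewer on the edge-test-jobs bucket.
# Viewer gutter numbers are dropped and the nesting is restored: apiVersion,
# kind and external belong to resourceRef, role belongs to spec.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: gridbug-${cluster_hash}-bucket-access
spec:
  member: serviceAccount:gridbug-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    # Bucket-scoped binding: the role applies to this one bucket only.
    external: edge-test-jobs
  # Read-only role: lets the account list and read objects, not write or
  # delete them.
  role: roles/storage.objectViewer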
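---
# Config Connector IAMPolicyMember: grants the gridbug service account
# roles/storage.admin on the edge-test-jobs bucket.
# Viewer gutter numbers are dropped and the nesting is restored: apiVersion,
# kind and external belong to resourceRef, role belongs to spec.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: gridbug-${cluster_hash}-bucket-lister
spec:
  member: serviceAccount:gridbug-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    external: edge-test-jobs
  # The binding is scoped to this one bucket, which limits where the role
  # applies but not what it allows there.
  # NOTE(review): roles/storage.admin on a bucket is still full control of
  # that bucket: the account can overwrite or delete its objects, delete the
  # bucket and change the bucket's IAM policy. The binding is named
  # "bucket-lister" and the same account already holds
  # roles/storage.objectViewer here, so if only bucket metadata and object
  # listing are needed, a narrower role such as
  # roles/storage.legacyBucketReader would cover it - confirm what the
  # workload actually calls before changing the role.
  role: roles/storage.admin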