apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gridbug
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: 'gce'
    kubernetes.io/ingress.global-static-ip-name: "gridbug-ip"
    networking.gke.io/managed-certificates: gridbug-cert
    networking.gke.io/v1beta1.FrontendConfig: "ncr-default"
spec:
  defaultBackend:
    service:
      name: gridbug
      port:
        number: 8080
---
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: ncr-default
spec:
  redirectToHttps:
    enabled: true
  sslPolicy: ncr-default
---
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: gridbug
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap-oauth
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: iap-oauth-ext
spec:
  dataFrom:
  - extract:
      key: gridbug-iap-oauth-creds
  refreshInterval: 1h
  secretStoreRef:
    name: gcp-provider
    kind: ClusterSecretStore
  target:
    name: iap-oauth
    creationPolicy: Owner
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-gridbug-iap-oauth-creds
spec:
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${gcp_project_id}/secrets/gridbug-iap-oauth-creds
  role: roles/secretmanager.secretAccessor