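---
# Public entry point for the gridbug service: a GCE (external) Ingress that
# serves HTTPS only, with IAP enforced by the BackendConfig further down.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gridbug
  annotations:
    # Disable the plain-HTTP listener on the load balancer; TLS only.
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.class: "gce"
    # Reserved global static IP; must already exist in the project.
    kubernetes.io/ingress.global-static-ip-name: "gridbug-ip"
    # ManagedCertificate resource; not defined in this file.
    networking.gke.io/managed-certificates: "gridbug-cert"
    # FrontendConfig defined in the next document (SSL policy + redirect).
    networking.gke.io/v1beta1.FrontendConfig: "ncr-default"
spec:
  defaultBackend:
    service:
      name: gridbug
      port:
        number: 8080
---
# Load-balancer frontend settings referenced by the Ingress annotation above.
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: ncr-default
spec:
  # NOTE(review): the Ingress sets allow-http: "false", which removes the HTTP
  # listener this redirect would answer on — confirm against the GKE docs
  # whether both can be active; if not, keep allow-http: "false" (the stricter
  # setting) and drop the redirect rather than the other way round.
  redirectToHttps:
    enabled: true
  # Compute Engine SSL policy (TLS version / cipher profile); must exist in
  # the project. Not defined in this file.
  sslPolicy: ncr-default
---
# Backend settings: enforce Identity-Aware Proxy in front of the service.
# NOTE(review): a BackendConfig only takes effect once the gridbug Service
# carries the cloud.google.com/backend-config annotation pointing at it; the
# Service is not in this file — verify there, otherwise IAP is not applied.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: gridbug
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      # Kubernetes Secret populated by the ExternalSecret below
      # (expected keys client_id / client_secret per the GKE IAP docs).
      secretName: iap-oauth
---
# Pull the IAP OAuth client credentials from Secret Manager into the
# iap-oauth Secret instead of committing them to this file.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: iap-oauth-ext
spec:
  dataFrom:
    - extract:
        key: gridbug-iap-oauth-creds
  refreshInterval: 1h
  secretStoreRef:
    name: gcp-provider
    kind: ClusterSecretStore
  target:
    name: iap-oauth
    # Owner: the Secret is created and removed together with this ExternalSecret.
    creationPolicy: Owner
---
# Least-privilege grant: the external-secrets service account may read only
# this one Secret Manager secret (secretAccessor on the secret, not the
# project). ${cluster_hash} / ${gcp_project_id} are substituted before apply
# — presumably envsubst-style; confirm with the deployment pipeline.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: essa-gridbug-iap-oauth-creds
spec:
  member: "serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: "projects/${gcp_project_id}/secrets/gridbug-iap-oauth-creds"
  role: roles/secretmanager.secretAccessor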