# Syncs the Grafana admin user name and password from the external secret
# store into the Kubernetes Secret grafana-admin-credentials.
# NOTE(review): no metadata.namespace is set; presumably the applying tool
# supplies it - confirm it is the namespace Grafana reads the Secret from.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: grafana-creds-es
spec:
  # Remote values are re-read every five minutes.
  refreshInterval: 5m
  # NOTE(review): a ClusterSecretStore is cluster-scoped; confirm the store
  # restricts which namespaces may reference it, since anything allowed to
  # create an ExternalSecret against it can read what its identity can read.
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-provider
  target:
    name: grafana-admin-credentials
    # Owner: the operator creates the Secret and owns it, so the Secret is
    # removed together with this ExternalSecret.
    creationPolicy: Owner
  # Neither remoteRef pins a version, so the provider's default version
  # selection applies to both entries.
  data:
    - secretKey: GF_SECURITY_ADMIN_PASSWORD
      remoteRef:
        key: grafana-creds-pass
    - secretKey: GF_SECURITY_ADMIN_USER
      remoteRef:
        key: grafana-creds-admin
---
# Grants one service account roles/secretmanager.secretAccessor on the single
# secret grafana-creds-admin. The binding is per secret, not project-wide.
# NOTE(review): presumably ext-sec-${cluster_hash} is the identity the
# gcp-provider store authenticates as - confirm.
# ${...} placeholders are filled in before apply; the values are quoted so the
# substituted text is always read as a string.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: 'essa-grafana-creds-admin-${cluster_hash}'
spec:
  role: roles/secretmanager.secretAccessor
  member: 'serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com'
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    # The secret is referenced by its full resource path; it is not defined
    # in this file.
    external: 'projects/${gcp_project_id}/secrets/grafana-creds-admin'
---
# Same grant as the previous document, for the secret grafana-creds-pass.
# Keep the two bindings in step with the remoteRef keys of grafana-creds-es:
# a key with no matching binding cannot be read by this service account.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: 'essa-grafana-creds-pass-${cluster_hash}'
spec:
  role: roles/secretmanager.secretAccessor
  member: 'serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com'
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: 'projects/${gcp_project_id}/secrets/grafana-creds-pass'