
Text file src/edge-infra.dev/config/pallets/sds/emergencyaccess/store-infra/manifests.yaml

Documentation: edge-infra.dev/config/pallets/sds/emergencyaccess/store-infra

     1apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
     2kind: PubSubSubscription
     3metadata:
     4  name: sub.${cluster_uuid}.dsds-ea-response
     5spec:
     6  enableMessageOrdering: true
     7  filter: attributes.storeId="${cluster_uuid}"
     8  resourceID: sub.${cluster_uuid}.dsds-ea-response
     9  topicRef:
    10    external: projects/${gcp_project_id}/topics/topic.dsds-ea-response
    11---
    12apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    13kind: PubSubSubscription
    14metadata:
    15  name: sub.${cluster_uuid}.dsds-ea-request
    16spec:
    17  enableMessageOrdering: true
    18  filter: attributes.storeId="${cluster_uuid}"
    19  resourceID: sub.${cluster_uuid}.dsds-ea-request
    20  topicRef:
    21    external: projects/${gcp_project_id}/topics/topic.dsds-ea-request
    22---
    23apiVersion: iam.cnrm.cloud.google.com/v1beta1
    24kind: IAMServiceAccount
    25metadata:
    26  name: service-account.${cluster_uuid}.dsds-ea
    27spec:
    28  description: "Remote Agent Emergency Access Service Account. (${cluster_uuid})"
    29  resourceID: dsds-ea-${cluster_hash}
    30---
    31apiVersion: iam.cnrm.cloud.google.com/v1beta1
    32kind: IAMPartialPolicy
    33metadata:
    34  name: subscription-policy.${cluster_uuid}.dsds-ea-sa
    35spec:
    36  bindings:
    37  - members:
    38    - memberFrom:
    39        serviceAccountRef:
    40          name: service-account.${cluster_uuid}.dsds-ea
    41    role: roles/pubsub.subscriber
    42  resourceRef:
    43    name: sub.${cluster_uuid}.dsds-ea-request
    44    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    45    kind: PubSubSubscription
    46---
    47apiVersion: iam.cnrm.cloud.google.com/v1beta1
    48kind: IAMPartialPolicy
    49metadata:
    50  name: response-topic-policy.${cluster_uuid}.dsds-ea-sa
    51spec:
    52  bindings:
    53  - members:
    54    - memberFrom:
    55        serviceAccountRef:
    56          name: service-account.${cluster_uuid}.dsds-ea
    57    role: roles/pubsub.publisher
    58  resourceRef:
    59    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    60    kind: PubSubTopic
    61    external: projects/${gcp_project_id}/topics/topic.dsds-ea-response
    62---
    63apiVersion: iam.cnrm.cloud.google.com/v1beta1
    64kind: IAMPartialPolicy
    65metadata:
    66  name: ea-response-sub-policy.dsds-ea-sa
    67spec:
    68  bindings:
    69  - members:
    70    - member: serviceAccount:ea-pubsub-sa@${foreman_gcp_project_id}.iam.gserviceaccount.com
    71    role: roles/pubsub.subscriber
    72  resourceRef:
    73    name: sub.${cluster_uuid}.dsds-ea-response
    74    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    75    kind: PubSubSubscription
    76---
    77apiVersion: iam.cnrm.cloud.google.com/v1beta1
    78kind: IAMServiceAccountKey
    79metadata:
    80  name: remotecli-${cluster_uuid}-gcp-api-key
    81spec:
    82  serviceAccountRef:
    83    name: service-account.${cluster_uuid}.dsds-ea
    84---
    85apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    86kind: SecretManagerSecret
    87metadata:
    88  name: remotecli-${cluster_uuid}-gcp-api-key
    89spec:
    90  replication:
    91    automatic: true
    92---
    93apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    94kind: SecretManagerSecretVersion
    95metadata:
    96  name: secret-manager-secret-version.${cluster_uuid}.dsds-ea-sa
    97spec:
    98  secretRef:
    99    name: remotecli-${cluster_uuid}-gcp-api-key
   100  enabled: true
   101  secretData:
   102    valueFrom:
   103      secretKeyRef:
   104        name: remotecli-${cluster_uuid}-gcp-api-key
   105        key: key.json
