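# Talaria bootstrap controller: namespace, GCP IAM bindings (Config Connector),
# secret plumbing (kubernetes-external-secrets) and the Deployment itself.
# Values followed by `# {"$kpt-set":"..."}` are kpt setters; the comment must stay
# on the same line as the value it sets.
---
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: unthos-cfg-mgmt-read-ssh
  namespace: talaria
  labels:
    app.kubernetes.io/name: talaria
    platform.edge.ncr.com: 'true'
    platform.edge.ncr.com/component: talaria
spec:
  data:
    # Mounted read-only by the Deployment at /opt/secrets/unthos-cfg-mgmt-read-ssh
    - name: ssh
      key: unthos-cfg-mgmt-read-ssh
  backendType: gcpSecretsManager
  projectId: foreman-project-id # {"$kpt-set":"foreman-project-id"}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: talaria-chariot-config
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: talaria
data:
  # NOTE: these are not currently real/accurate values or placeholders
  CHARIOT_ENDPOINT: https://chariot.edge.ncr.com # {"$kpt-set":"chariot-endpoint"}
---
apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: edge-api-iap-oauth2-client-id
  namespace: talaria
  labels:
    app.kubernetes.io/name: talaria
    platform.edge.ncr.com: 'true'
    platform.edge.ncr.com/component: talaria
spec:
  data:
    # Consumed via envFrom.secretRef in the Deployment (optional there)
    - name: CHARIOT_AUTH_IAP_CLIENT_ID
      key: edge-api-iap-oauth2-client-id
  backendType: gcpSecretsManager
  projectId: foreman-project-id # {"$kpt-set":"foreman-project-id"}
---
apiVersion: v1
kind: Namespace
metadata:
  name: talaria
  labels:
    app.kubernetes.io/name: talaria
    istio.io/rev: asm-181-5
    platform.edge.ncr.com: 'true'
    platform.edge.ncr.com/component: talaria
    workload.edge.ncr.com: platform
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: talaria-folder-secret-manager
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: talaria
  annotations:
    cnrm.cloud.google.com/folder-id: folder-id # {"$kpt-set":"folder-id"}
spec:
  member: serviceAccount:talaria@foreman-project-id.iam.gserviceaccount.com # {"$kpt-set":"foreman-project-id-talaria-sa-setter"}
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: folder-id # {"$kpt-set":"folder-id"}
  # NOTE(review): secretmanager.admin at folder scope applies to every project
  # under the folder. Confirm a narrower role (e.g. roles/secretmanager.secretAccessor)
  # is not sufficient for what talaria actually does with secrets.
  role: roles/secretmanager.admin
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: talaria-foreman-config
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: talaria
data:
  GCP_BILLING_ACCOUNT: billing-account # {"$kpt-set":"billing-account"}
  GCP_FOLDER_ID: folder-id # {"$kpt-set":"folder-id"}
  GCP_PROJECT_ID: foreman-project-id # {"$kpt-set":"foreman-project-id"}
  # Quoted on purpose: ConfigMap values must be strings, not booleans
  PROJECT_BOOTSTRAPPING: 'true'
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccountKey
metadata:
  name: talaria-gcp-api-creds
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: talaria
  annotations:
    cnrm.cloud.google.com/project-id: foreman-project-id # {"$kpt-set":"foreman-project-id"}
spec:
  # NOTE(review): this materialises a long-lived private key for the talaria
  # GSA into a cluster Secret (same name) that the Deployment mounts. If the
  # cluster runs Workload Identity, binding the talaria KSA to the GSA would
  # remove the static key and its rotation burden — confirm before changing.
  keyAlgorithm: KEY_ALG_RSA_2048
  privateKeyType: TYPE_GOOGLE_CREDENTIALS_FILE
  publicKeyType: TYPE_X509_PEM_FILE
  serviceAccountRef:
    name: talaria
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: talaria-gke-cluster-viewer
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: talaria
  annotations:
    cnrm.cloud.google.com/folder-id: folder-id # {"$kpt-set":"folder-id"}
spec:
  member: serviceAccount:talaria@foreman-project-id.iam.gserviceaccount.com # {"$kpt-set":"foreman-project-id-talaria-sa-setter"}
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: folder-id # {"$kpt-set":"folder-id"}
  role: roles/container.clusterViewer
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: talaria-gke-hub-admin
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: talaria
  annotations:
    cnrm.cloud.google.com/folder-id: folder-id # {"$kpt-set":"folder-id"}
spec:
  member: serviceAccount:talaria@foreman-project-id.iam.gserviceaccount.com # {"$kpt-set":"foreman-project-id-talaria-sa-setter"}
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: folder-id # {"$kpt-set":"folder-id"}
  role: roles/gkehub.admin
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: talaria
  namespace: talaria
  labels:
    app.kubernetes.io/name: talaria
    # Build labels are quoted so a digits-only commit/id/timestamp can never be
    # retyped as a number by a YAML 1.1 loader
    build.edge.ncr.com/commit: "5477ca2920e11ab6b4da631e89dcd5efb2c7613f"
    build.edge.ncr.com/id: "969381288"
    build.edge.ncr.com/semver: "0.0.1-rc.969381288.5477ca2.2021-06-24"
    build.edge.ncr.com/timestamp: "1624568874"
    platform.edge.ncr.com/component: talaria
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: talaria
  template:
    metadata:
      labels:
        app.kubernetes.io/name: talaria
    spec:
      # `serviceAccount` is the deprecated alias of this field
      serviceAccountName: talaria
      # NOTE(review): no pod/container securityContext and no resource limits are
      # set. Whether the image tolerates runAsNonRoot / readOnlyRootFilesystem
      # has to be checked against the image before adding them here.
      containers:
        - name: talaria
          image: us-east1-docker.pkg.dev/ret-edge-pltf-preprod-infra/preprod/talaria@sha256:b2375bd75ea47833d38e55659002b1e6105f33eb29f8c7310276cc923c97e7e2
          envFrom:
            - secretRef: # not needed for top-level deployments
                name: edge-api-iap-oauth2-client-id
                optional: true
            - configMapRef: # not needed for top-level deployments
                name: talaria-chariot-config
                optional: true
            - configMapRef: # not needed in enterprise deployments
                name: talaria-foreman-config
                optional: true
            - configMapRef:
                name: talaria-git-config
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
            - name: GOOGLE_APPLICATION_CREDENTIALS
              # key.json is default key name in IAMServiceAccountKey unwrapped
              # secret
              value: /opt/secrets/talaria-gcp-api-creds/key.json
          resources:
            requests:
              cpu: 1000m
              memory: 200Mi
          volumeMounts:
            - name: unthos-cfg-mgmt-read-ssh
              readOnly: true
              mountPath: /opt/secrets/unthos-cfg-mgmt-read-ssh
            - name: talaria-gcp-api-creds
              readOnly: true
              mountPath: /opt/secrets/talaria-gcp-api-creds
          # Image is pinned by digest, so IfNotPresent cannot pick up a stale tag
          imagePullPolicy: IfNotPresent
      volumes:
        - name: unthos-cfg-mgmt-read-ssh
          secret:
            secretName: unthos-cfg-mgmt-read-ssh
        - name: talaria-gcp-api-creds
          secret:
            secretName: talaria-gcp-api-creds
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: talaria
  namespace: talaria
  labels:
    platform.edge.ncr.com/component: talaria
  annotations:
    cnrm.cloud.google.com/project-id: foreman-project-id # {"$kpt-set":"foreman-project-id"}
spec:
  description: Register clusters with GKE Hub & auth with Edge components over IAP
  displayName: Edge Talaria Bootstrap Controller
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: talaria
  namespace: talaria
  labels:
    app.kubernetes.io/name: talaria
    platform.edge.ncr.com/component: talaria
imagePullSecrets:
  - name: edge-docker-pull-secret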