# Grants the Flux source controller's Google service account (GSA) the custom
# role projects/${gcp_project_id}/roles/fluxread on one GCS bucket, so the
# controller can read source artifacts from that bucket.
#
# Security notes (review):
# - The effective privilege is whatever the custom role `fluxread` carries; it
#   is defined outside this file, so this binding is least-privilege only if
#   that role is limited to read-only storage permissions — verify the role.
# - IAMPartialPolicy (rather than IAMPolicy) is used here; the intent is to
#   manage only the bindings listed below and leave bindings set elsewhere on
#   the bucket untouched — confirm this matches the KCC version in use.
# - The member is written out as the GSA email instead of being referenced via
#   the IAMServiceAccount object that creates it; the two agree only because
#   both use flux-${cluster_hash}. A `memberFrom.serviceAccountRef` would make
#   that dependency explicit, if the schema in use supports it.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: flux-source-controller-storage-access
  namespace: flux-system
  annotations:
    # Project in which Config Connector applies the binding.
    cnrm.cloud.google.com/project-id: ${gcp_project_id}
    description: |
      Grants storage permissions for reading from GCS to Flux source controller
    # Provenance stamped by the pallet tooling: the release, commit and source
    # tree this manifest was rendered from.
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: fluxcd-operators
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    # NOTE(review): ${cluster_hash}/${cluster_uuid} are substituted unquoted.
    # Label values must be strings, so if a substituted value ever parses as a
    # number or boolean the object is rejected — quoting the placeholders is
    # the defensive form.
    cluster_hash: ${cluster_hash}
    cluster_uuid: ${cluster_uuid}
spec:
  bindings:
    - members:
        # Email of the GSA whose resourceID is flux-${cluster_hash}.
        - member: serviceAccount:flux-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
      role: projects/${gcp_project_id}/roles/fluxread
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    # `external` is the bucket *name*; this assumes a bucket literally named
    # after the project id exists — verify against the bucket's definition.
    external: ${gcp_project_id}
---
# Lets the Kubernetes service account flux-system/source-controller act as the
# Google service account defined below via GKE Workload Identity: the KSA is
# granted roles/iam.workloadIdentityUser on the GSA itself (a binding on the
# service-account resource, not a project-level grant), so the controller pod
# can obtain GCP tokens without a service-account key.
#
# Security notes (review):
# - The member identity is scoped to the *project's* identity pool
#   (${gcp_project_id}.svc.id.goog), not to this cluster: the cluster_hash
#   label on this object does not narrow who may use the binding. Any cluster
#   in the same project that is attached to that pool and has a KSA named
#   `source-controller` in namespace `flux-system` can impersonate this GSA.
#   If clusters of different trust levels share the project, that is a
#   lateral-movement path — confirm the project is a single trust boundary.
# - Control over who can create or modify the `source-controller` KSA in
#   flux-system is therefore part of this binding's security boundary.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: flux-source-controller-workload-id
  namespace: flux-system
  annotations:
    # Project in which Config Connector applies the binding.
    cnrm.cloud.google.com/project-id: ${gcp_project_id}
    description: |
      Binds the K8s SA used by the Flux sourcecontroller to the GCP IAM
      service account defined in the base.
    # Provenance stamped by the pallet tooling: the release, commit and source
    # tree this manifest was rendered from.
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: fluxcd-operators
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    # NOTE(review): placeholders are unquoted; label values must be strings,
    # so quoting them guards against a value that parses as a number/boolean.
    cluster_hash: ${cluster_hash}
    cluster_uuid: ${cluster_uuid}
spec:
  # Workload Identity principal for the KSA flux-system/source-controller.
  member: serviceAccount:${gcp_project_id}.svc.id.goog[flux-system/source-controller]
  resourceRef:
    # Resolves to the IAMServiceAccount object of this name in the same
    # namespace (resourceID flux-${cluster_hash}).
    name: flux-source-controller
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  # Only impersonation of this one GSA; no other role is granted here.
  role: roles/iam.workloadIdentityUser
---
# Creates the Google service account the Flux source controller runs as. Its
# GCP id is flux-${cluster_hash} (one GSA per cluster), which yields the email
# flux-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com that the
# storage binding refers to. The Kubernetes name flux-source-controller is what
# the Workload Identity IAMPolicyMember's resourceRef resolves.
#
# Security notes (review):
# - Nothing in this file creates a key for this account; access is intended to
#   go through Workload Identity only. Keep it that way — do not add an
#   IAMServiceAccountKey for it.
# - Google service-account ids must be 6–30 characters of lowercase letters,
#   digits or hyphens, starting with a letter, so ${cluster_hash} must be
#   lowercase and at most 25 characters after the `flux-` prefix — confirm how
#   the hash is generated.
# - No displayName is set; adding one that names the cluster would make this
#   account easier to attribute in IAM audit logs.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: flux-source-controller
  namespace: flux-system
  annotations:
    # Project in which the service account is created.
    cnrm.cloud.google.com/project-id: ${gcp_project_id}
    description: Used by Flux source controller
    # Provenance stamped by the pallet tooling: the release, commit and source
    # tree this manifest was rendered from.
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: fluxcd-operators
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-infra'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    # NOTE(review): placeholders are unquoted; label values must be strings,
    # so quoting them guards against a value that parses as a number/boolean.
    cluster_hash: ${cluster_hash}
    cluster_uuid: ${cluster_uuid}
spec:
  # GCP-side account id (metadata.name is only the Kubernetes object name);
  # made per-cluster via ${cluster_hash}.
  resourceID: flux-${cluster_hash}