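# Grants roles/stackdriver.resourceMetadata.writer to the per-cluster o11y
# Google service account (o11y-<cluster_hash>).
# IAMPolicyMember adds this single member/role binding without replacing the
# rest of the project's IAM policy.
# Scope: resourceRef targets the Project, so the role applies project-wide,
# not only to resources belonging to this cluster.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: prometheus-sa-k8s-metadata-writer
  namespace: prometheus
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: prometheus
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-o11y'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    # Quoted so that a substituted value consisting only of digits (or one
    # that reads as a float/boolean) is still parsed as a string; Kubernetes
    # label values must be strings.
    cluster_hash: "${cluster_hash}"
    cluster_uuid: "${cluster_uuid}"
spec:
  member: "serviceAccount:o11y-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/stackdriver.resourceMetadata.writer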
---
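# Grants roles/monitoring.metricWriter to the per-cluster o11y Google service
# account (o11y-<cluster_hash>) so it can write metrics.
# Scope: resourceRef targets the Project, so the identity may write metric
# data anywhere in the project, not only for this cluster.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: prometheus-sa-k8s-metric-writer
  namespace: prometheus
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: prometheus
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-o11y'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    # Quoted so that a substituted value consisting only of digits (or one
    # that reads as a float/boolean) is still parsed as a string; Kubernetes
    # label values must be strings.
    cluster_hash: "${cluster_hash}"
    cluster_uuid: "${cluster_uuid}"
spec:
  member: "serviceAccount:o11y-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/monitoring.metricWriter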
---
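# Grants roles/monitoring.viewer (read-only access to monitoring data) to the
# per-cluster o11y Google service account (o11y-<cluster_hash>).
# Scope: resourceRef targets the Project, so this identity can read
# monitoring data for the whole project, including data produced by other
# workloads or clusters that share it.
# NOTE(review): confirm the workload needs read access in addition to the
# writer roles; drop this binding if it only exports metrics.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: prometheus-sa-k8s-monitoring-viewer
  namespace: prometheus
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: prometheus
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-o11y'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    # Quoted so that a substituted value consisting only of digits (or one
    # that reads as a float/boolean) is still parsed as a string; Kubernetes
    # label values must be strings.
    cluster_hash: "${cluster_hash}"
    cluster_uuid: "${cluster_uuid}"
spec:
  member: "serviceAccount:o11y-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/monitoring.viewer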
---
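# Workload Identity binding: lets the Kubernetes service account
# prometheus/prometheus (namespace/name) act as the per-cluster o11y Google
# service account by granting it roles/iam.workloadIdentityUser on that
# service account.
# Any pod that can run as that Kubernetes service account obtains every role
# bound to the Google service account, so the ability to create pods or mint
# tokens in the prometheus namespace should be restricted to match.
# The identity pool (<project>.svc.id.goog) is shared by every cluster in the
# project, so a prometheus/prometheus service account in any of those
# clusters matches this member, not only the one in this cluster.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: prometheus-sa-workload-id
  namespace: prometheus
  annotations:
    pallet.edge.ncr.com/created: "2023-02-16T21:26:39Z"
    pallet.edge.ncr.com/name: prometheus
    pallet.edge.ncr.com/revision: 696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/source: https://github.com/ncrvoyix-swt-retail/edge-infra/tree/696897a3df910b6e84a88c9336907a17b18159c1
    pallet.edge.ncr.com/team: '@ncrvoyix-swt-retail/edge-o11y'
    pallet.edge.ncr.com/version: 7.7.7-rc.1676582799+commit.696897a
  labels:
    # Quoted so that a substituted value consisting only of digits (or one
    # that reads as a float/boolean) is still parsed as a string; Kubernetes
    # label values must be strings.
    cluster_hash: "${cluster_hash}"
    cluster_uuid: "${cluster_uuid}"
spec:
  # Quoted: the value contains '[' and ']' and starts from a template
  # placeholder, so keep it an explicit string.
  member: "serviceAccount:${gcp_project_id}.svc.id.goog[prometheus/prometheus]"
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    external: "projects/${gcp_project_id}/serviceAccounts/o11y-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  role: roles/iam.workloadIdentityUser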