extraObjects:
  - apiVersion: external-secrets.io/v1beta1
    kind: ClusterSecretStore
    metadata:
      name: k8s-infra-prow-build
    spec:
      provider:
        gcpsm:
          projectID: k8s-infra-prow-build

  - apiVersion: v1
    kind: ConfigMap
    metadata:
      name: google-adc
      namespace: external-secrets
    data:
      adc.json: |
        {
          "type": "external_account",
          "audience": "//iam.googleapis.com/projects/773781448124/locations/global/workloadIdentityPools/prow-eks/providers/kops",
          "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
          "token_url": "https://sts.googleapis.com/v1/token",
          "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/kubernetes-external-secrets@k8s-infra-prow-build.iam.gserviceaccount.com:generateAccessToken",
          "credential_source": {
            "file": "/var/run/secrets/google-iam-token/serviceaccount/token",
            "format": {
              "type": "text"
            }
          }
        }

extraVolumes:
  - name: google-iam-token
    projected:
      defaultMode: 420
      sources:
        - serviceAccountToken:
            audience: sts.googleapis.com
            expirationSeconds: 86400
            path: token
  - name: google-adc
    configMap:
      name: google-adc

extraEnv:
  - name: GOOGLE_APPLICATION_CREDENTIALS
    value: /etc/google/adc.json

extraVolumeMounts:
  - mountPath: /var/run/secrets/google-iam-token/serviceaccount
    name: google-iam-token
    readOnly: true
  - mountPath: /etc/google
    name: google-adc
    readOnly: true