extraObjects:
  - apiVersion: external-secrets.io/v1beta1
    kind: ClusterSecretStore
    metadata:
      name: k8s-infra-prow-build
    spec:
      provider:
        gcpsm:
          projectID: k8s-infra-prow-build
  - apiVersion: external-secrets.io/v1beta1
    kind: ClusterSecretStore
    metadata:
      name: secretstore-ibm-k8s
    spec:
      provider:
        ibm:
          serviceUrl: "https://0664d47c-fe42-423f-930d-69570443cd15.eu-de.secrets-manager.appdomain.cloud"
          auth:
            secretRef:
              secretApiKeySecretRef:
                name: ibm-sm-apikey
                key: API_KEY
                namespace: external-secrets
  - apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: ibm-sm-apikey
    spec:
      data:
        - remoteRef:
            key: ibm-sm-apikey
          secretKey: API_KEY
      secretStoreRef:
        kind: ClusterSecretStore
        name: k8s-infra-prow-build
  - apiVersion: v1
    kind: ConfigMap
    metadata:
      name: google-adc
    data:
      adc.json: |
        {
          "universe_domain": "googleapis.com",
          "type": "external_account",
          "audience": "//iam.googleapis.com/projects/16065310909/locations/global/workloadIdentityPools/ibm-clusters/providers/s390x",
          "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
          "token_url": "https://sts.googleapis.com/v1/token",
          "credential_source": {
            "file": "/var/run/secrets/google-iam-token/serviceaccount/token",
            "format": {
              "type": "text"
            }
          }
        }
  - apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: secret-rotator-api-key
    spec:
      refreshInterval: 60m
      secretStoreRef:
        name: secretstore-ibm-k8s
        kind: ClusterSecretStore
      target:
        name: secret-rotator-api-key
        creationPolicy: Owner
      data:
        - secretKey: api-key
          remoteRef:
            key: iam_credentials/a2f576a8-e609-105f-e586-20b6706f2215
  - apiVersion: batch/v1
    kind: CronJob
    metadata:
      name: ibmcloud-secret-rotator
      labels:
        app: ibmcloud-secret-rotator
    spec:
      schedule: "0 */2 * * *"
      jobTemplate:
        spec:
          template:
            spec:
              containers:
              - name: rotator-container
                image: public.ecr.aws/docker/library/golang:1.24
                imagePullPolicy: Always
                command:
                - /bin/bash
                args:
                - -c
                - |
                  set -o errexit
                  set -o nounset
                  set -o pipefail

                  go install sigs.k8s.io/provider-ibmcloud-test-infra/secret-manager@71ef4d8
                  secret-manager rotate --instance-id 0664d47c-fe42-423f-930d-69570443cd1 --labels rotate:true --confirm
                env:
                - name: IBMCLOUD_ENV_FILE
                  value: "/home/.ibmcloud/api-key"
                volumeMounts:
                - name: credentials
                  mountPath: /home/.ibmcloud
              restartPolicy: OnFailure
              volumes:
              - name: credentials
                secret:
                  secretName: secret-rotator-api-key

extraVolumes:
  - name: google-iam-token
    projected:
      defaultMode: 420
      sources:
        - serviceAccountToken:
            audience: sts.googleapis.com
            expirationSeconds: 86400
            path: token
  - name: google-adc
    configMap:
      name: google-adc

extraEnv:
  - name: GOOGLE_APPLICATION_CREDENTIALS
    value: /etc/google/adc.json

extraVolumeMounts:
  - mountPath: /var/run/secrets/google-iam-token/serviceaccount
    name: google-iam-token
    readOnly: true
  - mountPath: /etc/google
    name: google-adc
    readOnly: true