# SecretStore for Google Cloud Secret Manager
# This configures External Secrets Operator to fetch secrets from GCP Secret Manager

apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-gcp
  namespace: veza-production
  annotations:
    iam.gke.io/gcp-service-account: veza-external-secrets@PROJECT_ID.iam.gserviceaccount.com
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: gcp-store
  namespace: veza-production
spec:
  provider:
    gcpsm:
      projectId: PROJECT_ID
      auth:
        workloadIdentity:
          clusterLocation: us-central1
          clusterName: veza-cluster
          serviceAccountRef:
            name: external-secrets-gcp