---
apiVersion: v1
kind: ConfigMap
metadata:
  name: credentials-sync
data:
  GCR_REGISTRY: gcr.io  # set the registry
  KUBE_SECRET: gcr-credentials  # does not yet exist -- will be created in the same Namespace

# Bind to the GCP service-account
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: credentials-sync
  namespace: flux-system
  annotations:
    iam.gke.io/gcp-service-account: <name>@<project-id>.iam.gserviceaccount.com # set the GCP service-account

# Set the reconcile period
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: credentials-sync
  namespace: flux-system
spec:
  schedule: 0,30 * * * *  # 30m interval -- GCR tokens expire every hour; refresh faster than that