{"id":36753782,"url":"https://github.com/openshift-hyperfleet/adapter-landing-zone","last_synced_at":"2026-01-20T18:05:51.001Z","repository":{"id":327974899,"uuid":"1113602147","full_name":"openshift-hyperfleet/adapter-landing-zone","owner":"openshift-hyperfleet","description":"Handles environment preparation and prerequisite setup for GCP-based cluster provisioning operations.","archived":false,"fork":false,"pushed_at":"2025-12-30T02:36:48.000Z","size":36,"stargazers_count":0,"open_issues_count":0,"forks_count":3,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-02T11:54:26.452Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openshift-hyperfleet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-10T07:50:37.000Z","updated_at":"2025-12-30T02:36:52.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/openshift-hyperfleet/adapter-landing-zone","commit_stats":null,"previous_names":["openshift-hyperfleet/adapter-landing-zone"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/openshift-hyperfleet/adapter-landing-zone","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift-hyperfleet%2Fadapter-landing-zone","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift-hyperfleet%2Fadapter-landing-zone/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift-hyperfleet%2Fadapter-landing-zone/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift-hyperfleet%2Fadapter-landing-zone/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openshift-hyperfleet","download_url":"https://codeload.github.com/openshift-hyperfleet/adapter-landing-zone/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openshift-hyperfleet%2Fadapter-landing-zone/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28338983,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-12T12:22:26.515Z","status":"ssl_error","status_checked_at":"2026-01-12T12:22:10.856Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-01-12T12:47:38.919Z","updated_at":"2026-01-12T12:47:39.589Z","avatar_url":"https://github.com/openshift-hyperfleet.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# HyperFleet Landing Zone Adapter\n\nEvent-driven adapter for HyperFleet cluster provisioning. Handles environment preparation and prerequisite setup for GCP-based cluster provisioning operations. Consumes CloudEvents from message brokers (GCP Pub/Sub, RabbitMQ), processes AdapterConfig, manages Kubernetes resources, and reports status via API.\n\n## Table of Contents\n\n- [Prerequisites](#prerequisites)\n- [Local Development](#local-development)\n  - [GCP Authentication](#gcp-authentication)\n- [Helm Chart Installation](#helm-chart-installation)\n- [Configuration](#configuration)\n- [Examples](#examples)\n- [GCP Workload Identity Setup](#gcp-workload-identity-setup)\n- [Notes](#notes)\n\n## Prerequisites\n\n- Kubernetes 1.19+\n- Helm 3.0+\n- GCP Workload Identity (for Pub/Sub access)\n- `gcloud` CLI configured with appropriate permissions\n\n## Local Development\n\nRun the adapter locally for development and testing.\n\n### Prerequisites\n\n- `hyperfleet-adapter` binary installed and in PATH\n- GCP service account key for Pub/Sub access (see [GCP Authentication](#gcp-authentication))\n- Access to a GKE cluster (for applying Kubernetes resources)\n- `podman` or `docker` for RabbitMQ (if `BROKER_TYPE=rabbitmq`)\n\n### Setup\n\n1. Copy environment template:\n\n```bash\ncp env.example .env\n```\n\n2. Edit `.env` with your configuration:\n\n```bash\n# Required for Google Pub/Sub (default)\nGCP_PROJECT_ID=\"your-gcp-project-id\"\nBROKER_TOPIC=\"hyperfleet-adapter-topic\"\nBROKER_SUBSCRIPTION_ID=\"hyperfleet-adapter-landing-zone-subscription\"\n\n# Required for all broker types\nHYPERFLEET_API_BASE_URL=\"https://localhost:8000\"\n\n# Optional (defaults provided)\nSUBSCRIBER_PARALLELISM=\"1\"\nHYPERFLEET_API_VERSION=\"v1\"\n\n# Required for RabbitMQ (if BROKER_TYPE=rabbitmq)\n# RABBITMQ_URL=\"amqp://guest:guest@localhost:5672/\"\n```\n\n3. Set up GCP authentication (see [GCP Authentication](#gcp-authentication) for detailed steps):\n\n```bash\n# Create service account key and set in .env\nexport GOOGLE_APPLICATION_CREDENTIALS=\"./sa-key.json\"\n```\n\n4. Connect to your GKE cluster (required for the adapter to apply Kubernetes resources):\n\n```bash\n# Get credentials for your GKE cluster (using variables from .env)\ngcloud container clusters get-credentials \"$GKE_CLUSTER_NAME\" \\\n  --region \"$GKE_CLUSTER_REGION\" \\\n  --project \"$GCP_PROJECT_ID\"\n\n# Verify connection\nkubectl cluster-info\n```\n\n### Run\n\n```bash\n# For Google Pub/Sub (default)\nmake run-local\n\n# For RabbitMQ\nBROKER_TYPE=rabbitmq make run-local\n\n# For RabbitMQ with Docker (override default podman)\nBROKER_TYPE=rabbitmq CONTAINER_RUNTIME=docker make run-local\n```\n\nThe script will:\n- Auto-source `.env` if it exists\n- Verify `hyperfleet-adapter` is installed\n- Validate required environment variables\n- **Auto-create Pub/Sub topic and subscription if missing** (for `googlepubsub` type)\n- **Manage RabbitMQ container** (start/create for `rabbitmq` type)\n- Generate broker config from `configs/broker-local-pubsub.yaml` or `configs/broker-local-rabbitmq.yaml`\n- Start the adapter with verbose logging\n\n### Local Environment Variables\n\n| Variable | Required | Description | Default |\n|----------|----------|-------------|---------|\n| `GCP_PROJECT_ID` | Yes* | GCP project ID | - |\n| `GKE_CLUSTER_NAME` | Yes | GKE cluster name for kubeconfig | - |\n| `GKE_CLUSTER_REGION` | Yes | GKE cluster region (or use `GKE_CLUSTER_ZONE`) | - |\n| `BROKER_TOPIC` | Yes* | Pub/Sub topic name | - |\n| `BROKER_SUBSCRIPTION_ID` | Yes* | Pub/Sub subscription ID | - |\n| `HYPERFLEET_API_BASE_URL` | Yes | HyperFleet API base URL | - |\n| `SUBSCRIBER_PARALLELISM` | No | Number of parallel workers | `1` |\n| `HYPERFLEET_API_VERSION` | No | API version | `v1` |\n| `GOOGLE_APPLICATION_CREDENTIALS` | Yes* | Path to service account key file (recommended) | - |\n| `RABBITMQ_URL` | No** | RabbitMQ connection URL (when using RabbitMQ broker) | `amqp://guest:guest@localhost:5672/` |\n| `BROKER_TYPE` | No | Broker type: `googlepubsub` or `rabbitmq` | `googlepubsub` |\n| `CONTAINER_RUNTIME` | No | Container runtime for RabbitMQ | `podman` |\n\n\\* Required when using GCP Pub/Sub broker (default)\n\\*\\* Required when using RabbitMQ broker\n\n### GCP Authentication\n\nThe adapter uses GCP Application Default Credentials (ADC). **Recommended:** Use a service account key file to avoid conflicts with other applications.\n\n```bash\n# 1. Create service account\ngcloud iam service-accounts create hyperfleet-adapter-local \\\n  --project=\"$GCP_PROJECT_ID\" \\\n  --display-name=\"HyperFleet Adapter Local Dev\"\n\n# 2. Grant Pub/Sub permissions\ngcloud projects add-iam-policy-binding \"$GCP_PROJECT_ID\" \\\n  --member=\"serviceAccount:hyperfleet-adapter-local@${GCP_PROJECT_ID}.iam.gserviceaccount.com\" \\\n  --role=\"roles/pubsub.subscriber\"\n\n# 3. Create key file\ngcloud iam service-accounts keys create ./sa-key.json \\\n  --iam-account=\"hyperfleet-adapter-local@${GCP_PROJECT_ID}.iam.gserviceaccount.com\"\n\n# 4. Add to .env\nexport GOOGLE_APPLICATION_CREDENTIALS=\"./sa-key.json\"\n```\n\n\u003e ⚠️ **Warning:** Do NOT use `gcloud auth application-default login` - it will override your default credentials and may block other applications using ADC from a different project.\n\n## Helm Chart Installation\n\n### Installing the Chart\n\n```bash\nhelm install landing-zone ./charts/\n```\n\n### Install to a Specific Namespace\n\n```bash\nhelm install landing-zone ./charts/ \\\n  --namespace hyperfleet-system \\\n  --create-namespace\n```\n\n### Uninstalling the Chart\n\n```bash\nhelm delete landing-zone\n\n# Or with namespace\nhelm delete landing-zone --namespace hyperfleet-system\n```\n\n## Configuration\n\nAll configurable parameters are in `values.yaml`. For advanced customization, modify the templates directly.\n\n### Image \u0026 Replica\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `replicaCount` | Number of replicas | `1` |\n| `image.registry` | Image registry | `quay.io/openshift-hyperfleet` |\n| `image.repository` | Image repository | `hyperfleet-adapter` |\n| `image.tag` | Image tag | `latest` |\n| `image.pullPolicy` | Image pull policy | `Always` |\n| `imagePullSecrets` | Image pull secrets | `[]` |\n\n### Naming\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `nameOverride` | Override chart name | `\"\"` |\n| `fullnameOverride` | Override full release name | `\"\"` |\n\n### ServiceAccount \u0026 RBAC\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `serviceAccount.create` | Create ServiceAccount | `true` |\n| `serviceAccount.name` | ServiceAccount name (auto-generated if empty) | `\"\"` |\n| `serviceAccount.annotations` | ServiceAccount annotations (for Workload Identity) | `{}` |\n| `rbac.create` | Create ClusterRole and ClusterRoleBinding | `false` |\n| `rbac.namespaceAdmin` | Grant namespace admin permissions | `false` |\n\nWhen `rbac.namespaceAdmin=true`, the adapter gets full access to:\n- Namespaces (create, update, delete)\n- Core resources (configmaps, secrets, serviceaccounts, services, pods, PVCs)\n- Apps (deployments, statefulsets, daemonsets, replicasets)\n- Batch (jobs, cronjobs)\n- Networking (ingresses, networkpolicies)\n- RBAC (roles, rolebindings)\n\n### Logging\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `logging.level` | Log level (`debug`, `info`, `warn`, `error`) | `info` |\n| `logging.format` | Log format (`text`, `json`) | `text` |\n| `logging.output` | Log output (`stdout`, `stderr`) | `stderr` |\n\n### Scheduling\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `nodeSelector` | Node selector | `{}` |\n| `tolerations` | Tolerations | `[]` |\n| `affinity` | Affinity rules | `{}` |\n\n### Adapter Configuration\n\nThe adapter config is always created from `charts/configs/adapter-landing-zone.yaml`:\n- Mounted at `/etc/adapter/adapter.yaml`\n- Exposed via `ADAPTER_CONFIG_PATH` environment variable\n\nTo customize, edit `charts/configs/adapter-landing-zone.yaml` directly.\n\n### Broker Configuration\n\nThe broker configuration generates a `broker.yaml` file that is mounted as a ConfigMap.\n\n#### General Settings\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `broker.type` | Broker type: `googlepubsub` or `rabbitmq` (**required**) | `\"\"` |\n| `broker.subscriber.parallelism` | Number of parallel workers | `1` |\n| `broker.yaml` | Raw YAML override (advanced use) | `\"\"` |\n\n#### Google Pub/Sub (when `broker.type=googlepubsub`)\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `broker.googlepubsub.projectId` | GCP project ID (**required**) | `\"\"` |\n| `broker.googlepubsub.topic` | Pub/Sub topic name (**required**) | `\"\"` |\n| `broker.googlepubsub.subscription` | Pub/Sub subscription ID (**required**) | `\"\"` |\n| `broker.googlepubsub.deadLetterTopic` | Dead letter topic name (optional) | `\"\"` |\n\nOther Pub/Sub settings (ack deadline, retention, goroutines, etc.) are configured with sensible defaults in the broker config template.\n\n#### RabbitMQ (when `broker.type=rabbitmq`)\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `broker.rabbitmq.url` | RabbitMQ connection URL (**required**) | `\"\"` |\n\n\u003e **Note:** The `broker.rabbitmq.url` must be provided via `--set` or values file. Do not commit credentials to version control.\n\u003e Format: `amqp://username:password@hostname:port/vhost`\n\nOther RabbitMQ settings (exchange type, prefetch count, etc.) are configured with sensible defaults in the broker config template.\n\nWhen `broker.type` is set:\n- Generates `broker.yaml` from structured values\n- Creates ConfigMap with `broker.yaml` key\n- Mounts at `/etc/broker/broker.yaml`\n- Sets `BROKER_CONFIG_FILE=/etc/broker/broker.yaml`\n\n### HyperFleet API\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `hyperfleetApi.baseUrl` | HyperFleet API base URL | `\"\"` |\n| `hyperfleetApi.version` | API version | `v1` |\n\n### Environment Variables\n\n| Parameter | Description | Default |\n|-----------|-------------|---------|\n| `env` | Additional environment variables | `[]` |\n\nExample:\n```yaml\nenv:\n  - name: MY_VAR\n    value: \"my-value\"\n  - name: MY_SECRET\n    valueFrom:\n      secretKeyRef:\n        name: my-secret\n        key: key\n```\n\n## Examples\n\n### Basic Installation with Google Pub/Sub\n\n```bash\nhelm install landing-zone ./charts/ \\\n  --set broker.type=googlepubsub \\\n  --set broker.googlepubsub.projectId=my-gcp-project \\\n  --set broker.googlepubsub.topic=my-topic \\\n  --set broker.googlepubsub.subscription=my-subscription\n```\n\n### With HyperFleet API Configuration\n\n```bash\nhelm install landing-zone ./charts/ \\\n  --set hyperfleetApi.baseUrl=https://api.hyperfleet.example.com \\\n  --set broker.type=googlepubsub \\\n  --set broker.googlepubsub.projectId=my-gcp-project \\\n  --set broker.googlepubsub.topic=my-topic \\\n  --set broker.googlepubsub.subscription=my-subscription\n```\n\n### With RabbitMQ\n\n```bash\nhelm install landing-zone ./charts/ \\\n  --set broker.type=rabbitmq \\\n  --set broker.rabbitmq.url=\"amqp://user:password@rabbitmq.svc:5672/\"\n```\n\n\u003e **Security:** For production, store credentials in a Kubernetes Secret and reference via `env`.\n\n### With GCP Workload Identity and RBAC\n\nFirst, grant Pub/Sub permissions to the KSA (before deploying):\n\n```bash\n# Get project number\ngcloud projects describe my-gcp-project --format=\"value(projectNumber)\"\n\n# Grant permissions using direct principal binding (no GSA needed)\ngcloud projects add-iam-policy-binding my-gcp-project \\\n  --role=\"roles/pubsub.subscriber\" \\\n  --member=\"principal://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/my-gcp-project.svc.id.goog/subject/ns/hyperfleet-system/sa/landing-zone\"\n```\n\nThen deploy:\n\n```bash\nhelm install landing-zone ./charts/ \\\n  --namespace hyperfleet-system \\\n  --create-namespace \\\n  --set image.registry=us-central1-docker.pkg.dev/my-project/my-repo \\\n  --set image.repository=hyperfleet-adapter \\\n  --set image.tag=v0.1.0 \\\n  --set broker.type=googlepubsub \\\n  --set broker.googlepubsub.projectId=my-gcp-project \\\n  --set broker.googlepubsub.topic=my-topic \\\n  --set broker.googlepubsub.subscription=my-subscription \\\n  --set hyperfleetApi.baseUrl=https://api.hyperfleet.example.com \\\n  --set rbac.create=true \\\n  --set rbac.namespaceAdmin=true\n```\n\n### With Custom Logging\n\n```bash\nhelm install landing-zone ./charts/ \\\n  --set logging.level=debug \\\n  --set logging.format=json \\\n  --set logging.output=stdout \\\n  --set broker.type=googlepubsub \\\n  --set broker.googlepubsub.projectId=my-gcp-project \\\n  --set broker.googlepubsub.topic=my-topic \\\n  --set broker.googlepubsub.subscription=my-subscription\n```\n\n### Using Existing ServiceAccount\n\n```bash\nhelm install landing-zone ./charts/ \\\n  --set serviceAccount.create=false \\\n  --set serviceAccount.name=my-existing-sa\n```\n\n### With Values File\n\n\u003cdetails\u003e\n\u003csummary\u003eExample \u003ccode\u003emy-values.yaml\u003c/code\u003e\u003c/summary\u003e\n\n```yaml\nreplicaCount: 2\n\nimage:\n  registry: us-central1-docker.pkg.dev/my-project/my-repo\n  repository: hyperfleet-adapter\n  tag: v0.1.0\n\nserviceAccount:\n  create: true\n  annotations:\n    iam.gke.io/gcp-service-account: adapter@my-project.iam.gserviceaccount.com\n\nrbac:\n  create: true\n  namespaceAdmin: true\n\nlogging:\n  level: debug\n  format: json\n  output: stderr\n\nhyperfleetApi:\n  baseUrl: https://api.hyperfleet.example.com\n  version: v1\n\nbroker:\n  type: googlepubsub\n  googlepubsub:\n    projectId: my-gcp-project\n    topic: hyperfleet-events\n    subscription: hyperfleet-adapter-subscription\n  subscriber:\n    parallelism: 10\n```\n\n\u003c/details\u003e\n\nInstall with values file:\n\n```bash\nhelm install landing-zone ./charts/ -f my-values.yaml\n```\n\n## Deployment Environment Variables\n\nThe deployment sets these environment variables automatically:\n\n| Variable | Value | Condition |\n|----------|-------|-----------|\n| `HYPERFLEET_API_BASE_URL` | From `hyperfleetApi.baseUrl` | When set |\n| `HYPERFLEET_API_VERSION` | From `hyperfleetApi.version` | Always (default: v1) |\n| `ADAPTER_CONFIG_PATH` | `/etc/adapter/adapter.yaml` | Always |\n| `BROKER_CONFIG_FILE` | `/etc/broker/broker.yaml` | When `broker.type` is set |\n| `BROKER_SUBSCRIPTION_ID` | From `broker.googlepubsub.subscription` | When `broker.type=googlepubsub` |\n| `BROKER_TOPIC` | From `broker.googlepubsub.topic` | When `broker.type=googlepubsub` |\n| `GCP_PROJECT_ID` | From `broker.googlepubsub.projectId` | When `broker.type=googlepubsub` |\n\n## GCP Workload Identity Setup\n\nGrant GCP Pub/Sub permissions to the Kubernetes Service Account using **Workload Identity Federation**.\n\n### Step 1: Get Project Number\n\n```bash\ngcloud projects describe MY_PROJECT --format=\"value(projectNumber)\"\n```\n\n### Step 2: Grant Pub/Sub Permissions to KSA (Direct Principal Binding)\n\nRun this **before** deploying so the pod works immediately:\n\n```bash\n# Grant subscriber permission\ngcloud projects add-iam-policy-binding MY_PROJECT \\\n  --role=\"roles/pubsub.subscriber\" \\\n  --member=\"principal://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/MY_PROJECT.svc.id.goog/subject/ns/MY_NAMESPACE/sa/landing-zone\" \\\n  --condition=None\n\n# Grant viewer permission (required to read subscription metadata)\ngcloud projects add-iam-policy-binding MY_PROJECT \\\n  --role=\"roles/pubsub.viewer\" \\\n  --member=\"principal://iam.googleapis.com/projects/MY_PROJECT_NUMBER/locations/global/workloadIdentityPools/MY_PROJECT.svc.id.goog/subject/ns/MY_NAMESPACE/sa/landing-zone\" \\\n  --condition=None\n```\n\n\u003e **Note:** This uses direct principal binding - no Google Service Account (GSA) required. The binding works even before the KSA exists.\n\n### Step 3: Wait for IAM Propagation\n\nIAM changes can take 1-2 minutes to propagate. Wait until permissions are active:\n\n```bash\n# Wait until permissions are propagated\necho \"Waiting for IAM propagation...\"\nwhile ! gcloud pubsub subscriptions describe MY_SUBSCRIPTION \\\n  --project=MY_PROJECT \u0026\u003e/dev/null; do\n  echo \"  Waiting for permissions to propagate...\"\n  sleep 10\ndone\necho \"Permissions propagated!\"\n```\n\n### Step 4: Deploy\n\n```bash\nhelm install landing-zone ./charts/ \\\n  --namespace MY_NAMESPACE \\\n  --create-namespace \\\n  --set broker.type=googlepubsub \\\n  --set broker.googlepubsub.projectId=MY_PROJECT \\\n  --set broker.googlepubsub.topic=MY_TOPIC \\\n  --set broker.googlepubsub.subscription=MY_SUBSCRIPTION \\\n  --set rbac.create=true \\\n  --set rbac.namespaceAdmin=true\n```\n\n\u003e **Note:** Replace the following placeholders:\n\u003e - `MY_PROJECT` - Your GCP project ID\n\u003e - `MY_PROJECT_NUMBER` - Your GCP project number (from Step 1)\n\u003e - `MY_NAMESPACE` - Kubernetes namespace (e.g., `hyperfleet-system`)\n\u003e - `MY_TOPIC` - Pub/Sub topic name\n\u003e - `MY_SUBSCRIPTION` - Pub/Sub subscription name\n\u003e - `landing-zone` - The Helm release name (KSA name)\n\n### Step 5: Verify Workload Identity\n\n```bash\n# Test authentication from pod\nkubectl run -it --rm debug \\\n  --image=google/cloud-sdk:slim \\\n  --serviceaccount=landing-zone \\\n  --namespace=MY_NAMESPACE \\\n  -- gcloud auth list\n```\n\n## Notes\n\n- The adapter runs as non-root user (UID 65532) with read-only filesystem\n- Health probes are disabled by default (adapter is a message consumer, not HTTP server)\n- Uses `distroless` base image for minimal attack surface\n- Config checksum annotation triggers pod restart on ConfigMap changes\n- Default resource limits: 500m CPU, 512Mi memory\n- Default resource requests: 100m CPU, 128Mi memory\n\n## License\n\nSee [LICENSE](LICENSE) for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenshift-hyperfleet%2Fadapter-landing-zone","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenshift-hyperfleet%2Fadapter-landing-zone","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenshift-hyperfleet%2Fadapter-landing-zone/lists"}