From 561c620f98b49b3571f12a900c7b03d837dfdaab Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Sun, 22 Jun 2025 08:21:11 +0200
Subject: [PATCH] fix: fix kyvero whitelisting rules to use annotation, not label

---
 values/dapr/manifests/ingress-dashboard.yaml | 2 +-
 .../kyverno/whitelist-internal-ingresses.yaml | 17 +++++++----------
 2 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/values/dapr/manifests/ingress-dashboard.yaml b/values/dapr/manifests/ingress-dashboard.yaml
index fff32273..b602330f 100644
--- a/values/dapr/manifests/ingress-dashboard.yaml
+++ b/values/dapr/manifests/ingress-dashboard.yaml
@@ -5,7 +5,7 @@ metadata:
 cert-manager.io/cluster-issuer: letsencrypt-production
 nginx.ingress.kubernetes.io/backend-protocol: HTTP
 nginx.ingress.kubernetes.io/ssl-redirect: "true"
- atlantis.oceanbox.io/expose: internal
+ oceanbox.io/expose: internal
 labels:
 app.kubernetes.io/name: dapr-dashboard
 name: dapr-dashboard
diff --git a/values/system/oceanbox/kyverno/whitelist-internal-ingresses.yaml b/values/system/oceanbox/kyverno/whitelist-internal-ingresses.yaml
index 8108ff30..adfde358 100644
--- a/values/system/oceanbox/kyverno/whitelist-internal-ingresses.yaml
+++ b/values/system/oceanbox/kyverno/whitelist-internal-ingresses.yaml
@@ -9,7 +9,7 @@ metadata:
 policies.clusterConfig.kyverno.io/severity: medium
 policies.clusterConfig.kyverno.io/subject: Ingress
 policies.clusterConfig.kyverno.io/description: >-
- Ingresses with the label "internal=true" should be whitelisted.
+ Ingresses with the annotation "oceanbox.io/expose=internal" should be whitelisted.
 If no whitelist exists, add the default values, otherwise append whitelist to the already existing ones
 spec:
@@ -22,9 +22,8 @@ spec:
 resources:
 kinds:
 - Ingress
- selector:
- matchLabels:
- internal: "true"
+ annotations:
+ oceanbox.io/expose: internal
 mutate:
 patchStrategicMerge:
 metadata:
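Review bot: In the `@@ -22,9 +22,8 @@` hunk the rule now fires only on an Ingress annotated `oceanbox.io/expose: internal`, so any Ingress that still carries the old `internal: "true"` label or the old `atlantis.oceanbox.io/expose` key (only the dapr dashboard manifest is renamed in this commit) will, on its next create or update, be admitted without `nginx.ingress.kubernetes.io/whitelist-source-range` — the fail-open direction for a policy whose purpose is to keep internal services off the public ingress. Consider keeping the old label selector as an additional match entry for a transition period, or adding a validate rule that denies Ingresses carrying the old label/key so stragglers surface as admission errors rather than as reachable services. Kyverno's annotation match is exact, so a value such as `Internal` or an omitted annotation also skips the rule; a companion validate rule requiring `oceanbox.io/expose` to be one of a fixed set of values on every Ingress would make the default explicit rather than implicit-public. The rule's `match` block starts above this hunk, so whether it uses `any`/`all` (which decides how a second entry is added) is not visible here.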
@@ -36,9 +35,8 @@ spec:
 resources:
 kinds:
 - Ingress
- selector:
- matchLabels:
- internal: "true"
+ annotations:
+ oceanbox.io/expose: internal
 preconditions:
 any:
 - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
@@ -57,9 +55,8 @@ spec:
 resources:
 kinds:
 - Ingress
- selector:
- matchLabels:
- internal: "true"
+ annotations:
+ oceanbox.io/expose: internal
 preconditions:
 any:
 - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
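Review bot: The two-line `annotations: oceanbox.io/expose: internal` selector added in the `@@ -36,9 +35,8 @@` hunk is the third verbatim copy of the same match criterion in this policy (the rule before it and the `@@ -57,9 +55,8 @@` rule carry the identical block), and this commit itself shows the cost: the selector had to be edited in three places, and a missed copy would leave one rule matching on the old label while the others match on the annotation. Since the file appears to be a Helm template (the `{{`...`}}` escaping in the precondition), defining the selector once as a named template, or as a YAML anchor referenced from each rule, would keep the three rules from drifting apart. The enclosing rule and its `match` block start above this hunk.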