fix: inject secrets via env

2024-02-01 18:44:15 +01:00
parent efff8495bf
commit 83bd89b79c
5 changed files with 106 additions and 2 deletions
@@ -4,3 +4,6 @@
 - op: replace
  path: /spec/template/spec/containers/0/readinessProbe/httpGet/path
  value: /healthz
+- op: add
+  path: /spec/template/spec/containers/0/envFrom
+  value: []
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: archmeister-env
+  namespace: atlantis
+stringData:
+  OICD_CLIENT_SECRET: ieK3yak9zoh3yeewee8quahY6seiv7Ro
+  SEQ_APIKEY: bFdYPKLDvnau3fQa1vRV
+type: Opaque
@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-atlantis-secrets
+spec:
+  background: true
+  generateExistingOnPolicyUpdate: true
+  rules:
+  - name: sync-redis-secrets
+    generate:
+      apiVersion: v1
+      namespace: atlantis
+      synchronize: true
+      cloneList:
+        namespace: redis
+        kinds:
+          - Secret
+        selector:
+          matchLabels:
+            app.kubernetes.io/name: redis
+    match:
+      resources:
+        kinds:
+        - Namespace
+        names:
+        - atlantis
+  - name: sync-rabbitmq-secrets
+    generate:
+      apiVersion: v1
+      namespace: atlantis
+      synchronize: true
+      cloneList:
+        namespace: rabbitmq
+        kinds:
+          - Secret
+        selector:
+          matchLabels:
+            clone: "true"
+    match:
+      resources:
+        kinds:
+        - Namespace
+        names:
+        - atlantis
+  validationFailureAction: audit
+
@@ -25,4 +25,27 @@
  path: /spec/template/spec/containers/0/env/-
  value:
    name: DB_HOST
-    value: prod-archmeister-rw
+    value: prod-archmeister-rw
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: REDIS_USER
+    value: default
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: REDIS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: prod-redis
+        key: redis-password
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: RABBITMQ_USER
+    value: user
+- op: add
+  path: /spec/template/spec/containers/0/envFrom/-
+  value:
+    secretRef:
+      name: archmeister-env
@@ -30,4 +30,27 @@
  path: /spec/template/spec/containers/0/env/-
  value:
    name: DB_HOST
-    value: staging-archmeister-rw
+    value: staging-archmeister-rw
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: REDIS_USER
+    value: default
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: REDIS_PASSWORD
+    valueFrom:
+      secretKeyRef:
+        name: staging-redis
+        key: redis-password
+- op: add
+  path: /spec/template/spec/containers/0/env/-
+  value:
+    name: RABBITMQ_USER
+    value: user
+- op: add
+  path: /spec/template/spec/containers/0/envFrom/-
+  value:
+    secretRef:
+      name: archmeister-env