fix: add kyverno policies for dapr api tokens

policies/ekman/kyverno/add-ingress-whitelist.yaml

@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-ingress-whitelist
+spec:
+  background: true
+  generateExisting: true
+  rules:
+  - name: set-whitelist-internal
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    match:
+      resources:
+        kinds:
+        - Ingress
+        annotations:
+          atlantis.oceanbox.io/expose: internal

policies/ekman/kyverno/sync-sorcerer-secrets.yaml

@@ -30,3 +30,27 @@ spec:
       - resources:
           annotations:
             vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-dapr-api-token
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: dapr-api-token
+        namespace: staging-sorcerer
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - dapr-api-token
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport

policies/oceanbox/kyverno/sync-atlantis-secrets.yaml

@@ -78,3 +78,27 @@ spec:
       - resources:
           annotations:
             vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-dapr-api-token
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: '{{ request.object.metadata.namespace }}'
+      synchronize: true
+      clone:
+        name: dapr-api-token
+        namespace: staging-atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - dapr-api-token
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport

policies/oceanbox/network/clusterpolicy-allow-ekman-egress.yaml

@@ -8,8 +8,12 @@ spec:
   - toCIDR:
     - 10.255.241.99/32
     - 10.255.241.100/32
+    - 185.125.160.88/32
+    - 185.125.160.89/32
     toPorts:
     - ports:
+      - port: "443"
+        protocol: TCP
       - port: "4443"
         protocol: TCP
       - port: "30443"