wip: Match chart to k8s state

values/kyverno/manifests/kyverno.yaml

@@ -10,13 +10,18 @@ spec:
     server: 'https://kubernetes.default.svc'
   sources:
   - repoURL: {{ .Values.clusterConfig.manifests }}
-    targetRevision: HEAD
-    path: helmfiles/kyverno
+    # targetRevision: HEAD
+    targetRevision: mrtz/helmify
+    path: helmfile.d
     plugin:
-      name: helmfile
+      name: helmfile-cmp
       env:
       - name: CLUSTER_NAME
         value: {{ .Values.clusterConfig.cluster }}
+      - name: HELMFILE_ENVIRONMENT
+        value: default
+      - name: HELMFILE_FILE_PATH
+        value: kyverno.yaml.gotmpl
   project: sys
   syncPolicy:
     managedNamespaceMetadata:
@@ -25,7 +30,7 @@ spec:
     syncOptions:
       - CreateNamespace=true
       - ApplyOutOfSyncOnly=true
-      # - ServerSideApply=true
+      - ServerSideApply=true
     {{- if .Values.kyverno.autosync }}
     automated:
       prune: true

values/kyverno/manifests/policies/sync-gitlab.yaml

@@ -16,6 +16,7 @@ metadata:
 spec:
   rules:
   - name: sync-image-pull-secret
+    skipBackgroundRequests: true
     match:
       resources:
         kinds:

values/kyverno/manifests/policies/sync-regcred.yaml

@@ -17,6 +17,7 @@ metadata:
 spec:
   rules:
   - name: sync-image-pull-secret
+    skipBackgroundRequests: true
     match:
       resources:
         kinds:

values/kyverno/manifests/policies/sync-s3-secret.yaml

@@ -29,5 +29,6 @@ spec:
         - "loki"
         - "tempo"
     name: sync-s3-secret
+    skipBackgroundRequests: true
   validationFailureAction: audit
 {{- end }}

values/kyverno/manifests/policies/whitelist-internal-ingresses.yaml

@@ -17,6 +17,7 @@ spec:
   #precondition: has whitelist annotation or 
   rules:
   - name: ensure-nginx-whitelist-exists
+    skipBackgroundRequests: true
     match:
       resources:
         kinds:
@@ -30,6 +31,7 @@ spec:
           annotations:
             +(nginx.ingress.kubernetes.io/whitelist-source-range): ""
   - name: append-existing-whitelist
+    skipBackgroundRequests: true
     match:
       resources:
         kinds:
@@ -46,10 +48,11 @@ spec:
       patchStrategicMerge:
         metadata:
           annotations:
-            {{- with .Values.cluster_config.ingress_whitelist_ips }}
+            {{- with .Values.clusterConfig.ingress_whitelist_ips }}
             nginx.ingress.kubernetes.io/whitelist-source-range: "{{`{{ @ }}`}},{{ join "," . }}"
             {{- end }}
   - name: add-nginx-whitelist
+    skipBackgroundRequests: true
     match:
       resources:
         kinds:
@@ -66,7 +69,7 @@ spec:
       patchStrategicMerge:
         metadata:
           annotations:
-            {{- with .Values.cluster_config.ingress_whitelist_ips }}
+            {{- with .Values.clusterConfig.ingress_whitelist_ips }}
             nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
             {{- end }}
 {{- end }}

values/kyverno/values.yaml.gotmpl

@@ -1,6 +1,6 @@
 kyverno:
   enabled: true
-  autosync: false
+  autosync: true
   metrics: false
   resources:
     cleanupController: