fix: add rossby system

2025-09-12 20:55:20 +02:00
parent 6473fcca9d
commit 926f94bf8b
6 changed files with 240 additions and 0 deletions
@@ -0,0 +1,44 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: argocd-manager
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- nonResourceURLs:
+  - '*'
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: argocd-manager
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-manager
+subjects:
+- kind: ServiceAccount
+  name: argocd-manager
+  namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-manager
+  namespace: kube-system
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: argocd-manager
+  name: argocd-manager-token
+  namespace: kube-system
+type: kubernetes.io/service-account-token
@@ -0,0 +1,42 @@
+# Create the clusterrole and clusterrolebinding:
+# $ kubectl create -f kube-flannel-rbac.yml
+# Create the pod using the same namespace used by the flannel serviceaccount:
+# $ kubectl create --namespace kube-system -f kube-flannel-legacy.yml
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: flannel-client
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/status
+    verbs:
+      - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: flannel-client
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: flannel-client
+subjects:
+  - kind: User
+    name: flannel-client
+    apiGroup: rbac.authorization.k8s.io
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: add-ingress-whitelist
+spec:
+  background: true
+  generateExisting: true
+  rules:
+  - name: set-whitelist-internal
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+    match:
+      resources:
+        kinds:
+        - Ingress
+        annotations:
+          oceanbox.io/expose: internal
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-keyvault-secrets
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        name: azure-keyvault
+        namespace: sorcerer
+      kind: Secret
+      name: azure-keyvault
+      namespace: '{{`{{request.object.metadata.namespace}}`}}'
+      synchronize: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Secret
+          names:
+          - azure-keyvault
+          annotations:
+            kyverno/clone: "true"
+    name: sync-keyvault-secrets
+
+
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.kyverno.io/category: Sample
+    policies.kyverno.io/description: 'Secrets like registry credentials often need
+      to exist in multiple Namespaces so Pods there have access. Manually duplicating
+      those Secrets is time consuming and error prone. This policy will copy a Secret
+      called `regcred` which exists in the `default` Namespace to new Namespaces when
+      they are created. It will also push updates to the copied Secrets should the
+      source Secret be changed.            '
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-oceanbox-regcred
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        # name: oceanbox-regcred
+        name: gitlab-pull-secret
+        namespace: default
+      kind: Secret
+      # name: oceanbox-regcred
+      name: gitlab-pull-secret
+      namespace: '{{`{{request.object.metadata.name}}`}}'
+      synchronize: true
+    exclude:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - "vcluster-*"
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+    name: sync-oceanbox-regcred
+
+
@@ -0,0 +1,56 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-sorcerer-secrets
+spec:
+  background: true
+  generateExisting: true
+  rules:
+  - name: sync-atlantis-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{`{{ request.object.metadata.name }}`}}'
+      namespace: '{{`{{ request.object.metadata.namespace }}`}}'
+      synchronize: true
+      clone:
+        name: staging-sorcerer-env
+        namespace: staging-sorcerer
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-sorcerer-env"
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-dapr-api-token
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{`{{ request.object.metadata.name }}`}}'
+      namespace: '{{`{{ request.object.metadata.namespace }}`}}'
+      synchronize: true
+      clone:
+        name: dapr-api-token
+        namespace: staging-sorcerer
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - dapr-api-token
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport