From 926f94bf8b3f1fd9cc1d017c3272f60f4eadcf0f Mon Sep 17 00:00:00 2001 From: Jonas Juselius Date: Fri, 12 Sep 2025 20:55:20 +0200 Subject: [PATCH] fix: add rossby system --- values/system/rossby/argocd-manager-rbac.yaml | 44 +++++++++++++++ values/system/rossby/kube-flannel-rbac.yaml | 42 ++++++++++++++ .../rossby/kyverno/add-ingress-whitelist.yaml | 20 +++++++ .../rossby/kyverno/sync-keyvault-secret.yaml | 34 +++++++++++ .../rossby/kyverno/sync-oceanbox-regcred.yaml | 44 +++++++++++++++ .../rossby/kyverno/sync-sorcerer-secrets.yaml | 56 +++++++++++++++++++ 6 files changed, 240 insertions(+) create mode 100644 values/system/rossby/argocd-manager-rbac.yaml create mode 100644 values/system/rossby/kube-flannel-rbac.yaml create mode 100644 values/system/rossby/kyverno/add-ingress-whitelist.yaml create mode 100644 values/system/rossby/kyverno/sync-keyvault-secret.yaml create mode 100644 values/system/rossby/kyverno/sync-oceanbox-regcred.yaml create mode 100644 values/system/rossby/kyverno/sync-sorcerer-secrets.yaml
diff --git a/values/system/rossby/argocd-manager-rbac.yaml b/values/system/rossby/argocd-manager-rbac.yaml
new file mode 100644
index 00000000..865190c7
--- /dev/null
+++ b/values/system/rossby/argocd-manager-rbac.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: argocd-manager
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- nonResourceURLs:
+ - '*'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: argocd-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: argocd-manager
+subjects:
+- kind: ServiceAccount
+ name: argocd-manager
+ namespace: kube-system
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: argocd-manager
+ namespace: kube-system
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations:
+ kubernetes.io/service-account.name: argocd-manager
+ name: argocd-manager-token
+ namespace: kube-system
+type: kubernetes.io/service-account-token
diff --git a/values/system/rossby/kube-flannel-rbac.yaml b/values/system/rossby/kube-flannel-rbac.yaml
new file mode 100644
index 00000000..b14b53a8
--- /dev/null
+++ b/values/system/rossby/kube-flannel-rbac.yaml
@@ -0,0 +1,42 @@
+# Create the clusterrole and clusterrolebinding:
+# $ kubectl create -f kube-flannel-rbac.yml
+# Create the pod using the same namespace used by the flannel serviceaccount:
+# $ kubectl create --namespace kube-system -f kube-flannel-legacy.yml
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: flannel-client
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes/status
+ verbs:
+ - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: flannel-client
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: flannel-client
+subjects:
+ - kind: User
+ name: flannel-client
+ apiGroup: rbac.authorization.k8s.io
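Review bot: The `argocd-manager` ClusterRole grants `'*'` on every apiGroup, resource and verb plus all nonResourceURLs, and the trailing `kubernetes.io/service-account-token` Secret mints a non-expiring token for that identity, so this file creates a permanent cluster-admin-equivalent credential with nothing on the page saying who consumes it or how it is rotated. This looks like the standard Argo CD cluster-bootstrap manifest, but it deserves a header comment such as `# Cluster-admin-equivalent identity used by Argo CD to manage this cluster; the token Secret is long-lived — rotate it and delete the binding when the cluster is deregistered.` If Argo CD only reconciles specific namespaces or kinds here, narrowing the rules or issuing a bounded-lifetime token would shrink the blast radius. Note also that the sequences are flush (`- apiGroups:` at column 0 under `rules:`) while `kube-flannel-rbac.yaml` in the same commit indents its sequences; pick one style for the directory.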
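Review bot: The four header comments reference `kube-flannel-rbac.yml` and `kube-flannel-legacy.yml`, neither of which this commit adds (the file itself is `kube-flannel-rbac.yaml`), and they talk about a flannel serviceaccount while the binding's only subject is `kind: User` named `flannel-client`. Nothing in the commit shows what presents that user identity — presumably a client certificate with that CN — so the comment should state where it comes from rather than describe an unrelated legacy pod manifest. Suggest replacing the four lines with one comment along the lines of `# RBAC for the flannel client identity (User "flannel-client", authenticated via <mechanism>): get pods, list/watch nodes, patch nodes/status.` The rules themselves are narrow and look appropriate.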
diff --git a/values/system/rossby/kyverno/add-ingress-whitelist.yaml b/values/system/rossby/kyverno/add-ingress-whitelist.yaml
new file mode 100644
index 00000000..20c32017
--- /dev/null
+++ b/values/system/rossby/kyverno/add-ingress-whitelist.yaml
@@ -0,0 +1,20 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: add-ingress-whitelist
+spec:
+ background: true
+ generateExisting: true
+ rules:
+ - name: set-whitelist-internal
+ mutate:
+ patchStrategicMerge:
+ metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+ match:
+ resources:
+ kinds:
+ - Ingress
+ annotations:
+ oceanbox.io/expose: internal
diff --git a/values/system/rossby/kyverno/sync-keyvault-secret.yaml b/values/system/rossby/kyverno/sync-keyvault-secret.yaml
new file mode 100644
index 00000000..54ce8f69
--- /dev/null
+++ b/values/system/rossby/kyverno/sync-keyvault-secret.yaml
@@ -0,0 +1,34 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+ creationTimestamp: "2024-01-15T11:58:24Z"
+ name: sync-keyvault-secrets
+spec:
+ admission: true
+ background: true
+ generateExisting: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ name: azure-keyvault
+ namespace: sorcerer
+ kind: Secret
+ name: azure-keyvault
+ namespace: '{{`{{request.object.metadata.namespace}}`}}'
+ synchronize: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - azure-keyvault
+ annotations:
+ kyverno/clone: "true"
+ name: sync-keyvault-secrets
+
+
diff --git a/values/system/rossby/kyverno/sync-oceanbox-regcred.yaml b/values/system/rossby/kyverno/sync-oceanbox-regcred.yaml
new file mode 100644
index 00000000..83469b27
--- /dev/null
+++ b/values/system/rossby/kyverno/sync-oceanbox-regcred.yaml
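Review bot: `generateExisting: true` on a policy whose only rule is a `mutate` probably does nothing for Ingresses that already exist — if I read Kyverno's semantics right, that flag governs generate rules, and mutating resources already in the cluster needs a `targets` block with `mutateExistingOnPolicyUpdate` — so an Ingress annotated `oceanbox.io/expose: internal` before this policy lands keeps running without the source-range restriction until something updates it; please verify on the cluster and either drop the flag or add the mutate-existing form. The `match` block uses the older bare `resources:` form while the sibling policies in this commit use `match.any`, so aligning them avoids a deprecation surprise later. A one-line comment above the rule stating the intent and its limit would help the next reader, e.g. `# Internal-only Ingresses are restricted to RFC1918 ranges; the allow-list is only as strong as the client IP ingress-nginx actually sees (proxy protocol / forwarded headers).`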
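Review bot: The trigger is any Secret named `azure-keyvault` carrying `kyverno/clone: "true"` in any namespace, so whoever can create a Secret in their own namespace gets the Key Vault credential from `sorcerer` cloned to them — there is no `namespaces:` restriction in `match` and no `exclude`, unlike `sync-oceanbox-regcred.yaml` in this commit. Consider restricting `match` to the namespaces that legitimately need the credential, or pairing this with a validate rule that controls who may set the clone annotation, and add a comment above the rule naming the intended consumers. `creationTimestamp: "2024-01-15T11:58:24Z"` and `policies.kyverno.io/category: Sample` look like leftovers from a `kubectl get -o yaml` export of the upstream sample; the server-set timestamp at least should be removed from a committed manifest. The generated Secret has the same name and namespace as the trigger, so the placeholder the user created is replaced by the clone — worth a comment if that is the intended workflow.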
@@ -0,0 +1,44 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ annotations:
+ policies.kyverno.io/category: Sample
+ policies.kyverno.io/description: 'Secrets like registry credentials often need
+ to exist in multiple Namespaces so Pods there have access. Manually duplicating
+ those Secrets is time consuming and error prone. This policy will copy a Secret
+ called `regcred` which exists in the `default` Namespace to new Namespaces when
+ they are created. It will also push updates to the copied Secrets should the
+ source Secret be changed. '
+ creationTimestamp: "2024-01-15T11:58:24Z"
+ name: sync-oceanbox-regcred
+spec:
+ admission: true
+ background: true
+ generateExisting: true
+ rules:
+ - generate:
+ apiVersion: v1
+ clone:
+ # name: oceanbox-regcred
+ name: gitlab-pull-secret
+ namespace: default
+ kind: Secret
+ # name: oceanbox-regcred
+ name: gitlab-pull-secret
+ namespace: '{{`{{request.object.metadata.name}}`}}'
+ synchronize: true
+ exclude:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ names:
+ - "vcluster-*"
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ name: sync-oceanbox-regcred
+
+
diff --git a/values/system/rossby/kyverno/sync-sorcerer-secrets.yaml b/values/system/rossby/kyverno/sync-sorcerer-secrets.yaml
new file mode 100644
index 00000000..c0831635
--- /dev/null
+++ b/values/system/rossby/kyverno/sync-sorcerer-secrets.yaml
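Review bot: The `policies.kyverno.io/description` still describes copying a Secret called `regcred`, while the rule actually clones `gitlab-pull-secret` from `default` (and both the policy name `sync-oceanbox-regcred` and the file name say regcred), so the in-cluster documentation is wrong from the first apply; the two commented-out `# name: oceanbox-regcred` lines should go too. Suggest shortening the description to `'Copies the gitlab-pull-secret registry credential from the default Namespace into every new Namespace except vcluster-*, and keeps the copies in sync with the source.'` Because the copy lands in every namespace, anyone who can read Secrets in their namespace can read this pull token — acceptable if it is a read-only deploy token, but the description should say so. `creationTimestamp` is a server-set field and should not be in a committed manifest.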
@@ -0,0 +1,56 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: sync-sorcerer-secrets
+spec:
+ background: true
+ generateExisting: true
+ rules:
+ - name: sync-atlantis-secret
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: '{{`{{ request.object.metadata.name }}`}}'
+ namespace: '{{`{{ request.object.metadata.namespace }}`}}'
+ synchronize: true
+ clone:
+ name: staging-sorcerer-env
+ namespace: staging-sorcerer
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - "*-sorcerer-env"
+ annotations:
+ kyverno/clone: "true"
+ exclude:
+ any:
+ - resources:
+ annotations:
+ vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+ - name: sync-dapr-api-token
+ generate:
+ apiVersion: v1
+ kind: Secret
+ name: '{{`{{ request.object.metadata.name }}`}}'
+ namespace: '{{`{{ request.object.metadata.namespace }}`}}'
+ synchronize: true
+ clone:
+ name: dapr-api-token
+ namespace: staging-sorcerer
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - dapr-api-token
+ annotations:
+ kyverno/clone: "true"
+ exclude:
+ any:
+ - resources:
+ annotations:
+ vcluster.loft.sh/controlled-by: secret/v1/GenericImport
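Review bot: The first rule is named `sync-atlantis-secret` but clones `staging-sorcerer-env` into any Secret matching `*-sorcerer-env` with `kyverno/clone: "true"`, so the name is misleading and the wildcard means a Secret named, say, `prod-sorcerer-env` in any namespace receives the staging environment; consider `- name: sync-sorcerer-env` together with an exact `names` entry or a `namespaces:` restriction in `match`. As with `sync-keyvault-secret.yaml`, neither rule scopes the triggering namespace, so any namespace-level Secret creator can have these values from `staging-sorcerer` copied to them — the vcluster `exclude` only filters imports, not who asks. The templated `{{`{{ request.object.metadata.name }}`}}` form here has inner spaces while the other two policies in the commit write `{{request.object.metadata.namespace}}`; harmless, but pick one. A header comment naming the intended consumers of the two Secrets would make the exposure decision explicit.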