fix: split secret sync policies to separeate files. autoconfigure rabbitmq connString

applications/atlantis-host-resources.yaml

@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: atlantis-host-resrources
+  name: atlantis-host-cluster-resources
   namespace: argocd
 spec:
   project: atlantis

resources/atlantis/host-manifests/sync-archmeister-secrets.yaml

@@ -0,0 +1,41 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-prod-archmeister-replication-secrets
+spec:
+  background: true
+  generateExisting: true
+  rules:
+  - name: sync-archmeister-ca
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: prod-archmeister-ca
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+      clone:
+        namespace: atlantis
+        name: prod-archmeister-ca
+    match:
+      resources:
+        kinds:
+        - Namespace
+        names:
+        - '*-vcluster'
+  - name: sync-archmeister-replication
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: prod-archmeister-replication
+      namespace: '{{request.object.metadata.name}}'
+      synchronize: true
+      clone:
+        namespace: atlantis
+        name: prod-archmeister-replication
+    match:
+      resources:
+        kinds:
+        - Namespace
+        names:
+        - '*-vcluster'
+  validationFailureAction: audit

resources/atlantis/host-manifests/sync-atlantis-secrets.yaml

@@ -1,102 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-atlantis-secrets
-spec:
-  background: true
-  generateExistingOnPolicyUpdate: true
-  rules:
-  - name: sync-rabbitmq-secrets
-    generate:
-      apiVersion: v1
-      namespace: atlantis
-      synchronize: true
-      cloneList:
-        namespace: rabbitmq
-        kinds:
-          - Secret
-        selector:
-          matchLabels:
-            clone: "true"
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-        - atlantis
-        - '*-vcluster'
-  - name: add-rabbitmq-connstring
-    mutate:
-      targets:
-      - apiVersion: v1
-        kind: Secret
-        namespace: atlantis
-        name: '{{request.object.metadata.name}}'
-      patchStrategicMerge:
-        data:
-          connString: "connString: {{base64_encode(join('amqp://user:', '{{request.object.data.rabbitmq-password}}')) }}"
-          # connString: "connString: aHVubnktYnVubnk="
-    match:
-      all:
-      - resources:
-          kinds:
-          - Secret
-          names:
-          - staging-rabbitmq
-      - resources:
-          kinds:
-          - Namespace
-          names:
-          - rabbitmq
-  - name: sync-redis-secrets
-    generate:
-      apiVersion: v1
-      namespace: atlantis
-      synchronize: true
-      cloneList:
-        namespace: redis
-        kinds:
-          - Secret
-        selector:
-          matchLabels:
-            app.kubernetes.io/name: redis
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-        - atlantis
-        - '*-vcluster'
-  - name: sync-archmeister-replication-ca
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: prod-archmeister-ca
-      namespace: '{{request.object.metadata.name}}'
-      synchronize: true
-      clone:
-        namespace: atlantis
-        name: prod-archmeister-ca
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-        - '*-vcluster'
-  - name: sync-archmeister-replication-replication
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: prod-archmeister-replication
-      namespace: '{{request.object.metadata.name}}'
-      synchronize: true
-      clone:
-        namespace: atlantis
-        name: prod-archmeister-replication
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-        - '*-vcluster'
-  validationFailureAction: audit

resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml

@@ -0,0 +1,48 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-rabbitmq-secret
+spec:
+  background: true
+  generateExisting: true
+  rules:
+  - name: sync-rabbitmq-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: atlantis
+      synchronize: true
+      clone:
+        name: prod-rabbitmq
+        namespace: rabbitmq
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-rabbitmq
+         namespaces:
+         - rabbitmq
+  - name: add-rabbitmq-connstring
+    mutate:
+      patchStrategicMerge:
+        stringData:
+          connString: 'amqp://user:{{ request.object.data."rabbitmq-password" | base64_decode(@) }}@{{ request.object.metadata.labels."app.kubernetes.io/instance" }}.rabbitmq.svc'
+    match:
+     any:
+       - resources:
+           kinds:
+           - Secret
+           names:
+           - prod-rabbitmq
+           - staging-rabbitmq
+    exclude:
+     any:
+       - resources:
+           kinds:
+           - Namespace
+           names:
+           - rabbitmq
+  validationFailureAction: audit

resources/atlantis/host-manifests/sync-redis-secrets.yaml

@@ -0,0 +1,45 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-redis-secrets
+spec:
+  background: true
+  generateExisting: true
+  rules:
+  - name: sync-prod-redis-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{ request.object.metadata.name }}'
+      namespace: atlantis
+      synchronize: true
+      clone:
+        name: prod-redis
+        namespace: redis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-redis
+         namespaces:
+         - redis
+  - name: sync-staging-redis-secret
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: staging-redis
+      namespace: '{{ request.object.metadata.name }}'
+      synchronize: true
+      clone:
+        name: staging-redis
+        namespace: redis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Namespace
+         names:
+         - "vcluster-009dba7e-*"
+  validationFailureAction: audit