From a164f74fbd417d3cea7f499682de7248fa637796 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Thu, 15 Feb 2024 16:05:18 +0100
Subject: [PATCH] fix: split secret sync policies to separeate files. autoconfigure rabbitmq connString

---
 applications/atlantis-host-resources.yaml | 2 +-
 .../sync-archmeister-secrets.yaml | 41 +++++++
 .../host-manifests/sync-atlantis-secrets.yaml | 102 ------------------
 .../host-manifests/sync-rabbitmq-secrets.yaml | 48 +++++++
 .../host-manifests/sync-redis-secrets.yaml | 45 ++++++++
 5 files changed, 135 insertions(+), 103 deletions(-)
 create mode 100644 resources/atlantis/host-manifests/sync-archmeister-secrets.yaml
 delete mode 100644 resources/atlantis/host-manifests/sync-atlantis-secrets.yaml
 create mode 100644 resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml
 create mode 100644 resources/atlantis/host-manifests/sync-redis-secrets.yaml

diff --git a/applications/atlantis-host-resources.yaml b/applications/atlantis-host-resources.yaml
index 96552881..12911a50 100644
--- a/applications/atlantis-host-resources.yaml
+++ b/applications/atlantis-host-resources.yaml
@@ -1,7 +1,7 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: atlantis-host-resrources
+  name: atlantis-host-cluster-resources
   namespace: argocd
 spec:
   project: atlantis
diff --git a/resources/atlantis/host-manifests/sync-archmeister-secrets.yaml b/resources/atlantis/host-manifests/sync-archmeister-secrets.yaml
new file mode 100644
index 00000000..9bcb9626
--- /dev/null
+++ b/resources/atlantis/host-manifests/sync-archmeister-secrets.yaml
@@ -0,0 +1,41 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-prod-archmeister-replication-secrets
+spec:
+  background: true
+  generateExisting: true
+  rules:
+    - name: sync-archmeister-ca
+      generate:
+        apiVersion: v1
+        kind: Secret
+        name: prod-archmeister-ca
+        namespace: '{{request.object.metadata.name}}'
+        synchronize: true
+        clone:
+          namespace: atlantis
+          name: prod-archmeister-ca
+      match:
+        resources:
+          kinds:
+            - Namespace
+          names:
+            - '*-vcluster'
+    - name: sync-archmeister-replication
+      generate:
+        apiVersion: v1
+        kind: Secret
+        name: prod-archmeister-replication
+        namespace: '{{request.object.metadata.name}}'
+        synchronize: true
+        clone:
+          namespace: atlantis
+          name: prod-archmeister-replication
+      match:
+        resources:
+          kinds:
+            - Namespace
+          names:
+            - '*-vcluster'
+  validationFailureAction: audit
diff --git a/resources/atlantis/host-manifests/sync-atlantis-secrets.yaml b/resources/atlantis/host-manifests/sync-atlantis-secrets.yaml
deleted file mode 100644
index 05167d24..00000000
--- a/resources/atlantis/host-manifests/sync-atlantis-secrets.yaml
+++ /dev/null
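Review bot: Both rules gate distribution of `prod-archmeister-ca` and `prod-archmeister-replication` solely on the namespace-name glob `'*-vcluster'`, so any principal permitted to create a namespace with that suffix on the host cluster receives a synchronized copy of both secrets from the `atlantis` namespace. Unless namespace creation is already tightly restricted, add a `selector.matchLabels` entry on a label that only the vcluster provisioner sets, alongside the name match, so a lookalike namespace is not sufficient. `validationFailureAction: audit` is a validate-rule setting and is inert on a policy that only has generate rules. A short comment above `rules:` would make the trust assumption explicit, e.g. `# Fans prod archmeister secrets out to every *-vcluster namespace; whoever can create such a namespace can read them.`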
@@ -1,102 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-atlantis-secrets
-spec:
-  background: true
-  generateExistingOnPolicyUpdate: true
-  rules:
-    - name: sync-rabbitmq-secrets
-      generate:
-        apiVersion: v1
-        namespace: atlantis
-        synchronize: true
-        cloneList:
-          namespace: rabbitmq
-          kinds:
-            - Secret
-          selector:
-            matchLabels:
-              clone: "true"
-      match:
-        resources:
-          kinds:
-            - Namespace
-          names:
-            - atlantis
-            - '*-vcluster'
-    - name: add-rabbitmq-connstring
-      mutate:
-        targets:
-          - apiVersion: v1
-            kind: Secret
-            namespace: atlantis
-            name: '{{request.object.metadata.name}}'
-        patchStrategicMerge:
-          data:
-            connString: "connString: {{base64_encode(join('amqp://user:', '{{request.object.data.rabbitmq-password}}')) }}"
-            # connString: "connString: aHVubnktYnVubnk="
-      match:
-        all:
-          - resources:
-              kinds:
-                - Secret
-              names:
-                - staging-rabbitmq
-          - resources:
-              kinds:
-                - Namespace
-              names:
-                - rabbitmq
-    - name: sync-redis-secrets
-      generate:
-        apiVersion: v1
-        namespace: atlantis
-        synchronize: true
-        cloneList:
-          namespace: redis
-          kinds:
-            - Secret
-          selector:
-            matchLabels:
-              app.kubernetes.io/name: redis
-      match:
-        resources:
-          kinds:
-            - Namespace
-          names:
-            - atlantis
-            - '*-vcluster'
-    - name: sync-archmeister-replication-ca
-      generate:
-        apiVersion: v1
-        kind: Secret
-        name: prod-archmeister-ca
-        namespace: '{{request.object.metadata.name}}'
-        synchronize: true
-        clone:
-          namespace: atlantis
-          name: prod-archmeister-ca
-      match:
-        resources:
-          kinds:
-            - Namespace
-          names:
-            - '*-vcluster'
-    - name: sync-archmeister-replication-replication
-      generate:
-        apiVersion: v1
-        kind: Secret
-        name: prod-archmeister-replication
-        namespace: '{{request.object.metadata.name}}'
-        synchronize: true
-        clone:
-          namespace: atlantis
-          name: prod-archmeister-replication
-      match:
-        resources:
-          kinds:
-            - Namespace
-          names:
-            - '*-vcluster'
-  validationFailureAction: audit
diff --git a/resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml b/resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml
new file mode 100644
index 00000000..946ecf97
--- /dev/null
+++ b/resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml
@@ -0,0 +1,48 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-rabbitmq-secret
+spec:
+  background: true
+  generateExisting: true
+  rules:
+    - name: sync-rabbitmq-secret
+      generate:
+        apiVersion: v1
+        kind: Secret
+        name: '{{ request.object.metadata.name }}'
+        namespace: atlantis
+        synchronize: true
+        clone:
+          name: prod-rabbitmq
+          namespace: rabbitmq
+      match:
+        any:
+          - resources:
+              kinds:
+                - Secret
+              names:
+                - prod-rabbitmq
+              namespaces:
+                - rabbitmq
+    - name: add-rabbitmq-connstring
+      mutate:
+        patchStrategicMerge:
+          stringData:
+            connString: 'amqp://user:{{ request.object.data."rabbitmq-password" | base64_decode(@) }}@{{ request.object.metadata.labels."app.kubernetes.io/instance" }}.rabbitmq.svc'
+      match:
+        any:
+          - resources:
+              kinds:
+                - Secret
+              names:
+                - prod-rabbitmq
+                - staging-rabbitmq
+      exclude:
+        any:
+          - resources:
+              kinds:
+                - Namespace
+              names:
+                - rabbitmq
+  validationFailureAction: audit
diff --git a/resources/atlantis/host-manifests/sync-redis-secrets.yaml b/resources/atlantis/host-manifests/sync-redis-secrets.yaml
new file mode 100644
index 00000000..b8428fc2
--- /dev/null
+++ b/resources/atlantis/host-manifests/sync-redis-secrets.yaml
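Review bot: The `exclude` on `add-rabbitmq-connstring` is a no-op: it excludes admission requests for a Namespace object named `rabbitmq`, but `match` only ever selects Secret objects, so the mutation still applies to the source `prod-rabbitmq` Secret in the `rabbitmq` namespace and to any `staging-rabbitmq` Secret anywhere in the cluster. If the intent is to leave the source untouched, express the exclusion on the Secret itself: `exclude: any: - resources: kinds: [Secret] namespaces: [rabbitmq]`. The `connString` template also assumes both `data."rabbitmq-password"` and the `app.kubernetes.io/instance` label exist on the matched Secret; if either is missing the substitution presumably fails or yields a malformed URL, so a `preconditions` check on those two fields, or at least a comment above `connString:` stating the assumption, would prevent a broken clone from being written silently. Since the generated copy is `synchronize: true`, it is worth confirming that Kyverno's resync from the source does not strip the mutated `connString` key and re-trigger the mutation on every pass.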
@@ -0,0 +1,45 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-redis-secrets
+spec:
+  background: true
+  generateExisting: true
+  rules:
+    - name: sync-prod-redis-secret
+      generate:
+        apiVersion: v1
+        kind: Secret
+        name: '{{ request.object.metadata.name }}'
+        namespace: atlantis
+        synchronize: true
+        clone:
+          name: prod-redis
+          namespace: redis
+      match:
+        any:
+          - resources:
+              kinds:
+                - Secret
+              names:
+                - prod-redis
+              namespaces:
+                - redis
+    - name: sync-staging-redis-secret
+      generate:
+        apiVersion: v1
+        kind: Secret
+        name: staging-redis
+        namespace: '{{ request.object.metadata.name }}'
+        synchronize: true
+        clone:
+          name: staging-redis
+          namespace: redis
+      match:
+        any:
+          - resources:
+              kinds:
+                - Namespace
+              names:
+                - "vcluster-009dba7e-*"
+  validationFailureAction: audit
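Review bot: `sync-staging-redis-secret` targets namespaces by the literal glob `"vcluster-009dba7e-*"`, which appears to embed one specific vcluster identifier, while the archmeister policy added in this same commit matches `'*-vcluster'`; it is unclear whether both naming conventions are in use, and a hard-coded id means every additional vcluster needs a manifest edit. As with the other policies, the name glob is the only gate on who receives `staging-redis`, so a namespace `selector.matchLabels` on a label set by the vcluster provisioner would be both easier to maintain and a stronger boundary than a name prefix. `validationFailureAction: audit` is inert here because the policy has no validate rules. A comment above the rule should record why this single id is singled out, e.g. `# TODO(review): staging redis is only fanned out to the 009dba7e vcluster family — confirm whether it should follow the *-vcluster convention used by sync-archmeister-secrets.yaml`.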