platform/manifests
1
0
Fork 0
Code Issues 7 Pull Requests 5 Actions Packages Projects Releases Wiki Activity

fix: split secret sync policies to separeate files. autoconfigure rabbitmq connString

Browse Source
This commit is contained in:
Jonas Juselius
2024-02-15 16:05:18 +01:00
parent b0e876d675
commit a164f74fbd
5 changed files with 135 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files
applications/atlantis-host-resources.yaml
+1 -1
View File
@@ -1,7 +1,7 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: atlantis-host-resrources name: atlantis-host-cluster-resources
namespace: argocd namespace: argocd
spec: spec:
project: atlantis project: atlantis
resources/atlantis/host-manifests/sync-archmeister-secrets.yaml
+41
View File
@@ -0,0 +1,41 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-prod-archmeister-replication-secrets
spec:
background: true
generateExisting: true
rules:
- name: sync-archmeister-ca
generate:
apiVersion: v1
kind: Secret
name: prod-archmeister-ca
namespace: '{{request.object.metadata.name}}'
synchronize: true
clone:
namespace: atlantis
name: prod-archmeister-ca
match:
resources:
kinds:
- Namespace
names:
- '*-vcluster'
- name: sync-archmeister-replication
generate:
apiVersion: v1
kind: Secret
name: prod-archmeister-replication
namespace: '{{request.object.metadata.name}}'
synchronize: true
clone:
namespace: atlantis
name: prod-archmeister-replication
match:
resources:
kinds:
- Namespace
names:
- '*-vcluster'
validationFailureAction: audit
resources/atlantis/host-manifests/sync-atlantis-secrets.yaml
-102
View File
@@ -1,102 +0,0 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-atlantis-secrets
spec:
background: true
generateExistingOnPolicyUpdate: true
rules:
- name: sync-rabbitmq-secrets
generate:
apiVersion: v1
namespace: atlantis
synchronize: true
cloneList:
namespace: rabbitmq
kinds:
- Secret
selector:
matchLabels:
clone: "true"
match:
resources:
kinds:
- Namespace
names:
- atlantis
- '*-vcluster'
- name: add-rabbitmq-connstring
mutate:
targets:
- apiVersion: v1
kind: Secret
namespace: atlantis
name: '{{request.object.metadata.name}}'
patchStrategicMerge:
data:
connString: "connString: {{base64_encode(join('amqp://user:', '{{request.object.data.rabbitmq-password}}')) }}"
# connString: "connString: aHVubnktYnVubnk="
match:
all:
- resources:
kinds:
- Secret
names:
- staging-rabbitmq
- resources:
kinds:
- Namespace
names:
- rabbitmq
- name: sync-redis-secrets
generate:
apiVersion: v1
namespace: atlantis
synchronize: true
cloneList:
namespace: redis
kinds:
- Secret
selector:
matchLabels:
app.kubernetes.io/name: redis
match:
resources:
kinds:
- Namespace
names:
- atlantis
- '*-vcluster'
- name: sync-archmeister-replication-ca
generate:
apiVersion: v1
kind: Secret
name: prod-archmeister-ca
namespace: '{{request.object.metadata.name}}'
synchronize: true
clone:
namespace: atlantis
name: prod-archmeister-ca
match:
resources:
kinds:
- Namespace
names:
- '*-vcluster'
- name: sync-archmeister-replication-replication
generate:
apiVersion: v1
kind: Secret
name: prod-archmeister-replication
namespace: '{{request.object.metadata.name}}'
synchronize: true
clone:
namespace: atlantis
name: prod-archmeister-replication
match:
resources:
kinds:
- Namespace
names:
- '*-vcluster'
validationFailureAction: audit
resources/atlantis/host-manifests/sync-rabbitmq-secrets.yaml
+48
View File
@@ -0,0 +1,48 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-rabbitmq-secret
spec:
background: true
generateExisting: true
rules:
- name: sync-rabbitmq-secret
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: atlantis
synchronize: true
clone:
name: prod-rabbitmq
namespace: rabbitmq
match:
any:
- resources:
kinds:
- Secret
names:
- prod-rabbitmq
namespaces:
- rabbitmq
- name: add-rabbitmq-connstring
mutate:
patchStrategicMerge:
stringData:
connString: 'amqp://user:{{ request.object.data."rabbitmq-password" | base64_decode(@) }}@{{ request.object.metadata.labels."app.kubernetes.io/instance" }}.rabbitmq.svc'
match:
any:
- resources:
kinds:
- Secret
names:
- prod-rabbitmq
- staging-rabbitmq
exclude:
any:
- resources:
kinds:
- Namespace
names:
- rabbitmq
validationFailureAction: audit
resources/atlantis/host-manifests/sync-redis-secrets.yaml
+45
View File
@@ -0,0 +1,45 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-redis-secrets
spec:
background: true
generateExisting: true
rules:
- name: sync-prod-redis-secret
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: atlantis
synchronize: true
clone:
name: prod-redis
namespace: redis
match:
any:
- resources:
kinds:
- Secret
names:
- prod-redis
namespaces:
- redis
- name: sync-staging-redis-secret
generate:
apiVersion: v1
kind: Secret
name: staging-redis
namespace: '{{ request.object.metadata.name }}'
synchronize: true
clone:
name: staging-redis
namespace: redis
match:
any:
- resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
validationFailureAction: audit