platform/manifests
1
0
Fork 0
Code Issues 7 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

refactor: move resorces and policies to system

Browse Source
This commit is contained in:
Jonas Juselius
2025-06-19 16:55:23 +02:00
parent 7cd6cc352b
commit cea7ff8537
47 changed files with 0 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files
values/system/oceanbox/kyverno/add-ingress-whitelist.yaml
+20
View File
@@ -0,0 +1,20 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: add-ingress-whitelist
spec:
background: true
generateExisting: true
rules:
- name: set-whitelist-internal
mutate:
patchStrategicMerge:
metadata:
annotations:
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
match:
resources:
kinds:
- Ingress
annotations:
atlantis.oceanbox.io/expose: internal
values/system/oceanbox/kyverno/add-openfga-secret.yaml
+32
View File
@@ -0,0 +1,32 @@
apiVersion: kyverno.io/v1
kind: Policy
metadata:
name: add-openfga-secrets
namespace: openfga
spec:
admission: true
background: true
generateExisting: true
mutateExistingOnPolicyUpdate: true
rules:
- name: add-db-uri
match:
any:
- resources:
kinds:
- Secret
names:
- prod-openfga-db-superuser
- staging-openfga-db-superuser
mutate:
targets:
- apiVersion: v1
kind: Secret
name: "{{ request.object.metadata.name }}"
patchStrategicMerge:
stringData:
postgres-password: '{{ request.object.data.password | base64_decode(@) }}'
uri: 'postgres://{{ request.object.data.username | base64_decode(@) }}:{{ request.object.data.password | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}-rw/app?sslmode=disable'
skipBackgroundRequests: true
validationFailureAction: Audit
values/system/oceanbox/kyverno/remove-argocd-tracking-id.yaml
+31
View File
@@ -0,0 +1,31 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: remove-argocd-tracking-id
spec:
background: true
generateExisting: true
rules:
- name: remove-argocd-tracking-ids
mutate:
patchesJson6902: |-
- path: /metadata/annotations/argocd.argoproj.io~1tracking-id
op: remove
match:
any:
- resources:
kinds:
- Secret
names:
- prod-rabbitmq
- staging-rabbitmq
- prod-redis
- staging-redis
exclude:
any:
- resources:
kinds:
- Namespace
names:
- rabbitmq
- redis
values/system/oceanbox/kyverno/sync-atlantis-secrets.yaml
+168
View File
@@ -0,0 +1,168 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: sync-atlantis-secrets
spec:
background: true
generateExisting: false
rules:
- name: sync-prod-rabbitmq-secret
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: '{{ request.object.metadata.namespace }}'
synchronize: true
clone:
name: prod-rabbitmq
namespace: rabbitmq
match:
any:
- resources:
kinds:
- Secret
names:
- "*-rabbitmq"
annotations:
kyverno/clone: "true"
kyverno/env: "prod"
exclude:
any:
- resources:
annotations:
vcluster.loft.sh/controlled-by: secret/v1/GenericImport
- name: sync-dev-rabbitmq-secret
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: '{{ request.object.metadata.namespace }}'
synchronize: true
clone:
name: staging-rabbitmq
namespace: rabbitmq
match:
any:
- resources:
kinds:
- Secret
names:
- "*-rabbitmq"
annotations:
kyverno/clone: "true"
kyverno/env: "staging"
exclude:
any:
- resources:
annotations:
vcluster.loft.sh/controlled-by: secret/v1/GenericImport
- name: sync-atlantis-secret
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: '{{ request.object.metadata.namespace }}'
synchronize: true
clone:
name: staging-atlantis-env
namespace: staging-atlantis
match:
any:
- resources:
kinds:
- Secret
names:
- "*-atlantis-env"
annotations:
kyverno/clone: "true"
exclude:
any:
- resources:
annotations:
vcluster.loft.sh/controlled-by: secret/v1/GenericImport
- name: sync-azure-keyvault-secret
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: '{{ request.object.metadata.namespace }}'
synchronize: true
clone:
name: azure-keyvault
namespace: prod-atlantis
match:
any:
- resources:
kinds:
- Secret
names:
- azure-keyvault
annotations:
kyverno/clone: "true"
exclude:
any:
- resources:
annotations:
vcluster.loft.sh/controlled-by: secret/v1/GenericImport
- name: sync-dapr-api-token
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: '{{ request.object.metadata.namespace }}'
synchronize: true
clone:
name: dapr-api-token
namespace: prod-atlantis
match:
any:
- resources:
kinds:
- Secret
names:
- dapr-api-token
annotations:
kyverno/clone: "true"
exclude:
any:
- resources:
annotations:
vcluster.loft.sh/controlled-by: secret/v1/GenericImport
- name: sync-atlantis-db-ca
generate:
apiVersion: v1
kind: Secret
name: prod-atlantis-db-ca
namespace: '{{ request.object.metadata.namespace }}'
synchronize: true
clone:
namespace: prod-atlantis
name: prod-atlantis-db-ca
match:
any:
- resources:
kinds:
- Secret
names:
- prod-atlantis-db-ca
annotations:
kyverno/clone: "true"
- name: sync-atlantis-db-replication
generate:
apiVersion: v1
kind: Secret
name: prod-atlantis-db-replication
namespace: '{{ request.object.metadata.namespace }}'
synchronize: true
clone:
namespace: prod-atlantis
name: prod-atlantis-db-replication
match:
any:
- resources:
kinds:
- Secret
names:
- prod-atlantis-db-replication
annotations:
kyverno/clone: "true"
values/system/oceanbox/kyverno/sync-keyvault-secret.yaml
+32
View File
@@ -0,0 +1,32 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Sample
policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
creationTimestamp: "2024-01-15T11:58:24Z"
name: sync-keyvault-secrets
spec:
admission: true
background: true
generateExisting: true
rules:
- generate:
apiVersion: v1
clone:
name: azure-keyvault
namespace: atlantis
kind: Secret
name: azure-keyvault
namespace: '{{request.object.metadata.name}}'
synchronize: true
match:
any:
- resources:
kinds:
- Namespace
names:
- "*-atlantis"
name: sync-keyvault-secrets
values/system/oceanbox/kyverno/sync-regcred.yaml
+42
View File
@@ -0,0 +1,42 @@
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
policies.kyverno.io/category: Sample
policies.kyverno.io/description: 'Secrets like registry credentials often need
to exist in multiple Namespaces so Pods there have access. Manually duplicating
those Secrets is time consuming and error prone. This policy will copy a Secret
called `regcred` which exists in the `default` Namespace to new Namespaces when
they are created. It will also push updates to the copied Secrets should the
source Secret be changed. '
creationTimestamp: "2024-01-15T11:58:24Z"
name: sync-regcred
spec:
admission: true
background: true
generateExisting: true
rules:
- generate:
apiVersion: v1
clone:
# name: oceanbox-regcred
name: gitlab-pull-secret
namespace: default
kind: Secret
# name: oceanbox-regcred
name: gitlab-pull-secret
namespace: '{{request.object.metadata.name}}'
synchronize: true
exclude:
any:
- resources:
annotations:
vcluster.loft.sh/controlled-by: secret/v1/GenericImport
match:
any:
- resources:
kinds:
- Namespace
name: sync-oceanbox-regcred