refactor: move resorces and policies to system

values/system/oceanbox/kyverno/add-openfga-secret.yaml

@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: add-openfga-secrets
+  namespace: openfga
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - name: add-db-uri
+    match:
+      any:
+      - resources:
+          kinds:
+          - Secret
+          names:
+          - prod-openfga-db-superuser
+          - staging-openfga-db-superuser
+    mutate:
+      targets:
+        - apiVersion: v1
+          kind: Secret
+          name: "{{ request.object.metadata.name }}"
+      patchStrategicMerge:
+        stringData:
+          postgres-password: '{{ request.object.data.password | base64_decode(@) }}'
+          uri: 'postgres://{{ request.object.data.username | base64_decode(@) }}:{{ request.object.data.password | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}-rw/app?sslmode=disable'
+    skipBackgroundRequests: true
+  validationFailureAction: Audit
+