fix: move policies here and there

values/kyverno/manifests/policies/sync-gitlab.yaml

@@ -1,32 +0,0 @@
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-gitlab-secret
-  annotations:
-    policies.kyverno.io/title: Sync Secrets
-    policies.kyverno.io/category: Sample
-    policies.kyverno.io/subject: Secret
-    policies.kyverno.io/description: >-
-      Secrets like registry credentials often need to exist in multiple
-      Namespaces so Pods there have access. Manually duplicating those Secrets
-      is time consuming and error prone. This policy will copy a
-      Secret called `regcred` which exists in the `default` Namespace to
-      new Namespaces when they are created. It will also push updates to
-      the copied Secrets should the source Secret be changed.
-spec:
-  rules:
-  - name: sync-image-pull-secret
-    skipBackgroundRequests: true
-    match:
-      resources:
-        kinds:
-        - Namespace
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: regcred
-      namespace: "{{`{{request.object.metadata.name}}`}}"
-      synchronize: true
-      clone:
-        namespace: default
-        name: gitlab-pull-secret

values/kyverno/manifests/policies/sync-regcred.yaml

@@ -1,34 +0,0 @@
-{{- if .Values.kyverno.enabled }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: sync-regcred-secret
-  annotations:
-    policies.kyverno.io/title: Sync Secrets
-    policies.kyverno.io/category: Sample
-    policies.kyverno.io/subject: Secret
-    policies.kyverno.io/description: >-
-      Secrets like registry credentials often need to exist in multiple
-      Namespaces so Pods there have access. Manually duplicating those Secrets
-      is time consuming and error prone. This policy will copy a
-      Secret called `regcred` which exists in the `default` Namespace to
-      new Namespaces when they are created. It will also push updates to
-      the copied Secrets should the source Secret be changed.            
-spec:
-  rules:
-  - name: sync-image-pull-secret
-    skipBackgroundRequests: true
-    match:
-      resources:
-        kinds:
-        - Namespace
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: regcred
-      namespace: "{{`{{request.object.metadata.name}}`}}"
-      synchronize: true
-      clone:
-        namespace: default
-        name: regcred
-{{- end }}

values/kyverno/manifests/policies/sync-s3-secret.yaml

@@ -1,34 +0,0 @@
-{{- if .Values.kyverno.enabled }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  annotations:
-    policies.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
-    policies.kyverno.io/subject: Secret
-    policies.kyverno.io/title: Sync s3 Secrets
-  name: sync-s3-credentials
-spec:
-  generateExistingOnPolicyUpdate: true
-  background: true
-  rules:
-  - generate:
-      apiVersion: v1
-      clone:
-        name: s3-credentials
-        namespace: kube-system
-      kind: Secret
-      name: s3-credentials
-      namespace: '{{`{{request.object.metadata.name}}`}}'
-      synchronize: true
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-        - "velero"
-        - "loki"
-        - "tempo"
-    name: sync-s3-secret
-    skipBackgroundRequests: true
-  validationFailureAction: audit
-{{- end }}

values/kyverno/manifests/policies/whitelist-internal-ingresses.yaml

@@ -1,76 +0,0 @@
-{{- if .Values.kyverno.enabled }}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: whitelist-internal-ingresses
-  annotations:
-    policies.kyverno.io/title: Concatenate Ingresss
-    policies.kyverno.io/category: Other
-    policies.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Ingress
-    policies.kyverno.io/description: >-
-      Ingresses with the label "internal=true" should be whitelisted. 
-      If no whitelist exists, add the default values, otherwise append 
-      whitelist to the already existing ones
-spec:
-  mutateExistingOnPolicyUpdate: false
-  #precondition: has whitelist annotation or 
-  rules:
-  - name: ensure-nginx-whitelist-exists
-    skipBackgroundRequests: true
-    match:
-      resources:
-        kinds:
-          - Ingress
-        selector:
-          matchLabels:
-            internal: "true"
-    mutate:
-      patchStrategicMerge:
-        metadata:
-          annotations:
-            +(nginx.ingress.kubernetes.io/whitelist-source-range): ""
-  - name: append-existing-whitelist
-    skipBackgroundRequests: true
-    match:
-      resources:
-        kinds:
-          - Ingress
-        selector:
-          matchLabels:
-            internal: "true"
-    preconditions:
-      any:
-      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
-        operator: NotEquals
-        value: ""
-    mutate:
-      patchStrategicMerge:
-        metadata:
-          annotations:
-            {{- with .Values.clusterConfig.ingress_whitelist_ips }}
-            nginx.ingress.kubernetes.io/whitelist-source-range: "{{`{{ @ }}`}},{{ join "," . }}"
-            {{- end }}
-  - name: add-nginx-whitelist
-    skipBackgroundRequests: true
-    match:
-      resources:
-        kinds:
-          - Ingress
-        selector:
-          matchLabels:
-            internal: "true"
-    preconditions:
-      any:
-      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
-        operator: Equals
-        value: ""
-    mutate:
-      patchStrategicMerge:
-        metadata:
-          annotations:
-            {{- with .Values.clusterConfig.ingress_whitelist_ips }}
-            nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
-            {{- end }}
-{{- end }}
-