feat: add policy to fixup openfga connection uri

2024-12-31 15:17:08 +01:00
parent ff3407f80c
commit e1317584ce
1 changed files with 32 additions and 0 deletions
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: add-openfga-secrets
+  namespace: openfga
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - name: add-db-uri
+    match:
+      any:
+      - resources:
+          kinds:
+          - Secret
+          names:
+          - prod-openfga-superuser
+          - staging-openfga-superuser
+    mutate:
+      targets:
+        - apiVersion: v1
+          kind: Secret
+          name: "{{ request.object.metadata.name }}"
+      patchStrategicMerge:
+        stringData:
+          postgres-password: '{{ request.object.data."password" | base64_decode(@) }}'
+          uri: postgres://postgres:{{ request.object.data."password" | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}
+    skipBackgroundRequests: true
+  validationFailureAction: Audit
+