From e1317584cee45d36ce216607329c9d608d95b6ac Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Tue, 31 Dec 2024 15:17:08 +0100
Subject: [PATCH] feat: add policy to fixup openfga connection uri
---
.../oceanbox/kyverno/add-openfga-secret.yaml | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 policies/oceanbox/kyverno/add-openfga-secret.yaml
diff --git a/policies/oceanbox/kyverno/add-openfga-secret.yaml b/policies/oceanbox/kyverno/add-openfga-secret.yaml
new file mode 100644
index 00000000..2f1d58a4
--- /dev/null
+++ b/policies/oceanbox/kyverno/add-openfga-secret.yaml
@@ -0,0 +1,32 @@
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+ name: add-openfga-secrets
+ namespace: openfga
+spec:
+ admission: true
+ background: true
+ generateExisting: true
+ mutateExistingOnPolicyUpdate: true
+ rules:
+ - name: add-db-uri
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - prod-openfga-superuser
+ - staging-openfga-superuser
+ mutate:
+ targets:
+ - apiVersion: v1
+ kind: Secret
+ name: "{{ request.object.metadata.name }}"
+ patchStrategicMerge:
+ stringData:
+ postgres-password: '{{ request.object.data."password" | base64_decode(@) }}'
+ uri: postgres://postgres:{{ request.object.data."password" | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}
+ skipBackgroundRequests: true
+ validationFailureAction: Audit
+
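Review bot: The `uri` value under `stringData` splices the decoded password into a URI without percent-encoding, so a password containing `@`, `:`, `/`, `?` or `#` would yield a connection string that fails to parse or resolves to a different host than intended. Either restrict the generated password to URL-safe characters at the source, or have the consumer take host, user and password as separate fields instead of a pre-built URI. The value is also the only templated scalar left unquoted; quoting it like the `postgres-password` line, `uri: 'postgres://postgres:{{ request.object.data."password" | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}'`, keeps the two consistent. The URI carries no port, database name or `sslmode`, so if the consumer takes its TLS settings from the URI it presumably falls back to client defaults; the intended mode is worth stating explicitly. Because the rule reads superuser Secret data through `request.object`, confirm that Kyverno logs and any stored update requests in this cluster do not retain the decoded value.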