fix: fix kyverno object expansion escapes

2025-06-19 18:23:58 +02:00
parent bb0c042182
commit e156888679
8 changed files with 26 additions and 27 deletions
@@ -18,7 +18,7 @@ spec:
namespace: sorcerer
kind: Secret
name: azure-keyvault
namespace: '{{request.object.metadata.namespace}}'
namespace: '{{`{{request.object.metadata.namespace}}`}}'
synchronize: true
match:
any:
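Review bot: The target `namespace` in this rule still resolves `request.object.metadata.namespace`, while the otherwise parallel `azure-keyvault` rule cloned from `atlantis` and both `gitlab-pull-secret` rules use `request.object.metadata.name`. If this rule is triggered by Namespace objects, as those rules appear to be, `metadata.namespace` is empty on a cluster-scoped object and the Secret would not be generated where intended. The `match` block continues outside the hunk, so the trigger kind cannot be confirmed from here. If the trigger is a Namespace, the line should read ``namespace: '{{`{{request.object.metadata.name}}`}}'``.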
@@ -25,7 +25,7 @@ spec:
kind: Secret
# name: oceanbox-regcred
name: gitlab-pull-secret
namespace: '{{request.object.metadata.name}}'
namespace: '{{`{{request.object.metadata.name}}`}}'
synchronize: true
exclude:
any:
@@ -10,8 +10,8 @@ spec:
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: '{{ request.object.metadata.namespace }}'
name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true
clone:
name: staging-sorcerer-env
@@ -34,8 +34,8 @@ spec:
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: '{{ request.object.metadata.namespace }}'
name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true
clone:
name: dapr-api-token
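Review bot: Both the name and the namespace of the generated Secret are taken from the triggering object, so whoever can create a matching object decides where a copy of `staging-sorcerer-env` or `dapr-api-token` lands, and `synchronize: true` keeps that copy current. The `match`/`exclude` blocks of these rules lie outside the hunks, so it is not visible whether the trigger is limited to trusted namespaces or labels. The same applies to the later rules that clone `prod-rabbitmq`, `staging-rabbitmq`, `staging-atlantis-env`, `azure-keyvault` and `dapr-api-token`. I would add a comment above each `generate` block, for example `# copies a credential into the requester's namespace; trigger is restricted by match to <allowed namespaces>`, and check the match against it.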
@@ -22,11 +22,11 @@ spec:
targets:
- apiVersion: v1
kind: Secret
name: "{{ request.object.metadata.name }}"
name: '{{`{{ request.object.metadata.name }}`}}'
patchStrategicMerge:
stringData:
postgres-password: '{{ request.object.data.password | base64_decode(@) }}'
uri: 'postgres://{{ request.object.data.username | base64_decode(@) }}:{{ request.object.data.password | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}-rw/app?sslmode=disable'
postgres-password: '{{`{{ request.object.data.password | base64_decode(@) }}`}}'
uri: '{{`postgres://{{ request.object.data.username | base64_decode(@) }}:{{ request.object.data.password | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}-rw/app?sslmode=disable`}}'
skipBackgroundRequests: true
validationFailureAction: Audit
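Review bot: The generated `uri` still ends in `sslmode=disable`, so any client using this Secret sends the decoded username and password to the `-rw` service in cleartext. The `cnpg.io/cluster` label suggests a CloudNativePG cluster, which normally serves TLS, so `sslmode=require` (or `verify-full` with the cluster CA mounted) should work; whether the consumer can reach the CA is not visible here. The password is also interpolated into the URI without percent-encoding, so a value containing `@`, `:`, `/` or `#` would yield a connection string that parses to a different host or fails; presumably the generated passwords avoid these characters, but a comment such as `# assumes password contains no URI-reserved characters` would record that. The rule itself starts before the hunk.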
@@ -10,8 +10,8 @@ spec:
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: '{{ request.object.metadata.namespace }}'
name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true
clone:
name: prod-rabbitmq
@@ -35,8 +35,8 @@ spec:
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: '{{ request.object.metadata.namespace }}'
name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true
clone:
name: staging-rabbitmq
@@ -60,8 +60,8 @@ spec:
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: '{{ request.object.metadata.namespace }}'
name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true
clone:
name: staging-atlantis-env
@@ -84,8 +84,8 @@ spec:
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: '{{ request.object.metadata.namespace }}'
name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true
clone:
name: azure-keyvault
@@ -108,8 +108,8 @@ spec:
generate:
apiVersion: v1
kind: Secret
name: '{{ request.object.metadata.name }}'
namespace: '{{ request.object.metadata.namespace }}'
name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true
clone:
name: dapr-api-token
@@ -133,7 +133,7 @@ spec:
apiVersion: v1
kind: Secret
name: prod-atlantis-db-ca
namespace: '{{ request.object.metadata.namespace }}'
namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true
clone:
namespace: prod-atlantis
@@ -152,7 +152,7 @@ spec:
apiVersion: v1
kind: Secret
name: prod-atlantis-db-replication
namespace: '{{ request.object.metadata.namespace }}'
namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true
clone:
namespace: prod-atlantis
@@ -18,7 +18,7 @@ spec:
namespace: atlantis
kind: Secret
name: azure-keyvault
namespace: '{{request.object.metadata.name}}'
namespace: '{{`{{request.object.metadata.name}}`}}'
synchronize: true
match:
any:
@@ -25,7 +25,7 @@ spec:
kind: Secret
# name: oceanbox-regcred
name: gitlab-pull-secret
namespace: '{{request.object.metadata.name}}'
namespace: '{{`{{request.object.metadata.name}}`}}'
synchronize: true
exclude:
any:
@@ -10,17 +10,16 @@ spec:
k8s:io.kubernetes.pod.namespace: dapr-system
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: {{ .Values.rabbitmq.namespace | default "rabbitmq" }}
k8s:io.kubernetes.pod.namespace: rabbitmq
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: {{ .Values.tracing.namespace | default "otel" }}
k8s:io.kubernetes.pod.namespace: otel
- toFQDNs:
- matchName: dapr.github.io
- matchName: analytics.loft.rocks
- matchPattern: '*.oceanbox.io'
# - matchName: gitlab.com
# - matchName: api.github.com
- matchPattern: "*.k1.itpartner.no"
- matchPattern: '*.oceanbox.io'
# - matchPattern: '*.gitlab.com'
endpointSelector:
matchLabels: {}
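Review bot: The `toEndpoints` rules for the `rabbitmq` and `otel` namespaces (and `dapr-system` above them) carry no `toPorts` in the visible lines, so egress is allowed to every port of every pod in those namespaces. A `toPorts` entry under each rule would narrow this; the real port numbers are not on the page, so as a placeholder `- ports: [{port: "<amqp-port>", protocol: TCP}]`. Hardcoding the two namespaces also drops the `.Values.rabbitmq.namespace` and `.Values.tracing.namespace` overrides, so if other templates in the chart still read those values, the policy can stop matching the namespaces where the services actually run. The spec starts before the hunk.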