fix: fix kyverno object exapnsion esacpes

2025-06-19 18:23:58 +02:00
parent bb0c042182
commit e156888679
8 changed files with 26 additions and 27 deletions
@@ -18,7 +18,7 @@ spec:
namespace: sorcerer namespace: sorcerer
kind: Secret kind: Secret
name: azure-keyvault name: azure-keyvault
namespace: '{{request.object.metadata.namespace}}' namespace: '{{`{{request.object.metadata.namespace}}`}}'
synchronize: true synchronize: true
match: match:
any: any:
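Review bot: The two generate rules in this file derive the target namespace from different fields — `request.object.metadata.namespace` here versus `request.object.metadata.name` in the gitlab-pull-secret rule in the next hunk — while the parallel atlantis policy uses `metadata.name` for the azure-keyvault clone as well. If the trigger is a cluster-scoped Namespace object, `metadata.namespace` evaluates to empty and this rule's target is invalid; if the trigger is a namespaced object, the `.name` variant in the sibling rule is the wrong one. Align both rules on the same field, or document the intended trigger above `generate:`, e.g. `# target = the Namespace being created (metadata.name) — TODO confirm against match.kinds`. The match block that settles this is cut off at the end of the hunk, so which case applies is not visible here.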
@@ -25,7 +25,7 @@ spec:
kind: Secret kind: Secret
# name: oceanbox-regcred # name: oceanbox-regcred
name: gitlab-pull-secret name: gitlab-pull-secret
namespace: '{{request.object.metadata.name}}' namespace: '{{`{{request.object.metadata.name}}`}}'
synchronize: true synchronize: true
exclude: exclude:
any: any:
@@ -10,8 +10,8 @@ spec:
generate: generate:
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
name: '{{ request.object.metadata.name }}' name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{ request.object.metadata.namespace }}' namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true synchronize: true
clone: clone:
name: staging-sorcerer-env name: staging-sorcerer-env
@@ -34,8 +34,8 @@ spec:
generate: generate:
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
name: '{{ request.object.metadata.name }}' name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{ request.object.metadata.namespace }}' namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true synchronize: true
clone: clone:
name: dapr-api-token name: dapr-api-token
@@ -22,11 +22,11 @@ spec:
targets: targets:
- apiVersion: v1 - apiVersion: v1
kind: Secret kind: Secret
name: "{{ request.object.metadata.name }}" name: '{{`{{ request.object.metadata.name }}`}}'
patchStrategicMerge: patchStrategicMerge:
stringData: stringData:
postgres-password: '{{ request.object.data.password | base64_decode(@) }}' postgres-password: '{{`{{ request.object.data.password | base64_decode(@) }}`}}'
uri: 'postgres://{{ request.object.data.username | base64_decode(@) }}:{{ request.object.data.password | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}-rw/app?sslmode=disable' uri: '{{`postgres://{{ request.object.data.username | base64_decode(@) }}:{{ request.object.data.password | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}-rw/app?sslmode=disable`}}'
skipBackgroundRequests: true skipBackgroundRequests: true
validationFailureAction: Audit validationFailureAction: Audit
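Review bot: The `uri` assembled on the last changed line embeds the decoded username and password verbatim and hard-codes `sslmode=disable`, so the credential is sent in cleartext to the `-rw` service and any password containing `@`, `:`, `/`, `%` or `?` yields a malformed or mis-parsed URI. Since a `*-db-ca` Secret is being distributed by the atlantis policy in this same commit, a CA for the cluster appears to exist; `sslmode=require` at minimum, or `verify-full` with that CA, would fit. Unless Kyverno exposes a URL-encoding filter for this expression (not visible here), consider emitting `host`, `username` and `password` as separate keys and letting the consumer build the DSN rather than interpolating raw secrets into a URL. A short comment above `stringData:` stating why TLS is disabled, e.g. `# sslmode=disable: in-cluster CNPG traffic only — TODO enable TLS with <cluster>-ca`, would at least make the exception reviewable.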
@@ -10,8 +10,8 @@ spec:
generate: generate:
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
name: '{{ request.object.metadata.name }}' name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{ request.object.metadata.namespace }}' namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true synchronize: true
clone: clone:
name: prod-rabbitmq name: prod-rabbitmq
@@ -35,8 +35,8 @@ spec:
generate: generate:
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
name: '{{ request.object.metadata.name }}' name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{ request.object.metadata.namespace }}' namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true synchronize: true
clone: clone:
name: staging-rabbitmq name: staging-rabbitmq
@@ -60,8 +60,8 @@ spec:
generate: generate:
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
name: '{{ request.object.metadata.name }}' name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{ request.object.metadata.namespace }}' namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true synchronize: true
clone: clone:
name: staging-atlantis-env name: staging-atlantis-env
@@ -84,8 +84,8 @@ spec:
generate: generate:
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
name: '{{ request.object.metadata.name }}' name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{ request.object.metadata.namespace }}' namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true synchronize: true
clone: clone:
name: azure-keyvault name: azure-keyvault
@@ -108,8 +108,8 @@ spec:
generate: generate:
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
name: '{{ request.object.metadata.name }}' name: '{{`{{ request.object.metadata.name }}`}}'
namespace: '{{ request.object.metadata.namespace }}' namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true synchronize: true
clone: clone:
name: dapr-api-token name: dapr-api-token
@@ -133,7 +133,7 @@ spec:
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
name: prod-atlantis-db-ca name: prod-atlantis-db-ca
namespace: '{{ request.object.metadata.namespace }}' namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true synchronize: true
clone: clone:
namespace: prod-atlantis namespace: prod-atlantis
@@ -152,7 +152,7 @@ spec:
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
name: prod-atlantis-db-replication name: prod-atlantis-db-replication
namespace: '{{ request.object.metadata.namespace }}' namespace: '{{`{{ request.object.metadata.namespace }}`}}'
synchronize: true synchronize: true
clone: clone:
namespace: prod-atlantis namespace: prod-atlantis
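Review bot: This rule clones the `prod-atlantis-db-replication` Secret out of `prod-atlantis` into whatever namespace the request resolves to, and the previous hunk does the same for `prod-atlantis-db-ca`; with `synchronize: true` every rotation of the production replication credential is propagated as well. The match/exclude block that decides which namespaces receive it begins outside the hunk, so it is not visible whether the rule is bounded by a namespace label or name, or fires for any matching event. Add a comment above `generate:` naming the intended consumer and the scoping, e.g. `# replication creds for prod-atlantis; match is restricted to namespaces labelled <label> — TODO confirm`, and verify the match is not broad enough that creating an arbitrary namespace is sufficient to obtain the credential.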
@@ -18,7 +18,7 @@ spec:
namespace: atlantis namespace: atlantis
kind: Secret kind: Secret
name: azure-keyvault name: azure-keyvault
namespace: '{{request.object.metadata.name}}' namespace: '{{`{{request.object.metadata.name}}`}}'
synchronize: true synchronize: true
match: match:
any: any:
@@ -25,7 +25,7 @@ spec:
kind: Secret kind: Secret
# name: oceanbox-regcred # name: oceanbox-regcred
name: gitlab-pull-secret name: gitlab-pull-secret
namespace: '{{request.object.metadata.name}}' namespace: '{{`{{request.object.metadata.name}}`}}'
synchronize: true synchronize: true
exclude: exclude:
any: any:
@@ -10,17 +10,16 @@ spec:
k8s:io.kubernetes.pod.namespace: dapr-system k8s:io.kubernetes.pod.namespace: dapr-system
- toEndpoints: - toEndpoints:
- matchLabels: - matchLabels:
k8s:io.kubernetes.pod.namespace: {{ .Values.rabbitmq.namespace | default "rabbitmq" }} k8s:io.kubernetes.pod.namespace: rabbitmq
- toEndpoints: - toEndpoints:
- matchLabels: - matchLabels:
k8s:io.kubernetes.pod.namespace: {{ .Values.tracing.namespace | default "otel" }} k8s:io.kubernetes.pod.namespace: otel
- toFQDNs: - toFQDNs:
- matchName: dapr.github.io - matchName: dapr.github.io
- matchName: analytics.loft.rocks - matchName: analytics.loft.rocks
- matchPattern: '*.oceanbox.io'
# - matchName: gitlab.com # - matchName: gitlab.com
# - matchName: api.github.com # - matchName: api.github.com
- matchPattern: "*.k1.itpartner.no"
- matchPattern: '*.oceanbox.io'
# - matchPattern: '*.gitlab.com' # - matchPattern: '*.gitlab.com'
endpointSelector: endpointSelector:
matchLabels: {} matchLabels: {}
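Review bot: The two `k8s:io.kubernetes.pod.namespace` values replace `.Values.rabbitmq.namespace | default "rabbitmq"` and `.Values.tracing.namespace | default "otel"` with the literals `rabbitmq` and `otel`, which drops the chart override and is unrelated to the escape fix this commit describes; if the templating itself was the problem, keeping the expression and quoting its output, `k8s:io.kubernetes.pod.namespace: {{ .Values.rabbitmq.namespace | default "rabbitmq" | quote }}`, preserves the knob. The `matchPattern: "*.k1.itpartner.no"` entry appears only on the old side of the hunk while `'*.oceanbox.io'` moves up, so it looks like an egress allow is being removed — if intentional, it belongs in the commit message, because with `endpointSelector: matchLabels: {}` this policy applies to every pod in the namespace. The `analytics.loft.rocks` FQDN is outbound telemetry; a one-line comment saying which component needs it, e.g. `# loft/vcluster telemetry — TODO confirm still required`, would help the next reviewer decide whether to keep it. The enclosing `spec:` starts outside the hunk.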