feat: add hel1 cluster

values/system/hel1/kyverno/add-openfga-secret.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: add-openfga-secrets
+  namespace: openfga
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  mutateExistingOnPolicyUpdate: true
+  rules:
+  - name: add-db-uri
+    match:
+      any:
+      - resources:
+          kinds:
+          - Secret
+          names:
+          - prod-openfga-db-superuser
+          - staging-openfga-db-superuser
+    mutate:
+      targets:
+        - apiVersion: v1
+          kind: Secret
+          name: '{{`{{ request.object.metadata.name }}`}}'
+      patchStrategicMerge:
+        stringData:
+          postgres-password: '{{`{{ request.object.data.password | base64_decode(@) }}`}}'
+          uri: '{{`postgres://{{ request.object.data.username | base64_decode(@) }}:{{ request.object.data.password | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}-rw/app?sslmode=disable`}}'
+    skipBackgroundRequests: true
+  validationFailureAction: Audit
+{{- end }}

values/system/hel1/kyverno/sync-atlantis-secrets.yaml

@@ -0,0 +1,177 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-atlantis-secrets
+spec:
+  background: true
+  generateExisting: false
+  rules:
+  - name: sync-prod-rabbitmq-secret
+    skipBackgroundRequests: true
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{`{{ request.object.metadata.name }}`}}'
+      namespace: '{{`{{ request.object.metadata.namespace }}`}}'
+      synchronize: true
+      clone:
+        name: prod-rabbitmq
+        namespace: rabbitmq
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-rabbitmq"
+         annotations:
+           kyverno/clone: "true"
+           kyverno/env: "prod"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-dev-rabbitmq-secret
+    skipBackgroundRequests: true
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{`{{ request.object.metadata.name }}`}}'
+      namespace: '{{`{{ request.object.metadata.namespace }}`}}'
+      synchronize: true
+      clone:
+        name: staging-rabbitmq
+        namespace: rabbitmq
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-rabbitmq"
+         annotations:
+           kyverno/clone: "true"
+           kyverno/env: "staging"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-atlantis-secret
+    skipBackgroundRequests: true
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{`{{ request.object.metadata.name }}`}}'
+      namespace: '{{`{{ request.object.metadata.namespace }}`}}'
+      synchronize: true
+      clone:
+        name: staging-atlantis-env
+        namespace: staging-atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - "*-atlantis-env"
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-azure-keyvault-secret
+    skipBackgroundRequests: true
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{`{{ request.object.metadata.name }}`}}'
+      namespace: '{{`{{ request.object.metadata.namespace }}`}}'
+      synchronize: true
+      clone:
+        name: azure-keyvault
+        namespace: prod-atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - azure-keyvault
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-dapr-api-token
+    skipBackgroundRequests: true
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{`{{ request.object.metadata.name }}`}}'
+      namespace: '{{`{{ request.object.metadata.namespace }}`}}'
+      synchronize: true
+      clone:
+        name: dapr-api-token
+        namespace: prod-atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - dapr-api-token
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+  - name: sync-atlantis-db-ca
+    skipBackgroundRequests: true
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: prod-atlantis-db-ca
+      namespace: '{{`{{ request.object.metadata.namespace }}`}}'
+      synchronize: true
+      clone:
+        namespace: prod-atlantis
+        name: prod-atlantis-db-ca
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-atlantis-db-ca
+         annotations:
+           kyverno/clone: "true"
+  - name: sync-atlantis-db-replication
+    skipBackgroundRequests: true
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: prod-atlantis-db-replication
+      namespace: '{{`{{ request.object.metadata.namespace }}`}}'
+      synchronize: true
+      clone:
+        namespace: prod-atlantis
+        name: prod-atlantis-db-replication
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - prod-atlantis-db-replication
+         annotations:
+           kyverno/clone: "true"
+{{- end }}

values/system/hel1/kyverno/sync-keyvault-secret.yaml

@@ -0,0 +1,33 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  annotations:
+    policies.clusterConfig.kyverno.io/category: Sample
+    policies.clusterConfig.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+  creationTimestamp: "2024-01-15T11:58:24Z"
+  name: sync-keyvault-secrets
+spec:
+  admission: true
+  background: true
+  generateExisting: true
+  rules:
+  - generate:
+      apiVersion: v1
+      clone:
+        name: azure-keyvault
+        namespace: atlantis
+      kind: Secret
+      name: azure-keyvault
+      namespace: '{{`{{request.object.metadata.name}}`}}'
+      synchronize: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Namespace
+          names:
+          - "*-atlantis"
+    name: sync-keyvault-secrets
+    skipBackgroundRequests: true
+{{- end }}

values/system/hel1/kyverno/sync-regcred.yaml

@@ -0,0 +1,34 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-regcred-secret
+  annotations:
+    policies.clusterConfig.kyverno.io/title: Sync Secrets
+    policies.clusterConfig.kyverno.io/category: Sample
+    policies.clusterConfig.kyverno.io/subject: Secret
+    policies.clusterConfig.kyverno.io/description: >-
+      Secrets like registry credentials often need to exist in multiple
+      Namespaces so Pods there have access. Manually duplicating those Secrets
+      is time consuming and error prone. This policy will copy a
+      Secret called `regcred` which exists in the `default` Namespace to
+      new Namespaces when they are created. It will also push updates to
+      the copied Secrets should the source Secret be changed.            
+spec:
+  rules:
+  - name: sync-image-pull-secret
+    skipBackgroundRequests: true
+    match:
+      resources:
+        kinds:
+        - Namespace
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: regcred
+      namespace: "{{`{{request.object.metadata.name}}`}}"
+      synchronize: true
+      clone:
+        namespace: default
+        name: regcred
+{{- end }}

values/system/hel1/kyverno/sync-s3-secret.yaml

@@ -0,0 +1,34 @@
+# {{- if .Values.clusterConfig.kyverno.enabled }}
+# apiVersion: kyverno.io/v1
+# kind: ClusterPolicy
+# metadata:
+#   annotations:
+#     policies.clusterConfig.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
+#     policies.clusterConfig.kyverno.io/subject: Secret
+#     policies.clusterConfig.kyverno.io/title: Sync s3 Secrets
+#   name: sync-s3-credentials
+# spec:
+#   generateExistingOnPolicyUpdate: true
+#   background: true
+#   rules:
+#   - generate:
+#       apiVersion: v1
+#       clone:
+#         name: s3-credentials
+#         namespace: kube-system
+#       kind: Secret
+#       name: s3-credentials
+#       namespace: '{{`{{request.object.metadata.name}}`}}'
+#       synchronize: true
+#     match:
+#       resources:
+#         kinds:
+#         - Namespace
+#         names:
+#         - "velero"
+#         - "loki"
+#         - "tempo"
+#     name: sync-s3-secret
+#     skipBackgroundRequests: true
+#   validationFailureAction: audit
+# {{- end }}

values/system/hel1/kyverno/sync-slurm-token.yaml

@@ -0,0 +1,35 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: sync-slurm-token
+spec:
+  background: true
+  generateExisting: false
+  rules:
+  - name: sync-slurmrestd-token
+    skipBackgroundRequests: true
+    generate:
+      apiVersion: v1
+      kind: Secret
+      name: '{{`{{ request.object.metadata.name }}`}}'
+      namespace: '{{`{{ request.object.metadata.namespace }}`}}'
+      synchronize: true
+      clone:
+        name: slurm-access-token
+        namespace: prod-atlantis
+    match:
+     any:
+     - resources:
+         kinds:
+         - Secret
+         names:
+         - slurm-access-token
+         annotations:
+           kyverno/clone: "true"
+    exclude:
+      any:
+      - resources:
+          annotations:
+            vcluster.loft.sh/controlled-by: secret/v1/GenericImport
+{{- end }}

values/system/hel1/kyverno/whitelist-internal-ingresses.yaml

@@ -0,0 +1,73 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: whitelist-internal-ingresses
+  annotations:
+    policies.clusterConfig.kyverno.io/title: Concatenate Ingresss
+    policies.clusterConfig.kyverno.io/category: Other
+    policies.clusterConfig.kyverno.io/severity: medium
+    policies.clusterConfig.kyverno.io/subject: Ingress
+    policies.clusterConfig.kyverno.io/description: >-
+      Ingresses with the annotation "oceanbox.io/expose=internal" should be whitelisted.
+      If no whitelist exists, add the default values, otherwise append
+      whitelist to the already existing ones
+spec:
+  mutateExistingOnPolicyUpdate: false
+  #precondition: has whitelist annotation or
+  rules:
+  - name: ensure-nginx-whitelist-exists
+    skipBackgroundRequests: true
+    match:
+      resources:
+        kinds:
+          - Ingress
+        annotations:
+          oceanbox.io/expose: internal
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            +(nginx.ingress.kubernetes.io/whitelist-source-range): ""
+  - name: append-existing-whitelist
+    skipBackgroundRequests: true
+    match:
+      resources:
+        kinds:
+          - Ingress
+        annotations:
+          oceanbox.io/expose: internal
+    preconditions:
+      any:
+      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+        operator: NotEquals
+        value: ""
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            {{- with .Values.clusterConfig.ingress_whitelist }}
+            nginx.ingress.kubernetes.io/whitelist-source-range: "{{`{{ @ }}`}},{{ join "," . }}"
+            {{- end }}
+  - name: add-nginx-whitelist
+    skipBackgroundRequests: true
+    match:
+      resources:
+        kinds:
+          - Ingress
+        annotations:
+          oceanbox.io/expose: internal
+    preconditions:
+      any:
+      - key: "{{`{{request.object.metadata.annotations.\"nginx.ingress.kubernetes.io/whitelist-source-range\"}}`}}"
+        operator: Equals
+        value: ""
+    mutate:
+      patchStrategicMerge:
+        metadata:
+          annotations:
+            {{- with .Values.clusterConfig.ingress_whitelist }}
+            nginx.ingress.kubernetes.io/whitelist-source-range: "{{ join "," . }}"
+            {{- end }}
+{{- end }}
+