From f3db2438cf14c233af8bbbe7cfd835e337868299 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Fri, 20 Jun 2025 14:55:18 +0200
Subject: [PATCH] fix: fix kyveno policies

---
 values/env.yaml | 2 ++
 .../oceanbox/kyverno/add-openfga-secret.yaml | 3 ++-
 .../kyverno/sync-atlantis-secrets.yaml | 2 ++
 .../system/oceanbox/kyverno/sync-gitlab.yaml | 10 ++++++----
 .../oceanbox/kyverno/sync-keyvault-secret.yaml | 8 ++++----
 .../system/oceanbox/kyverno/sync-regcred.yaml | 10 +++++-----
 .../oceanbox/kyverno/sync-s3-secret.yaml | 8 ++++----
 .../kyverno/whitelist-internal-ingresses.yaml | 18 +++++++++--------
 8 files changed, 34 insertions(+), 27 deletions(-)

diff --git a/values/env.yaml b/values/env.yaml
index 887b70ac..0872e232 100644
--- a/values/env.yaml
+++ b/values/env.yaml
@@ -41,3 +41,5 @@ clusterConfig:
 enabled: true
 cilium:
 enabled: true
+ kyverno:
+ enabled: true
diff --git a/values/system/oceanbox/kyverno/add-openfga-secret.yaml b/values/system/oceanbox/kyverno/add-openfga-secret.yaml
index 5a3b9ab3..4432b123 100644
--- a/values/system/oceanbox/kyverno/add-openfga-secret.yaml
+++ b/values/system/oceanbox/kyverno/add-openfga-secret.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: Policy
 metadata:
@@ -29,4 +30,4 @@ spec:
 uri: '{{`postgres://{{ request.object.data.username | base64_decode(@) }}:{{ request.object.data.password | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}-rw/app?sslmode=disable`}}'
 skipBackgroundRequests: true
 validationFailureAction: Audit
-
+{{- end }}
diff --git a/values/system/oceanbox/kyverno/sync-atlantis-secrets.yaml b/values/system/oceanbox/kyverno/sync-atlantis-secrets.yaml
index d074df59..f416795e 100644
--- a/values/system/oceanbox/kyverno/sync-atlantis-secrets.yaml
+++ b/values/system/oceanbox/kyverno/sync-atlantis-secrets.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
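Review bot: The `uri` context line in the second add-openfga-secret hunk builds the generated Secret's connection string from the decoded CNPG username and password and ends it with `?sslmode=disable`, which this commit carries forward unchanged under the new `{{- if .Values.clusterConfig.kyverno.enabled }}` guard. With sslmode disabled the consumer of that Secret will send the credentials and all query traffic in clear text to the `-rw` service unless the cluster network is encrypted by other means, which cannot be seen from here. If the CloudNativePG cluster serves TLS (it does by default, as far as I can tell), `sslmode=require`, or `verify-full` with the cluster CA mounted, is the safer default for a generated credential, and it is a one-token change in that URI, e.g. `...-rw/app?sslmode=require`. The generate rule this `uri` belongs to starts outside the hunk.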
@@ -173,3 +174,4 @@ spec:
 - prod-atlantis-db-replication
 annotations:
 kyverno/clone: "true"
+{{- end }}
diff --git a/values/system/oceanbox/kyverno/sync-gitlab.yaml b/values/system/oceanbox/kyverno/sync-gitlab.yaml
index d20f865c..c9499880 100644
--- a/values/system/oceanbox/kyverno/sync-gitlab.yaml
+++ b/values/system/oceanbox/kyverno/sync-gitlab.yaml
@@ -1,12 +1,13 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
 name: sync-gitlab-secret
 annotations:
- policies.kyverno.io/title: Sync Secrets
- policies.kyverno.io/category: Sample
- policies.kyverno.io/subject: Secret
- policies.kyverno.io/description: >-
+ policies.clusterConfig.kyverno.io/title: Sync Secrets
+ policies.clusterConfig.kyverno.io/category: Sample
+ policies.clusterConfig.kyverno.io/subject: Secret
+ policies.clusterConfig.kyverno.io/description: >-
 Secrets like registry credentials often need to exist in multiple
 Namespaces so Pods there have access. Manually duplicating those
 Secrets is time consuming and error prone. This policy will copy a
@@ -30,3 +31,4 @@ spec:
 clone:
 namespace: default
 name: gitlab-pull-secret
+{{- end }}
diff --git a/values/system/oceanbox/kyverno/sync-keyvault-secret.yaml b/values/system/oceanbox/kyverno/sync-keyvault-secret.yaml
index ec2c584e..78359ccb 100644
--- a/values/system/oceanbox/kyverno/sync-keyvault-secret.yaml
+++ b/values/system/oceanbox/kyverno/sync-keyvault-secret.yaml
@@ -1,9 +1,10 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
 annotations:
- policies.kyverno.io/category: Sample
- policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+ policies.clusterConfig.kyverno.io/category: Sample
+ policies.clusterConfig.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
 creationTimestamp: "2024-01-15T11:58:24Z"
 name: sync-keyvault-secrets
 spec:
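Review bot: The renamed annotation keys `policies.clusterConfig.kyverno.io/title` through `/description` in the first sync-gitlab hunk look like a find-and-replace of `kyverno.` that was only meant for the Helm values path in the new `{{- if .Values.clusterConfig.kyverno.enabled }}` line; a Kubernetes annotation key prefix must be a lowercase RFC 1123 subdomain, so the uppercase `C` in `clusterConfig` should make the API server reject every policy carrying it at apply time, and a rejected ClusterPolicy means the secret-sync and ingress-whitelist rules are silently not enforced. The same rewrite appears in the sync-keyvault-secret, sync-regcred, sync-s3-secret and whitelist-internal-ingresses hunks. Restore the conventional prefix on each of those lines, e.g. `policies.kyverno.io/title: Sync Secrets`, and keep only the `.Values.clusterConfig.kyverno.enabled` change, which is the part the commit title describes. The `metadata` mapping and the folded description scalar continue past the end of this hunk.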
@@ -28,5 +29,4 @@ spec:
 names:
 - "*-atlantis"
 name: sync-keyvault-secrets
-
-
+{{- end }}
diff --git a/values/system/oceanbox/kyverno/sync-regcred.yaml b/values/system/oceanbox/kyverno/sync-regcred.yaml
index abaf2691..b8c65f3f 100644
--- a/values/system/oceanbox/kyverno/sync-regcred.yaml
+++ b/values/system/oceanbox/kyverno/sync-regcred.yaml
@@ -1,13 +1,13 @@
-{{- if .Values.kyverno.enabled }}
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
 name: sync-regcred-secret
 annotations:
- policies.kyverno.io/title: Sync Secrets
- policies.kyverno.io/category: Sample
- policies.kyverno.io/subject: Secret
- policies.kyverno.io/description: >-
+ policies.clusterConfig.kyverno.io/title: Sync Secrets
+ policies.clusterConfig.kyverno.io/category: Sample
+ policies.clusterConfig.kyverno.io/subject: Secret
+ policies.clusterConfig.kyverno.io/description: >-
 Secrets like registry credentials often need to exist in multiple
 Namespaces so Pods there have access. Manually duplicating those
 Secrets is time consuming and error prone. This policy will copy a
diff --git a/values/system/oceanbox/kyverno/sync-s3-secret.yaml b/values/system/oceanbox/kyverno/sync-s3-secret.yaml
index 002579e5..c1796722 100644
--- a/values/system/oceanbox/kyverno/sync-s3-secret.yaml
+++ b/values/system/oceanbox/kyverno/sync-s3-secret.yaml
@@ -1,11 +1,11 @@
-{{- if .Values.kyverno.enabled }}
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
 annotations:
- policies.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
- policies.kyverno.io/subject: Secret
- policies.kyverno.io/title: Sync s3 Secrets
+ policies.clusterConfig.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
+ policies.clusterConfig.kyverno.io/subject: Secret
+ policies.clusterConfig.kyverno.io/title: Sync s3 Secrets
 name: sync-s3-credentials
 spec:
 generateExistingOnPolicyUpdate: true
diff --git a/values/system/oceanbox/kyverno/whitelist-internal-ingresses.yaml b/values/system/oceanbox/kyverno/whitelist-internal-ingresses.yaml
index d032d268..8108ff30 100644
--- a/values/system/oceanbox/kyverno/whitelist-internal-ingresses.yaml
+++ b/values/system/oceanbox/kyverno/whitelist-internal-ingresses.yaml
@@ -1,20 +1,20 @@
-{{- if .Values.kyverno.enabled }}
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
 name: whitelist-internal-ingresses
 annotations:
- policies.kyverno.io/title: Concatenate Ingresss
- policies.kyverno.io/category: Other
- policies.kyverno.io/severity: medium
- policies.kyverno.io/subject: Ingress
- policies.kyverno.io/description: >-
- Ingresses with the label "internal=true" should be whitelisted.
- If no whitelist exists, add the default values, otherwise append
+ policies.clusterConfig.kyverno.io/title: Concatenate Ingresss
+ policies.clusterConfig.kyverno.io/category: Other
+ policies.clusterConfig.kyverno.io/severity: medium
+ policies.clusterConfig.kyverno.io/subject: Ingress
+ policies.clusterConfig.kyverno.io/description: >-
+ Ingresses with the label "internal=true" should be whitelisted.
+ If no whitelist exists, add the default values, otherwise append
 whitelist to the already existing ones
 spec:
 mutateExistingOnPolicyUpdate: false
- #precondition: has whitelist annotation or
+ #precondition: has whitelist annotation or
 rules:
 - name: ensure-nginx-whitelist-exists
 skipBackgroundRequests: true
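Review bot: The re-added line `+ #precondition: has whitelist annotation or` is a comment that stops mid-sentence, so it documents nothing for the `ensure-nginx-whitelist-exists` rule that follows it; the removed and re-added copies read identically in this view, which suggests the commit only touched trailing whitespace on that line and on the two description lines above it. Either finish the thought or drop the line; if the intent matches the description in the same hunk, a complete one-liner such as `# precondition: Ingress carries the internal=true label, or already has a whitelist annotation` would do, but verify it against the rule's match and preconditions blocks, which lie outside the hunk. yamllint also expects a space after `#`. The `rules` sequence continues past the end of this hunk.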