fix: fix kyveno policies

values/env.yaml

@@ -41,3 +41,5 @@ clusterConfig:
     enabled: true
   cilium:
     enabled: true
+  kyverno:
+    enabled: true

values/system/oceanbox/kyverno/add-openfga-secret.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: Policy
 metadata:
@@ -29,4 +30,4 @@ spec:
           uri: '{{`postgres://{{ request.object.data.username | base64_decode(@) }}:{{ request.object.data.password | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}-rw/app?sslmode=disable`}}'
     skipBackgroundRequests: true
   validationFailureAction: Audit
-
+{{- end }}

values/system/oceanbox/kyverno/sync-atlantis-secrets.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
@@ -173,3 +174,4 @@ spec:
          - prod-atlantis-db-replication
          annotations:
            kyverno/clone: "true"
+{{- end }}

values/system/oceanbox/kyverno/sync-gitlab.yaml

@@ -1,12 +1,13 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
   name: sync-gitlab-secret
   annotations:
-    policies.kyverno.io/title: Sync Secrets
+    policies.clusterConfig.kyverno.io/title: Sync Secrets
-    policies.kyverno.io/category: Sample
+    policies.clusterConfig.kyverno.io/category: Sample
-    policies.kyverno.io/subject: Secret
+    policies.clusterConfig.kyverno.io/subject: Secret
-    policies.kyverno.io/description: >-
+    policies.clusterConfig.kyverno.io/description: >-
       Secrets like registry credentials often need to exist in multiple
       Namespaces so Pods there have access. Manually duplicating those Secrets
       is time consuming and error prone. This policy will copy a
@@ -30,3 +31,4 @@ spec:
       clone:
         namespace: default
         name: gitlab-pull-secret
+{{- end }}

values/system/oceanbox/kyverno/sync-keyvault-secret.yaml

@@ -1,9 +1,10 @@
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
   annotations:
-    policies.kyverno.io/category: Sample
+    policies.clusterConfig.kyverno.io/category: Sample
-    policies.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
+    policies.clusterConfig.kyverno.io/description: 'Access dataprotection keys from Azure Key Vault'
   creationTimestamp: "2024-01-15T11:58:24Z"
   name: sync-keyvault-secrets
 spec:
@@ -28,5 +29,4 @@ spec:
           names:
           - "*-atlantis"
     name: sync-keyvault-secrets
-
+{{- end }}
-

values/system/oceanbox/kyverno/sync-regcred.yaml

@@ -1,13 +1,13 @@
-{{- if .Values.kyverno.enabled }}
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
   name: sync-regcred-secret
   annotations:
-    policies.kyverno.io/title: Sync Secrets
+    policies.clusterConfig.kyverno.io/title: Sync Secrets
-    policies.kyverno.io/category: Sample
+    policies.clusterConfig.kyverno.io/category: Sample
-    policies.kyverno.io/subject: Secret
+    policies.clusterConfig.kyverno.io/subject: Secret
-    policies.kyverno.io/description: >-
+    policies.clusterConfig.kyverno.io/description: >-
       Secrets like registry credentials often need to exist in multiple
       Namespaces so Pods there have access. Manually duplicating those Secrets
       is time consuming and error prone. This policy will copy a

values/system/oceanbox/kyverno/sync-s3-secret.yaml

@@ -1,11 +1,11 @@
-{{- if .Values.kyverno.enabled }}
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
   annotations:
-    policies.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
+    policies.clusterConfig.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
-    policies.kyverno.io/subject: Secret
+    policies.clusterConfig.kyverno.io/subject: Secret
-    policies.kyverno.io/title: Sync s3 Secrets
+    policies.clusterConfig.kyverno.io/title: Sync s3 Secrets
   name: sync-s3-credentials
 spec:
   generateExistingOnPolicyUpdate: true

values/system/oceanbox/kyverno/whitelist-internal-ingresses.yaml

@@ -1,20 +1,20 @@
-{{- if .Values.kyverno.enabled }}
+{{- if .Values.clusterConfig.kyverno.enabled }}
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
   name: whitelist-internal-ingresses
   annotations:
-    policies.kyverno.io/title: Concatenate Ingresss
+    policies.clusterConfig.kyverno.io/title: Concatenate Ingresss
-    policies.kyverno.io/category: Other
+    policies.clusterConfig.kyverno.io/category: Other
-    policies.kyverno.io/severity: medium
+    policies.clusterConfig.kyverno.io/severity: medium
-    policies.kyverno.io/subject: Ingress
+    policies.clusterConfig.kyverno.io/subject: Ingress
-    policies.kyverno.io/description: >-
+    policies.clusterConfig.kyverno.io/description: >-
-      Ingresses with the label "internal=true" should be whitelisted. 
+      Ingresses with the label "internal=true" should be whitelisted.
-      If no whitelist exists, add the default values, otherwise append 
+      If no whitelist exists, add the default values, otherwise append
       whitelist to the already existing ones
 spec:
   mutateExistingOnPolicyUpdate: false
-  #precondition: has whitelist annotation or 
+  #precondition: has whitelist annotation or
   rules:
   - name: ensure-nginx-whitelist-exists
     skipBackgroundRequests: true