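{{- if .Values.clusterConfig.kyverno.enabled }}
# Kyverno mutation policy for Ingresses annotated "oceanbox.io/expose: internal".
# Goal: every such Ingress ends up with a "haproxy.org/allow-list" annotation that
# contains the cluster-wide list from .Values.clusterConfig.ingress_whitelist
# (a list of strings, joined with ","; assumed to be CIDRs/IPs -- verify in values).
#
# NOTE(review): this is a *mutate* policy. It only ever ADDS entries; whatever
# allow-list the Ingress author supplied is kept and extended, so an overly
# broad pre-existing value is not rejected here. Enforce that with a separate
# validate rule if "internal" must actually mean restricted.
#
# Rule order matters: rule 1 guarantees the annotation key exists, rules 2 and 3
# then branch on "empty" vs "non-empty". This assumes Kyverno makes the result
# of an earlier mutate rule visible to the preconditions of later rules in the
# same policy -- confirm for the deployed Kyverno version.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: whitelist-internal-ingresses
  annotations:
    policies.clusterConfig.kyverno.io/title: Concatenate Ingresses
    policies.clusterConfig.kyverno.io/category: Other
    policies.clusterConfig.kyverno.io/severity: medium
    policies.clusterConfig.kyverno.io/subject: Ingress
    policies.clusterConfig.kyverno.io/description: >-
      Ingresses with the annotation "oceanbox.io/expose=internal" should be whitelisted.
      If no whitelist exists, add the default values, otherwise append whitelist to the already existing ones
spec:
  # Do not re-mutate already-existing Ingresses when this policy is changed;
  # only admission requests are processed.
  mutateExistingOnPolicyUpdate: false
  rules:
    # Rule 1: make sure the allow-list annotation key exists.
    # The "+(...)" anchor adds the key only when it is absent, so an
    # author-supplied value is never overwritten by this rule.
    - name: ensure-haproxy-allowlist-exists
      skipBackgroundRequests: true
      match:
        resources:
          kinds:
            - Ingress
          annotations:
            oceanbox.io/expose: internal
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              +(haproxy.org/allow-list): ""
{{- with .Values.clusterConfig.ingress_whitelist }}
    # Rules 2 and 3 are emitted only when a whitelist is configured. Rendering
    # them with an empty "annotations:" mapping would yield "annotations: null"
    # in the strategic-merge patch, which may be applied as a deletion of all
    # annotations rather than a no-op -- so skip the rules entirely instead.

    # Rule 2: the Ingress already carries a non-empty allow-list -> append ours.
    - name: append-existing-haproxy-allowlist
      skipBackgroundRequests: true
      match:
        resources:
          kinds:
            - Ingress
          annotations:
            oceanbox.io/expose: internal
      preconditions:
        all:
          - key: "{{`{{request.object.metadata.annotations.\"haproxy.org/allow-list\"}}`}}"
            operator: NotEquals
            value: ""
          # Idempotency guard: mutation also runs on UPDATE requests, so without
          # this check every update of the Ingress would append the whitelist
          # again and the annotation would grow without bound. Skip when the
          # joined whitelist is already present. "|| ''" keeps contains() from
          # erroring if the annotation is unexpectedly missing.
          - key: "{{`{{ contains(request.object.metadata.annotations.\"haproxy.org/allow-list\" || '', '`}}{{ join "," . }}{{`') }}`}}"
            operator: Equals
            value: false
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              # "{{ @ }}" is the annotation's current value; the cluster list
              # is appended after it.
              haproxy.org/allow-list: "{{`{{ @ }}`}},{{ join "," . }}"

    # Rule 3: the allow-list is present but empty (typically just added by
    # rule 1) -> set it to the cluster whitelist.
    - name: add-haproxy-allowlist
      skipBackgroundRequests: true
      match:
        resources:
          kinds:
            - Ingress
          annotations:
            oceanbox.io/expose: internal
      preconditions:
        all:
          - key: "{{`{{request.object.metadata.annotations.\"haproxy.org/allow-list\"}}`}}"
            operator: Equals
            value: ""
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              haproxy.org/allow-list: "{{ join "," . }}"
{{- end }}
{{- end }}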