{{- if .Values.kyverno.enabled }}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    policies.kyverno.io/description: 'This policy will sync the s3 secret in kube-system namespace across namespaces'
    policies.kyverno.io/subject: Secret
    policies.kyverno.io/title: Sync s3 Secrets
  name: sync-s3-credentials
spec:
  generateExistingOnPolicyUpdate: true
  background: true
  rules:
  - generate:
      apiVersion: v1
      clone:
        name: s3-credentials
        namespace: kube-system
      kind: Secret
      name: s3-credentials
      namespace: '{{`{{request.object.metadata.name}}`}}'
      synchronize: true
    match:
      resources:
        kinds:
        - Namespace
        names:
        - "velero"
        - "loki"
        - "tempo"
    name: sync-s3-secret
  validationFailureAction: audit
{{- end }}