---
# Kyverno ClusterPolicy with five generate rules. Each rule triggers on a
# Secret whose name matches a pattern and which carries the annotation
# kyverno/clone: 'true', then clones a fixed source Secret onto the trigger's
# own name and namespace (generate.name / generate.namespace are taken from
# request.object).
#
# NOTE(review): no rule limits the trigger's namespace (match.resources has
# neither `namespaces` nor `namespaceSelector`). As written, the name pattern
# and the annotation are the only gate, so whoever may create Secrets in any
# namespace can request a copy of the source credentials, including the
# prod-* database secrets. Consider scoping each match to the intended
# namespaces, e.g. `namespaces: ['<ALLOWED_NAMESPACE>']` (placeholder), and
# reviewing which subjects hold create/update on Secrets there.
#
# NOTE(review): the policy name says "dev", but the clone sources are named
# staging-* and prod-*. Confirm that copying these credentials is intended.
#
# NOTE(review): rule names spell "archmaester" while the Secret names spell
# "archmeister". Confirm which spelling is correct before relying on either.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-dev-atlantis-secrets
spec:
  background: true
  generateExisting: false
  rules:
    # Clone rabbitmq/staging-rabbitmq onto annotated Secrets named *-rabbitmq.
    - name: sync-rabbitmq-secret
      generate:
        apiVersion: v1
        kind: Secret
        name: '{{ request.object.metadata.name }}'
        namespace: '{{ request.object.metadata.namespace }}'
        # synchronize keeps the generated copy aligned with the clone source.
        synchronize: true
        clone:
          name: staging-rabbitmq
          namespace: rabbitmq
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - '*-rabbitmq'
              annotations:
                kyverno/clone: 'true'

    # Clone redis/staging-redis onto annotated Secrets named *-redis.
    - name: sync-redis-secret
      generate:
        apiVersion: v1
        kind: Secret
        name: '{{ request.object.metadata.name }}'
        namespace: '{{ request.object.metadata.namespace }}'
        synchronize: true
        clone:
          name: staging-redis
          namespace: redis
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - '*-redis'
              annotations:
                kyverno/clone: 'true'

    # Clone atlantis/prod-archmeister-superuser onto annotated Secrets named
    # *-db-superuser. The wildcard makes this the broadest gate on the most
    # privileged source in the policy; see the namespace note at the top.
    - name: sync-archmaester-secret
      generate:
        apiVersion: v1
        kind: Secret
        name: '{{ request.object.metadata.name }}'
        namespace: '{{ request.object.metadata.namespace }}'
        synchronize: true
        clone:
          name: prod-archmeister-superuser
          namespace: atlantis
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - '*-db-superuser'
              annotations:
                kyverno/clone: 'true'

    # Clone atlantis/prod-archmeister-replication onto an annotated Secret of
    # the same name (exact match, no wildcard).
    - name: sync-archmaester-replication-secret
      generate:
        apiVersion: v1
        kind: Secret
        name: '{{ request.object.metadata.name }}'
        namespace: '{{ request.object.metadata.namespace }}'
        synchronize: true
        clone:
          name: prod-archmeister-replication
          namespace: atlantis
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - 'prod-archmeister-replication'
              annotations:
                kyverno/clone: 'true'

    # Clone atlantis/prod-archmeister-ca onto an annotated Secret of the same
    # name (exact match, no wildcard).
    - name: sync-archmaester-ca
      generate:
        apiVersion: v1
        kind: Secret
        name: '{{ request.object.metadata.name }}'
        namespace: '{{ request.object.metadata.namespace }}'
        synchronize: true
        clone:
          name: prod-archmeister-ca
          namespace: atlantis
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - 'prod-archmeister-ca'
              annotations:
                kyverno/clone: 'true'
      # Disabled exclude block, kept as found. Its original nesting level is
      # not recoverable from the collapsed source; shown here at rule level.
      # NOTE(review): presumably meant to keep clone sources from triggering
      # the rules. Four of the five source Secrets (staging-rabbitmq,
      # staging-redis, prod-archmeister-replication, prod-archmeister-ca)
      # match their own rule's name pattern, so only the annotation keeps a
      # source from matching. Confirm whether this exclude should be enabled.
      # exclude:
      #   any:
      #     - resources:
      #         kinds:
      #           - Secret
      #         selector:
      #           matchLabels:
      #             generate.kyverno.io/clone-source: ""