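---
# Kyverno ClusterPolicy that fans Secrets out to the `atlantis` namespace and
# to `*-vcluster` namespaces, then adds a derived RabbitMQ connection string
# to the cloned RabbitMQ Secret.
#
# Changes from the previous revision (reviewed):
#   * add-rabbitmq-connstring: match.all combined a filter for kind Secret with a
#     filter for kind Namespace. One admission request has exactly one kind, so
#     that rule could never fire. The Secret filter is now scoped with
#     `namespaces: [rabbitmq]`, which reads as the evident intent.
#   * add-rabbitmq-connstring: the connString value prefixed the base64 payload
#     with a literal "connString: " (not valid Secret data), nested `{{ }}`
#     inside an expression, and passed a string where JMESPath `join` takes an
#     array. The expression is rewritten; see the inline comment.
#   * A commented-out hard-coded base64 connString literal was removed. Do not
#     leave credential-shaped values in this file, even in comments.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-atlantis-secrets
spec:
  # Also evaluate existing resources, not only new admission requests.
  background: true
  # Re-run generate rules for existing triggers when this policy is updated.
  generateExistingOnPolicyUpdate: true
  # There are no validate rules here; kept for compatibility with the previous
  # revision.
  validationFailureAction: audit
  rules:
    # Clone every Secret labelled clone="true" from the rabbitmq namespace into
    # atlantis, and keep the copies in sync with their sources.
    # NOTE(review): generate.namespace is fixed to `atlantis`, so the
    # `*-vcluster` trigger only re-runs generation into atlantis; it does not
    # give each vcluster its own copy. If per-vcluster copies were intended,
    # compare the archmeister rules below, which use
    # '{{request.object.metadata.name}}' as the target namespace. Confirm.
    - name: sync-rabbitmq-secrets
      match:
        resources:
          kinds:
            - Namespace
          names:
            - atlantis
            - '*-vcluster'
      generate:
        apiVersion: v1
        namespace: atlantis
        synchronize: true
        cloneList:
          namespace: rabbitmq
          kinds:
            - Secret
          selector:
            matchLabels:
              clone: "true"

    # When the source Secret `staging-rabbitmq` in the rabbitmq namespace is
    # admitted, add a `connString` key to its clone in atlantis.
    # NOTE(review): sync-rabbitmq-secrets keeps that clone synchronized with its
    # source, and synchronize reverts drift on generated resources; this
    # mutation is therefore likely to be undone on the next sync. Confirm, or
    # add the key on the source Secret instead.
    - name: add-rabbitmq-connstring
      match:
        all:
          - resources:
              kinds:
                - Secret
              names:
                - staging-rabbitmq
              namespaces:
                - rabbitmq
      mutate:
        targets:
          - apiVersion: v1
            kind: Secret
            namespace: atlantis
            # The clone keeps the source Secret's name.
            name: '{{request.object.metadata.name}}'
        patchStrategicMerge:
          data:
            # Secret .data values are base64: decode the password before
            # composing the URL, then base64-encode the whole result so the
            # stored value is valid Secret data. The key contains a hyphen, so
            # it must be a quoted JMESPath identifier.
            # NOTE(review): the URL carries a fixed user name and no host, as in
            # the previous revision — confirm this is what the consumer expects.
            connString: >-
              {{ base64_encode(join('', ['amqp://user:', base64_decode(request.object.data."rabbitmq-password")])) }}

    # Clone every Secret labelled app.kubernetes.io/name=redis from the redis
    # namespace into atlantis. Same fixed-namespace caveat as
    # sync-rabbitmq-secrets above.
    - name: sync-redis-secrets
      match:
        resources:
          kinds:
            - Namespace
          names:
            - atlantis
            - '*-vcluster'
      generate:
        apiVersion: v1
        namespace: atlantis
        synchronize: true
        cloneList:
          namespace: redis
          kinds:
            - Secret
          selector:
            matchLabels:
              app.kubernetes.io/name: redis

    # Copy the archmeister CA Secret from atlantis into every new *-vcluster
    # namespace.
    - name: sync-archmeister-replication-ca
      match:
        resources:
          kinds:
            - Namespace
          names:
            - '*-vcluster'
      generate:
        apiVersion: v1
        kind: Secret
        name: prod-archmeister-ca
        namespace: '{{request.object.metadata.name}}'
        synchronize: true
        clone:
          namespace: atlantis
          name: prod-archmeister-ca

    # Copy the archmeister replication Secret from atlantis into every new
    # *-vcluster namespace.
    # NOTE(review): every namespace whose name matches *-vcluster receives a
    # copy of a prod-named Secret. Anyone who can create such a namespace, or
    # read Secrets in one, obtains it. Confirm that all *-vcluster namespaces
    # are equally trusted, or narrow the match.
    - name: sync-archmeister-replication-replication
      match:
        resources:
          kinds:
            - Namespace
          names:
            - '*-vcluster'
      generate:
        apiVersion: v1
        kind: Secret
        name: prod-archmeister-replication
        namespace: '{{request.object.metadata.name}}'
        synchronize: true
        clone:
          namespace: atlantis
          name: prod-archmeister-replication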