{{- if .Values.clusterConfig.kyverno.enabled }}
# Kyverno ClusterPolicy that clones selected source Secrets into the namespace
# of a "trigger" Secret. A rule fires when a Secret with a matching name and
# the annotation kyverno/clone: 'true' is admitted. Kyverno then generates a
# Secret in the trigger's namespace whose content is cloned from the source
# named under generate.clone.
#
# NOTE(review): no match block restricts the namespace of the trigger Secret,
# and the kyverno/clone and kyverno/env annotations are set by whoever creates
# it. As written, any principal allowed to create a Secret with the right name
# and annotations, in any namespace, receives a copy of the source Secret,
# production credentials included. Consider scoping each match with
# `namespaces` or `namespaceSelector`, and check that RBAC for creating Secrets
# in tenant namespaces matches the intended audience for each credential.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-atlantis-secrets
spec:
  background: true
  # Secrets that already exist when the policy is installed are not processed.
  generateExisting: false
  rules:
    # Production RabbitMQ credentials, requested with kyverno/env: 'prod'.
    - name: sync-prod-rabbitmq-secret
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - '*-rabbitmq'
              annotations:
                kyverno/clone: 'true'
                kyverno/env: 'prod'
      # Skip Secrets carrying the vcluster GenericImport annotation
      # (presumably objects imported by vcluster; confirm).
      exclude:
        any:
          - resources:
              annotations:
                vcluster.loft.sh/controlled-by: secret/v1/GenericImport
      skipBackgroundRequests: true
      generate:
        apiVersion: v1
        kind: Secret
        # The Helm raw-string escape leaves the Kyverno variable untouched in
        # the rendered manifest. The target is the trigger Secret itself.
        name: '{{`{{ request.object.metadata.name }}`}}'
        namespace: '{{`{{ request.object.metadata.namespace }}`}}'
        # Later changes to the source are propagated to every clone.
        synchronize: true
        clone:
          name: prod-rabbitmq
          namespace: rabbitmq

    # Staging RabbitMQ credentials, requested with kyverno/env: 'staging'.
    # NOTE(review): the rule name says "dev" but the source and the env
    # annotation say "staging"; confirm which is intended.
    - name: sync-dev-rabbitmq-secret
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - '*-rabbitmq'
              annotations:
                kyverno/clone: 'true'
                kyverno/env: 'staging'
      exclude:
        any:
          - resources:
              annotations:
                vcluster.loft.sh/controlled-by: secret/v1/GenericImport
      skipBackgroundRequests: true
      generate:
        apiVersion: v1
        kind: Secret
        name: '{{`{{ request.object.metadata.name }}`}}'
        namespace: '{{`{{ request.object.metadata.namespace }}`}}'
        synchronize: true
        clone:
          name: staging-rabbitmq
          namespace: rabbitmq

    # Atlantis environment Secret.
    # NOTE(review): this rule has no kyverno/env filter and clones from
    # staging-atlantis, while the remaining rules clone from prod-atlantis;
    # confirm that every '*-atlantis-env' requester should get staging values.
    - name: sync-atlantis-secret
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - '*-atlantis-env'
              annotations:
                kyverno/clone: 'true'
      exclude:
        any:
          - resources:
              annotations:
                vcluster.loft.sh/controlled-by: secret/v1/GenericImport
      skipBackgroundRequests: true
      generate:
        apiVersion: v1
        kind: Secret
        name: '{{`{{ request.object.metadata.name }}`}}'
        namespace: '{{`{{ request.object.metadata.namespace }}`}}'
        synchronize: true
        clone:
          name: staging-atlantis-env
          namespace: staging-atlantis

    # Azure Key Vault Secret, cloned from prod-atlantis.
    - name: sync-azure-keyvault-secret
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - azure-keyvault
              annotations:
                kyverno/clone: 'true'
      exclude:
        any:
          - resources:
              annotations:
                vcluster.loft.sh/controlled-by: secret/v1/GenericImport
      skipBackgroundRequests: true
      generate:
        apiVersion: v1
        kind: Secret
        name: '{{`{{ request.object.metadata.name }}`}}'
        namespace: '{{`{{ request.object.metadata.namespace }}`}}'
        synchronize: true
        clone:
          name: azure-keyvault
          namespace: prod-atlantis

    # Dapr API token, cloned from prod-atlantis.
    - name: sync-dapr-api-token
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - dapr-api-token
              annotations:
                kyverno/clone: 'true'
      exclude:
        any:
          - resources:
              annotations:
                vcluster.loft.sh/controlled-by: secret/v1/GenericImport
      skipBackgroundRequests: true
      generate:
        apiVersion: v1
        kind: Secret
        name: '{{`{{ request.object.metadata.name }}`}}'
        namespace: '{{`{{ request.object.metadata.namespace }}`}}'
        synchronize: true
        clone:
          name: dapr-api-token
          namespace: prod-atlantis

    # Production database CA, cloned from prod-atlantis under a fixed name.
    # NOTE(review): unlike the rules above, this rule has no exclude for the
    # vcluster GenericImport annotation; confirm the omission is deliberate.
    - name: sync-atlantis-db-ca
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - prod-atlantis-db-ca
              annotations:
                kyverno/clone: 'true'
      skipBackgroundRequests: true
      generate:
        apiVersion: v1
        kind: Secret
        name: prod-atlantis-db-ca
        namespace: '{{`{{ request.object.metadata.namespace }}`}}'
        synchronize: true
        clone:
          name: prod-atlantis-db-ca
          namespace: prod-atlantis

    # Production database replication Secret, cloned from prod-atlantis.
    # NOTE(review): no exclude for the vcluster GenericImport annotation here
    # either; confirm the omission is deliberate.
    - name: sync-atlantis-db-replication
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - prod-atlantis-db-replication
              annotations:
                kyverno/clone: 'true'
      skipBackgroundRequests: true
      generate:
        apiVersion: v1
        kind: Secret
        name: prod-atlantis-db-replication
        namespace: '{{`{{ request.object.metadata.namespace }}`}}'
        synchronize: true
        clone:
          name: prod-atlantis-db-replication
          namespace: prod-atlantis
{{- end }}