---
# Kyverno ClusterPolicy with three rules:
#   1. add-rabbitmq-connstring      - mutate: adds a derived `connString`
#      entry to the RabbitMQ Secrets that live in the `rabbitmq` namespace.
#   2. sync-prod-rabbitmq-secret    - generate: clones rabbitmq/prod-rabbitmq.
#   3. sync-staging-rabbitmq-secret - generate: clones rabbitmq/staging-rabbitmq.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-rabbitmq-secrets
spec:
  background: true
  # Also process trigger resources that existed before the policy did.
  # NOTE(review): newer Kyverno releases appear to expect this flag on the
  # rule's `generate` block instead of at spec level - confirm against the
  # installed version.
  generateExisting: true
  rules:
    # Rule 1: build an AMQP URI from the Secret's own password and its
    # `app.kubernetes.io/instance` label, and store it next to the password.
    - name: add-rabbitmq-connstring
      mutate:
        patchStrategicMerge:
          stringData:
            # NOTE(review): the decoded password is placed in the URI
            # userinfo as-is. A password containing reserved characters
            # (`@`, `:`, `/`, `?`, `#`, `%`) yields a URI that clients will
            # parse incorrectly; constrain the password alphabet or
            # percent-encode before interpolating.
            # NOTE(review): the user name is fixed to `user`, and the host
            # part depends on the instance label being present - presumably
            # the rule errors when the label is missing; verify.
            connString: 'amqp://user:{{ request.object.data."rabbitmq-password" | base64_decode(@) }}@{{ request.object.metadata.labels."app.kubernetes.io/instance" }}.rabbitmq.svc'
      # Scoped to the two named source Secrets in the `rabbitmq` namespace.
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - prod-rabbitmq
                - staging-rabbitmq
              namespaces:
                - rabbitmq

    # Rule 2: clone the production Secret.
    # The generated object takes the trigger's own name and namespace, so the
    # trigger Secret and the clone target are the same object.
    #
    # NOTE(review): `match` below has neither `namespaces` nor a
    # `namespaceSelector`, so it applies cluster-wide. Any principal allowed
    # to create a Secret named `prod-rabbitmq` annotated `clone: "true"` in
    # any namespace receives a copy of the production credentials (including
    # `connString` once rule 1 has run on the source). Restrict the trigger
    # to an allow-list of namespaces or a namespace label, and review which
    # subjects hold `create`/`update` on Secrets in those namespaces.
    # NOTE(review): the annotation acts as an opt-in switch, not as an
    # authorization check - whoever creates the Secret also sets it.
    - name: sync-prod-rabbitmq-secret
      generate:
        apiVersion: v1
        kind: Secret
        name: '{{ request.object.metadata.name }}'
        namespace: '{{ request.object.metadata.namespace }}'
        # Keep clones aligned with the source; a rotated (or tampered)
        # source value propagates to every clone.
        synchronize: true
        clone:
          name: prod-rabbitmq
          namespace: rabbitmq
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - prod-rabbitmq
              annotations:
                clone: "true"
      # Disabled by the author. Presumably meant to keep the clone source
      # itself from matching this rule (the source in `rabbitmq` would match
      # if it ever carried the `clone` annotation) - confirm before enabling.
      # exclude:
      #   any:
      #     - resources:
      #         kinds:
      #           - Secret
      #         selector:
      #           matchLabels:
      #             generate.kyverno.io/clone-source: ""

    # Rule 3: same pattern as rule 2 for the staging Secret.
    # NOTE(review): the trigger is likewise not limited to any namespace;
    # apply the same namespace restriction here as for the production rule.
    - name: sync-staging-rabbitmq-secret
      generate:
        apiVersion: v1
        kind: Secret
        name: '{{ request.object.metadata.name }}'
        namespace: '{{ request.object.metadata.namespace }}'
        # Keep clones aligned with the source Secret.
        synchronize: true
        clone:
          name: staging-rabbitmq
          namespace: rabbitmq
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - staging-rabbitmq
              annotations:
                clone: "true"
      # Disabled by the author; see the hedge on the production rule's
      # commented-out `exclude` - same intent presumed, confirm.
      # exclude:
      #   any:
      #     - resources:
      #         kinds:
      #           - Secret
      #         selector:
      #           matchLabels:
      #             generate.kyverno.io/clone-source: ""