33 lines
947 B
YAML
33 lines
947 B
YAML
apiVersion: kyverno.io/v1
|
|
kind: Policy
|
|
metadata:
|
|
name: add-openfga-secrets
|
|
namespace: openfga
|
|
spec:
|
|
admission: true
|
|
background: true
|
|
generateExisting: true
|
|
mutateExistingOnPolicyUpdate: true
|
|
rules:
|
|
- name: add-db-uri
|
|
match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- Secret
|
|
names:
|
|
- prod-openfga-db-superuser
|
|
- staging-openfga-db-superuser
|
|
mutate:
|
|
targets:
|
|
- apiVersion: v1
|
|
kind: Secret
|
|
name: "{{ request.object.metadata.name }}"
|
|
patchStrategicMerge:
|
|
stringData:
|
|
postgres-password: '{{ request.object.data.password | base64_decode(@) }}'
|
|
uri: 'postgres://{{ request.object.data.username | base64_decode(@) }}:{{ request.object.data.password | base64_decode(@) }}@{{ request.object.metadata.labels."cnpg.io/cluster" }}-rw/app?sslmode=disable'
|
|
skipBackgroundRequests: true
|
|
validationFailureAction: Audit
|
|
|