Argo Cluster Secret Generation From Rancher CAPI Secret
This policy generates and synchronizes Argo CD cluster secrets from Rancher-managed cluster.provisioning.cattle.io/v1 resources and their corresponding CAPI kubeconfig secrets. In this solution, Argo CD integrates with Rancher-managed clusters via the central Rancher authentication proxy, which shares the network endpoint of the Rancher API/GUI. Because each generated secret carries the bearer token Rancher issued for the downstream cluster, access to Secrets in the `argocd` namespace should be restricted accordingly, and Kyverno itself needs read access to the source kubeconfig secrets. The policy implements work-arounds for Argo CD issue https://github.com/argoproj/argo-cd/issues/9033 "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053 "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret".
Policy Definition
/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml
# Generates one Argo CD cluster Secret in the `argocd` namespace for every
# non-local Rancher provisioning Cluster. The API endpoint, CA bundle and
# bearer token are read from the cluster's `<name>-kubeconfig` Secret in the
# Cluster's own namespace, so:
#   - Kyverno must be allowed to read Secrets in those namespaces and to
#     create/update Secrets in `argocd` (RBAC is not part of this policy).
#   - Anyone who can read Secrets in `argocd` obtains a bearer token for each
#     registered downstream cluster; protect that namespace accordingly.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: argo-cluster-generation-from-rancher-capi
  annotations:
    policies.kyverno.io/title: Argo Cluster Secret Generation From Rancher CAPI Secret
    policies.kyverno.io/category: Argo
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Secret
    kyverno.io/kyverno-version: 1.7.1
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      This policy generates and synchronizes Argo CD cluster secrets from Rancher
      managed cluster.provisioning.cattle.io/v1 resources and their corresponding CAPI secrets.
      In this solution, Argo CD integrates with Rancher managed clusters via the central
      Rancher authentication proxy which shares the network endpoint of the Rancher API/GUI.
      The policy implements work-arounds for Argo CD issue https://github.com/argoproj/argo-cd/issues/9033
      "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053
      "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret".
spec:
  # Also generate for Clusters that already exist when the policy is installed,
  # not only for ones created afterwards.
  generateExisting: true
  rules:
    - name: source-rancher-non-local-cluster-and-capi-secret
      match:
        all:
          - resources:
              kinds:
                - provisioning.cattle.io/v1/Cluster
      # Skip the `fleet-local` namespace, where Rancher keeps the local
      # (management) cluster; Argo CD should not receive a token for it.
      exclude:
        any:
          - resources:
              namespaces:
                - fleet-local
      # Context entries are evaluated in order; each `to_string(@)` coerces the
      # value to a plain string before it is interpolated below.
      context:
        - name: clusterName
          variable:
            value: "{{request.object.metadata.name}}"
            jmesPath: 'to_string(@)'
        # Name of the generated Argo CD cluster Secret: `cluster-<clusterName>`.
        - name: clusterPrefixedName
          variable:
            value: "{{ join('-', ['cluster', clusterName]) }}"
            jmesPath: 'to_string(@)'
        # Name of the Rancher-created kubeconfig Secret: `<clusterName>-kubeconfig`.
        - name: kubeconfigName
          variable:
            value: "{{ join('-', [clusterName, 'kubeconfig']) }}"
            jmesPath: 'to_string(@)'
        # Labels Argo CD needs to recognise the Secret as a cluster credential,
        # plus a `clusterId` that callers can select on.
        - name: extraLabels
          variable:
            value:
              argocd.argoproj.io/secret-type: cluster
              clusterId: "{{ clusterName }}"
        # Start from the Cluster's own labels (empty map if it has none) ...
        - name: metadataLabels
          variable:
            jmesPath: request.object.metadata.labels
            default: {}
        # ... then redefine `metadataLabels` as the merge. In JMESPath `merge`
        # later arguments take precedence, so labels set on the Cluster object
        # cannot override `argocd.argoproj.io/secret-type` or `clusterId`.
        - name: metadataLabels
          variable:
            jmesPath: merge(metadataLabels, extraLabels)
        # Read the kubeconfig Secret from the Cluster's namespace. This is the
        # call that requires Secret read access for Kyverno. NOTE(review): if
        # the Secret does not exist yet when the Cluster is admitted, this call
        # fails and the rule depends on Kyverno's retry/sync to complete later.
        - name: kubeconfigData
          apiCall:
            urlPath: "/api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{kubeconfigName}}"
            jmesPath: 'data | to_string(@)'
        # `data.value` is the base64-encoded kubeconfig. Only the first
        # `clusters[]` entry is used; assumes the Rancher kubeconfig has one.
        - name: serverName
          variable:
            value: "{{ kubeconfigData | parse_yaml(@).value | base64_decode(@) | parse_yaml(@).clusters[0].cluster.server }}"
            jmesPath: 'to_string(@)'
        # `data.token` is the base64-encoded bearer token; decoded here and
        # re-encoded inside the generated Secret's `config` below.
        - name: bearerToken
          variable:
            value: "{{ kubeconfigData | parse_yaml(@).token | base64_decode(@) }}"
            jmesPath: 'to_string(@)'
        # CA bundle for the endpoint, kept base64 as Argo CD's `caData` expects.
        - name: caData
          variable:
            value: "{{ kubeconfigData | parse_yaml(@).value | base64_decode(@) | parse_yaml(@).clusters[0].cluster.\"certificate-authority-data\" }}"
            jmesPath: 'to_string(@)'
        # Argo CD cluster `config` JSON. TLS verification stays enabled
        # (`insecure: false`) against the CA taken from the kubeconfig.
        # NOTE(review): values are interpolated into the JSON text without
        # escaping; this relies on the token and CA data containing no
        # JSON-special characters (`"` or `\`).
        - name: dataConfig
          variable:
            value: |
              {
                "bearerToken": "{{ bearerToken }}",
                "tlsClientConfig": {
                  "insecure": false,
                  "caData": "{{ caData }}"
                }
              }
            jmesPath: 'to_string(@)'
      # `synchronize: true` keeps the generated Secret in step with the source
      # and, per Kyverno's synchronize semantics, removes it when the Cluster
      # is deleted, so the copied token does not outlive the cluster.
      generate:
        synchronize: true
        apiVersion: v1
        kind: Secret
        name: "{{ clusterPrefixedName }}"
        namespace: argocd
        data:
          metadata:
            labels:
              "{{ metadataLabels }}"
          type: Opaque
          # Argo CD cluster-secret layout: `name`, `server` and the JSON
          # `config`, each base64-encoded as Secret `data` requires.
          data:
            name: "{{ clusterPrefixedName | base64_encode(@) }}"
            server: "{{ serverName | base64_encode(@) }}"
            config: "{{ dataConfig | base64_encode(@) }}"