This policy generates and synchronizes Argo CD cluster secrets from Rancher-managed cluster.provisioning.cattle.io/v1 resources and their corresponding CAPI secrets. In this solution, Argo CD integrates with Rancher-managed clusters via the central Rancher authentication proxy, which shares the network endpoint of the Rancher API/GUI. The policy implements workarounds for Argo CD issue https://github.com/argoproj/argo-cd/issues/9033 "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053 "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret".
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: argo-cluster-generation-from-rancher-capi
  annotations:
    policies.kyverno.io/title: Argo Cluster Secret Generation From Rancher CAPI Secret
    policies.kyverno.io/category: Argo
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Secret
    kyverno.io/kyverno-version: 1.7.1
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      This policy generates and synchronizes Argo CD cluster secrets from Rancher managed
      cluster.provisioning.cattle.io/v1 resources and their corresponding CAPI secrets.
      In this solution, Argo CD integrates with Rancher managed clusters via the central
      Rancher authentication proxy which shares the network endpoint of the Rancher API/GUI.
      The policy implements work-arounds for Argo CD issue
      https://github.com/argoproj/argo-cd/issues/9033 "Cluster-API cluster auto-registration"
      and Rancher issue https://github.com/rancher/rancher/issues/38053
      "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret".
spec:
  generateExisting: true
  rules:
  - name: source-rancher-non-local-cluster-and-capi-secret
    match:
      all:
      - resources:
          kinds:
          - provisioning.cattle.io/v1/Cluster
    exclude:
      any:
      - resources:
          namespaces:
          - fleet-local
    context:
    - name: clusterName
      variable:
        value: "{{request.object.metadata.name}}"
        jmesPath: to_string(@)
    - name: clusterPrefixedName
      variable:
        value: "{{ join('-', ['cluster', clusterName]) }}"
        jmesPath: to_string(@)
    - name: kubeconfigName
      variable:
        value: "{{ join('-', [clusterName, 'kubeconfig']) }}"
        jmesPath: to_string(@)
    - name: extraLabels
      variable:
        value:
          argocd.argoproj.io/secret-type: cluster
          clusterId: "{{ clusterName }}"
    - name: metadataLabels
      variable:
        jmesPath: request.object.metadata.labels
        default: {}
    - name: metadataLabels
      variable:
        jmesPath: merge(metadataLabels, extraLabels)
    - name: kubeconfigData
      apiCall:
        urlPath: /api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{kubeconfigName}}
        jmesPath: data | to_string(@)
    - name: serverName
      variable:
        value: "{{ kubeconfigData | parse_yaml(@).value | base64_decode(@) | parse_yaml(@).clusters[0].cluster.server }}"
        jmesPath: to_string(@)
    - name: bearerToken
      variable:
        value: "{{ kubeconfigData | parse_yaml(@).token | base64_decode(@) }}"
        jmesPath: to_string(@)
    - name: caData
      variable:
        value: "{{ kubeconfigData | parse_yaml(@).value | base64_decode(@) | parse_yaml(@).clusters[0].cluster.\"certificate-authority-data\" }}"
        jmesPath: to_string(@)
    - name: dataConfig
      variable:
        value: |
          {
            "bearerToken": "{{ bearerToken }}",
            "tlsClientConfig": {
              "insecure": false,
              "caData": "{{ caData }}"
            }
          }
        jmesPath: to_string(@)
    generate:
      synchronize: true
      apiVersion: v1
      kind: Secret
      name: "{{ clusterPrefixedName }}"
      namespace: argocd
      data:
        metadata:
          labels: "{{ metadataLabels }}"
        type: Opaque
        data:
          name: "{{ clusterPrefixedName | base64_encode(@) }}"
          server: "{{ serverName | base64_encode(@) }}"
          config: "{{ dataConfig | base64_encode(@) }}"
```
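As an added example (not part of the policy or the Kyverno project), the Python below mirrors the policy's context pipeline over a constructed CAPI kubeconfig secret: it derives clusterPrefixedName, the merged labels, serverName, bearerToken, caData and dataConfig, renders the Argo CD cluster Secret the generate block would emit, and checks that the rendered config keeps TLS verification on with the Rancher CA pinned. The cluster name, labels, server URL, token and certificate are all constructed sample values.

```python
import base64
import json

def b64d(s: str) -> str:
    return base64.b64decode(s).decode()
def b64e(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed stand-in for the CAPI kubeconfig secret Rancher creates for a cluster named
# "prod-east". A kubeconfig is YAML and JSON is valid YAML, so json stands in for parse_yaml.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "prod-east", "cluster": {
        "server": "https://rancher.example.com/k8s/clusters/c-m-constructed",
        "certificate-authority-data": b64e("-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n"),
    }}],
}
SAMPLE_CAPI_SECRET = {
    "metadata": {"name": "prod-east-kubeconfig", "namespace": "fleet-default"},
    "data": {"value": b64e(json.dumps(SAMPLE_KUBECONFIG)),
             "token": b64e("kubeconfig-user-constructed:token")},
}

def argo_cluster_secret(cluster_name: str, cluster_labels: dict, capi_secret: dict) -> dict:
    """Mirror the policy's context pipeline and render the Secret its generate block emits."""
    kubeconfig = json.loads(b64d(capi_secret["data"]["value"]))  # parse_yaml(data.value)
    cluster = kubeconfig["clusters"][0]["cluster"]                # .clusters[0].cluster
    data_config = {                                               # dataConfig
        "bearerToken": b64d(capi_secret["data"]["token"]),        # bearerToken
        "tlsClientConfig": {"insecure": False,
                            "caData": cluster["certificate-authority-data"]},  # caData
    }
    prefixed = f"cluster-{cluster_name}"                          # clusterPrefixedName
    labels = {**cluster_labels, "argocd.argoproj.io/secret-type": "cluster",
              "clusterId": cluster_name}                          # merge(metadataLabels, extraLabels)
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": prefixed, "namespace": "argocd", "labels": labels},
        "data": {"name": b64e(prefixed), "server": b64e(cluster["server"]),
                 "config": b64e(json.dumps(data_config))},
    }

def rendered_config(secret: dict) -> dict:
    return json.loads(b64d(secret["data"]["config"]))  # data.config as Argo CD reads it

def check_generated(secret: dict) -> bool:
    # TLS verification must stay on with the Rancher CA pinned, and the discovery label present
    tls = rendered_config(secret)["tlsClientConfig"]
    return (tls["insecure"] is False and bool(tls["caData"])
            and secret["metadata"]["labels"].get("argocd.argoproj.io/secret-type") == "cluster")
```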