# Hub-side ACM Policy that pushes the custom CA certificates declared in
# global.certificates out to the managed (spoke) clusters.
#
# For every managedClusterGroup that does not use hostedArgoSites, one Policy,
# one PlacementBinding and one PlacementRule are rendered. The Policy enforces
# the content of the argocd-tls-certs-cm ConfigMap (Argo CD's trust store for
# repository-server TLS certificates) in two namespaces on the spoke:
#   - openshift-gitops, the cluster-wide Argo CD instance
#   - <global.pattern>-<group name>, the group's namespaced Argo CD instance
#
# complianceType "mustonlyhave" keeps both ConfigMaps exactly equal to the
# rendered object: certificate entries that are not in global.certificates are
# removed, so a stale or unexpected trust anchor cannot linger on a spoke.
#
# Nothing is rendered unless this chart runs on the hub
# (clusterGroup.isHubCluster) and at least one certificate is configured.
{{- if and $.Values.global.certificates $.Values.clusterGroup.isHubCluster }}
{{- range $.Values.clusterGroup.managedClusterGroups }}
{{- /* $group is assigned but never referenced in this template; the group is
       reached through "." everywhere below. */}}
{{- $group := . }}
{{- if not .hostedArgoSites }}
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
  name: custom-ca-{{ .name }}-gitops-policy
  annotations:
    policy.open-cluster-management.io/standards: NIST-CSF
    policy.open-cluster-management.io/categories: PR.DS Data Security
    policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
    {{- /* Let Argo CD sync the Policy even when its CRD is missing at dry-run
           time, and do not report the objects ACM derives from it as drift. */}}
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
    argocd.argoproj.io/compare-options: IgnoreExtraneous
spec:
  {{- /* "enforce" (rather than "inform"): ACM creates/corrects the objects. */}}
  remediationAction: enforce
  disabled: false
  policy-templates:
    - objectDefinition:
        apiVersion: policy.open-cluster-management.io/v1
        kind: ConfigurationPolicy
        metadata:
          name: custom-ca-{{ .name }}-openshift-gitops
        spec:
          remediationAction: enforce
          severity: medium
          {{- /* Both object-templates carry an explicit metadata.namespace, so
                 this selector is not what decides where the ConfigMaps land. */}}
          namespaceSelector:
            include:
              - default
          object-templates:
            {{- /* Trust store of the cluster-wide Argo CD instance. */}}
            - complianceType: mustonlyhave
              objectDefinition:
                apiVersion: v1
                kind: ConfigMap
                metadata:
                  name: argocd-tls-certs-cm
                  namespace: openshift-gitops
                  labels:
                    app.kubernetes.io/managed-by: openshift-gitops-server
                    app.kubernetes.io/name: argocd-tls-certs-cm
                    app.kubernetes.io/part-of: argocd
                data:
                  {{- /* One entry per certificate, keyed by the server FQDN.
                         toYaml renders the PEM as a YAML scalar and "indent 18"
                         prefixes every line of it (first line included), so a
                         multi-line PEM block nests under the key. */}}
                  {{- range $.Values.global.certificates }}
                  {{ .fqdn }}: {{ .certificate | toYaml | indent 18 }}
                  {{- end }}
            {{- /* Same trust store for the group's namespaced Argo CD instance;
                   ".name" here is still the managed cluster group. */}}
            - complianceType: mustonlyhave
              objectDefinition:
                apiVersion: v1
                kind: ConfigMap
                metadata:
                  name: argocd-tls-certs-cm
                  namespace: {{ $.Values.global.pattern }}-{{ .name }}
                  labels:
                    app.kubernetes.io/managed-by: {{ .name }}-gitops-server
                    app.kubernetes.io/name: argocd-tls-certs-cm
                    app.kubernetes.io/part-of: argocd
                data:
                  {{- range $.Values.global.certificates }}
                  {{ .fqdn }}: {{ .certificate | toYaml | indent 18 }}
                  {{- end }}
---
{{- /* Binds the Policy above to the PlacementRule below. */}}
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
  name: custom-ca-{{ .name }}-placement-binding
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
placementRef:
  name: custom-ca-{{ .name }}-placement
  kind: PlacementRule
  apiGroup: apps.open-cluster-management.io
subjects:
  - name: custom-ca-{{ .name }}-gitops-policy
    kind: Policy
    apiGroup: policy.open-cluster-management.io
---
{{- /* Selects every available OpenShift managed cluster except the hub itself
       (local-cluster=true), i.e. the spokes only. */}}
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
  name: custom-ca-{{ .name }}-placement
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  clusterConditions:
    - status: 'True'
      type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:
      - key: vendor
        operator: In
        values:
          - OpenShift
      - key: local-cluster
        operator: NotIn
        values:
          - 'true'
{{- end }}
{{- end }}
{{- end }}