All Policies

Argo Cluster Secret Generation From Rancher CAPI Secret

This policy generates and synchronizes Argo CD cluster secrets from Rancher managed cluster.provisioning.cattle.io/v1 resources and their corresponding CAPI secrets. In this solution, Argo CD integrates with Rancher managed clusters via the central Rancher authentication proxy which shares the network endpoint of the Rancher API/GUI. The policy implements work-arounds for Argo CD issue https://github.com/argoproj/argo-cd/issues/9033 "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053 "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret".

Policy Definition

/argo/argo-cluster-generation-from-rancher-capi/argo-cluster-generation-from-rancher-capi.yaml

  1apiVersion: kyverno.io/v1
  2kind: ClusterPolicy
  3metadata:
  4  name: argo-cluster-generation-from-rancher-capi
  5  annotations:
  6    policies.kyverno.io/title: Argo Cluster Secret Generation From Rancher CAPI Secret
  7    policies.kyverno.io/category: Argo
  8    policies.kyverno.io/severity: medium
  9    policies.kyverno.io/subject: Secret
 10    kyverno.io/kyverno-version: 1.7.1
 11    policies.kyverno.io/minversion: 1.7.0
 12    kyverno.io/kubernetes-version: "1.23"
 13    policies.kyverno.io/description: >-
 14      This policy generates and synchronizes Argo CD cluster secrets from Rancher 
 15      managed cluster.provisioning.cattle.io/v1 resources and their corresponding CAPI secrets.
 16      In this solution, Argo CD integrates with Rancher managed clusters via the central
 17      Rancher authentication proxy which shares the network endpoint of the Rancher API/GUI.
 18      The policy implements work-arounds for Argo CD issue https://github.com/argoproj/argo-cd/issues/9033
 19      "Cluster-API cluster auto-registration" and Rancher issue https://github.com/rancher/rancher/issues/38053
 20      "Fix type and labels Rancher v2 provisioner specifies when creating CAPI Cluster Secret".      
 21spec:
 22  generateExistingOnPolicyUpdate: true
 23  rules:
 24  - name: source-rancher-non-local-cluster-and-capi-secret
 25    match:
 26      all:
 27      - resources:
 28          kinds:
 29          - provisioning.cattle.io/v1/Cluster
 30    exclude:
 31      any:
 32      - resources:
 33          namespaces:
 34          - fleet-local
 35    context:
 36    - name: clusterName
 37      variable:
 38        value: "{{request.object.metadata.name}}"
 39        jmesPath: 'to_string(@)'
 40    - name: clusterPrefixedName
 41      variable:
 42        value: "{{ join('-', ['cluster', clusterName]) }}"
 43        jmesPath: 'to_string(@)'
 44    - name: kubeconfigName
 45      variable:
 46        value: "{{ join('-', [clusterName, 'kubeconfig']) }}"
 47        jmesPath: 'to_string(@)'
 48    - name: extraLabels
 49      variable:
 50        value:
 51          argocd.argoproj.io/secret-type: cluster
 52          clusterId: "{{ clusterName }}"
 53    - name: metadataLabels
 54      variable:
 55        jmesPath: request.object.metadata.labels
 56    - name: metadataLabels
 57      variable:
 58        jmesPath: merge(metadataLabels, extraLabels)
 59    - name: kubeconfigData
 60      apiCall:
 61        urlPath: "/api/v1/namespaces/{{request.object.metadata.namespace}}/secrets/{{kubeconfigName}}"
 62        jmesPath: 'data | to_string(@)'
 63    - name: serverName
 64      variable:
 65        value: "{{ kubeconfigData | parse_yaml(@).value | base64_decode(@) | parse_yaml(@).clusters[0].cluster.server }}"
 66        jmesPath: 'to_string(@)'
 67    - name: bearerToken
 68      variable:
 69        value: "{{ kubeconfigData | parse_yaml(@).token | base64_decode(@) }}"
 70        jmesPath: 'to_string(@)'
 71    - name: caData
 72      variable:
 73        value: "{{ kubeconfigData | parse_yaml(@).value | base64_decode(@) | parse_yaml(@).clusters[0].cluster.\"certificate-authority-data\" }}"
 74        jmesPath: 'to_string(@)'
 75    - name: dataConfig
 76      variable:
 77        value: |
 78          {
 79            "bearerToken": "{{ bearerToken }}",
 80            "tlsClientConfig": {
 81              "insecure": false,
 82              "caData": "{{ caData }}"
 83            }
 84          }          
 85        jmesPath: 'to_string(@)'
 86    generate:
 87      synchronize: true
 88      apiVersion: v1
 89      kind: Secret
 90      name: "{{ clusterPrefixedName }}"
 91      namespace: argocd
 92      data:
 93        metadata:
 94          labels:
 95            "{{ metadataLabels }}"
 96        type: Opaque
 97        data:
 98          name: "{{ clusterPrefixedName | base64_encode(@) }}"
 99          server: "{{ serverName | base64_encode(@) }}"
100          config: "{{ dataConfig | base64_encode(@) }}"
Create policy issue