From 4624cc7278c875ba965a923622920b2bb17b1e72 Mon Sep 17 00:00:00 2001
From: Danijel Simeunovic
Date: Fri, 13 Mar 2026 12:21:21 +0100
Subject: [PATCH] secret gen
---
 .../policies/auth-sidecar-injector.yaml | 53 ++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)
diff --git a/cluster-resources/policies/auth-sidecar-injector.yaml b/cluster-resources/policies/auth-sidecar-injector.yaml
index d0bc726..daa7e2f 100644
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -10,7 +10,13 @@ metadata:
 policies.kyverno.io/severity: medium
 policies.kyverno.io/subject: Pod
 policies.kyverno.io/description: >-
- Injects an auth sidecar container into Pods annotated with policies.forteapps.io/auth: "true". The sidecar proxies requests through a token-based auth layer. Upstream URL and image can be overridden via policies.forteapps.io/auth-upstream-url and policies.forteapps.io/auth-image annotations.
+ Injects an auth sidecar container into Pods annotated with
+ policies.forteapps.io/auth: "true". The sidecar proxies requests through
+ a token-based auth layer. If the auth-tokens Secret does not exist in the
+ namespace, an empty one is created to prevent volume mount failures.
+ Upstream URL and image can be overridden via
+ policies.forteapps.io/auth-upstream-url and
+ policies.forteapps.io/auth-image annotations.
 spec:
 background: false
 rules:
@@ -85,3 +91,48 @@ spec:
 - name: auth-tokens
 secret:
 secretName: auth-tokens
+ - name: generate-auth-tokens-secret
+ skipBackgroundRequests: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ annotations:
+ policies.forteapps.io/auth: "true"
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - kyverno
+ - argocd
+ - cert-manager
+ - monitoring
+ context:
+ - name: secretCount
+ apiCall:
+ urlPath: /api/v1/namespaces/{{request.namespace}}/secrets
+ jmesPath: "items[?metadata.name == 'auth-tokens'] | length(@)"
+ preconditions:
+ all:
+ - key: "{{ request.operation }}"
+ operator: In
+ value:
+ - CREATE
+ - key: "{{ secretCount }}"
+ operator: Equals
+ value: 0
+ generate:
+ synchronize: false
+ apiVersion: v1
+ kind: Secret
+ name: auth-tokens
+ namespace: "{{ request.namespace }}"
+ data:
+ metadata:
+ labels:
+ app.kubernetes.io/managed-by: kyverno
+ app.kubernetes.io/created-by: inject-auth-sidecar
+ type: Opaque
+ data: {}
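Review bot: The `secretCount` context on the new `generate-auth-tokens-secret` rule lists every Secret in the namespace (`urlPath: /api/v1/namespaces/{{request.namespace}}/secrets`) on each matching Pod CREATE, which requires Kyverno to hold list access on Secrets and pulls every Secret's contents through the policy engine just to count one name. A field selector narrows the call to the single object, `urlPath: "/api/v1/namespaces/{{request.namespace}}/secrets?fieldSelector=metadata.name=auth-tokens"` with `jmesPath: "length(items)"`; and if Kyverno's generate already leaves an existing target untouched when `synchronize: false` (worth confirming against the deployed version), the precondition and the API call could be dropped entirely. The generated Secret is created with `data: {}`, so the sidecar that mounts it starts with no tokens at all; whether that fails closed depends on the sidecar image, which this policy cannot see, so a comment above `generate:` such as `# Placeholder only: the sidecar must reject all requests until operators populate this Secret` would spare the next reader the guess. The enclosing `rules:` sequence starts outside the hunk.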