secret gen

2026-03-13 12:21:21 +01:00
parent cc7c5fea70
commit 4624cc7278
1 changed files with 52 additions and 1 deletions
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -10,7 +10,13 @@ metadata:
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
-      Injects an auth sidecar container into Pods annotated with policies.forteapps.io/auth: "true". The sidecar proxies requests through a token-based auth layer. Upstream URL and image can be overridden via policies.forteapps.io/auth-upstream-url and policies.forteapps.io/auth-image annotations.
+      Injects an auth sidecar container into Pods annotated with
+      policies.forteapps.io/auth: "true". The sidecar proxies requests through
+      a token-based auth layer. If the auth-tokens Secret does not exist in the
+      namespace, an empty one is created to prevent volume mount failures.
+      Upstream URL and image can be overridden via
+      policies.forteapps.io/auth-upstream-url and
+      policies.forteapps.io/auth-image annotations.
 spec:
  background: false
  rules:
@@ -85,3 +91,48 @@ spec:
          - name: auth-tokens
            secret:
              secretName: auth-tokens
+  - name: generate-auth-tokens-secret
+    skipBackgroundRequests: true
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+          annotations:
+            policies.forteapps.io/auth: "true"
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - kube-system
+          - kyverno
+          - argocd
+          - cert-manager
+          - monitoring
+    context:
+    - name: secretCount
+      apiCall:
+        urlPath: /api/v1/namespaces/{{request.namespace}}/secrets
+        jmesPath: "items[?metadata.name == 'auth-tokens'] | length(@)"
+    preconditions:
+      all:
+      - key: "{{ request.operation }}"
+        operator: In
+        value:
+        - CREATE
+      - key: "{{ secretCount }}"
+        operator: Equals
+        value: 0
+    generate:
+      synchronize: false
+      apiVersion: v1
+      kind: Secret
+      name: auth-tokens
+      namespace: "{{ request.namespace }}"
+      data:
+        metadata:
+          labels:
+            app.kubernetes.io/managed-by: kyverno
+            app.kubernetes.io/created-by: inject-auth-sidecar
+        type: Opaque
+        data: {}