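# Kyverno ClusterPolicy: inject a token-auth proxy sidecar into opted-in Pods.
#
# Review notes on scope and trust boundaries (all derived from the rules below):
#   - Opt-in only: a Pod without policies.forteapps.io/auth: "true" is never
#     touched, so this policy provisions auth; it does not enforce it fleet-wide.
#   - The injected sidecar receives the namespace's `auth-tokens` Secret mounted
#     read-only, and the image it runs is taken from a Pod annotation. Whoever
#     can write that annotation therefore chooses the process that holds the
#     tokens. The rule `restrict-auth-image` below confines the override to the
#     registry/owner of the default image; widen the pattern deliberately if
#     more registries are trusted.
#   - Nothing here prevents traffic from reaching the upstream port directly;
#     pair this with Services/NetworkPolicies that target the sidecar port
#     (8080), otherwise the proxy can be bypassed.
#   - The Secret `auth-tokens` must already exist in every namespace that opts
#     in, or the mutated Pod stays in ContainerCreating.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: inject-auth-sidecar
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/title: Inject Auth Sidecar
    # Raised from 1.6.0: the capitalised `Enforce` spelling of
    # validationFailureAction used below was introduced in Kyverno 1.8.
    policies.kyverno.io/minversion: "1.8.0"
    policies.kyverno.io/category: Security
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      Injects an auth sidecar container into Pods annotated with
      policies.forteapps.io/auth: "true". The sidecar proxies requests through
      a token-based auth layer. Upstream URL and image can be overridden via
      policies.forteapps.io/auth-upstream-url and
      policies.forteapps.io/auth-image annotations; because the sidecar is
      granted the auth-tokens Secret, the image override is only accepted
      under ghcr.io/snothub/.
spec:
  background: false
  # Reject (not merely audit) Pods whose image override fails validation;
  # otherwise the mutate rule would mount the auth tokens into any image.
  validationFailureAction: Enforce
  rules:
    # 1) Guard rail: the sidecar image override must stay within the trusted
    #    registry/owner. Runs on the same Pods the mutate rule targets.
    - name: restrict-auth-image
      match:
        any:
          - resources:
              kinds:
                - Pod
              annotations:
                policies.forteapps.io/auth: "true"
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
                - argocd
                - cert-manager
                - monitoring
      validate:
        message: >-
          policies.forteapps.io/auth-image must reference ghcr.io/snothub/;
          the auth sidecar is granted the auth-tokens Secret.
        pattern:
          metadata:
            annotations:
              # `=()` marks the key optional: absent -> default image is used;
              # present -> value must match the trusted prefix.
              =(policies.forteapps.io/auth-image): "ghcr.io/snothub/*"

    # 2) Injection: add the sidecar container and the token volume.
    - name: inject-sidecar
      skipBackgroundRequests: true
      match:
        any:
          - resources:
              kinds:
                - Pod
              annotations:
                policies.forteapps.io/auth: "true"
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
                - argocd
                - cert-manager
                - monitoring
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              - name: authn
                # Image and tag come from Pod annotations, falling back to the
                # defaults. TODO(review): pin the default to an immutable tag or
                # digest; 'latest' is mutable and defeats change control.
                image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'ghcr.io/snothub/stunning-memory' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}"
                ports:
                  - containerPort: 8080
                    name: auth
                    protocol: TCP
                env:
                  - name: AUTH_LISTEN_ADDR
                    value: ":8080"
                  # Where authenticated requests are forwarded; defaults to the
                  # app container on the Pod's loopback interface.
                  - name: AUTH_UPSTREAM_URL
                    value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-upstream-url\" || 'http://localhost:3000' }}"
                  - name: AUTH_TOKEN_FILE
                    value: "/etc/auth/tokens"
                  - name: AUTH_MODE
                    value: "token"
                volumeMounts:
                  - name: auth-tokens
                    mountPath: /etc/auth
                    readOnly: true
                resources:
                  limits:
                    cpu: 50m
                    memory: 64Mi
                  requests:
                    cpu: 10m
                    memory: 32Mi
                readinessProbe:
                  httpGet:
                    path: /healthz
                    port: 8080
                  initialDelaySeconds: 2
                  periodSeconds: 5
                livenessProbe:
                  httpGet:
                    path: /healthz
                    port: 8080
                  initialDelaySeconds: 5
                  periodSeconds: 10
                securityContext:
                  # NOTE(review): runAsNonRoot without runAsUser relies on the
                  # image declaring a non-root USER; the kubelet refuses to start
                  # the container otherwise. Set runAsUser here if that is not
                  # guaranteed for overridden images.
                  runAsNonRoot: true
                  allowPrivilegeEscalation: false
                  readOnlyRootFilesystem: true
                  # Added: required by the Restricted Pod Security Standard.
                  seccompProfile:
                    type: RuntimeDefault
                  capabilities:
                    drop:
                      - ALL
            volumes:
              # Must pre-exist in the opting-in namespace.
              - name: auth-tokens
                secret:
                  secretName: auth-tokens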