forked from adetalhouet/distributed-cloud-native-application
-
Notifications
You must be signed in to change notification settings - Fork 1
/
link-to-central-policy.yaml
75 lines (75 loc) · 2.67 KB
/
link-to-central-policy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
apiVersion: policy.open-cluster-management.io/v1
kind: Policy
metadata:
name: link-to-central
namespace: onlineboutique
annotations:
policy.open-cluster-management.io/standards: Infrastructure security
policy.open-cluster-management.io/categories: Data security
policy.open-cluster-management.io/controls: PR.DS-1 Data-at-rest
policy.open-cluster-management.io/trigger-update: ""
spec:
remediationAction: enforce
disabled: false
policy-templates:
- objectDefinition:
apiVersion: policy.open-cluster-management.io/v1
kind: ConfigurationPolicy
metadata:
name: create-secret-from-configmap
spec:
remediationAction: enforce
severity: high
namespaceSelector:
exclude:
- openshift-*
- kube-*
include:
- onlineboutique
object-templates:
- complianceType: musthave
objectDefinition:
kind: Secret
apiVersion: v1
metadata:
name: link-to-central
namespace: onlineboutique
labels:
skupper.io/type: connection-token
annotations:
edge-host: '{{hub ( index ( lookup "v1" "Secret" "onlineboutique" "link-to-central").metadata.annotations "edge-host" ) hub}}'
edge-port: '443'
inter-router-host: '{{hub ( index ( lookup "v1" "Secret" "onlineboutique" "link-to-central").metadata.annotations "inter-router-host" ) hub}}'
inter-router-port: '443'
data:
ca.crt: '{{hub ( index ( lookup "v1" "Secret" "onlineboutique" "link-to-central").data "ca.crt" ) hub}}'
tls.key: '{{hub ( index ( lookup "v1" "Secret" "onlineboutique" "link-to-central").data "tls.key" ) hub}}'
tls.crt: '{{hub ( index ( lookup "v1" "Secret" "onlineboutique" "link-to-central").data "tls.crt" ) hub}}'
type: Opaque
---
apiVersion: policy.open-cluster-management.io/v1
kind: PlacementBinding
metadata:
name: link-to-central-binding
namespace: onlineboutique
placementRef:
name: link-to-central-clusters
kind: PlacementRule
apiGroup: apps.open-cluster-management.io
subjects:
- name: link-to-central
kind: Policy
apiGroup: policy.open-cluster-management.io
---
apiVersion: apps.open-cluster-management.io/v1
kind: PlacementRule
metadata:
name: link-to-central-clusters
namespace: onlineboutique
spec:
clusterConditions:
- status: "True"
type: ManagedClusterConditionAvailable
clusterSelector:
matchLabels:
link-to-central: "True"