From 00a9f25d5c89925e9dec9f27975760e405a0acff Mon Sep 17 00:00:00 2001
From: Dreaded_X
Date: Sat, 1 Mar 2025 06:29:41 +0100
Subject: [PATCH] Restart authelia on acl config update
---
 .../generate-authelia-acl.yaml | 3 +-
 infra/kyverno-policies/kustomization.yaml | 1 +
 .../restart-on-secret-change.yaml | 43 +++++++++++++++++++
 infra/kyverno/values.yaml | 6 +++
 4 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 infra/kyverno-policies/restart-on-secret-change.yaml
diff --git a/infra/kyverno-policies/generate-authelia-acl.yaml b/infra/kyverno-policies/generate-authelia-acl.yaml
index f052f8b..b80677f 100644
--- a/infra/kyverno-policies/generate-authelia-acl.yaml
+++ b/infra/kyverno-policies/generate-authelia-acl.yaml
@@ -18,7 +18,8 @@ spec:
 - resources:
 kinds:
 - Secret
- name: authelia-acl
+ names:
+ - authelia-acl
 namespaces:
 - authelia
 context:
diff --git a/infra/kyverno-policies/kustomization.yaml b/infra/kyverno-policies/kustomization.yaml
index 13c9e41..400d5c1 100644
--- a/infra/kyverno-policies/kustomization.yaml
+++ b/infra/kyverno-policies/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - ./kube-vip-network-adapter.yaml
 - ./generate-authelia-acl.yaml
+ - ./restart-on-secret-change.yaml
diff --git a/infra/kyverno-policies/restart-on-secret-change.yaml b/infra/kyverno-policies/restart-on-secret-change.yaml
new file mode 100644
index 0000000..5636919
--- /dev/null
+++ b/infra/kyverno-policies/restart-on-secret-change.yaml
@@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: restart-deployment-on-secret-change
+ annotations:
+ policies.kyverno.io/title: Restart Deployment On Secret Change
+ policies.kyverno.io/category: Other
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: Deployment
+ kyverno.io/kyverno-version: 1.7.0
+ policies.kyverno.io/minversion: 1.7.0
+ kyverno.io/kubernetes-version: "1.23"
+spec:
+ mutateExistingOnPolicyUpdate: false
+ rules:
+ - name: update-secret
+ skipBackgroundRequests: false
+ match:
+ any:
+ - resources:
+ kinds:
+ - Secret
+ names:
+ - authelia-acl
+ namespaces:
+ - authelia
+ preconditions:
+ all:
+ - key: "{{request.operation || 'BACKGROUND'}}"
+ operator: Equals
+ value: UPDATE
+ mutate:
+ targets:
+ - apiVersion: apps/v1
+ kind: Deployment
+ name: authelia
+ namespace: authelia
+ patchStrategicMerge:
+ spec:
+ template:
+ metadata:
+ annotations:
+ config.huizinga.dev/triggerRestart: "{{request.object.metadata.resourceVersion}}"
diff --git a/infra/kyverno/values.yaml b/infra/kyverno/values.yaml
index b114d75..25881ce 100644
--- a/infra/kyverno/values.yaml
+++ b/infra/kyverno/values.yaml
@@ -28,6 +28,12 @@ backgroundController:
 verbs:
 - get
 - update
+ - apiGroups:
+ - "apps"
+ resources:
+ - "deployments"
+ verbs:
+ - update
 cleanupController:
 replicas: 2
 reportsController:
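Review bot: The restart trigger on the last line of the new policy is `metadata.resourceVersion`, which the API server bumps on every write to the Secret, not only when `data` changes, so a label, annotation or ownerReference touch on `authelia-acl` rolls the `authelia` Deployment too; if the sibling policy in `generate-authelia-acl.yaml` rewrites the Secret on each reconcile, that can turn into a restart loop (presumably it only writes on real changes, worth confirming). Since this mirrors Kyverno's own sample policy, the ask is to document the choice at the trigger line with `# resourceVersion changes on any write to the Secret (incl. metadata-only), not just data` rather than to change it. The precondition correctly limits the rule to UPDATE, so the `'BACKGROUND'` fallback keeps background scans from rolling the Deployment; a one-line comment above `preconditions:` saying so would spare the next reader from working it out. The `metadata.annotations` block copies the upstream sample's title/category/severity/subject fields but drops `policies.kyverno.io/description`; add one stating that the rule restarts `authelia/authelia` whenever the `authelia-acl` Secret is updated.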
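Review bot: The added rule grants the background controller `update` on `deployments` in the `apps` group cluster-wide, while the only mutate-existing target in this commit is the single Deployment `authelia/authelia`, so the grant is much broader than the policy needs. The list this rule lives in is cut off above the hunk start (only `backgroundController:` is visible), so I cannot tell whether the chart key only emits an aggregated ClusterRole; if it does, consider a namespaced `Role` plus `RoleBinding` in `authelia` bound to the background controller's ServiceAccount instead, and keep a comment on the rule naming the policy that needs it, e.g. `# needed by ClusterPolicy restart-deployment-on-secret-change (mutate existing on authelia/authelia)`. The existing rule just above grants `get` as well as `update` on its (unseen) resource; check whether Kyverno's mutate-existing path also needs `get` on the target Deployment, in which case this rule is incomplete and the UpdateRequest will fail in the background controller rather than at admission.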