Restart authelia on acl config update

2025-03-01 06:29:41 +01:00 · 2025-03-01 06:29:41 +01:00 · 00a9f25d5c
commit 00a9f25d5c
parent 4ae76d668e
4 changed files with 52 additions and 1 deletions
--- a/infra/kyverno-policies/generate-authelia-acl.yaml
+++ b/infra/kyverno-policies/generate-authelia-acl.yaml
@ -18,7 +18,8 @@ spec:
          - resources:
              kinds:
                - Secret
-              name: authelia-acl
+              names:
+                - authelia-acl
              namespaces:
                - authelia
      context:
--- a/infra/kyverno-policies/kustomization.yaml
+++ b/infra/kyverno-policies/kustomization.yaml
@ -3,3 +3,4 @@ kind: Kustomization
 resources:
  - ./kube-vip-network-adapter.yaml
  - ./generate-authelia-acl.yaml
+  - ./restart-on-secret-change.yaml
--- a/infra/kyverno-policies/restart-on-secret-change.yaml
+++ b/infra/kyverno-policies/restart-on-secret-change.yaml
@ -0,0 +1,43 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restart-deployment-on-secret-change
+  annotations:
+    policies.kyverno.io/title: Restart Deployment On Secret Change
+    policies.kyverno.io/category: Other
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Deployment
+    kyverno.io/kyverno-version: 1.7.0
+    policies.kyverno.io/minversion: 1.7.0
+    kyverno.io/kubernetes-version: "1.23"
+spec:
+  mutateExistingOnPolicyUpdate: false
+  rules:
+    - name: update-secret
+      skipBackgroundRequests: false
+      match:
+        any:
+          - resources:
+              kinds:
+                - Secret
+              names:
+                - authelia-acl
+              namespaces:
+                - authelia
+      preconditions:
+        all:
+          - key: "{{request.operation || 'BACKGROUND'}}"
+            operator: Equals
+            value: UPDATE
+      mutate:
+        targets:
+          - apiVersion: apps/v1
+            kind: Deployment
+            name: authelia
+            namespace: authelia
+        patchStrategicMerge:
+          spec:
+            template:
+              metadata:
+                annotations:
+                  config.huizinga.dev/triggerRestart: "{{request.object.metadata.resourceVersion}}"
--- a/infra/kyverno/values.yaml
+++ b/infra/kyverno/values.yaml
@ -28,6 +28,12 @@ backgroundController:
          verbs:
            - get
            - update
+        - apiGroups:
+            - "apps"
+          resources:
+            - "deployments"
+          verbs:
+            - update
 cleanupController:
  replicas: 2
 reportsController: