---
# Kyverno ClusterPolicy that assembles Authelia's access_control rules into the
# Secret authelia-acl (namespace authelia). The rendered configuration.acl.yaml
# concatenates two sources:
#   1. the Secret's own data.rules (base64-decoded, empty if absent), and
#   2. the data.rules of every ConfigMap annotated
#      config.huizinga.dev/fragment: authelia-acl, fetched by an API call whose
#      urlPath has no namespace segment, i.e. ConfigMaps from ALL namespaces.
#
# NOTE(review): because the fragment lookup is cluster-wide and filtered by the
# annotation only, any principal able to create a ConfigMap in any namespace can
# contribute entries to the Authelia ACL. If cross-namespace fragments are not
# intended, scope both apiCalls to /api/v1/namespaces/authelia/configmaps and add
# a namespaces restriction to the update-from-fragment match. Left unchanged here
# because the cross-namespace lookup may be deliberate — confirm with the owner.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-authelia-acl
  annotations:
    policies.kyverno.io/title: Generate Authelia ACL
    policies.kyverno.io/category: Other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Secret
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    # single-dot version: quoted so it stays a string rather than a float
    kyverno.io/kubernetes-version: "1.23"
spec:
  rules:
    # Rule 1: runs when the authelia-acl Secret itself is admitted and rebuilds
    # configuration.acl.yaml from request.object.data.rules plus the fragments.
    - name: update-from-base
      match:
        any:
          - resources:
              kinds:
                - Secret
              name: authelia-acl
              namespaces:
                - authelia
      context:
        # All annotated fragments joined with an empty separator — presumably
        # each fragment already ends in a newline; verify in the fragment data.
        - name: rules
          apiCall:
            urlPath: "/api/v1/configmaps"
            jmesPath: 'join('''', items[?metadata.annotations."config.huizinga.dev/fragment"==''authelia-acl''].data.rules)'
      mutate:
        patchStrategicMerge:
          stringData:
            # Secret data values are base64; `|| ''` makes a missing key decode
            # to an empty string instead of failing the rule.
            # NOTE(review): as rendered here the replace_all() search and
            # replacement arguments look identical (a no-op). The original
            # presumably re-indents each newline under `rules:` — confirm
            # against the source before relying on the output layout.
            "configuration.acl.yaml": |
              access_control:
                rules:
              {{ replace_all(base64_decode(request.object.data.rules || ''), ' ', ' ') }}{{ replace_all(rules, ' ', ' ') }}

    # Rule 2: triggers on any ConfigMap carrying the fragment annotation (no
    # namespace restriction) and, as a mutate-existing rule, rewrites the target
    # Secret from its current data.rules (target.*) plus the fragments. It also
    # re-runs against the target whenever the policy itself is updated.
    - name: update-from-fragment
      match:
        any:
          - resources:
              kinds:
                - ConfigMap
              annotations:
                config.huizinga.dev/fragment: authelia-acl
      context:
        # Same cluster-wide fragment lookup as in update-from-base.
        - name: rules
          apiCall:
            urlPath: "/api/v1/configmaps"
            jmesPath: 'join('''', items[?metadata.annotations."config.huizinga.dev/fragment"==''authelia-acl''].data.rules)'
      mutate:
        mutateExistingOnPolicyUpdate: true
        targets:
          - apiVersion: v1
            kind: Secret
            name: authelia-acl
            namespace: authelia
        patchStrategicMerge:
          stringData:
            # Same rendering as rule 1, reading the existing Secret (target)
            # instead of the admission request object. See the NOTE(review) on
            # replace_all() in update-from-base.
            "configuration.acl.yaml": |
              access_control:
                rules:
              {{ replace_all(base64_decode(target.data.rules || ''), ' ', ' ') }}{{ replace_all(rules, ' ', ' ') }}