kyverno: force_new on sync-ghcr-credentials — generate rules are immutable
All checks were successful
ci/woodpecker/push/default Pipeline was successful
ci/woodpecker/push/build-cli Pipeline was successful

Pipeline 138: the validate-policy webhook denies in-place edits of a
generate rule (allowlist additions). force_new = delete+recreate;
generated secrets survive and generateExisting re-adopts.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Viktor Barzin 2026-06-12 23:18:15 +00:00
parent 6b0d42c7bc
commit 12bdd06f74


@ -47,6 +47,11 @@ resource "kubernetes_secret" "ghcr_credentials" {
}
resource "kubectl_manifest" "sync_ghcr_credentials" {
# Kyverno's validate-policy webhook DENIES in-place changes to a generate
# rule's spec ("changes of immutable fields ... is disallowed"), so any
# allowlist edit must delete+recreate the policy. Generated secrets survive
# policy deletion; generateExisting re-adopts them on recreate.
force_new = true
yaml_body = yamlencode({
apiVersion = "kyverno.io/v1"
kind = "ClusterPolicy"
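Review bot: the new comment above `force_new = true` justifies delete+recreate by assuming `generateExisting` re-adopts the surviving secrets, but nothing in this hunk shows `generateExisting` (or `synchronize`) set on the rule; either point the comment at where those fields are set in this `yaml_body`, or extend the hunk to show them, so a later edit to the rule cannot silently break the survive-and-readopt assumption the comment relies on. It is also worth stating in the same comment that `force_new` means every allowlist edit leaves a short window with no policy present at all, during which anything matching the rule gets no generated secret until the recreate completes.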