From 3bca7a97c21714455ed9e3cde8730eb69205ee73 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Mon, 23 Mar 2026 22:36:22 +0200
Subject: [PATCH] fix(renew-tls): update TLS secret in ALL namespaces, not just kyverno

Kyverno generate+synchronize only manages secrets it created itself.
Existing Terraform-managed secrets in ~70 namespaces weren't updated.
Now loops through all namespaces and kubectl apply the new cert.
---
 .woodpecker/renew-tls.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.woodpecker/renew-tls.yml b/.woodpecker/renew-tls.yml
index 72577ccd..d2d8bf89 100644
--- a/.woodpecker/renew-tls.yml
+++ b/.woodpecker/renew-tls.yml
@@ -57,10 +57,13 @@ steps:
       - "apk update && apk add curl"
       - "curl -LO https://dl.k8s.io/release/v1.31.0/bin/linux/amd64/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/"
       - |
-        kubectl create secret tls tls-secret \
+        SECRET_YAML=$(kubectl create secret tls tls-secret \
           --cert=secrets/fullchain.pem --key=secrets/privkey.pem \
-          --namespace=kyverno --dry-run=client -o yaml | kubectl apply -f -
-      - "echo 'Source TLS secret updated in kyverno namespace — Kyverno will sync to all namespaces'"
+          --namespace=placeholder --dry-run=client -o yaml)
+        for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep -v '^kube-'); do
+          echo "$SECRET_YAML" | sed "s/namespace: placeholder/namespace: $ns/" | kubectl apply -f - 2>/dev/null || true
+        done
+      - "echo 'TLS secret updated in all namespaces'"
 
   - name: slack
     image: curlimages/curl
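Review bot: The `2>/dev/null || true` on the `kubectl apply` line inside the new loop hides every per-namespace failure (RBAC denial, an existing Secret of a different type, a namespace in Terminating state), so a namespace can keep serving the expiring certificate while this step and the Slack notification after it report success; track failures and exit non-zero after the loop instead. The `sed` rewrite of `namespace: placeholder` can also go if the manifest is generated without `--namespace` and applied with `-n "$ns"`, which avoids text-editing a document that carries the private key. Note too that the loop now writes the private key into every non-`kube-` namespace, including any created later, so anything with `get secrets` in any namespace can read it; if the ~70 Terraform-managed namespaces the commit message mentions are the intended set, selecting them by label or an explicit list keeps the blast radius where it was. Finally, `kubectl apply` stores the full Secret in the `last-applied-configuration` annotation, and if Terraform still manages these Secrets it may revert the cert on its next apply unless the data is ignored — worth confirming before relying on this path.

```yaml
      - |
        SECRET_YAML=$(kubectl create secret tls tls-secret \
          --cert=secrets/fullchain.pem --key=secrets/privkey.pem \
          --dry-run=client -o yaml)
        failed=0
        for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep -v '^kube-'); do
          if ! printf '%s\n' "$SECRET_YAML" | kubectl apply -n "$ns" -f -; then
            echo "tls-secret update failed in namespace $ns" >&2
            failed=1
          fi
        done
        [ "$failed" -eq 0 ]
```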