fix(renew-tls): update TLS secret in ALL namespaces, not just kyverno

Kyverno generate+synchronize only manages secrets it created itself. Existing Terraform-managed secrets in ~70 namespaces weren't updated. Now loops through all namespaces and kubectl apply the new cert.
2026-03-23 22:36:22 +02:00 · 2026-03-23 22:36:22 +02:00 · 3bca7a97c2
commit 3bca7a97c2
parent dadbec0eb4
1 changed files with 6 additions and 3 deletions
--- a/.woodpecker/renew-tls.yml
+++ b/.woodpecker/renew-tls.yml
@ -57,10 +57,13 @@ steps:
      - "apk update && apk add curl"
      - "curl -LO https://dl.k8s.io/release/v1.31.0/bin/linux/amd64/kubectl && chmod +x kubectl && mv kubectl /usr/local/bin/"
      - |
-        kubectl create secret tls tls-secret \
+        SECRET_YAML=$(kubectl create secret tls tls-secret \
          --cert=secrets/fullchain.pem --key=secrets/privkey.pem \
-          --namespace=kyverno --dry-run=client -o yaml | kubectl apply -f -
-      - "echo 'Source TLS secret updated in kyverno namespace — Kyverno will sync to all namespaces'"
+          --namespace=placeholder --dry-run=client -o yaml)
+        for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' | grep -v '^kube-'); do
+          echo "$SECRET_YAML" | sed "s/namespace: placeholder/namespace: $ns/" | kubectl apply -f - 2>/dev/null || true
+        done
+      - "echo 'TLS secret updated in all namespaces'"

  - name: slack
    image: curlimages/curl