---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ingress-auth-annotations
  annotations:
    policies.kyverno.io/title: Ingress Auth Annotations
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      This policy creates auth annotations on ingresses. When
      the `auth.home.arpa/enabled` annotation is `true` it
      applies the nginx auth annotations for use with Authelia.
spec:
  mutateExistingOnPolicyUpdate: true
  generateExistingOnPolicyUpdate: true
  rules:
    - name: auth
      match:
        any:
          - resources:
              kinds: ["Ingress"]
              annotations:
                auth.home.arpa/enabled: "true"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              +(nginx.ingress.kubernetes.io/auth-method): GET
              +(nginx.ingress.kubernetes.io/auth-url): |-
                http://authelia.default.svc.cluster.local.:8888/api/verify
              +(nginx.ingress.kubernetes.io/auth-signin): |-
                https://auth.${SECRET_CLUSTER_DOMAIN}?rm=$request_method
              +(nginx.ingress.kubernetes.io/auth-response-headers): |-
                Remote-User,Remote-Name,Remote-Groups,Remote-Email
              +(nginx.ingress.kubernetes.io/auth-snippet): |
                proxy_set_header X-Forwarded-Method $request_method;
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ingress-external-dns-annotations
  annotations:
    policies.kyverno.io/title: Ingress External-DNS Annotations
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      This policy creates external-dns annotations on ingresses.
      When the `external-dns.home.arpa/enabled` annotation is `true`
      it applies the external-dns annotations for use with external
      application access.
spec:
  mutateExistingOnPolicyUpdate: true
  generateExistingOnPolicyUpdate: true
  rules:
    - name: external-dns
      match:
        any:
          - resources:
              kinds: ["Ingress"]
              annotations:
                external-dns.home.arpa/enabled: "true"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              +(external-dns.alpha.kubernetes.io/target): |-
                services.${SECRET_DOMAIN}.
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: ingress-whitelist-annotations
  annotations:
    policies.kyverno.io/title: Ingress Whitelist Annotations
    policies.kyverno.io/subject: Ingress
    policies.kyverno.io/description: >-
      This policy creates annotations on ingresses. When
      the `external-dns.home.arpa/enabled` annotation is not
      set it applies the nginx annotations for use with only
      internal application access.
spec:
  mutateExistingOnPolicyUpdate: true
  generateExistingOnPolicyUpdate: true
  rules:
    - name: whitelist
      match:
        any:
          - resources:
              kinds: ["Ingress"]
      exclude:
        any:
          - resources:
              annotations:
                external-dns.home.arpa/enabled: "true"
      mutate:
        patchStrategicMerge:
          metadata:
            annotations:
              +(nginx.ingress.kubernetes.io/whitelist-source-range): |-
                10.0.0.0/8,172.16.0.0/12,192.168.0.0/16