From 7d0b90e45ffbf4fd41d4d756617a05ea1ab01ae5 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Mon, 29 Jan 2024 00:12:27 +0100
Subject: [PATCH] feat(renovate): Move namespace restricitons into kustomize
 component

---
 apps/base/renovate/kustomization.yaml         |  3 ++-
 apps/base/renovate/namespace.yaml             |  7 -------
 .../namespace-baseline/kustomization.yaml     |  7 +++++++
 .../namespace-baseline/namespace.yaml         | 21 +++++++++++++++++++
 4 files changed, 30 insertions(+), 8 deletions(-)
 create mode 100644 shared/components/namespace-baseline/kustomization.yaml
 create mode 100644 shared/components/namespace-baseline/namespace.yaml

diff --git a/apps/base/renovate/kustomization.yaml b/apps/base/renovate/kustomization.yaml
index 68348b99c..644684573 100644
--- a/apps/base/renovate/kustomization.yaml
+++ b/apps/base/renovate/kustomization.yaml
@@ -7,4 +7,5 @@ resources:
   - release.yaml
 
 components:
-  - ../../../shared/components/flux-namespace-admin
\ No newline at end of file
+  - ../../../shared/components/flux-namespace-admin
+  - ../../../shared/components/namespace-baseline
\ No newline at end of file
diff --git a/apps/base/renovate/namespace.yaml b/apps/base/renovate/namespace.yaml
index 572a3f4db..ec7c378f1 100644
--- a/apps/base/renovate/namespace.yaml
+++ b/apps/base/renovate/namespace.yaml
@@ -2,10 +2,3 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: renovate
-  labels:
-    pod-security.kubernetes.io/audit: restricted
-    pod-security.kubernetes.io/enforce: baseline
-    pod-security.kubernetes.io/warn: restricted
-    pod-security.kubernetes.io/audit-version: v1.26
-    pod-security.kubernetes.io/enforce-version: v1.23
-    pod-security.kubernetes.io/warn-version: v1.26
diff --git a/shared/components/namespace-baseline/kustomization.yaml b/shared/components/namespace-baseline/kustomization.yaml
new file mode 100644
index 000000000..e748e75a5
--- /dev/null
+++ b/shared/components/namespace-baseline/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+patches:
+  - path: namespace.yaml
+    target:
+      kind: Namespace
\ No newline at end of file
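Review bot: The `target` in this new component selects on `kind: Namespace` only, so the patch lands on every Namespace rendered by whichever kustomization includes it, and nothing in the file says so. A header comment would make that scope explicit to anyone reusing the component, for example `# Sets Pod Security Admission labels (enforce: baseline, audit/warn: restricted) on every Namespace in the including kustomization.` The file also ends without a trailing newline.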
diff --git a/shared/components/namespace-baseline/namespace.yaml b/shared/components/namespace-baseline/namespace.yaml
new file mode 100644
index 000000000..97788fd6e
--- /dev/null
+++ b/shared/components/namespace-baseline/namespace.yaml
@@ -0,0 +1,21 @@
+- op: add
+  path: /metadata/labels
+  value: {}
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1audit
+  value: restricted
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1enforce
+  value: baseline
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1warn
+  value: restricted
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1audit-version
+  value: v1.28
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1enforce-version
+  value: v1.28
+- op: add
+  path: /metadata/labels/pod-security.kubernetes.io~1warn-version
+  value: v1.28
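Review bot: The first operation, `add` on `/metadata/labels` with `value: {}`, replaces the whole labels map when the target Namespace already has one, because JSON Patch `add` on an existing member overwrites it; any labels set in the base or by a component listed earlier would be dropped silently. A strategic merge patch merges into existing labels instead and avoids the `~1` escaping; a sketch follows (with `target` set, the patch's `metadata.name` should be ignored, but confirm this against the kustomize version in use). Separately, the enforce pin moves from v1.23 to v1.28 and the audit/warn pins from v1.26 to v1.28 in what the subject calls a move, so the policy change deserves a line in the commit message.

```yaml
# strategic merge patch: merges with labels already present on the Namespace
apiVersion: v1
kind: Namespace
metadata:
  name: not-used
  labels:
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit-version: v1.28
    pod-security.kubernetes.io/enforce-version: v1.28
    pod-security.kubernetes.io/warn-version: v1.28
```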
-- 
GitLab