fix(charts): disable vcluster s3 secret syncing and revert GeneratingPolicy

Author: davehadley

charts/workflows-cluster/values.yaml

@@ -122,7 +122,6 @@ vcluster:
             "/argo-server-sso": "workflows/argo-server-sso"
             "/sessionspaces-ispyb": "kube-system/sessionspaces-ispyb"
             "/artifact-s3-secret": "graph-proxy/artifact-s3-secret"
-            "/s3-artifact": "workflows/artifact-s3"
   rbac:
     clusterRole:
       enabled: false

charts/workflows/Chart.yaml

@@ -3,7 +3,7 @@ name: workflows
 description: Data Analysis workflow orchestration
 type: application
 
-version: 0.13.25
+version: 0.13.26
 
 dependencies:
   - name: argo-workflows

charts/workflows/templates/sessionspace-clusterpolicy.yaml

@@ -111,29 +111,30 @@ spec:
             name: argo-workflow
             apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: policies.kyverno.io/v1alpha1
-kind: GeneratingPolicy
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
 metadata:
-  name: copy-host-secret-artifact-s3
+  name: {{ .Release.Name }}-copy-artifact-s3-secret
 spec:
-  evaluation:
-    generateExisting:
-      enabled: true
-    synchronize:
-      enabled: true
-  matchConstraints:
-    resourceRules:
-    - apiGroups:   [""]
-      apiVersions: ["v1"]
-      operations:  ["CREATE"]
-      resources:   ["namespaces"]
-    namespaceSelector:
-      matchLabels:
-          app.kubernetes.io/managed-by: sessionspaces
-  variables:
-    - name: targetNs
-      expression: "object.metadata.name"
-    - name: sourceSecret
-      expression: resource.Get("v1", "secrets", "workflows", "artifact-s3")
-  generate:
-    - expression: generator.Apply(variables.targetNs, [variables.sourceSecret])
+  validationFailureAction: Enforce
+  background: true
+  generateExisting: true
+  mutateExistingOnPolicyUpdate: true
+  rules:
+    - name: copy-artifact-s3-secret
+      match:
+        resources:
+          kinds:
+            - Namespace
+          selector:
+            matchLabels:
+              app.kubernetes.io/managed-by: sessionspaces
+      generate:
+        synchronize: true
+        apiVersion: v1
+        kind: Secret
+        name: artifact-s3
+        namespace: "{{ `{{request.object.metadata.name}}` }}"
+        clone:
+          namespace: workflows
+          name: artifact-s3