7 changed files with 12 additions and 16 deletions
--- a/README.md
+++ b/README.md
@ -180,7 +180,7 @@ flux create kustomization dev-team \
 Create the base `kustomization.yaml` file:

 ```sh
-cd ./tenants/base/dev-team/ && kustomize create --autodetect --namespace apps 
+cd ./tenants/base/dev-team/ && kustomize create --autodetect
 ```

 Create the staging overlay and set the path to the staging dir inside the tenant repository:
@ -199,7 +199,6 @@ EOF
 cat << EOF | tee ./tenants/staging/kustomization.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: apps
 resources:
  - ../base/dev-team
 patches:
@ -524,7 +523,7 @@ flux -n apps create secret git dev-team-auth \
 Print the SSH public key and add it as a read-only deploy key to the dev-team repository:

 ```sh
-yq eval '.stringData."identity.pub"' ./tenants/base/dev-team/auth.yaml
+yq eval 'data."identity.pub"' git-auth.yaml | base64 --decode
 ```

 ### Git over HTTP/S
--- a/infrastructure/kyverno-policies/verify-flux-images.yaml
+++ b/infrastructure/kyverno-policies/verify-flux-images.yaml
@ -29,7 +29,6 @@ spec:
            - "docker.io/fluxcd/image-reflector-controller:*"
            - "docker.io/fluxcd/image-automation-controller:*"
          mutateDigest: false
-          verifyDigest: false
          attestors:
            - entries:
                - keyless:
--- a/infrastructure/kyverno-policies/verify-git-repositories.yaml
+++ b/infrastructure/kyverno-policies/verify-git-repositories.yaml
@ -9,18 +9,19 @@ spec:
  validationFailureAction: Audit # Change to 'Enforce' once the specific org url is set.
  rules:
    - name: github-repositories-only
+      exclude:
+        resources:
+          namespaces:
+            - flux-system
      match:
        any:
        - resources:
            kinds:
              - GitRepository
-      exclude:
-        any:
-        - resources:
-            namespaces:
-              - flux-system
      validate:
        message: ".spec.url must be from a repository within the organisation X"
-        pattern:
-          spec:
-            url: https://github.com/fluxcd/?* | ssh://git@github.com:fluxcd/?*
+        anyPattern:
+        - spec:
+            url: "https://github.com/fluxcd/?*" # repositories in fluxcd via https
+        - spec:
+            url: "ssh://git@github.com:fluxcd/?*" # repositories in fluxcd via ssh
--- a/infrastructure/kyverno/source.yaml
+++ b/infrastructure/kyverno/source.yaml
@ -8,6 +8,6 @@ spec:
  provider: generic
  url: oci://ghcr.io/kyverno/manifests/kyverno
  ref:
-    tag: "v1.14.4"
+    tag: "v1.10.2"
  verify:
    provider: cosign
--- a/tenants/base/dev-team/kustomization.yaml
+++ b/tenants/base/dev-team/kustomization.yaml
@ -1,6 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: apps
 resources:
  - rbac.yaml
  - sync.yaml
--- a/tenants/production/kustomization.yaml
+++ b/tenants/production/kustomization.yaml
@ -1,6 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: apps
 resources:
  - ../base/dev-team
 patches:
--- a/tenants/staging/kustomization.yaml
+++ b/tenants/staging/kustomization.yaml
@ -1,6 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: apps
 resources:
  - ../base/dev-team
 patches: