mbaldessari · December 23, 2024 09:30
diff --git a/gistfile1.txt b/gistfile1.txt
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
 metadata:
  annotations:
    argocd.argoproj.io/compare-options: IgnoreExtraneous
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  labels:
    argocd.argoproj.io/instance: acm
  name: acm-hub-ca-policy
  namespace: open-cluster-management
 spec:
  disabled: false
  policy-templates:
  - objectDefinition:
      apiVersion: policy.open-cluster-management.io/v1
      kind: ConfigurationPolicy
      metadata:
        name: acm-hub-ca-config-policy
      spec:
        namespaceSelector:
          include:
          - default
        object-templates:
        - complianceType: mustonlyhave
          objectDefinition:
            apiVersion: v1
            data:
              hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt"
                | base64enc hub}}'
              hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt"
                "service-ca.crt" | base64enc hub}}'
            kind: Secret
            metadata:
              name: hub-ca
              namespace: golang-external-secrets
            type: Opaque
        - complianceType: mustonlyhave
          objectDefinition:
            apiVersion: v1
            data:
              hub-kube-root-ca.crt: |
                {{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" | autoindent hub}}
              hub-openshift-service-ca.crt: |
                {{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" | autoindent hub}}
            kind: ConfigMap
            metadata:
              name: trusted-hub-bundle
              namespace: imperative
        remediationAction: enforce
        severity: medium
  remediationAction: enforce
 ---
 apiVersion: apps.open-cluster-management.io/v1
 kind: PlacementRule
 metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  labels:
    argocd.argoproj.io/instance: acm
  name: acm-hub-ca-policy-placement
  namespace: open-cluster-management
 spec:
  clusterConditions:
  - status: "True"
    type: ManagedClusterConditionAvailable
  clusterSelector:
    matchExpressions:
    - key: local-cluster
      operator: NotIn
      values:
      - "true"
 ---
 apiVersion: policy.open-cluster-management.io/v1
 kind: PlacementBinding
 metadata:
  annotations:
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
  labels:
    argocd.argoproj.io/instance: acm
  name: acm-hub-ca-policy-placement-binding
  namespace: open-cluster-management
 placementRef:
  apiGroup: apps.open-cluster-management.io
  kind: PlacementRule
  name: acm-hub-ca-policy-placement
 subjects:
 - apiGroup: policy.open-cluster-management.io
  kind: Policy
  name: acm-hub-ca-policy
	---
	apiVersion: policy.open-cluster-management.io/v1
	kind: Policy
	metadata:
	annotations:
	argocd.argoproj.io/compare-options: IgnoreExtraneous
	argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
	labels:
	argocd.argoproj.io/instance: acm
	name: acm-hub-ca-policy
	namespace: open-cluster-management
	spec:
	disabled: false
	policy-templates:
	- objectDefinition:
	apiVersion: policy.open-cluster-management.io/v1
	kind: ConfigurationPolicy
	metadata:
	name: acm-hub-ca-config-policy
	spec:
	namespaceSelector:
	include:
	- default
	object-templates:
	- complianceType: mustonlyhave
	objectDefinition:
	apiVersion: v1
	data:
	hub-kube-root-ca.crt: '{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt"
	\| base64enc hub}}'
	hub-openshift-service-ca.crt: '{{hub fromConfigMap "" "openshift-service-ca.crt"
	"service-ca.crt" \| base64enc hub}}'
	kind: Secret
	metadata:
	name: hub-ca
	namespace: golang-external-secrets
	type: Opaque
	- complianceType: mustonlyhave
	objectDefinition:
	apiVersion: v1
	data:
	hub-kube-root-ca.crt: \|
	{{hub fromConfigMap "" "kube-root-ca.crt" "ca.crt" \| autoindent hub}}
	hub-openshift-service-ca.crt: \|
	{{hub fromConfigMap "" "openshift-service-ca.crt" "service-ca.crt" \| autoindent hub}}
	kind: ConfigMap
	metadata:
	name: trusted-hub-bundle
	namespace: imperative
	remediationAction: enforce
	severity: medium
	remediationAction: enforce
	---
	apiVersion: apps.open-cluster-management.io/v1
	kind: PlacementRule
	metadata:
	annotations:
	argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
	labels:
	argocd.argoproj.io/instance: acm
	name: acm-hub-ca-policy-placement
	namespace: open-cluster-management
	spec:
	clusterConditions:
	- status: "True"
	type: ManagedClusterConditionAvailable
	clusterSelector:
	matchExpressions:
	- key: local-cluster
	operator: NotIn
	values:
	- "true"
	---
	apiVersion: policy.open-cluster-management.io/v1
	kind: PlacementBinding
	metadata:
	annotations:
	argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
	labels:
	argocd.argoproj.io/instance: acm
	name: acm-hub-ca-policy-placement-binding
	namespace: open-cluster-management
	placementRef:
	apiGroup: apps.open-cluster-management.io
	kind: PlacementRule
	name: acm-hub-ca-policy-placement
	subjects:
	- apiGroup: policy.open-cluster-management.io
	kind: Policy
	name: acm-hub-ca-policy