kyverno: rework how the Apps work so user can better choose to use Audit or Enforce mode

Signed-off-by: Boris 'B' Kurktchiev <kurktchiev@gmail.com>

kyverno-integration/README.md

@@ -8,11 +8,11 @@ The Stack installs `Kyverno` and `Kyverno Pod Security Policies - Restricted` im
   - `kyverno-pss-policies-audit.yaml` - for testing and understanding of the impact
   - `kyverno-pss-policies-enforce.yaml` - once the proper state of platform is understood and all necessary workload exceptions or violations have been accounted for.
     - If you chose to enable `Enforce` mode. Exceptions for the following `ref-implementation` components are included, to ensure proper operability:
-      - [ArgoCD](exceptions/argocd.yaml)
-      - [Crossplane](exceptions/crossplane.yaml)
-      - [Backstage](exceptions/backstage.yaml)
-      - [Ingress-Nginx](exceptions/ingress-nginx.yaml)
-      - [Kind cluster](exceptions/kind.yaml), this should mainly be needed when testing `ref-implementation` on a `kind` installation
+      - [ArgoCD](modules/enforce/exceptions/argocd.yaml)
+      - [Crossplane](modules/enforce/exceptions/crossplane.yaml)
+      - [Backstage](modules/enforce/exceptions/backstage.yaml)
+      - [Ingress-Nginx](modules/enforce/exceptions/ingress-nginx.yaml)
+      - [Kind cluster](modules/enforce/exceptions/kind.yaml), this should mainly be needed when testing `ref-implementation` on a `kind` installation
 
 *NOTE* - enabling `Enforce` mode without prior testing will most likely cause issues, always start with `Audit` unless you are completely sure of the impact enabling blocking policies will have on your platform.
 
@@ -26,27 +26,21 @@ idpbuilder create --use-path-routing \
   -p https://github.com/cnoe-io/stacks//kyverno-integration
 ```
 
-Depending on your use case, install the Kubernetes PSS Policies, implemented in Kyverno as follows:
+Depending on your use case, install the Kubernetes PSS Policies in `Audit`, implemented in Kyverno as follows:
 
 ```bash
-git clone https://github.com/cnoe-io/stacks.git
-cd stacks
-
 idpbuilder create --use-path-routing \
   -p https://github.com/cnoe-io/stacks//ref-implementation
   -p https://github.com/cnoe-io/stacks//kyverno-integration
-  -p kyverno-integration/manifests/kyverno-pss-policies-audit.yaml
+  -p https://github.com/cnoe-io/stacks//kyverno-integration/modules/audit
 ```
 
-If you would like to change to `Enforce` mode, replace with `-p kyverno-integration/manifests/kyverno-pss-policies-audit.yaml` and add the provided exceptions to the installation.
+If you would like to change to `Enforce` mode:
 
 ```bash
-git clone https://github.com/cnoe-io/stacks.git
-cd stacks
-
 idpbuilder create --use-path-routing \
   -p https://github.com/cnoe-io/stacks//ref-implementation
   -p https://github.com/cnoe-io/stacks//kyverno-integration
-  -p kyverno-integration/manifests/kyverno-pss-policies-enforce.yaml
-  -p kyverno-integration/manifests/exceptions
+  -p https://github.com/cnoe-io/stacks//kyverno-integration/modules/enforce
 ```
+

kyverno-integration/manifests/kyverno-pss-policies-enforce.yaml

@@ -1,24 +0,0 @@
-kind: Application
-apiVersion: argoproj.io/v1alpha1
-metadata:
-  name: kyverno-pss-policies-enforce
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://github.com/nirmata/kyverno-policies
-    targetRevision: HEAD
-    path: pod-security/enforce
-  destination:
-    server: "https://kubernetes.default.svc"
-  syncPolicy:
-    syncOptions:
-    - Replace=true
-    automated:
-      selfHeal: true
-    retry:
-      limit: 30
-      backoff:
-        duration: 5s
-        factor: 2
-        maxDuration: 3m0s

kyverno-integration/modules/enforce/kyverno-pss-policies-enforce.yaml

@@ -0,0 +1,61 @@
+---
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno-pss-policies-enforce
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/kyverno/kyverno
+    targetRevision: 3.2.5
+    path: charts/kyverno-policies
+    helm:
+      releaseName: "kyverno-policies"
+      parameters:
+        - name: "podSecurityStandard"
+          value: restricted
+        - name: "validationFailureAction"
+          value: Enforce
+        - name: "podSecuritySeverity"
+          value: High
+  destination:
+    server: "https://kubernetes.default.svc"
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s
+---
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: kyverno-pss-policies-enforce-exceptions
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: cnoe://exceptions
+    targetRevision: HEAD
+    path: "."
+    directory:
+      recurse: true
+  destination:
+    server: "https://kubernetes.default.svc"
+  syncPolicy:
+    syncOptions:
+    - Replace=true
+    automated:
+      selfHeal: true
+    retry:
+      limit: 30
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m0s