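---
# Cache of externally sourced data that Kyverno policies read (as a ConfigMap
# context) instead of issuing an apiCall to the external service on every
# admission request.
#
# SECURITY: admission policies trust the contents of this ConfigMap. Anyone who
# can patch it (the CronJob's ServiceAccount below, or anyone able to run a pod
# as that ServiceAccount in the kyverno namespace) can widen the registry
# allowlist. Keep RBAC on this namespace tight.
apiVersion: v1
kind: ConfigMap
metadata:
  name: external-data-cache
  namespace: kyverno
  labels:
    app: kyverno-config
data:
  # Allowed image registries, one per line (refreshed by the CronJob below).
  allowed-registries: |
    registry.company.com
    gcr.io/company-project
    public.ecr.aws/company
  # Approved StorageClass names, one per line.
  approved-storage-classes: |
    standard-ssd
    premium-ssd
    backup-hdd
  # Time of the last successful refresh (written by the CronJob). Quoted so
  # YAML keeps it a string instead of parsing a timestamp.
  last-updated: "2024-01-01T00:00:00Z"
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: update-policy-cache
  namespace: kyverno
  annotations:
    description: >-
      Обновляет ConfigMap external-data-cache данными из внешних API.
      Позволяет политикам использовать актуальные данные без прямых apiCall
      к внешним сервисам на каждый запрос.
spec:
  schedule: "*/10 * * * *"  # every 10 minutes
  concurrencyPolicy: Forbid
  # Bounded history and runtime: a hung fetch is killed instead of holding the
  # (Forbid) slot and blocking every later refresh.
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      activeDeadlineSeconds: 300
      template:
        spec:
          serviceAccountName: policy-cache-updater
          restartPolicy: OnFailure
          securityContext:
            runAsNonRoot: true
            # bitnami images run as uid 1001 by default.
            runAsUser: 1001
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: cache-updater
              # TODO(review): pin by digest (bitnami/kubectl@sha256:...). This
              # pod can rewrite admission-policy input, so its image should not
              # float with a mutable tag.
              image: bitnami/kubectl:1.28
              securityContext:
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                capabilities:
                  drop: ["ALL"]
              env:
                - name: EXTERNAL_API_URL
                  value: "https://api.company.com/v1"
                - name: CONFIGMAP_NAME
                  value: "external-data-cache"
                - name: NAMESPACE
                  value: "kyverno"
                # kubectl's discovery cache needs a writable directory with a
                # read-only root filesystem.
                - name: KUBECACHEDIR
                  value: "/work/cache"
              volumeMounts:
                - name: work
                  mountPath: /work
              command:
                - /bin/bash
                - -c
                - |
                  set -euo pipefail

                  echo "Fetching allowed registries from external API..."
                  # Replace with a curl call to ${EXTERNAL_API_URL}. Keep TLS
                  # verification on (no -k/--insecure) and fail on HTTP errors
                  # (-f): this output becomes an admission-control allowlist.
                  REGISTRIES=$(printf '%s\n' "registry.company.com" "gcr.io/company-project")

                  # Validate before writing. An empty result or an entry with
                  # anything other than hostname[:port][/path] characters aborts
                  # and leaves the previous cache in place, rather than poisoning
                  # the policy input or injecting YAML into the patch below.
                  if [ -z "${REGISTRIES}" ]; then
                    echo "Empty registry list from API; keeping previous cache" >&2
                    exit 1
                  fi
                  if printf '%s\n' "${REGISTRIES}" | grep -Evq '^[A-Za-z0-9][A-Za-z0-9.-]*(:[0-9]+)?(/[A-Za-z0-9._-]+)*$'; then
                    echo "Registry list contains an invalid entry; aborting" >&2
                    exit 1
                  fi

                  echo "Updating ConfigMap..."
                  # Build the patch as YAML with a literal block scalar. The
                  # entries are indented verbatim instead of being interpolated
                  # into a JSON string, so newlines survive (the original string
                  # interpolation folded them away) and nothing needs escaping.
                  PATCH_FILE=/work/patch.yaml
                  {
                    echo "data:"
                    echo "  allowed-registries: |"
                    printf '%s\n' "${REGISTRIES}" | sed 's/^/    /'
                    echo "  last-updated: \"$(date -u +%Y-%m-%dT%H:%M:%SZ)\""
                  } > "${PATCH_FILE}"

                  kubectl patch configmap "${CONFIGMAP_NAME}" \
                    -n "${NAMESPACE}" \
                    --type merge \
                    --patch-file "${PATCH_FILE}"
                  echo "Cache updated successfully"
              resources:
                requests:
                  cpu: 50m
                  memory: 32Mi
                limits:
                  cpu: 100m
                  memory: 64Mi
          volumes:
            - name: work
              emptyDir: {}
---
# Identity used only by the CronJob above. Its token can rewrite the policy
# cache, so treat "create pods in kyverno" as an equivalent privilege.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: policy-cache-updater
  namespace: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: configmap-updater
  namespace: kyverno
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    # Scoped to the single ConfigMap the job writes. `get` is needed because
    # kubectl patch reads the object first; `update` (whole-object replace) is
    # not used by the job and is left out to keep the grant minimal.
    resourceNames: ["external-data-cache"]
    verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: policy-cache-updater
  namespace: kyverno
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: configmap-updater
subjects:
  - kind: ServiceAccount
    name: policy-cache-updater
    namespace: kyverno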