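---
# Kyverno ClusterPolicy that mutates Pods in the `woodpecker` namespace:
# every container gets the egress-proxy environment variables and a read-only
# mount of the proxy CA certificate taken from the `proxy-ca-cert` ConfigMap.
# Pods labelled app.kubernetes.io/name=server or =agent are left untouched.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: woodpecker-proxy-ca
  annotations:
    policies.kyverno.io/title: 'Woodpecker Proxy CA Injection'
    policies.kyverno.io/category: 'Networking'
    policies.kyverno.io/subject: 'Pod'
spec:
  rules:
    - name: inject-ca-cert
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - woodpecker
      # The exclusion is purely label-based: any Pod in the namespace that
      # carries one of these labels skips the mutation.
      # NOTE(review): confirm that only the server/agent workloads can set
      # app.kubernetes.io/name, otherwise a pipeline Pod could opt out of
      # the proxy by labelling itself.
      exclude:
        any:
          - resources:
              selector:
                matchLabels:
                  app.kubernetes.io/name: server
          - resources:
              selector:
                matchLabels:
                  app.kubernetes.io/name: agent
      mutate:
        patchStrategicMerge:
          spec:
            containers:
              # Conditional anchor with a wildcard: the patch applies to
              # every entry under `containers`. initContainers are not
              # listed here and therefore receive neither env nor mount.
              - (name): '*'
                env:
                  # These variables are advisory: a process can ignore them,
                  # so egress enforcement still has to happen at the network
                  # layer (NetworkPolicy / firewall), not in this policy.
                  - name: HTTP_PROXY
                    value: 'http://192.168.42.1:3128'
                  - name: HTTPS_PROXY
                    value: 'http://192.168.42.1:3128'
                  # Lowercase twins, matching the NO_PROXY/no_proxy pair
                  # below: some clients (curl for http_proxy, for example)
                  # read only the lowercase name.
                  - name: http_proxy
                    value: 'http://192.168.42.1:3128'
                  - name: https_proxy
                    value: 'http://192.168.42.1:3128'
                  # CIDR entries are honoured by some clients only; others
                  # compare host names/suffixes literally. Verify with the
                  # tools the pipelines actually run.
                  - name: NO_PROXY
                    value: '10.0.0.0/8,192.168.0.0/16,127.0.0.1,localhost,.local'
                  - name: no_proxy
                    value: '10.0.0.0/8,192.168.0.0/16,127.0.0.1,localhost,.local'
                  # Points TLS libraries that honour SSL_CERT_FILE at the
                  # proxy CA. Depending on the library this may replace,
                  # rather than extend, the image's default CA bundle.
                  # NOTE(review): if ca.crt holds only the proxy CA, TLS to
                  # NO_PROXY destinations signed by another CA may fail;
                  # consider shipping a combined bundle.
                  - name: SSL_CERT_FILE
                    value: '/etc/ssl/certs/proxy-ca.crt'
                volumeMounts:
                  # subPath mounts are not refreshed when the ConfigMap
                  # changes; a rotated CA reaches only newly created Pods.
                  - name: proxy-ca
                    mountPath: /etc/ssl/certs/proxy-ca.crt
                    subPath: ca.crt
                    readOnly: true
            volumes:
              # The ConfigMap must exist in the Pod's namespace; it is not
              # marked optional, so a missing ConfigMap keeps mutated Pods
              # from starting. Its content becomes a trust anchor for every
              # mutated container: restrict write access to it via RBAC.
              - name: proxy-ca
                configMap:
                  name: proxy-ca-cert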