---
# ClusterRole granting read and write access to Secrets in the core API group.
# The ClusterRoleBinding named kyverno-secret-clone-binding in this file binds
# it cluster-wide, so the grant covers every Secret in every namespace, not
# only the single Secret that the clone policy copies.
# Risk: a compromised token for a bound service account can read or overwrite
# any Secret in the cluster, including other workloads' credentials.
# NOTE(review): resourceNames cannot restrict "create", so narrowing this
# means namespaced Role/RoleBinding pairs (read in the source namespace, write
# in the target namespaces). Confirm Kyverno's own permission checks still
# pass before tightening.
# Detection: alert on API audit events where these service accounts touch
# Secrets outside the source and target namespaces of the clone policy.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno-secret-clone
rules:
  # "" is the core API group, where Secret lives.
  - apiGroups: [""]
    resources: ["secrets"]
    # get/list read secret data; create/update/delete manage the copies.
    verbs: ["get", "list", "create", "update", "delete"]
---
# Binds the kyverno-secret-clone ClusterRole to two service accounts in the
# kyverno namespace. Because this is a ClusterRoleBinding rather than a
# namespaced RoleBinding, both subjects receive the role's Secret verbs in
# all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kyverno-secret-clone-binding
subjects:
  # NOTE(review): confirm the admission controller needs the write verbs. If
  # only the background controller performs the clone, a narrower grant for
  # this subject would reduce the blast radius of a token compromise.
  - kind: ServiceAccount
    name: kyverno-admission-controller
    namespace: kyverno
  - kind: ServiceAccount
    name: kyverno-background-controller
    namespace: kyverno
roleRef:
  # roleRef is immutable once created; changing the referenced role means
  # deleting and recreating the binding.
  kind: ClusterRole
  name: kyverno-secret-clone
  apiGroup: rbac.authorization.k8s.io
---
# Kyverno ClusterPolicy that clones the Secret cert-manager/rbx1theadam-tls
# into each namespace listed under match, keeping the same Secret name.
# NOTE(review): the name suggests a TLS certificate and private key. Confirm,
# because every target namespace becomes another place where that material
# can be read by anyone holding get/list on Secrets there.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-rbx1theadam-tls-secret
spec:
  background: true
  rules:
    - name: sync-rbx1theadam-tls
      match:
        any:
          - resources:
              kinds:
                - Namespace
              # Explicit allow-list of target namespaces. Keep it as literal
              # names: a wildcard or a label selector that tenants can set
              # would let any matching namespace receive a copy.
              names:
                - ingress-nginx
                - openbao
                - nvdaremoteserver
      generate:
        apiVersion: v1
        kind: Secret
        name: rbx1theadam-tls
        # Target namespace is the name of the matched Namespace object, so it
        # can only resolve to one of the three names listed under match.
        namespace: "{{request.object.metadata.name}}"
        # Per Kyverno's documented behaviour, synchronize keeps the copy
        # aligned with the source, so rotations propagate to the copies.
        # NOTE(review): verify against the deployed Kyverno version.
        synchronize: true
        clone:
          # Source of truth. Write access to this Secret in cert-manager
          # controls what is served from every target namespace.
          namespace: cert-manager
          name: rbx1theadam-tls