From 6097741bd21d2b5552ed31b2ce560b3dd8ffe617 Mon Sep 17 00:00:00 2001
From: David Hadley
Date: Wed, 12 Nov 2025 08:59:29 +0000
Subject: [PATCH] fix(charts): disable vcluster s3 secret syncing and revert GeneratingPolicy
---
 charts/workflows-cluster/values.yaml | 1 -
 charts/workflows/Chart.yaml | 2 +-
 .../templates/sessionspace-clusterpolicy.yaml | 50 ++++++++++---------
 3 files changed, 27 insertions(+), 26 deletions(-)
diff --git a/charts/workflows-cluster/values.yaml b/charts/workflows-cluster/values.yaml
index 7427a5c70..c039f3666 100644
--- a/charts/workflows-cluster/values.yaml
+++ b/charts/workflows-cluster/values.yaml
@@ -122,7 +122,6 @@ vcluster:
 "/argo-server-sso": "workflows/argo-server-sso"
 "/sessionspaces-ispyb": "kube-system/sessionspaces-ispyb"
 "/artifact-s3-secret": "graph-proxy/artifact-s3-secret"
- "/s3-artifact": "workflows/artifact-s3"
 rbac:
 clusterRole:
 enabled: false
diff --git a/charts/workflows/Chart.yaml b/charts/workflows/Chart.yaml
index cc71819ab..f6ffc339e 100644
--- a/charts/workflows/Chart.yaml
+++ b/charts/workflows/Chart.yaml
@@ -3,7 +3,7 @@ name: workflows
 description: Data Analysis workflow orchestration
 type: application
-version: 0.13.25
+version: 0.13.26
 dependencies:
 - name: argo-workflows
diff --git a/charts/workflows/templates/sessionspace-clusterpolicy.yaml b/charts/workflows/templates/sessionspace-clusterpolicy.yaml
index f5816f416..1a8ef271c 100644
--- a/charts/workflows/templates/sessionspace-clusterpolicy.yaml
+++ b/charts/workflows/templates/sessionspace-clusterpolicy.yaml
@@ -111,29 +111,31 @@ spec:
 name: argo-workflow
 apiGroup: rbac.authorization.k8s.io
 ---
-apiVersion: policies.kyverno.io/v1alpha1
-kind: GeneratingPolicy
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
 metadata:
- name: copy-host-secret-artifact-s3
+ name: {{ .Release.Name }}-copy-artifact-s3-secret
 spec:
- evaluation:
- generateExisting:
- enabled: true
- synchronize:
- enabled: true
- matchConstraints:
- resourceRules:
- - apiGroups: [""]
- apiVersions: ["v1"]
- operations: ["CREATE"]
- resources: ["namespaces"]
- namespaceSelector:
- matchLabels:
- app.kubernetes.io/managed-by: sessionspaces
- variables:
- - name: targetNs
- expression: "object.metadata.name"
- - name: sourceSecret
- expression: resource.Get("v1", "secrets", "workflows", "artifact-s3")
- generate:
- - expression: generator.Apply(variables.targetNs, [variables.sourceSecret])
+ validationFailureAction: Enforce
+ background: true
+ generateExisting: true
+ mutateExistingOnPolicyUpdate: true
+ useServerSideApply: true
+ rules:
+ - name: copy-artifact-s3-secret
+ match:
+ resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ app.kubernetes.io/managed-by: sessionspaces
+ generate:
+ synchronize: true
+ apiVersion: v1
+ kind: Secret
+ name: artifact-s3
+ namespace: "{{ `{{request.object.metadata.name}}` }}"
+ clone:
+ namespace: workflows
+ name: artifact-s3
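Review bot: The `matchLabels` selector on `app.kubernetes.io/managed-by: sessionspaces` is the only gate on which namespaces receive a clone of `workflows/artifact-s3`, so any Namespace carrying that label gets the S3 credential; with `generateExisting: true` and `synchronize: true` that covers namespaces that already exist and every later change to the source Secret. Nothing in this hunk shows who is permitted to set the label, so that should be confirmed and recorded next to the rule, for example `# Every Namespace with this label receives a copy of workflows/artifact-s3; restrict who may set it.` Because one credential is shared by all matching namespaces, it should be scoped to the minimum bucket access a workflow needs. Separately, `validationFailureAction: Enforce` and `mutateExistingOnPolicyUpdate: true` look like leftovers, since the only rule visible here is a `generate` rule and neither setting appears to apply to it.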