Set default object selector for webhooks to exclude injector itself (#736)

Set default object selector for webhooks to exclude injector itself

If `injector.failurePolicy` is set to `Fail`, there is a race condition
where if the mutating webhook config is setup before the injector, then
the injector can fail to start because it tries to inject itself.

We can work around this by ignoring the injector pod in the webhook
by default.

Thanks to @joeyslalom for the object selector to exclude the pod.

Fixes https://github.com/hashicorp/vault-k8s/issues/258
Christopher Swenson 2022-05-24 09:48:01 -07:00 committed by GitHub
parent 830761a293
commit daa2b3b236
6 changed files with 39 additions and 14 deletions


@ -1,7 +1,8 @@
## Unreleased
CHANGES:
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0
* `vault` service account is now created even if the server is set to disabled, as per before 0.20.0 [GH-737](https://github.com/hashicorp/vault-helm/pull/737)
* Mutating webhook will no longer target the agent injector pod [GH-736](https://github.com/hashicorp/vault-helm/pull/736)
## 0.20.0 (May 16th, 2022)


@ -485,6 +485,22 @@ Sets extra injector webhook annotations
{{- end }}
{{- end -}}
{{/*
Set's the injector webhook objectSelector
*/}}
{{- define "injector.objectSelector" -}}
{{- $v := or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) -}}
{{ if $v }}
objectSelector:
{{- $tp := typeOf $v -}}
{{ if eq $tp "string" }}
{{ tpl $v . | indent 6 | trim }}
{{ else }}
{{ toYaml $v | indent 6 | trim }}
{{ end }}
{{ end }}
{{ end }}
{{/*
Sets extra ui service annotations
*/}}
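Review bot: `tpl` is applied only in the string branch (`{{ tpl $v . | indent 6 | trim }}`); a map-form selector goes through `toYaml` untemplated, so a `{{ template "vault.name" . }}` reference written in map form, as in the commented values example, would be emitted literally and the webhook would then exclude nothing. The define's header comment should say so, and fix the `Set's` typo while there: `Sets the injector webhook objectSelector. webhook.objectSelector takes precedence over injector.objectSelector; a map is emitted via toYaml as-is, a string is rendered with tpl so it may reference chart templates such as vault.name.` A practitioner overriding the selector needs that distinction to keep the self-exclusion working.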


@ -35,8 +35,5 @@ webhooks:
namespaceSelector:
{{ toYaml (((.Values.injector.webhook)).namespaceSelector | default .Values.injector.namespaceSelector) | indent 6}}
{{ end }}
{{- if or (((.Values.injector.webhook)).objectSelector) (.Values.injector.objectSelector) }}
objectSelector:
{{ toYaml (((.Values.injector.webhook)).objectSelector | default .Values.injector.objectSelector) | indent 6}}
{{ end }}
{{- template "injector.objectSelector" . -}}
{{ end }}
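Review bot: The `namespaceSelector` two lines above still uses the inline `toYaml (... | default ...) | indent 6` form that this hunk removes for `objectSelector`, so the two selectors are now rendered by different mechanisms and only one of them can take a templated string. Extracting a parallel `injector.namespaceSelector` define with the same `or`/`typeOf`/`tpl` shape would keep them consistent and give operators the same string-or-map contract for both. The enclosing `webhooks:` item starts outside the hunk.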


@ -301,15 +301,15 @@ load _helpers
[ "${actual}" = "true" ]
}
@test "injector/MutatingWebhookConfiguration: webhook.objectSelector empty by default" {
@test "injector/MutatingWebhookConfiguration: webhook.objectSelector not empty by default" {
cd `chart_dir`
local actual=$(helm template \
--show-only templates/injector-mutating-webhook.yaml \
--set 'injector.enabled=true' \
--namespace foo \
. | tee /dev/stderr |
yq '.webhooks[0].objectSelector' | tee /dev/stderr)
[ "${actual}" = "null" ]
yq -r '.webhooks[0].objectSelector.matchExpressions[0].key' | tee /dev/stderr)
[ "${actual}" = "app.kubernetes.io/name" ]
}
@test "injector/MutatingWebhookConfiguration: can set webhook.objectSelector" {
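Review bot: The rewritten default test pins only `.matchExpressions[0].key`; the operator and the values entry are what make the exclusion effective, so a regression that rendered `In` or an empty values list would still pass. Add a second assertion in the same test, e.g. `yq -r '.webhooks[0].objectSelector.matchExpressions[0].operator' | tee /dev/stderr)` followed by `[ "${actual}" = "NotIn" ]`. Asserting `values[0]` against the label the injector deployment's pod template carries would close the gap fully, but that label is not visible in this diff, so the expected string would need to be confirmed against the deployment template.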


@ -336,7 +336,10 @@
]
},
"objectSelector": {
"type": "object"
"type": [
"object",
"string"
]
},
"podDisruptionBudget": {
"type": "object"
@ -406,7 +409,10 @@
"type": "object"
},
"objectSelector": {
"type": "object"
"type": [
"object",
"string"
]
},
"timeoutSeconds": {
"type": "integer"


@ -132,7 +132,12 @@ injector:
# objectSelector:
# matchLabels:
# vault-sidecar-injector: enabled
objectSelector: {}
objectSelector: |
matchExpressions:
- key: app.kubernetes.io/name
operator: NotIn
values:
- {{ template "vault.name" . }}-agent-injector
# Extra annotations to attach to the webhook
annotations: {}
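Review bot: The new default is a templated string while the commented example directly above it (`objectSelector:` / `matchLabels:`) still shows the map form, and nothing tells an operator that replacing the default with their own selector silently drops the self-exclusion this commit exists to add. A comment on the default would make the contract explicit: `# Rendered with tpl. The default excludes the injector's own pod so the webhook never has to admit the injector (GH-736); overriding objectSelector replaces this default, so keep the NotIn expression if that exclusion is still wanted.` Whether `app.kubernetes.io/name` with this value is the label the injector pods actually carry cannot be confirmed from this hunk.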