bank-vaults: [vault-secrets-webhook] Webhook doesn't mutate pods

Hello, we have an external Vault server and vault-secrets-webhook 1.4.0.

Describe the bug: We have added annotations to the deployment

apiVersion: apps/v1
kind: Deployment
...
spec:
...
  template:
    metadata:
      annotations:
        vault.security.banzaicloud.io/vault-addr: https://vault.external.com/
        vault.security.banzaicloud.io/vault-path: kubernetes-stage
        vault.security.banzaicloud.io/vault-role: some-role
        vault.security.banzaicloud.io/vault-skip-verify: "true"
    spec:
      containers:
        - name: <some-name>
          image: <some-image>
          env:
            - name: DATABASE_URL
              value: 'vault:path/data/dev/backend/databases/phprotect#url'

After deploying, the pods are created without the vault init containers.

Expected behaviour: vault-secrets-webhook mutates our pods

Steps to reproduce the bug:

  1. Install chart v1.4.0 into namespace vault with values.yaml:
# Default values for vault-secrets-webhook.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 2

debug: false

certificate:
  useCertManager: false
  generate: true
  server:
    tls:
      crt:
      key:
  ca:
    crt:
image:
  repository: banzaicloud/vault-secrets-webhook
  # tag: ""
  pullPolicy: IfNotPresent
  imagePullSecrets: []

service:
  name: vault-secrets-webhook
  type: ClusterIP
  externalPort: 443
  internalPort: 8443

serviceAccount:
  labels: {}
  #  useful: label
  annotations: {}
  # Enables GKE workload identity
  #  iam.gke.io/gcp-service-account: gsa@project.iam.gserviceaccount.com

env:
  # VAULT_IMAGE: vault:1.5.0
  VAULT_ENV_IMAGE: banzaicloud/vault-env:1.4.0
  # VAULT_CAPATH: /vault/tls
  # used when the pod that should get secret injected does not specify
  # an imagePullSecret
  # DEFAULT_IMAGE_PULL_SECRET:
  # DEFAULT_IMAGE_PULL_SECRET_NAMESPACE:
  # VAULT_CLIENT_TIMEOUT: 10s

metrics:
  enabled: false
  port: 8443
  serviceMonitor:
    enabled: false
    scheme: https
    tlsConfig:
      insecureSkipVerify: true

securityContext:
  runAsUser: 65534

volumes: []
# - name: vault-tls
#   secret:
#     secretName: vault-tls

volumeMounts: []
# - name: vault-tls
#   mountPath: /vault/tls

podAnnotations: {}

labels: {}
  #  team: banzai

resources: {}

nodeSelector: {}

tolerations: []

affinity: {}

## Assign a PriorityClassName to pods if set
priorityClassName: ""

rbac:
  enabled: true
  psp:
    enabled: false

# A list of Kubernetes resource types to mutate as well:
# Example: ["ingresses", "servicemonitors"]
customResourceMutations: []

customResourcesFailurePolicy: Ignore

# This can cause issues when used with Helm, so it is not enabled by default
configMapMutation: false

configMapFailurePolicy: Ignore

podsFailurePolicy: Ignore

secretsFailurePolicy: Ignore

apiSideEffectValue: NoneOnDryRun

namespaceSelector:
  # matchExpressions:
  #   - key: name
  #     operator: NotIn
  #     values:
  #       - kube-system
  matchLabels:
    sidecar.vault.io/inject: "true"

# In case of the K8s cluster version is above 1.15 objectSelector is usable
objectSelector: {}
  # matchExpressions:
  # - key: security.banzaicloud.io/mutate
  #   operator: NotIn
  #   values:
  #   - skip

podDisruptionBudget:
  enabled: true
  minAvailable: 1

  2. Create namespace
kubectl create namespace project
kubectl label namespace project sidecar.vault.io/inject=true
  3. Apply deployment

Environment details:

  • Kubernetes version (e.g. v1.17.3):
  • Cloud-provider/provisioner (e.g. run on EC2):
  • Install method (e.g. helm):
  • Logs from the misbehaving component (and any other relevant logs): vault-secrets-webhook pod logs
time="2020-08-05T09:55:48Z" level=warning msg="no tracer active" app=vault-secrets-webhook
time="2020-08-05T09:55:48Z" level=warning msg="no tracer active" app=vault-secrets-webhook
time="2020-08-05T09:55:48Z" level=warning msg="no tracer active" app=vault-secrets-webhook
time="2020-08-05T09:55:48Z" level=warning msg="no tracer active" app=vault-secrets-webhook
time="2020-08-05T09:55:48Z" level=info msg="Listening on https://:8443" app=vault-secrets-webhook
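A small triage helper, added here as an example (it is not part of the issue or of the bank-vaults project), that models the two gates visible in this report: the chart's namespaceSelector, which only admits namespaces carrying the sidecar.vault.io/inject="true" label the reproduction steps apply, and the vault: prefix on container env values that the webhook rewrites when it does mutate a pod. The pod template, container name and image are constructed stand-ins for the reporter's deployment; the selector logic also handles the In/NotIn matchExpressions shown commented out in values.yaml.

```python
# Constructed inputs mirroring the report (container name/image are placeholders).
NAMESPACE_SELECTOR = {"matchLabels": {"sidecar.vault.io/inject": "true"}}
VAULT_ADDR_ANNOTATION = "vault.security.banzaicloud.io/vault-addr"
SAMPLE_POD_TEMPLATE = {
    "metadata": {"annotations": {VAULT_ADDR_ANNOTATION: "https://vault.external.com/",
                                 "vault.security.banzaicloud.io/vault-role": "some-role"}},
    "spec": {"containers": [{
        "name": "backend", "image": "example/backend:1.0",
        "env": [{"name": "DATABASE_URL",
                 "value": "vault:path/data/dev/backend/databases/phprotect#url"},
                {"name": "LOG_LEVEL", "value": "info"}]}]},
}


def namespace_selected(ns_labels, selector):
    """Evaluate a label selector (matchLabels plus In/NotIn matchExpressions)
    against a namespace's labels, as the webhook's namespaceSelector is.
    Values compare as exact strings, so "True" does not satisfy "true"."""
    for key, value in selector.get("matchLabels", {}).items():
        if ns_labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, values = expr["key"], expr.get("values", [])
        if expr["operator"] == "In" and ns_labels.get(key) not in values:
            return False
        if expr["operator"] == "NotIn" and ns_labels.get(key) in values:
            return False
    return True


def vault_env_refs(pod_template):
    """Return (container, env name, secret path) for each 'vault:' env value,
    i.e. the values the webhook rewrites when it does mutate the pod."""
    refs = []
    for c in pod_template["spec"].get("containers", []):
        for e in c.get("env", []):
            value = e.get("value", "")
            if value.startswith("vault:"):
                refs.append((c["name"], e["name"], value[len("vault:"):]))
    return refs


def triage(ns_labels, pod_template, selector=NAMESPACE_SELECTOR):
    """Summarise the gates that decide whether the webhook touches a pod."""
    annotations = pod_template.get("metadata", {}).get("annotations", {})
    return {"namespace_selected": namespace_selected(ns_labels, selector),
            "vault_addr_set": VAULT_ADDR_ANNOTATION in annotations,
            "vault_refs": vault_env_refs(pod_template)}
```

Running triage() with the labels of the target namespace (as returned by kubectl get ns project --show-labels) and the deployment's pod template shows at a glance whether the selector or the env values are the reason a pod came up unmutated.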

About this issue

  • Original URL
  • State: open
  • Created 4 years ago
  • Comments: 25 (6 by maintainers)

Most upvoted comments

First of all, I think we have two separate issues here:

  • I have submitted #1078 to resolve the issue of @hugomcfonseca, where the webhook registration is defeated by the Kubernetes version.
  • The original issue of @javdet is some kind of firewall issue in my opinion, and I haven’t got back an answer for that one.