Closed FouedD closed 1 hour ago
I forgot to mention that I am receiving the request. I can see that in my provider's logs.
The request is like this:
{'apiVersion': 'externaldata.gatekeeper.sh/v1beta1', 'kind': 'ProviderRequest', 'request': {'keys': ['
and my response is this:
{'apiVersion': 'externaldata.gatekeeper.sh/v1beta1', 'kind': 'ProviderResponse', 'response': {'idempotent': True, 'items': [{'key': '
Sorry for bothering, I found the issue. I had to change the timeout of the mutation webhook!
Hi. I am using an "Assign" to mutate image containers to my desired image. I am using an external provider for that. My external provider is a Flask deployment on the same cluster. In front of this deployment I have a service of type ClusterIP. I am using HTTPS for my provider. I generated the TLS cert as mentioned in the doc https://open-policy-agent.github.io/gatekeeper/website/docs/externaldata#how-to-generate-a-self-signed-ca-and-a-keypair-for-the-external-data-provider and added the base64 encoded CA bundle to my provider declaration.

After applying everything (my assign and provider), the mutation is not working, although in the logs of my provider I see the HTTP call coming for the webhook. Part of the error I see in the logs of gatekeeper-controller is:

```
failed to resolve external data placeholders: failed to send external data request to provider my-provider: failed to send external data request: Post "https://flask-app-service.default.svc.cluster.local/": context deadline exceeded
```

where "my-provider" is the name of my provider and "flask-app-service" is the name of my service's provider.

For info, my assign mutation is applied on pods, deployments and replicaSets:
```yaml
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
  name: mutate-pod-images
spec:
  applyTo:
  - groups: [""]
    kinds: ["Pod"]
    versions: ["v1"]
  match:
    scope: Namespaced
  location: "spec.containers[name:*].image"
  parameters:
    assign:
      externalData:
        provider: my-provider
        dataSource: ValueAtLocation
---
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
  name: mutate-deploy-images
spec:
  applyTo:
  - groups: ["apps"]
    kinds: ["Deployment"]
    versions: ["v1"]
  match:
    scope: Namespaced
  location: "spec.template.spec.containers[name:*].image"
  parameters:
    assign:
      externalData:
        provider: my-provider
        dataSource: ValueAtLocation
---
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
  name: mutate-rs-images
spec:
  applyTo:
```
When creating the cert the first time, I used flask-app-service.namespace and the spec.url was https://flask-app-service.default for my provider. It did not work. I created another cert with the subject "flask-app-service.default.svc.cluster.local" and it did not work either.
I can't understand what the issue is. Any tips, please?
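
Added example (not part of the thread, and not the poster's or Gatekeeper's own code): a provider-side handler for the ProviderRequest/ProviderResponse exchange quoted in this thread. It also times itself against a deadline, because a provider that receives the call but answers after the caller's deadline produces the `context deadline exceeded` error shown above. The image names, `REWRITES`, `resolve`, `build_response`, `timed_response` and the budget value are assumptions made for illustration.

```python
import json
import time

API_VERSION = "externaldata.gatekeeper.sh/v1beta1"
# Constructed mapping (assumption): submitted image -> image to assign.
REWRITES = {"nginx:latest": "registry.example.internal/nginx:1.25"}


def resolve(key):
    """Return (value, error) for one key. Already-rewritten values map to
    themselves, so feeding the output back in gives the same output."""
    if key in REWRITES.values():
        return key, ""
    if key in REWRITES:
        return REWRITES[key], ""
    return "", f"no rewrite known for {key!r}"


def build_response(raw_body, resolver=resolve):
    """Turn a ProviderRequest JSON body into a ProviderResponse dict."""
    response = {"idempotent": True, "items": []}
    envelope = {"apiVersion": API_VERSION, "kind": "ProviderResponse",
                "response": response}
    try:
        req = json.loads(raw_body)
        if req["apiVersion"] != API_VERSION or req["kind"] != "ProviderRequest":
            raise ValueError("not a v1beta1 ProviderRequest")
        keys = list(req["request"]["keys"])
    except (ValueError, KeyError, TypeError) as exc:
        # Malformed input is reported for the whole request, not per key.
        response["systemError"] = f"bad request: {exc}"
        return envelope
    for key in keys:
        value, error = resolver(key)
        item = {"key": key, "value": value}
        if error:
            item["error"] = error
        response["items"].append(item)
    return envelope


def timed_response(raw_body, budget_seconds, resolver=resolve):
    """Return (response, elapsed_seconds, answered_within_budget)."""
    start = time.monotonic()
    envelope = build_response(raw_body, resolver)
    elapsed = time.monotonic() - start
    return envelope, elapsed, elapsed < budget_seconds
```

Logging `elapsed` next to each request in the provider makes it possible to compare the provider's real response time with the timeout configured on the mutation webhook.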