open-policy-agent / gatekeeper

🐊 Gatekeeper - Policy Controller for Kubernetes
https://open-policy-agent.github.io/gatekeeper/
Apache License 2.0

Assign mutation not working with external provider #3663

Closed FouedD closed 1 hour ago

FouedD commented 3 hours ago

Hi. I am using an "Assign" to mutate container images to my desired image. I am using an external provider for that. My external provider is a Flask deployment on the same cluster. In front of this deployment I have a service of type ClusterIP. I am using HTTPS for my provider. I generated the TLS cert as mentioned in the doc https://open-policy-agent.github.io/gatekeeper/website/docs/externaldata#how-to-generate-a-self-signed-ca-and-a-keypair-for-the-external-data-provider and added the base64-encoded CA bundle to my provider declaration. After applying everything (my Assign and Provider), the mutation is not working, although in the logs of my provider I see the HTTP call coming from the webhook. Part of the error I see in the logs of gatekeeper-controller is: `failed to resolve external data placeholders: failed to send external data request to provider my-provider: failed to send external data request: Post "https://flask-app-service.default.svc.cluster.local/": context deadline exceeded`, where "my-provider" is the name of my provider and "flask-app-service" is the name of my service's provider. For info, my Assign mutation is applied on Pods, Deployments and ReplicaSets:

```yaml
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
  name: mutate-pod-images
spec:
  applyTo:
```

When creating the cert the first time, I used flask-app-service.namespace and the spec.url was https://flask-app-service.default for my provider. It did not work. I created another cert with the subject "flask-app-service.default.svc.cluster.local" and it did not work either.

I can't understand what the issue is. Any tip, please?

FouedD commented 3 hours ago

I forgot to mention that I am receiving the request. I can see that in my provider's logs. The request is like this: `{'apiVersion': 'externaldata.gatekeeper.sh/v1beta1', 'kind': 'ProviderRequest', 'request': {'keys': ['']}}`

and my response is this: `{'apiVersion': 'externaldata.gatekeeper.sh/v1beta1', 'kind': 'ProviderResponse', 'response': {'idempotent': True, 'items': [{'key': '', 'value': ''}]}}`

FouedD commented 1 hour ago

Sorry for bothering, I found the issue. I had to change the timeout of the mutation webhook!
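For readers who land on this thread with the same symptom, here is an added example of a minimal external data provider written in plain Python (stdlib only, not the reporter's Flask app and not Gatekeeper project code). It speaks the ProviderRequest/ProviderResponse shape shown in the comments above, reports per-key problems through the item `error` field instead of echoing an empty value for an empty key, keeps `idempotent: true` as the thread's response does, and logs when a request takes a large fraction of the webhook timeout, since the resolution here was the mutating webhook's timeout rather than TLS. The image mapping, registry name and `WEBHOOK_TIMEOUT_SECONDS` value are constructed assumptions.

```python
"""Minimal Gatekeeper external data provider for an Assign mutation (added example)."""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

API_VERSION = "externaldata.gatekeeper.sh/v1beta1"

# Constructed sample mapping: image seen in the pod spec -> image the Assign writes.
# "registry.example.internal" is a hypothetical registry name.
IMAGE_MAP = {
    "nginx:1.25": "registry.example.internal/nginx:1.25",
    "redis:7": "registry.example.internal/redis:7",
}

# Assumed value of timeoutSeconds on the MutatingWebhookConfiguration; the
# provider has to answer well within it or Gatekeeper reports
# "context deadline exceeded" as in this issue.
WEBHOOK_TIMEOUT_SECONDS = 3


def handle_provider_request(body, image_map=IMAGE_MAP):
    """Turn a ProviderRequest dict into a ProviderResponse dict.

    Per-key failures go into the item's 'error' field; a malformed request is
    reported through 'systemError' so Gatekeeper can apply its failure policy.
    """
    response = {
        "apiVersion": API_VERSION,
        "kind": "ProviderResponse",
        "response": {"idempotent": True, "items": []},
    }
    if body.get("apiVersion") != API_VERSION or body.get("kind") != "ProviderRequest":
        response["response"]["systemError"] = "unexpected apiVersion/kind in request"
        return response

    keys = body.get("request", {}).get("keys") or []
    items = response["response"]["items"]
    for key in keys:
        if key == "":
            # Nothing to look up: say so instead of returning an empty value,
            # which is what the response quoted in the thread did.
            items.append({"key": key, "error": "empty key"})
        elif key in image_map:
            items.append({"key": key, "value": image_map[key]})
        else:
            items.append({"key": key, "error": f"no mapping for image {key!r}"})
    return response


class ProviderHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        started = time.monotonic()
        length = int(self.headers.get("Content-Length", 0))
        try:
            body = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            body = {}
        payload = json.dumps(handle_provider_request(body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)
        elapsed = time.monotonic() - started
        # Surface slow handling before it turns into a webhook deadline error.
        if elapsed > WEBHOOK_TIMEOUT_SECONDS / 2:
            self.log_message("slow response: %.2fs (webhook timeout %ds)",
                             elapsed, WEBHOOK_TIMEOUT_SECONDS)


if __name__ == "__main__":
    # Plain HTTP for local testing only; in the cluster, terminate TLS with a
    # cert whose subject matches the host in the Provider's spec.url.
    HTTPServer(("0.0.0.0", 8080), ProviderHandler).serve_forever()
```

Running it locally and posting the request body from the thread (`{"apiVersion": ..., "kind": "ProviderRequest", "request": {"keys": [""]}}`) returns an item with `"error": "empty key"`, which shows up in the gatekeeper-controller logs and is easier to act on than a silent empty mutation.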