openshift-helm-charts / charts

OpenShift Helm charts Repository
https://charts.openshift.io

Vault NetworkPolicy requires additional `from` rules in OCP 4.13 #934

Closed komish closed 1 year ago

komish commented 1 year ago

@tvoran @jasonodonnell @tomhjp @calvn @swenson

Hi Folks! We've been doing some work to prepare our certification workflows for OCP 4.13, and think you may need to update and submit a revised chart in prep. You've been pinged as you're listed as owners of the hashicorp/vault charts.

We had issues in our testing with vault's MutatingWebhookConfiguration not being accessible by kube-apiserver in 4.13. Per my testing, this is just because the NetworkPolicy that's created needs an extra match criteria.

The policy looks like this in your latest chart: https://github.com/openshift-helm-charts/charts/blob/main/charts/partners/hashicorp/vault/0.24.0/src/templates/injector-network-policy.yaml

The `from` list needs to include an additional entry allowing host-network workloads to reach it.

```yaml
...
spec:
  podSelector:
    ... removed for brevity ...
  ingress:
    - from:
        - namespaceSelector: {}
        - namespaceSelector:      # add this and the following lines
            matchLabels:
              policy-group.network.openshift.io/host-network: ""
...
```

This is documented here: https://docs.openshift.com/container-platform/4.13/networking/network_policy/about-network-policy.html#nw-networkpolicy-allow-from-hostnetwork_about-network-policy

We discovered it when chart-testing would run. The webhook would be live and the chart-test would immediately fail because the pod it creates would fail at admission (due to the webhook being inaccessible from the kube-apiserver).

Please let me know how I can help! If it would help, I'm happy to open an issue or a PR to the chart repo if you provide a link.
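The following is an added example, not part of the original issue or of the vault-helm chart: a small lint that decides whether a NetworkPolicy admits host-network sources such as kube-apiserver on OpenShift, plus a helper that applies the fix described above. The injector pod labels and the webhook port (8080) in the sample manifest are assumptions; the host-network namespace label is the one from the linked OpenShift documentation. Two semantics the page only implies are handled explicitly: a rule with no `from` at all admits every source, and a peer that pairs the host-network `namespaceSelector` with a non-empty `podSelector` does not admit host-network traffic (the two selectors are ANDed).

```python
"""Check a Kubernetes NetworkPolicy for the OpenShift host-network ingress peer.

Added example (not chart code). Manifests are plain dicts so it runs offline
without a YAML library; kubectl -o json output has the same shape.
"""
import copy

HOST_NETWORK_LABEL = "policy-group.network.openshift.io/host-network"

# Peer that OpenShift (OVN-Kubernetes) matches for host-network sources.
HOST_NETWORK_PEER = {"namespaceSelector": {"matchLabels": {HOST_NETWORK_LABEL: ""}}}

# Constructed sample mirroring the shape described in the issue: only the
# all-namespaces peer. Labels and port are assumptions, not the real chart.
INJECTOR_POLICY_AS_SHIPPED = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "vault-agent-injector"},  # assumed name
    "spec": {
        "podSelector": {"matchLabels": {"app.kubernetes.io/name": "vault-agent-injector"}},
        "ingress": [
            {
                "from": [{"namespaceSelector": {}}],
                "ports": [{"port": 8080, "protocol": "TCP"}],  # assumed webhook port
            }
        ],
    },
}


def namespace_selector_admits_host_network(selector):
    """True if a namespaceSelector carries the host-network label.

    An empty selector ({}) matches every real namespace but, per the OpenShift
    docs, not host-network sources, so it is deliberately NOT counted.
    """
    if selector is None:
        return False
    if (selector.get("matchLabels") or {}).get(HOST_NETWORK_LABEL) == "":
        return True
    for expr in selector.get("matchExpressions") or []:
        if expr.get("key") != HOST_NETWORK_LABEL:
            continue
        if expr.get("operator") == "Exists":
            return True
        if expr.get("operator") == "In" and "" in (expr.get("values") or []):
            return True
    return False


def peer_admits_host_network(peer):
    """A peer admits host-network traffic only if its namespaceSelector does
    and it is not further narrowed by a non-empty podSelector (selectors AND).
    ipBlock peers are ignored (conservative: not counted as allowing it)."""
    if not namespace_selector_admits_host_network(peer.get("namespaceSelector")):
        return False
    pod_selector = peer.get("podSelector")
    return not pod_selector  # None or {} means "any pod" in matched namespaces


def rule_covers_port(rule, port, protocol="TCP"):
    """No 'ports' on a rule means all ports; otherwise look for an exact match."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)


def allows_host_network_ingress(policy, port=None):
    """True if the policy lets host-network sources reach the selected pods.

    - policyTypes set but without Ingress: policy does not isolate ingress -> True
    - no ingress rules: default-deny for selected pods -> False
    - a rule with no 'from' (or from: []) admits every source -> True
    - otherwise some peer must satisfy peer_admits_host_network
    """
    spec = policy.get("spec") or {}
    policy_types = spec.get("policyTypes")
    if policy_types is not None and "Ingress" not in policy_types:
        return True
    for rule in spec.get("ingress") or []:
        if port is not None and not rule_covers_port(rule, port):
            continue
        peers = rule.get("from")
        if not peers:
            return True
        if any(peer_admits_host_network(p) for p in peers):
            return True
    return False


def add_host_network_peer(policy):
    """Return a copy with the host-network peer appended to every restricting
    ingress rule; rules that already admit everything are left alone."""
    fixed = copy.deepcopy(policy)
    for rule in fixed.get("spec", {}).get("ingress") or []:
        peers = rule.get("from")
        if not peers:
            continue
        if not any(peer_admits_host_network(p) for p in peers):
            peers.append(copy.deepcopy(HOST_NETWORK_PEER))
    return fixed


if __name__ == "__main__":
    print("as shipped:", allows_host_network_ingress(INJECTOR_POLICY_AS_SHIPPED, port=8080))
    print("fixed:", allows_host_network_ingress(add_host_network_peer(INJECTOR_POLICY_AS_SHIPPED), port=8080))
```

The check is intentionally conservative: it reports a policy as blocking the API server unless a peer unambiguously admits host-network sources, which is the failure mode the chart test tripped over (webhook live, admission request unable to reach it).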

komish commented 1 year ago

Closing this issue in favor of https://github.com/hashicorp/vault-helm/issues/953 which seems to be a better home.