komish
commented
1 year ago Closing this issue in favor of https://github.com/hashicorp/vault-helm/issues/953 which seems to be a better home.
Closed komish closed 1 year ago
komish
commented
1 year ago Closing this issue in favor of https://github.com/hashicorp/vault-helm/issues/953 which seems to be a better home.
@tvoran @jasonodonnell @tomhjp @calvn @swenson
Hi Folks! We've been doing some work to prepare our certification workflows for OCP 4.13, and think you you may need to update and submit a revised chart in prep. You've been pinged as you're listed as owners of the hashicorp/vault charts.
We had issues in our testing with vault's MutatingWebhookConfiguration not being accessible by kube-apiserver in 4.13. Per my testing, this is just because the NetworkPolicy that's created needs an extra match criteria.
The policy looks like this in your latest chart: https://github.com/openshift-helm-charts/charts/blob/main/charts/partners/hashicorp/vault/0.24.0/src/templates/injector-network-policy.yaml
The
fromitems needs to include an additional entry allowing host network workloads to reach it.This is documented here: https://docs.openshift.com/container-platform/4.13/networking/network_policy/about-network-policy.html#nw-networkpolicy-allow-from-hostnetwork_about-network-policy
We discovered it when chart-testing would run. The webhook would be live and the chart-test would immediately fail because the pod it creates would fail at admission (due to the webhook being inaccessible from the kube-apiserver).
Please let me know how I can help! If it would help, I'm happy to open an issue or a PR to the chart repo if you provide a link.