Webhook in local k8s and in GKE

[TomaszKlosinski]

Hi guys, I've deployed webhook into two clusters - one onprem in my DC, and another one in GCP/GKE. The first one works like a charm, but the second seems to be ignored by k8s - no vault client is injected, and nothing happens in the container. Any ideas about what might be wrong?

I've installed it with helm:

helm upgrade --install --namespace=vault vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook --version 1.21.0 --values values.yaml --wait

and I've used the following values:

debug: true

volumes:
- name: ca-certificates
  hostPath:
    path: /etc/ssl/ssl-alpine/

volumeMounts:
- name: ca-certificates
  mountPath: /etc/ssl/
  readOnly: true

resources:
  requests:
    cpu: "0.05"
    memory: "72Mi"
  limits:
    cpu: "0.25"
    memory: "512Mi"

metrics:
  enabled: false

Then when I tested it with the following deployment:

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-vault-secrets
spec:
  replicas: 1
  selector:
    matchLabels:
      app:  test-vault-secrets
  template:
    metadata:
      labels:
        app: test-vault-secrets
      annotations:
        vault.security.banzaicloud.io/vault-addr: "https://vault.mycompany.com:443"
        vault.security.banzaicloud.io/vault-path: "kubernetes-remote"
        vault.security.banzaicloud.io/vault-skip-verify: "true"
    spec:
      containers:
        - name: test-vault-secrets
          image: alpine
          command: ["/bin/sh"]
          args: ["-c", "echo $REDIS_HOST; tail -f /dev/null"]
          env:
          - name: REDIS_HOST
            value: vault:secret/data/redis#host

On the on prem cluster I get the correct value of the secret, but on GKE I get nothing:

$ kubectl logs deployment.apps/test-vault-secrets
vault:secret/data/redis#host

And I don't see any errors in the logs of vault server, webhook or the deployment. Any ideas what's wrong here?

Update: It actually works but in a different namespace than the webhook. In the beginning I was trying to test it in the namespace of the webhook and for some reason in doesn't work there.

[akijakya]

Hi @TomaszKlosinski, thanks for using Bank-Vaults!

The behavior you described is intended, so the webhook won't mutate its own resources (or other Bank-Vaults components that might also be installed in that namespace). Here is the part responsible for adding this namespace selector to the webhook in the Helm chart!