From 4ebfe8da912218f093acf828ee3d3ea9b022ed5a Mon Sep 17 00:00:00 2001 From: Travis Raines Date: Tue, 23 Nov 2021 12:39:39 -0800 Subject: [PATCH] fix(webhook) exclude Helm Secrets Helm charts with webhooks that handle Secrets run into an issue that prevents changes after an action that enables the webhook: https://github.com/helm/helm/issues/10023 Because Helm's Secret for release information is subject to the webhook, Kubernetes will attempt to validate it, likely before the webhook service comes online (because Helm just created the Pod that will provide it). If the service is not online, validation fails, and Helm cannot update its Secret to mark the release status, usually leaving it stuck in a pending state that blocks future interactions. This change excludes Helm Secrets from our validation, because we have no need to validate them. --- charts/kong/templates/admission-webhook.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/kong/templates/admission-webhook.yaml b/charts/kong/templates/admission-webhook.yaml index 61576cfcc..007ddee3d 100644 --- a/charts/kong/templates/admission-webhook.yaml +++ b/charts/kong/templates/admission-webhook.yaml @@ -34,6 +34,9 @@ metadata: {{- include "kong.metaLabels" . | nindent 4 }} webhooks: - name: validations.kong.konghq.com + objectSelector: + matchLabels: + owner: !helm failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }} sideEffects: None admissionReviewVersions: ["v1beta1"]