Provide a way to use Mattermost Webhooks from other Namespaces internal to a Cluster
Summary
Currently it's not possible to communicate with a Mattermost webhook from inside our clusters. We got help from the Big Bang Integration team by way of @jrb, who was very helpful in identifying the root cause as strict NetworkPolicy (which is a good thing).
We would like a way to specify namespace(s) and pod(s) combinations, because there could be examples where we use Grafana and GitLab.
Steps to reproduce
Try to curl http://mattermost.mattermost.svc.cluster.local:8065 from any other pod in any other namespace.
What is the current behavior?
HTTP 503 Service Unavailable.
upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: delayed connect error: 111
response from Envoy.
What is the expected behavior?
HTTP 200 OK
Relevant logs and/or screenshots
N/A
Possible fixes
Provide a way to provision this NetworkPolicy from values.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-mattermost-webhook-ingress
  namespace: mattermost
spec:
  podSelector:
    matchLabels:
      app: mattermost
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              xxx
          podSelector:
            matchLabels:
              app: xxx
      ports:
        - port: 8065
          protocol: TCP
We are working around this by sideloading the exact manifest using a Zarf package.
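The policy above puts namespaceSelector and podSelector in the same `from` entry, which means both must match. The following added example (not part of the original issue or of the Big Bang chart) models that matching for matchLabels selectors and compares it with the same selectors written as two separate `from` entries; the `monitoring` namespace, the `app: grafana` label and the sample sources are constructed assumptions.

```python
# Added example: evaluates NetworkPolicy ingress `from` peers (matchLabels only).
# Namespaces, pod labels and the "grafana" source are constructed for illustration.

def labels_match(selector, labels):
    """True when every matchLabels pair is present; an empty selector matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, policy_ns, src):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        # A podSelector on its own only selects pods in the policy's namespace.
        ns_ok = src["namespace"] == policy_ns
    else:
        ns_ok = labels_match(ns_sel, src["ns_labels"])
    pod_ok = pod_sel is None or labels_match(pod_sel, src["pod_labels"])
    return ns_ok and pod_ok  # fields inside one peer are ANDed

def ingress_allowed(peers, policy_ns, src):
    return any(peer_allows(p, policy_ns, src) for p in peers)  # peers are ORed

NS_SEL = {"matchLabels": {"kubernetes.io/metadata.name": "monitoring"}}
POD_SEL = {"matchLabels": {"app": "grafana"}}
# One peer with both selectors (as in the issue's manifest) vs. two peers.
COMBINED = [{"namespaceSelector": NS_SEL, "podSelector": POD_SEL}]
SPLIT = [{"namespaceSelector": NS_SEL}, {"podSelector": POD_SEL}]

def source(namespace, app):
    return {"namespace": namespace,
            "ns_labels": {"kubernetes.io/metadata.name": namespace},
            "pod_labels": {"app": app}}

SOURCES = {
    "grafana in monitoring": source("monitoring", "grafana"),
    "other pod in monitoring": source("monitoring", "other"),
    "app=grafana pod in mattermost": source("mattermost", "grafana"),
    "app=grafana pod in dev": source("dev", "grafana"),
}

def evaluate(peers):
    """Map each constructed source to whether the peers admit it to port 8065."""
    return {name: ingress_allowed(peers, "mattermost", s) for name, s in SOURCES.items()}

if __name__ == "__main__":
    for label, peers in (("combined", COMBINED), ("split", SPLIT)):
        print(label, evaluate(peers))
```

When the policy is templated from values, rendering each namespace/pod pair as a single `from` entry keeps the policy as narrow as the combined form; a stray `-` before podSelector produces the split form, which admits every pod in the selected namespace.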