Setup sealer: cannot fetch certificate: error trying to reach service: Address is not allowed #142
Comments
Hi @rowi1de, can you please verify that the k8s service name of your sealed-secrets installation is
@bakito yes :)

```
kubectl get service sealed-secrets -n infrastructure

NAME             TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)           AGE
sealed-secrets   ClusterIP   10.100.216.31   <none>        8080/TCP,80/TCP   33d
```

```
kubectl get service sealed-secrets -n infrastructure -o yaml
```

```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
  creationTimestamp: "2023-04-06T12:54:54Z"
  labels:
    app.kubernetes.io/instance: sealed-secrets
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: sealed-secrets
    app.kubernetes.io/part-of: sealed-secrets
    app.kubernetes.io/version: v0.20.2
    helm.sh/chart: sealed-secrets-2.8.1
  name: sealed-secrets
  namespace: infrastructure
  resourceVersion: "352387267"
  uid: ced7b2e5-e75c-428e-a5f1-185142f0571b
spec:
  clusterIP: xxxxxx
  clusterIPs:
  - xxxxx
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    port: 8080
    protocol: TCP
    targetPort: http
  - name: http-80
    port: 80
    protocol: TCP
    targetPort: http
  selector:
    app.kubernetes.io/instance: sealed-secrets
    app.kubernetes.io/name: sealed-secrets
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}
```
@bakito regarding the error "cannot fetch certificate: error trying to reach service: Address is not allowed", do you know how the cluster-internal fetching works? How is the endpoint constructed?

Good hint, so I can curl "sealed-secrets.infrastructure.svc.cluster.local:8080/v1/cert.pem" ... I have the feeling something is wrong here: https://github.com/bitnami-labs/sealed-secrets/blob/67c2699797425dff2d39f550b42b1782d2ba406e/pkg/kubeseal/kubeseal.go#LL120C2-L120C40 . Will need to dig deeper. Thanks
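The two questions above (how the cluster-internal fetch works and how the endpoint is constructed) are easier to reason about with a runnable model. The following is an added example written for this page; it is not code from the sealed-secrets project or from anyone in this thread. It assumes three things that the page does not confirm and that are labelled as assumptions in the code: that the in-cluster fetch goes through the Kubernetes API server's `services/<scheme>:<name>:<port>/proxy` subresource rather than straight to the Service's DNS name, that the port used is the first one declared on the Service (which is `http` for the Service shown above), and that the API server's proxy refuses to dial loopback and link-local targets, which is one way the literal text "Address is not allowed" can be produced. The toy `APIServerProxy`, the `Service` model and the placeholder certificate are constructed for the example; `Demo` wires a fake controller behind the toy proxy and shows both the successful path and the exact error string from the issue title.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// ErrAddressNotAllowed carries the exact text quoted in the issue title.
var ErrAddressNotAllowed = errors.New("Address is not allowed")
// Minimal model of the Service fields the fetch depends on (see the kubectl output above).
type ServicePort struct {
	Name string
	Port int
}
type Service struct {
	Namespace, Name, ClusterIP string
	Ports                      []ServicePort
}

// ProxyPath is the API server's services/proxy subresource path (client-go's ProxyGet shape).
func ProxyPath(svc Service, portName, suffix string) string {
	return fmt.Sprintf("/api/v1/namespaces/%s/services/http:%s:%s/proxy%s",
		svc.Namespace, svc.Name, portName, suffix)
}

// LoopbackLinkLocalFilter models the API server's dial filter (assumption: loopback/link-local refused).
func LoopbackLinkLocalFilter(host string) error {
	ip := net.ParseIP(host)
	if ip == nil || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
		return ErrAddressNotAllowed
	}
	return nil
}

func AllowAll(string) error { return nil } // no-filter baseline that shows the successful path

var proxyPath = regexp.MustCompile(`^/api/v1/namespaces/([^/]+)/services/([^/:]+):([^/:]+):([^/:]+)/proxy(/.*)?$`)

// APIServerProxy is a toy stand-in for the real handler: resolve the Service reference, filter, forward.
func APIServerProxy(services map[string]Service, filter func(string) error) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		m := proxyPath.FindStringSubmatch(r.URL.Path) // ns, scheme, name, port, rest
		if m == nil {
			http.Error(w, "not a services proxy path", http.StatusNotFound)
			return
		}
		svc, port := services[m[1]+"/"+m[3]], 0 // an unknown service or port simply fails to dial
		for _, p := range svc.Ports {
			if p.Name == m[4] {
				port = p.Port
			}
		}
		var resp *http.Response
		err := filter(svc.ClusterIP)
		if err == nil {
			resp, err = http.Get(m[2] + "://" + net.JoinHostPort(svc.ClusterIP, fmt.Sprint(port)) + m[5])
		}
		if err != nil { // the wording in the issue title is produced here
			http.Error(w, "error trying to reach service: "+err.Error(), http.StatusServiceUnavailable)
			return
		}
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

// FetchCertViaProxy mirrors the in-cluster fetch: ask the API server, not the Service; first port by name (assumption).
func FetchCertViaProxy(apiServer string, svc Service) (string, error) {
	resp, err := http.Get(apiServer + ProxyPath(svc, svc.Ports[0].Name, "/v1/cert.pem"))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("cannot fetch certificate: %s", strings.TrimSpace(string(body)))
	}
	return string(body), nil
}

// Demo puts a fake controller (constructed placeholder, not a real certificate) behind the toy proxy.
// httptest listens on loopback, so the API-server-style filter refuses it while AllowAll succeeds.
func Demo(filter func(string) error) (string, error) {
	cert := "-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n"
	controller := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, cert) }))
	defer controller.Close()
	addr := controller.Listener.Addr().(*net.TCPAddr)
	svc := Service{Namespace: "infrastructure", Name: "sealed-secrets", ClusterIP: addr.IP.String(), Ports: []ServicePort{{Name: "http", Port: addr.Port}}}
	api := httptest.NewServer(APIServerProxy(map[string]Service{"infrastructure/sealed-secrets": svc}, filter))
	defer api.Close()
	return FetchCertViaProxy(api.URL, svc)
}

func main() { fmt.Println(Demo(LoopbackLinkLocalFilter)) }
```

The practical point of the model is that a successful `curl` against `sealed-secrets.infrastructure.svc.cluster.local:8080/v1/cert.pem` does not exercise the same path as the failing fetch: the direct curl resolves cluster DNS and dials the Service itself, whereas the proxied fetch is a request to the API server, which resolves the Service and does its own dialing and address filtering. To reproduce the proxied path by hand, run `kubectl get --raw "/api/v1/namespaces/infrastructure/services/http:sealed-secrets:http/proxy/v1/cert.pem"` with the same ServiceAccount the tool uses; that request also needs RBAC `get` on the `services/proxy` subresource, which is a separate permission from `get` on `services`.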
@bakito one more idea:

When using
I'm using the defaults for both Helm charts regarding RBAC, which means RBAC resources are created by both charts.

To fix the permission issue for the SA, I had to extend the Role:

Maybe this is also caused by a change in kubeseal...
I'm currently facing the following issue:

with:

I can't use the certURL because of #141.

Anyway, using the cluster-internal connection would be preferred.

The namespace and service mentioned in the error exist:
Namespace: infrastructure / ServiceName: sealed-secrets

Any hints for further debugging are welcome.