Setup sealer: cannot fetch certificate: error trying to reach service: Address is not allowed (AWS EKS)

[rowi1de]

I'm currently facing the following issue when using sealed-secrets + https://github.com/bakito/sealed-secrets-web.
As sealed-secret-web is using sealed-secrets API, maybe you guys have an idea:

2023/05/09 07:22:56 Connection to sealed secrets with (Namespace: infrastructure / ServiceName: sealed-secrets)
2023/05/09 07:22:56 Setup sealer: cannot fetch certificate: error trying to reach service: Address is not allowed

• sealed-secrets 2.8.1
  with:

 repoURL: 'https://bitnami-labs.github.io/sealed-secrets'
  targetRevision: 2.8.1
  helm:
    values: |-
      ingress:
        enabled: true
        hostname: sealed-secrets.something.com
        pathType: Prefix
        ingressClassName: "nginx"
        annotations:
          nginx.ingress.kubernetes.io/auth-type: basic
          # name of the secret that contains the user/password definitions
          nginx.ingress.kubernetes.io/auth-secret: sealed-secrets-cert-basic-auth
          # message to display with an appropriate context why the authentication is required
          nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - sealed-secrets-cert'

destination:
  server: 'https://kubernetes.default.svc'
  namespace: infrastructure
syncPolicy:
  automated:
    prune: true
    selfHeal: true
  syncOptions:
    - CreateNamespace=true

• sealed-secrets-web 3.0.7

project: infrastructure
source:
  repoURL: 'https://charts.bakito.net'
  targetRevision: 3.0.*
  helm:
    values: |
      sealedSecrets:
        namespace: infrastructure
        serviceName: sealed-secrets
        # certURL: "http://sealed-secrets.infrastructure.svc.cluster.local:8080/v1/cert.pem" # https://github.com/bitnami-labs/sealed-secrets/issues/1206
      disableLoadSecrets: true
  chart: sealed-secrets-web
destination:
  server: 'https://kubernetes.default.svc'
  namespace: infrastructure
syncPolicy:
  automated:
    prune: true
    selfHeal: true
  syncOptions:
    - CreateNamespace=true

The namespace & service mentioned in the error exist Namespace: infrastructure / ServiceName: sealed-secrets
any hints for further debugging welcome

[rowi1de]

Overrding the certUrl with the cluster internal DNS fixes it, but this should not be required:
certURL: "http://sealed-secrets.infrastructure.svc.cluster.local:8080/v1/cert.pem"

I have the feeling something is wrong with service port / name
https://github.com/bitnami-labs/sealed-secrets/blob/67c2699797425dff2d39f550b42b1782d2ba406e/pkg/kubeseal/kubeseal.go#LL120C2-L120C40

[rowi1de]

Same error happens when using kubeseal --validate --cert $SEALED_SECRETS_CERT --controller-namespace infrastructure --controller-name sealed-secrets or kubeseal --fetch-cert --controller-namespace infrastructure --controller-name sealed-secrets

[rowi1de]

Looks like it’s related to networking issues
https://medium.com/@denisstortisilva/kubernetes-eks-calico-and-custom-admission-webhooks-a2956b49bd0d

[github-actions]

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

[github-actions]

Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.