bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

Home Page: https://sealed-secrets.netlify.app/


Kubeseal not working on EKS IPv6 Cluster

Vinaum8 opened this issue

Which component:
SERVER:
Helm chart: https://bitnami-labs.github.io/sealed-secrets/sealed-secrets
Chart Version: 2.14.1
Container Image: docker.io/bitnami/sealed-secrets-controller:v0.24.5

CLIENT:
kubeseal version: v0.24.5

Describe the bug
Well, I tried to generate the sealed secrets with the kubeseal binary version 0.24.5, and the connection starts and ends with the message:

error: cannot fetch certificate: error trying to reach service: dial tcp [2600:1f1e:82a:9d05:25f3::a]:8080: connect: connection timed out

This same kubeseal (server and client version) installed in other clusters with IPv4 works fine.

I had this same error with the RabbitMQ management port and metrics port, and the solution was to change the listen port line in the config file.

From: 0.0.0.0
To: ::

Is there anything I can do?

To Reproduce
With EKS Cluster IPv6.
Install Helm Chart Version
Install Binary Version
Generate Secret.

Expected behavior
[A clear and concise description of what you expected to happen.](error: cannot fetch certificate: error trying to reach service: dial tcp [CLUSTERIP]:8080: connect: connection timed out)

Version of Kubernetes: 1.28

  • Output of kubectl version:
Client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.4-eks-8cb36c9

@alvneiayu Do you have any suggestions or alternatives for this problem?

sorry @Vinaum8, trying to reproduce it. I will come back as soon as possible. Thanks for your time

Simply add

```yaml
command:
  - controller
  - --listen-addr
  - '[::]:8080'
  - --listen-metrics-addr
  - '[::]:8081'
```

to the values of your helm chart and voilà :)

@Vinaum8 Did that configuration work for you?

@agarcia-oss Yes, my kubeseal server is listening on the IPv6 address.
Thanks @fayak

```
HTTP server serving on [::]:8080
HTTP metrics server serving on [::]:8081
```

But my connection between the kubeseal client and the kubeseal server is not working.

```
$ kubeseal < secret.yaml > sealed-secret.yaml

error: cannot fetch certificate: error trying to reach service: dial tcp [2600:1f1e:82a:9d05:df4f::b]:8080: connect: connection timed out
```

Not sure what your issue is there, but in my case I found it easier to enable the ingress and use `kubeseal --cert https://example.com/v1/cert.pem` instead of working with the service directly, especially since most of my users don't have access to the Kubernetes API.

Hmmmm, I'll test this.