Kubeseal not working on EKS IPv6 Cluster
Vinaum8 opened this issue
Which component:
SERVER:
Helm chart: https://bitnami-labs.github.io/sealed-secrets/sealed-secrets
Chart Version: 2.14.1
Container Image: docker.io/bitnami/sealed-secrets-controller:v0.24.5
CLIENT:
kubeseal version: v0.24.5
Describe the bug
Well, I tried to generate the sealed secrets with kubeseal binary version 0.24.5, and the connection starts and ends with the message:
```
error: cannot fetch certificate: error trying to reach service: dial tcp [2600:1f1e:82a:9d05:25f3::a]:8080: connect: connection timed out
```
This same kubeseal (server and client version) installed in other clusters with IPv4 works fine.
I had this same error with the RabbitMQ management port and metrics port, and the solution was to change the listen port line in the config file.
From: 0.0.0.0
To: ::
Is there anything I can do?
To Reproduce
With EKS Cluster IPv6.
Install Helm Chart Version
Install Binary Version
Generate Secret.
Expected behavior
[A clear and concise description of what you expected to happen.](error: cannot fetch certificate: error trying to reach service: dial tcp [CLUSTERIP]:8080: connect: connection timed out)
Version of Kubernetes: 1.28
- Output of `kubectl version`:
```
Client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.4-eks-8cb36c9
```
@alvneiayu Do you have any suggestions or alternatives for this problem?
Sorry @Vinaum8, trying to reproduce it. I will come back as soon as possible. Thanks for your time.
Simply add
```yaml
command:
- controller
- --listen-addr
- '[::]:8080'
- --listen-metrics-addr
- '[::]:8081'
```
to the values of your helm chart and voilà :)
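The listen-address change discussed in this thread (`0.0.0.0` to `::`), shown at the socket level as an added example that is not part of the thread or of the sealed-secrets code. The helper names are hypothetical, and it assumes a Linux host with a loopback interface; it reports whether a client gets a connection, a refusal, or a timeout for each wildcard bind.

```python
import socket

def ipv6_loopback_available() -> bool:
    """True if this host can bind a TCP socket on ::1."""
    if not socket.has_ipv6:
        return False
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind(("::1", 0))
        return True
    except OSError:
        return False

def listen_on(bind_host: str) -> socket.socket:
    """Listen on an ephemeral port of the given wildcard address."""
    family = socket.AF_INET6 if ":" in bind_host else socket.AF_INET
    srv = socket.socket(family, socket.SOCK_STREAM)
    if family == socket.AF_INET6:
        # Dual-stack: also accept IPv4 clients as IPv4-mapped addresses.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
    srv.bind((bind_host, 0))
    srv.listen(1)
    return srv

def probe(bind_host: str, client_host: str, timeout: float = 2.0) -> str:
    """Return 'connected', 'refused' or 'timeout' for one connection attempt."""
    with listen_on(bind_host) as srv:
        port = srv.getsockname()[1]
        family = socket.AF_INET6 if ":" in client_host else socket.AF_INET
        with socket.socket(family, socket.SOCK_STREAM) as cli:
            cli.settimeout(timeout)
            try:
                cli.connect((client_host, port))
                return "connected"
            except ConnectionRefusedError:
                return "refused"  # nothing is listening on that address family
            except socket.timeout:
                return "timeout"  # no answer at all came back

if __name__ == "__main__":
    cases = [("0.0.0.0", "127.0.0.1")]
    if ipv6_loopback_available():
        cases += [("0.0.0.0", "::1"), ("::", "::1"), ("::", "127.0.0.1")]
    for bind_host, client_host in cases:
        print(f"listen {bind_host:8} <- client {client_host:10}: {probe(bind_host, client_host)}")
```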
@Vinaum8 Did that configuration work for you?
@agarcia-oss Yes, my kubeseal server is listening on an IPv6 address.
Thanks @fayak
```
HTTP server serving on [::]:8080
HTTP metrics server serving on [::]:8081
```
But my connection between the kubeseal client and the kubeseal server is not working.
```
$ kubeseal < secret.yaml > sealed-secret.yaml
error: cannot fetch certificate: error trying to reach service: dial tcp [2600:1f1e:82a:9d05:df4f::b]:8080: connect: connection timed out
```
Not sure what your issue is there, but in my case I found it easier to enable the ingress and use `kubeseal --cert https://example.com/v1/cert.pem` instead of working with the service directly, especially since most of my users don't have access to the Kubernetes API.
Hmmmm, I'll test this.