Use Istio port name naming convention

See https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection Fixes: #502 Signed-off-by: Mathieu Parent <math.parent@gmail.com>
bitnami-labs · Oct 28, 2021 · 274bb3f · 274bb3f
1 parent 62cfb26
commit 274bb3f
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 22 deletions.
diff --git a/cmd/kubeseal/main.go b/cmd/kubeseal/main.go
@@ -51,24 +51,25 @@ const (
 
 var (
 	// TODO: Verify k8s server signature against cert in kube client config.
-	certURL        = flag.String("cert", "", "Certificate / public key file/URL to use for encryption. Overrides --controller-*")
-	controllerNs   = flag.String("controller-namespace", metav1.NamespaceSystem, "Namespace of sealed-secrets controller.")
-	controllerName = flag.String("controller-name", "sealed-secrets-controller", "Name of sealed-secrets controller.")
-	outputFormat   = flag.StringP("format", "o", "json", "Output format for sealed secret. Either json or yaml")
-	outputFileName = flag.StringP("sealed-secret-file", "w", "", "Sealed-secret (output) file")
-	inputFileName  = flag.StringP("secret-file", "f", "", "Secret (input) file")
-	dumpCert       = flag.Bool("fetch-cert", false, "Write certificate to stdout. Useful for later use with --cert")
-	allowEmptyData = flag.Bool("allow-empty-data", false, "Allow empty data in the secret object")
-	printVersion   = flag.Bool("version", false, "Print version information and exit")
-	validateSecret = flag.Bool("validate", false, "Validate that the sealed secret can be decrypted")
-	mergeInto      = flag.String("merge-into", "", "Merge items from secret into an existing sealed secret file, updating the file in-place instead of writing to stdout.")
-	raw            = flag.Bool("raw", false, "Encrypt a raw value passed via the --from-* flags instead of the whole secret object")
-	secretName     = flag.String("name", "", "Name of the sealed secret (required with --raw and default (strict) scope)")
-	fromFile       = flag.StringSlice("from-file", nil, "(only with --raw) Secret items can be sourced from files. Pro-tip: you can use /dev/stdin to read pipe input. This flag tries to follow the same syntax as in kubectl")
-	sealingScope   ssv1alpha1.SealingScope
-	reEncrypt      bool // re-encrypt command
-	unseal         = flag.Bool("recovery-unseal", false, "Decrypt a sealed secrets file obtained from stdin, using the private key passed with --recovery-private-key. Intended to be used in disaster recovery mode.")
-	privKeys       = flag.StringSlice("recovery-private-key", nil, "Private key filename used by the --recovery-unseal command. Multiple files accepted either via comma separated list or by repetition of the flag. Either PEM encoded private keys or a backup of a json/yaml encoded k8s sealed-secret controller secret (and v1.List) are accepted. ")
+	certURL            = flag.String("cert", "", "Certificate / public key file/URL to use for encryption. Overrides --controller-*")
+	controllerNs       = flag.String("controller-namespace", metav1.NamespaceSystem, "Namespace of sealed-secrets controller.")
+	controllerName     = flag.String("controller-name", "sealed-secrets-controller", "Name of sealed-secrets controller.")
+	controllerPortName = flag.String("controller-port-name", "", "Port name of sealed-secrets controller.")
+	outputFormat       = flag.StringP("format", "o", "json", "Output format for sealed secret. Either json or yaml")
+	outputFileName     = flag.StringP("sealed-secret-file", "w", "", "Sealed-secret (output) file")
+	inputFileName      = flag.StringP("secret-file", "f", "", "Secret (input) file")
+	dumpCert           = flag.Bool("fetch-cert", false, "Write certificate to stdout. Useful for later use with --cert")
+	allowEmptyData     = flag.Bool("allow-empty-data", false, "Allow empty data in the secret object")
+	printVersion       = flag.Bool("version", false, "Print version information and exit")
+	validateSecret     = flag.Bool("validate", false, "Validate that the sealed secret can be decrypted")
+	mergeInto          = flag.String("merge-into", "", "Merge items from secret into an existing sealed secret file, updating the file in-place instead of writing to stdout.")
+	raw                = flag.Bool("raw", false, "Encrypt a raw value passed via the --from-* flags instead of the whole secret object")
+	secretName         = flag.String("name", "", "Name of the sealed secret (required with --raw and default (strict) scope)")
+	fromFile           = flag.StringSlice("from-file", nil, "(only with --raw) Secret items can be sourced from files. Pro-tip: you can use /dev/stdin to read pipe input. This flag tries to follow the same syntax as in kubectl")
+	sealingScope       ssv1alpha1.SealingScope
+	reEncrypt          bool // re-encrypt command
+	unseal             = flag.Bool("recovery-unseal", false, "Decrypt a sealed secrets file obtained from stdin, using the private key passed with --recovery-private-key. Intended to be used in disaster recovery mode.")
+	privKeys           = flag.StringSlice("recovery-private-key", nil, "Private key filename used by the --recovery-unseal command. Multiple files accepted either via comma separated list or by repetition of the flag. Either PEM encoded private keys or a backup of a json/yaml encoded k8s sealed-secret controller secret (and v1.List) are accepted. ")
 
 	// VERSION set from Makefile
 	VERSION = buildinfo.DefaultVersion
@@ -208,10 +209,10 @@ func openCertURI(uri string) (io.ReadCloser, error) {
 
 // openCertCluster fetches a certificate by performing an HTTP request to the controller
 // through the k8s API proxy.
-func openCertCluster(c corev1.CoreV1Interface, namespace, name string) (io.ReadCloser, error) {
+func openCertCluster(c corev1.CoreV1Interface, namespace, name, portName string) (io.ReadCloser, error) {
 	f, err := c.
 		Services(namespace).
-		ProxyGet("http", name, "", "/v1/cert.pem", nil).
+		ProxyGet("http", name, portName, "/v1/cert.pem", nil).
 		Stream()
 	if err != nil {
 		return nil, fmt.Errorf("cannot fetch certificate: %v", err)
@@ -233,7 +234,7 @@ func openCert(certURL string) (io.ReadCloser, error) {
 	if err != nil {
 		return nil, err
 	}
-	return openCertCluster(restClient, *controllerNs, *controllerName)
+	return openCertCluster(restClient, *controllerNs, *controllerName, *controllerPortName)
 }
 
 // Seal reads a k8s Secret resource parsed from an input reader by a given codec, encrypts all its secrets

diff --git a/helm/sealed-secrets/templates/deployment.yaml b/helm/sealed-secrets/templates/deployment.yaml
@@ -46,6 +46,7 @@ spec:
           args:
             - "--key-prefix"
             - "{{ .Values.secretName }}"
+            - --controller-port-name=http
             {{- range $value := .Values.commandArgs }}
             - {{ $value | quote }}
             {{- end }}

diff --git a/helm/sealed-secrets/templates/service.yaml b/helm/sealed-secrets/templates/service.yaml
@@ -15,7 +15,8 @@ metadata:
     {{- end }}
 spec:
   ports:
-    - port: 8080
+    - name: http
+      port: 8080
       targetPort: 8080
   selector:
     app.kubernetes.io/name: {{ template "sealed-secrets.name" . }}