-
Notifications
You must be signed in to change notification settings - Fork 671
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix Cannot fetch certificate: no endpoints available for service "http:sealed-secrets-controller:" #648
Conversation
And include a fix for #502. |
@juan131 Please review 🙏. |
@sathieu the new major version was just released!
Please feel to rebase this branch in your fork with the latest changes in the main branch, and update this PR. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks so much for the PR @sathieu !! Please check my comments
…p:sealed-secrets-controller:" See also https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection Fixes: bitnami-labs#502 Fixes: bitnami-labs#694
@juan131 Comments addressed. Please review again. |
This is indeed critical one. Appreciate the fix. |
@juan131 Anything missing in this PR? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! I can confirm this fix works
@juan131 Maybe this fix deserve a major version bump? Also the CI is failing, is this related to this change? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sathieu I just realized that this fixes the chart.. but it breaks the compatibility with the controller.yaml
manifests that we publish at:
These manifests don't have a "http" name in the service port.
maybe this fix deserve a major version bump?
Why do you think so? I don't see that they break backwards compatibility.
@sathieu I updated your branch with a suggestion that dynamically obtains the svc port name. Please let me know what you think |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome work, LGTM
@juan131 Thanks. This is great! lgtm! |
Hello @juan131 , I'm addressing this here because I think your change broke the sealed-secrets-controller for k8s users with no permissions in kube-system - no blame intended. Edit: Confirmed to be broken with 0.17.2 but works with 0.17.1 kubeseal CLI. As you can see in this line the proxier role only grants permissions to get sealed-secrets/helm/sealed-secrets/templates/role.yaml Lines 43 to 45 in 1490884
I guess this is because Thanks for checking. |
Hi @linkvt You're totally right!! That should be pretty straight forward to fix since it just requires to update the RBAC permissions. I'll send a PR to fix it.
We still use a proxy to access the service (I didn't change that), but previously we access the services to obtain the service port name information. |
@juan131 Coming off of @linkvt 's comment, is there no alternative that would support using the original Maybe I'm a little over cautious, but I feel that only allowing |
Just brainstorming here, but one approach could be to control this "discover service endpoint" functionality via feature flag, but by default have kubeseal assume the default |
Hi @chrisob Thanks for sharing your concerns, we really appreciate your opinion. IMHO, the security risk is not that high. It limits the scope to the namespace where the SealedSecrets controller is installed, offering the opportunity to use a dedicated namespace for the controller so authenticated users can exclusively obtain the controller service metadata. Furthermore, this service is by default a "ClusterIP" service that exposes a single HTTP port, I don't think we add much value in terms of security by hiding this info from authenticated users. |
My plan for fixing this was to create a ConfigMap with the public key |
See https://istio.io/latest/docs/ops/configuration/traffic-management/protocol-selection/#explicit-protocol-selection