Project: Zero Trust Workload Identity Manager
Issue: SPIRE-353

Duplicate Port Name "healthz" in spire-server StatefulSet

    • Type: Bug
    • Priority: Normal
    • Resolution: Unresolved
      Description: The spire-server StatefulSet contains two containers (spire-server and spire-controller-manager) that both define a port named healthz, on different container ports (8080 and 8083 respectively). Kubernetes accepts the manifest but emits a duplicate-port-name warning, and Services, health probes and monitoring configurations that reference the port by name all resolve to the first match (the spire-server container's port 8080), which may not be the port intended.


      Steps to Reproduce:


      Step 1: Set up environment variables
      export SPIRE_NAMESPACE=zero-trust-workload-identity-manager

      Step 2: Deploy ZTWIM components

      Step 2a: Deploy the main CR
        export APP_DOMAIN=apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }')
        export CLUSTER_NAME=test01

      oc apply -f - <<EOF
      apiVersion: operator.openshift.io/v1alpha1
      kind: ZeroTrustWorkloadIdentityManager
      metadata:
        name: cluster
      spec:
        trustDomain: ${APP_DOMAIN}
        clusterName: ${CLUSTER_NAME}
        bundleConfigMap: spire-bundle
      EOF

      Step 2b: Deploy the SpireServer CR
        export JWT_ISSUER_ENDPOINT=oidc-discovery.${APP_DOMAIN}

      oc apply -f - <<EOF
      apiVersion: operator.openshift.io/v1alpha1
      kind: SpireServer
      metadata:
        name: cluster
      spec:
        caSubject:
          commonName: "SPIRE Server CA"
          country: "US"
          organization: "RH"
        jwtIssuer: https://${JWT_ISSUER_ENDPOINT}
        persistence:
          type: pvc
          size: "2Gi"
          accessMode: ReadWriteOncePod
        datastore:
          databaseType: sqlite3
          connectionString: "/run/spire/data/datastore.sqlite3"
      EOF

      Step 3: Wait for StatefulSet to be ready
      oc rollout status statefulset/spire-server -n ${SPIRE_NAMESPACE} --timeout=300s

      Step 4: Verify the duplicate port name issue
      oc get statefulset spire-server -n ${SPIRE_NAMESPACE} -o json | \
        jq '.spec.template.spec.containers[] | {name: .name, ports: .ports}'

      Step 5: Trigger an update to observe the warning
      oc scale statefulset spire-server -n ${SPIRE_NAMESPACE} --replicas=2


      Expected Result
      Each container should have uniquely named ports to avoid ambiguity:

      containers:
      - name: spire-server
        ports:
        - name: grpc
          containerPort: 8081
          protocol: TCP
        - name: spire-server-healthz    # Unique name
          containerPort: 8080
          protocol: TCP
      - name: spire-controller-manager
        ports:
        - name: https
          containerPort: 9443
          protocol: TCP
        - name: controller-mgr-healthz  # Unique name
          containerPort: 8083
          protocol: TCP

      Actual Result
      Both containers use the same port name healthz:

      {
        "name": "spire-server",
        "ports": [
          { "containerPort": 8081, "name": "grpc",    "protocol": "TCP" },
          { "containerPort": 8080, "name": "healthz", "protocol": "TCP" }   // ❌ Duplicate
        ]
      }
      {
        "name": "spire-controller-manager",
        "ports": [
          { "containerPort": 9443, "name": "https",   "protocol": "TCP" },
          { "containerPort": 8083, "name": "healthz", "protocol": "TCP" }   // ❌ Duplicate
        ]
      }

      Kubernetes Warning Message
      Warning: spec.template.spec.containers[1].ports[1]: duplicate port name "healthz" 
      with spec.template.spec.containers[0].ports[1], services and probes that select 
      ports by name will use spec.template.spec.containers[0].ports[1]
      Suggested Fix
      Option 1: Use Container-Prefixed Names (Recommended)

      spire-server container:
        ports:
        - name: server-healthz
          containerPort: 8080
          protocol: TCP

      spire-controller-manager container:
        ports:
        - name: ctrlmgr-healthz
          containerPort: 8083
          protocol: TCP

      Option 2: Use Function-Based Names

      spire-server container:
        ports:
        - name: spire-health
          containerPort: 8080
          protocol: TCP

      spire-controller-manager container:
        ports:
        - name: webhook-health
          containerPort: 8083
          protocol: TCP
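As an added check that is not part of this issue or the operator's code: a small Python validator that, given a pod template like the one in the Actual Result (constructed inline here), reports port names shared across containers, shows which container a by-name Service or probe reference actually lands on, and goes one step further than the warning by flagging names the API server would reject because they exceed the 15-character IANA_SVC_NAME limit (the two names in the Expected Result above are longer than that; both fix options pass).

```python
import copy
import re
from collections import defaultdict

# Constructed from the Actual Result of this issue (protocol omitted): both
# containers of the spire-server pod name a port "healthz".
SPIRE_SERVER_POD_SPEC = {"containers": [
    {"name": "spire-server", "ports": [
        {"name": "grpc", "containerPort": 8081}, {"name": "healthz", "containerPort": 8080}]},
    {"name": "spire-controller-manager", "ports": [
        {"name": "https", "containerPort": 9443}, {"name": "healthz", "containerPort": 8083}]},
]}

# Kubernetes validates port names as IANA_SVC_NAME: 1-15 chars, lowercase
# alphanumerics and '-', at least one letter, no leading/trailing/double '-'.
_IANA_SVC_NAME = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")

def named_ports(pod_spec):
    """Yield (name, container_idx, port_idx, containerPort) in the order Kubernetes walks them."""
    for ci, container in enumerate(pod_spec.get("containers", [])):
        for pi, port in enumerate(container.get("ports", [])):
            if port.get("name"):
                yield port["name"], ci, pi, port["containerPort"]

def duplicate_port_names(pod_spec):
    """Port names used by more than one port across ALL containers -> their (ci, pi, containerPort)."""
    seen = defaultdict(list)
    for name, ci, pi, cport in named_ports(pod_spec):
        seen[name].append((ci, pi, cport))
    return {n: uses for n, uses in seen.items() if len(uses) > 1}

def resolve_named_port(pod_spec, name):
    """Port a Service targetPort/probe using `name` lands on: the first match, as the warning says."""
    return next((cp for n, _c, _p, cp in named_ports(pod_spec) if n == name), None)

def invalid_port_names(pod_spec):
    """Port names the API server would reject (e.g. longer than 15 characters)."""
    return [n for n, *_ in named_ports(pod_spec)
            if len(n) > 15 or "--" in n or not _IANA_SVC_NAME.match(n)
            or not re.search("[a-z]", n)]

def with_renamed_healthz(pod_spec, new_names):
    """Copy of the spec with container i's 'healthz' port renamed to new_names[i]."""
    fixed = copy.deepcopy(pod_spec)
    for container, new_name in zip(fixed["containers"], new_names):
        for port in container["ports"]:
            if port["name"] == "healthz":
                port["name"] = new_name
    return fixed
```

Run the same functions over `oc get statefulset spire-server -o json | jq .spec.template.spec` to check a live cluster; an empty result from duplicate_port_names and invalid_port_names means the rename is safe to ship.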

              rh-ee-aagnihot Anirudh Agnihotri
              rh-ee-sayadas SAYAK DAS