Commit 257677a

fix: Change default external-secrets port when addons are deployed on EKS Fargate to avoid port conflict (#373)
1 parent 8498301 commit 257677a

4 files changed

+20
-1
lines changed

README.md

Lines changed: 1 addition & 0 deletions
@@ -200,6 +200,7 @@ module "eks" {
200200
| <a name="input_enable_cert_manager"></a> [enable\_cert\_manager](#input\_enable\_cert\_manager) | Enable cert-manager add-on | `bool` | `false` | no |
201201
| <a name="input_enable_cluster_autoscaler"></a> [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no |
202202
| <a name="input_enable_cluster_proportional_autoscaler"></a> [enable\_cluster\_proportional\_autoscaler](#input\_enable\_cluster\_proportional\_autoscaler) | Enable Cluster Proportional Autoscaler | `bool` | `false` | no |
203+
| <a name="input_enable_eks_fargate"></a> [enable\_eks\_fargate](#input\_enable\_eks\_fargate) | Identifies whether or not respective addons should be modified to support deployment on EKS Fargate | `bool` | `false` | no |
203204
| <a name="input_enable_external_dns"></a> [enable\_external\_dns](#input\_enable\_external\_dns) | Enable external-dns operator add-on | `bool` | `false` | no |
204205
| <a name="input_enable_external_secrets"></a> [enable\_external\_secrets](#input\_enable\_external\_secrets) | Enable External Secrets operator add-on | `bool` | `false` | no |
205206
| <a name="input_enable_fargate_fluentbit"></a> [enable\_fargate\_fluentbit](#input\_enable\_fargate\_fluentbit) | Enable Fargate FluentBit add-on | `bool` | `false` | no |

docs/addons/external-secrets.md

Lines changed: 9 additions & 1 deletion
@@ -17,7 +17,7 @@ You can optionally customize the Helm chart that deploys External Secrets via th
1717
1818
external_secrets = {
1919
name = "external-secrets"
20-
chart_version = "0.8.1"
20+
chart_version = "0.9.13"
2121
repository = "https://charts.external-secrets.io"
2222
namespace = "external-secrets"
2323
values = [templatefile("${path.module}/values.yaml", {})]
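Review bot: The `chart_version` change from `"0.8.1"` to `"0.9.13"` in this documentation example is not mentioned in the commit title, and the `main.tf` hunk in this commit only adds `webhook.port`, so nothing visible here shows the module's own default chart version moving with it. Please confirm the example matches the version the module actually deploys, or drop the bump from this change so the docs do not advertise a version the port fix was not tested against.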
@@ -33,3 +33,11 @@ external-secrets-67bfd5b47c-xc5xf 1/1 Running 1 (2d1h ago
3333
external-secrets-cert-controller-8f75c6f79-qcfx4 1/1 Running 1 (2d1h ago) 2d6h
3434
external-secrets-webhook-78f6bd456-76wmm 1/1 Running 1 (2d1h ago) 2d6h
3535
```
36+
37+
## EKS Fargate
38+
39+
By default, `external-secrets` creates a webhook pod that listens on port `10250` [[Reference](https://github.com/external-secrets/external-secrets/issues/1306#issuecomment-1171540600)]:
40+
41+
> yes, by default we use port 10250 for the webhook pod because it's generally allowed throughout most default firewall implementations (GKE, EKS), but it conflicts with Fargate. Any port number should do the trick, as long as there is no sg rules or NACLs blocking it :).
42+
43+
This module adds a value `enable_eks_fargate` which will change the webhook port from `10250` to `9443` which matches the [prior default value](https://github.com/external-secrets/external-secrets/issues/1078#issuecomment-1117077327) for `external-secrets` and is typically an acceptable port value within most clusters firewalls today.
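Review bot: The new "EKS Fargate" section explains the port conflict but never shows how to opt in or what has to be true on the network side. The quoted upstream comment makes the port change conditional on "no sg rules or NACLs blocking it", while the added paragraph only says `9443` is "typically an acceptable port value". Suggest adding a line that the user must set `enable_eks_fargate = true`, and stating that security groups and NACLs have to allow traffic to the webhook on `9443`, since a blocked admission webhook port shows up as failed or timed-out API requests rather than an obvious add-on error. Minor wording: "most clusters firewalls" should read "most cluster firewalls".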

main.tf

Lines changed: 4 additions & 0 deletions
@@ -2436,6 +2436,10 @@ module "external_secrets" {
24362436
{
24372437
name = "serviceAccount.name"
24382438
value = local.external_secrets_service_account
2439+
},
2440+
{
2441+
name = "webhook.port"
2442+
value = var.enable_eks_fargate ? "9443" : "10250"
24392443
}],
24402444
try(var.external_secrets.set, [])
24412445
)
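Review bot: The `webhook.port` entry is emitted unconditionally, so with `enable_eks_fargate = false` the module now pins the port to `"10250"` through `set` instead of leaving the chart default alone. Helm gives `set` entries precedence over `values`, which means anyone who already worked around the Fargate conflict by putting `webhook.port` in their `values` file will have it overridden back to `10250` after upgrading. Suggest adding the `webhook.port` entry only when `var.enable_eks_fargate` is true (for example by concatenating a conditional list), so the non-Fargate path is unchanged and the chart default is not duplicated here.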

variables.tf

Lines changed: 6 additions & 0 deletions
@@ -36,6 +36,12 @@ variable "create_delay_dependencies" {
3636
default = []
3737
}
3838

39+
variable "enable_eks_fargate" {
40+
description = "Identifies whether or not respective addons should be modified to support deployment on EKS Fargate"
41+
type = bool
42+
default = false
43+
}
44+
3945
################################################################################
4046
# (Generic) Helm Release
4147
################################################################################
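Review bot: The `description` on `enable_eks_fargate` ("respective addons should be modified") does not say which add-ons react to the flag or what changes. In this commit the only consumer is the `external_secrets` `webhook.port` value in `main.tf`. Suggest naming that in the description, for example that it switches the external-secrets webhook port from `10250` to `9443`, and updating the matching README input row, so an operator reading the inputs table knows that enabling the flag changes a listening port that firewall rules may depend on.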

0 commit comments
