fix: Change default external-secrets port when addons are deployed on EKS Fargate to avoid port conflict (#373)
bryantbiggs authored Mar 15, 2024
1 parent 8498301 commit 257677a
Showing 4 changed files with 20 additions and 1 deletion.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -200,6 +200,7 @@ module "eks" {
| <a name="input_enable_cert_manager"></a> [enable\_cert\_manager](#input\_enable\_cert\_manager) | Enable cert-manager add-on | `bool` | `false` | no |
| <a name="input_enable_cluster_autoscaler"></a> [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no |
| <a name="input_enable_cluster_proportional_autoscaler"></a> [enable\_cluster\_proportional\_autoscaler](#input\_enable\_cluster\_proportional\_autoscaler) | Enable Cluster Proportional Autoscaler | `bool` | `false` | no |
| <a name="input_enable_eks_fargate"></a> [enable\_eks\_fargate](#input\_enable\_eks\_fargate) | Identifies whether or not respective addons should be modified to support deployment on EKS Fargate | `bool` | `false` | no |
| <a name="input_enable_external_dns"></a> [enable\_external\_dns](#input\_enable\_external\_dns) | Enable external-dns operator add-on | `bool` | `false` | no |
| <a name="input_enable_external_secrets"></a> [enable\_external\_secrets](#input\_enable\_external\_secrets) | Enable External Secrets operator add-on | `bool` | `false` | no |
| <a name="input_enable_fargate_fluentbit"></a> [enable\_fargate\_fluentbit](#input\_enable\_fargate\_fluentbit) | Enable Fargate FluentBit add-on | `bool` | `false` | no |
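Review bot: the description in the new `enable_eks_fargate` row ("respective addons should be modified") does not say which add-ons change or how; in this commit only the external-secrets `webhook.port` is affected, so consider naming that (for example "currently switches the external-secrets webhook port from 10250 to 9443") and linking to docs/addons/external-secrets.md. The wording is identical to the one in variables.tf, so if this table is generated from the variables, change it there and regenerate rather than editing the README by hand.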
10 changes: 9 additions & 1 deletion docs/addons/external-secrets.md
Expand Up @@ -17,7 +17,7 @@ You can optionally customize the Helm chart that deploys External Secrets via th
external_secrets = {
name = "external-secrets"
chart_version = "0.8.1"
chart_version = "0.9.13"
repository = "https://charts.external-secrets.io"
namespace = "external-secrets"
values = [templatefile("${path.module}/values.yaml", {})]
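Review bot: the `chart_version` bump from `0.8.1` to `0.9.13` in this example is unrelated to the Fargate port fix and is not mentioned in the commit message; either call it out there or split it into its own commit, and check that the example version agrees with whatever default the module pins so the doc does not drift from the code.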
Expand All @@ -33,3 +33,11 @@ external-secrets-67bfd5b47c-xc5xf 1/1 Running 1 (2d1h ago
external-secrets-cert-controller-8f75c6f79-qcfx4 1/1 Running 1 (2d1h ago) 2d6h
external-secrets-webhook-78f6bd456-76wmm 1/1 Running 1 (2d1h ago) 2d6h
```

## EKS Fargate

By default, `external-secrets` creates a webhook pod that listens on port `10250` [[Reference](https://github.com/external-secrets/external-secrets/issues/1306#issuecomment-1171540600)]:

> yes, by default we use port 10250 for the webhook pod because it's generally allowed throughout most default firewall implementations (GKE, EKS), but it conflicts with Fargate. Any port number should do the trick, as long as there is no sg rules or NACLs blocking it :).
This module adds a value `enable_eks_fargate` which will change the webhook port from `10250` to `9443` which matches the [prior default value](https://github.com/external-secrets/external-secrets/issues/1078#issuecomment-1117077327) for `external-secrets` and is typically an acceptable port value within most clusters firewalls today.
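Review bot: there is no blank line between the blockquote and the paragraph that follows it, so Markdown will render `This module adds a value ...` as a lazy continuation of the quoted comment; add a blank line after the quote. Also "clusters firewalls" should read "clusters' firewalls", and since the quoted comment itself conditions the fix on there being "no sg rules or NACLs blocking it", the paragraph should tell operators to verify that the cluster security group allows the control plane to reach the webhook pods on `9443` before enabling the flag, otherwise the API server's calls to the webhook will fail.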
4 changes: 4 additions & 0 deletions main.tf
Expand Up @@ -2436,6 +2436,10 @@ module "external_secrets" {
{
name = "serviceAccount.name"
value = local.external_secrets_service_account
},
{
name = "webhook.port"
value = var.enable_eks_fargate ? "9443" : "10250"
}],
try(var.external_secrets.set, [])
)
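Review bot: `webhook.port` is now set unconditionally, so with `enable_eks_fargate = false` the module pins `10250` instead of inheriting the chart default; that is acceptable but deserves a comment, because a future chart default change would be silently overridden. In addition, the new entry is concatenated ahead of `try(var.external_secrets.set, [])`, so a user who passes their own `webhook.port` in `var.external_secrets.set` ends up with two `set` entries for the same key; document which one wins or drop the module entry when the user supplies one so the user value takes precedence.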
6 changes: 6 additions & 0 deletions variables.tf
Expand Up @@ -36,6 +36,12 @@ variable "create_delay_dependencies" {
default = []
}

variable "enable_eks_fargate" {
description = "Identifies whether or not respective addons should be modified to support deployment on EKS Fargate"
type = bool
default = false
}

################################################################################
# (Generic) Helm Release
################################################################################
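Review bot: the description should state concretely what the flag does today (changes the external-secrets webhook port from 10250 to 9443) so operators know which port to allow in their security groups; "respective addons should be modified" gives no hint that a port change, and therefore a firewall rule, is involved. If more add-ons are expected to honour this flag later, listing the currently affected ones in the description keeps that discoverable without reading main.tf.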
