From 257677adeed1be54326637cf919cf24df6ad7c06 Mon Sep 17 00:00:00 2001
From: Bryant Biggs <bryantbiggs@gmail.com>
Date: Fri, 15 Mar 2024 15:44:06 -0400
Subject: [PATCH] fix: Change default `external-secrets` port when addons are
 deployed on EKS Fargate to avoid port conflict (#373)

---
 README.md                       |  1 +
 docs/addons/external-secrets.md | 10 +++++++++-
 main.tf                         |  4 ++++
 variables.tf                    |  6 ++++++
 4 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6e7fd348..6044a5df 100644
--- a/README.md
+++ b/README.md
@@ -200,6 +200,7 @@ module "eks" {
 | <a name="input_enable_cert_manager"></a> [enable\_cert\_manager](#input\_enable\_cert\_manager) | Enable cert-manager add-on | `bool` | `false` | no |
 | <a name="input_enable_cluster_autoscaler"></a> [enable\_cluster\_autoscaler](#input\_enable\_cluster\_autoscaler) | Enable Cluster autoscaler add-on | `bool` | `false` | no |
 | <a name="input_enable_cluster_proportional_autoscaler"></a> [enable\_cluster\_proportional\_autoscaler](#input\_enable\_cluster\_proportional\_autoscaler) | Enable Cluster Proportional Autoscaler | `bool` | `false` | no |
+| <a name="input_enable_eks_fargate"></a> [enable\_eks\_fargate](#input\_enable\_eks\_fargate) | Identifies whether or not respective addons should be modified to support deployment on EKS Fargate | `bool` | `false` | no |
 | <a name="input_enable_external_dns"></a> [enable\_external\_dns](#input\_enable\_external\_dns) | Enable external-dns operator add-on | `bool` | `false` | no |
 | <a name="input_enable_external_secrets"></a> [enable\_external\_secrets](#input\_enable\_external\_secrets) | Enable External Secrets operator add-on | `bool` | `false` | no |
 | <a name="input_enable_fargate_fluentbit"></a> [enable\_fargate\_fluentbit](#input\_enable\_fargate\_fluentbit) | Enable Fargate FluentBit add-on | `bool` | `false` | no |
diff --git a/docs/addons/external-secrets.md b/docs/addons/external-secrets.md
index a5bf12f7..180571bf 100644
--- a/docs/addons/external-secrets.md
+++ b/docs/addons/external-secrets.md
@@ -17,7 +17,7 @@ You can optionally customize the Helm chart that deploys External Secrets via th
 
   external_secrets = {
     name          = "external-secrets"
-    chart_version = "0.8.1"
+    chart_version = "0.9.13"
     repository    = "https://charts.external-secrets.io"
     namespace     = "external-secrets"
     values        = [templatefile("${path.module}/values.yaml", {})]
@@ -33,3 +33,11 @@ external-secrets-67bfd5b47c-xc5xf                  1/1     Running   1 (2d1h ago
 external-secrets-cert-controller-8f75c6f79-qcfx4   1/1     Running   1 (2d1h ago)   2d6h
 external-secrets-webhook-78f6bd456-76wmm           1/1     Running   1 (2d1h ago)   2d6h
 ```
+
+## EKS Fargate
+
+By default, `external-secrets` creates a webhook pod that listens on port `10250` [[Reference](https://github.com/external-secrets/external-secrets/issues/1306#issuecomment-1171540600)]:
+
+> yes, by default we use port 10250 for the webhook pod because it's generally allowed throughout most default firewall implementations (GKE, EKS), but it conflicts with Fargate. Any port number should do the trick, as long as there is no sg rules or NACLs blocking it :).
+
+This module adds a value `enable_eks_fargate` which will change the webhook port from `10250` to `9443` which matches the [prior default value](https://github.com/external-secrets/external-secrets/issues/1078#issuecomment-1117077327) for `external-secrets` and is typically an acceptable port value within most clusters firewalls today.
diff --git a/main.tf b/main.tf
index f30a04bb..4aa91cb8 100644
--- a/main.tf
+++ b/main.tf
@@ -2436,6 +2436,10 @@ module "external_secrets" {
     {
       name  = "serviceAccount.name"
       value = local.external_secrets_service_account
+    },
+    {
+      name  = "webhook.port"
+      value = var.enable_eks_fargate ? "9443" : "10250"
     }],
     try(var.external_secrets.set, [])
   )
diff --git a/variables.tf b/variables.tf
index 12b0a850..928c8cff 100644
--- a/variables.tf
+++ b/variables.tf
@@ -36,6 +36,12 @@ variable "create_delay_dependencies" {
   default     = []
 }
 
+variable "enable_eks_fargate" {
+  description = "Identifies whether or not respective addons should be modified to support deployment on EKS Fargate"
+  type        = bool
+  default     = false
+}
+
 ################################################################################
 # (Generic) Helm Release
 ################################################################################