Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Helm Chart Webhook Provider port mismatch #4764

Closed
Skaronator opened this issue Sep 20, 2024 · 2 comments
Closed

Helm Chart Webhook Provider port mismatch #4764

Skaronator opened this issue Sep 20, 2024 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@Skaronator
Copy link

Skaronator commented Sep 20, 2024
edited
Loading

What happened:

External-dns uses a hardcoded port (8888) for Webhook providers:

external-dns/main.go

Line 371 in b336c52

webhookapi.StartHTTPApi(p, nil, cfg.WebhookProviderReadTimeout, cfg.WebhookProviderWriteTimeout, "127.0.0.1:8888")

However, the Helm chart defines a liveness probe for the webhook provider on port 8080:

external-dns/charts/external-dns/templates/deployment.yaml

Line 162 in b336c52

containerPort: 8080

This inconsistency results in a CrashLoopBackOff, as the health check is looking for the service on port 8080, while the actual service runs on port 8888.

What you expected to happen:

Both ports are hardcoded and should be aligned to avoid this issue.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:
@Skaronator Skaronator added the kind/bug Categorizes issue or PR as related to a bug. label Sep 20, 2024
@Skaronator Skaronator mentioned this issue Sep 20, 2024
Closed
2 tasks
Skaronator added a commit to Skaronator/homelab that referenced this issue Sep 22, 2024
@Skaronator
Fix invalid port in external-dns webhook deployment
54c3f64 
See:
kubernetes-sigs/external-dns#4764
kubernetes-sigs/external-dns#4765
@mloiseleur
Copy link
Contributor

The documentation explain the purpose of those two ports:

The default recommended port is 8888, and should listen only on localhost (ie: only accessible for k8s probes and external-dns).

And

The metrics should listen “:8080” on /metrics following Open Metrics format.

For security reason, only this metrics port is exposed in the Chart. It allows API port to listen only for localhost, so only external-dns can call it. The metrics port is not sensitive, so it can listen more widely without any risk.

external-dns/charts/external-dns/templates/deployment.yaml

Lines 159 to 162 in 45257fb

ports:
- name: http-webhook
protocol: TCP
containerPort: 8080

The probes are entirely configurable:

external-dns/charts/external-dns/values.yaml

Lines 252 to 260 in 45257fb

livenessProbe:
httpGet:
path: /healthz
port: http-webhook
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 2
successThreshold: 1

So I am not sure to get your issue. There is no mismatch, it's done on purpose, for security reason.

@Skaronator Skaronator mentioned this issue Oct 2, 2024
Closed
@Skaronator
Copy link
Author

Thanks for the detailed explanation, that makes sense! I raised an issue with the webhook provider I use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[helm-chart] Fix wrongly hardcoded port of webhook provider Skaronator/external-dns
2 participants
@Skaronator @mloiseleur