Make advertising proxy port (port 80) optional (#107)

champtar · web-flow · commit 2f8687eb48b7 · 2025-11-04T20:57:29.000-08:00
eks-pod-identity-agent only bind on 169.254.170.23 and fd00:ec2::23 for port 80.
By configuring the portmap cni plugin to exclude those 2 addresses
```
{
  "type": "portmap",
  "capabilities": {"portMappings": true},
  "snat": true,
  "conditionsV4": ['!', '-d', '169.254.170.23'],
  "conditionsV6": ['!', '-d', 'fd00:ec2::23']
}
```
we can have a pod using `hostPort: 80` (let's say ingress-nginx) and
eks-pod-identity-agent running on the same node, we just need `advertiseProxyPort: false`.
diff --git a/charts/eks-pod-identity-agent/templates/daemonset.yaml b/charts/eks-pod-identity-agent/templates/daemonset.yaml
@@ -91,9 +91,11 @@ spec:
             - {{ $value | quote }}
             {{- end }}
           ports:
+            {{- if $top.Values.agent.advertiseProxyPort }}
             - containerPort: 80
               protocol: TCP
               name: proxy
+            {{- end }}
             - containerPort: {{ $top.Values.agent.probePort }}
               protocol: TCP
               name: probes-port
diff --git a/charts/eks-pod-identity-agent/values.yaml b/charts/eks-pod-identity-agent/values.yaml
@@ -105,6 +105,7 @@ affinity:
 agent:
   additionalArgs:
     "-v": "trace"
+  advertiseProxyPort: true
   command: "['/go-runner', '/eks-pod-identity-agent', 'server']"
   livenessEndpoint: /healthz
   probePort: 2703
