chore(charts): define and use named ports for probes

[jcpunk]

Problem Statement

popeyecli.io linter reported that this container used undefined ports for its probes and that they were listed by port number rather than using named ports.

Related Issue

Fixes #...

Proposed Changes

Ensure ports are defined and named following kubernetes best practices.

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

Define and use named ports for container probes across the Helm chart.

• Add named containerPorts: "ready" for readiness/startup probes and "live" for liveness; update cert-controller, webhook and controller deployment templates to reference these names instead of hard-coded numeric ports. Add conditional rendering so liveness container port uses livenessProbe.spec.port when httpGet.port is a string vs integer.
• Expose livenessProbe.spec.port (integer) in values.yaml and add port property to values.schema.json; livenessProbe.spec.httpGet.port intended to accept either a named port (string) or an integer. Update README/examples to show named-port usage.
• Update tests to validate named ports, startupProbe/readinessProbe behavior, port-override precedence (spec.port vs spec.httpGet), and adjust expectations/snapshots accordingly.
• Contributor completed checklist items (signed commits, tests pass, test coverage) and renamed a test per review feedback.
• Reviewer requested making the probe port configurable without breaking changes by allowing the port schema to accept string OR integer and asked to run make helm.schema.update to regenerate docs/schema. Contributor noted difficulty getting README/schema to show the combined type and believes Helm schema remained unchanged; follow-up needed to ensure schema/docs are regenerated and the values schema allows string|integer to avoid breaking changes.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Probe ports were changed to named ports: readiness -> ready, startup -> startup, liveness -> live. Templates, values, README, schema and tests were updated; startup port rendering is conditional on probe settings and liveness supports a numeric spec.port plus a named httpGet.port.

Changes

Cohort / File(s)	Summary
Docs & Schema deploy/charts/external-secrets/README.md, deploy/charts/external-secrets/values.yaml, deploy/charts/external-secrets/values.schema.json	README and values updated to document/use named httpGet port "live" while adding numeric livenessProbe.spec.port. Schema adds livenessProbe.spec.properties.port (integer). Comments and examples adjusted to show string (named) vs numeric port resolution.
Controller Deployment Templates deploy/charts/external-secrets/templates/deployment.yaml, deploy/charts/external-secrets/templates/cert-controller-deployment.yaml	Add named container ports (live, ready, conditional startup), switch probes to reference named ports, and add conditional logic to resolve liveness httpGet.port between a named string and numeric spec.port. Startup port rendered only when enabled and not using readiness port.
Webhook Deployment Template deploy/charts/external-secrets/templates/webhook-deployment.yaml	Add ready containerPort and switch readinessProbe.httpGet.port to the named port ready.
Tests deploy/charts/external-secrets/tests/controller_test.yaml, deploy/charts/external-secrets/tests/cert_controller_test.yaml	Update assertions for named-port usage (live, ready, startup), validate full livenessProbe fields and container port propagation, and assert conditional exposure of the startup container port.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Skarlso]

This requires a bit more. Like this:

      # -- Set this value to 8082 to active liveness probes.
      # @schema type: [string, integer]
      port: 8082

Otherwise this would be a breaking change.

Further, you need to run make helm.schema.update.

[jcpunk]

I ran make reviewable, something must be wrong with my system.... I'll take a closer look

[jcpunk]

I think this is largely sorted. I cannot figure out how to get the README to say livenessProbe.spec.httpGet.port is either string or integer in the type column... but the helm schema is unchanged so that should mean this is non-breaking. I may be wrong...

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

deploy/charts/external-secrets/README.md (1)

141-146: Documentation reflects the breaking change from values.yaml.

The README now documents the liveness probe port as "metrics" (string, port 8080), which differs from the previous default of 8082 (integer). This documentation change is contingent on the values.yaml change being finalized.

If the values.yaml default is reverted to maintain backward compatibility (as suggested in the review comment on that file), this documentation will need to be updated accordingly to show the numeric default with an explanation that string port names are also supported.

deploy/charts/external-secrets/templates/cert-controller-deployment.yaml (1)

106-123: Probe port references correctly use named ports.

The readinessProbe (line 108) and startupProbe (lines 116, 118) correctly reference the named ports ready and startup rather than numeric ports. The conditional logic properly handles the useReadinessProbePort setting.

Note: The readinessProbe port reference is hard-coded to use the ready named port. Unlike the startupProbe which has configurable port options, the readinessProbe always uses the port defined in certController.readinessProbe.port (currently 8081). This is acceptable for the cert-controller component.

Optional: Consider making readinessProbe port configurable

If there's a future need to allow users to customize which port the readinessProbe uses (similar to the startupProbe's useReadinessProbePort flag), you could add logic like:

readinessProbe:
  httpGet:
    {{- if .Values.certController.readinessProbe.useNamedPort }}
    port: ready
    {{- else }}
    port: {{ .Values.certController.readinessProbe.port }}
    {{- end }}
    path: /readyz

However, this is likely unnecessary complexity for the current use case.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 314eda1 and 9a60dbb.

⛔ Files ignored due to path filters (2)

• deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap is excluded by !**/*.snap
• deploy/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap is excluded by !**/*.snap

📒 Files selected for processing (5)

• deploy/charts/external-secrets/README.md
• deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
• deploy/charts/external-secrets/templates/webhook-deployment.yaml
• deploy/charts/external-secrets/tests/cert_controller_test.yaml
• deploy/charts/external-secrets/values.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• deploy/charts/external-secrets/templates/webhook-deployment.yaml

🔇 Additional comments (2)

deploy/charts/external-secrets/tests/cert_controller_test.yaml (1)

220-255: LGTM! Test assertions correctly validate named port usage.

The test updates properly verify:

• Default readinessProbe uses the named port ready (line 231)
• When startup probe is configured with a custom port, a third containerPort named startup is added (lines 242-247)
• The startupProbe references the named port startup (line 252)

The test expectations align with the template implementation.

deploy/charts/external-secrets/templates/cert-controller-deployment.yaml (1)

98-105: Named port implementation is correct for cert-controller.

The template properly:

• Defines a containerPort named ready for the readiness probe (lines 98-100)
• Conditionally adds a containerPort named startup when startupProbe.enabled is true and useReadinessProbePort is false (lines 101-105)

This aligns with Kubernetes best practices for using named ports in probe configurations.

[jcpunk]

I think I've made coderabbit happy?

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

deploy/charts/external-secrets/tests/controller_test.yaml (1)

182-215: Consider clarifying test name for precedence behavior.

The test name "should customize livenessProbe port under spec.httpGet before spec.port" is slightly ambiguous. The test shows that when both spec.port: 3030 and httpGet.port: 8080 are set, httpGet.port (8080) determines the containerPort.

This is correct behavior based on the template logic at line 142-145 of deployment.yaml, which uses httpGet.port when it's not a string. Consider renaming to clarify the precedence, e.g., "should use httpGet.port over spec.port when httpGet.port is numeric".

Suggested test name clarification

-  - it: should customize livenessProbe port under spec.httpGet before spec.port
+  - it: should use httpGet.port for containerPort when httpGet.port is numeric (ignoring spec.port)

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7328be1 and d429baa.

⛔ Files ignored due to path filters (2)

• deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap is excluded by !**/*.snap
• deploy/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap is excluded by !**/*.snap

📒 Files selected for processing (8)

• deploy/charts/external-secrets/README.md
• deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
• deploy/charts/external-secrets/templates/deployment.yaml
• deploy/charts/external-secrets/templates/webhook-deployment.yaml
• deploy/charts/external-secrets/tests/cert_controller_test.yaml
• deploy/charts/external-secrets/tests/controller_test.yaml
• deploy/charts/external-secrets/values.schema.json
• deploy/charts/external-secrets/values.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• deploy/charts/external-secrets/templates/webhook-deployment.yaml
• deploy/charts/external-secrets/README.md

🔇 Additional comments (12)

deploy/charts/external-secrets/values.schema.json (1)

481-483: LGTM! Schema correctly separates numeric port from named port.

The new port property under livenessProbe.spec is typed as integer, which provides the numeric port value for CLI arguments (e.g., --live-addr), while httpGet.port at lines 467-472 accepts both string and integer to support Kubernetes named ports. This separation resolves the past critical issue where named ports broke operator startup.

deploy/charts/external-secrets/tests/cert_controller_test.yaml (2)

231-231: LGTM! Readiness probe now correctly uses named port.

The test validates that when startupProbe.enabled: true with default useReadinessProbePort, the readiness probe uses the named port ready instead of a numeric port, aligning with Kubernetes best practices.

---

242-255: LGTM! Startup port override test validates named port configuration.

The test correctly validates:

1. A new container port entry with name: startup at ports[2]
2. The startupProbe using the named startup port when useReadinessProbePort: false

This ensures proper separation between readiness and startup probes when custom startup ports are configured.

deploy/charts/external-secrets/templates/deployment.yaml (3)

123-128: LGTM! CLI argument now correctly uses numeric port.

The conditional logic properly handles the separation:

• When httpGet.port is a string (e.g., "live"), it uses spec.port (numeric) for the --live-addr CLI argument
• When httpGet.port is an integer, it uses that value directly

This resolves the past critical issue where using a named port like "metrics" for the CLI argument caused operator startup failures.

---

139-147: LGTM! Container port "live" correctly defined with conditional containerPort.

The template properly:

1. Only adds the port when livenessProbe.enabled is true
2. Uses spec.port when httpGet.port is a string (named port configuration)
3. Uses httpGet.port when it's numeric

This ensures the container port definition matches the actual listening port regardless of how the probe is configured.

---

150-150: LGTM! Properly omits internal-only fields from probe spec.

Adding "port" to the omit list alongside "address" ensures these chart-internal configuration fields don't leak into the Kubernetes livenessProbe spec, which would cause validation errors.

deploy/charts/external-secrets/values.yaml (1)

345-346: LGTM! Dual-port configuration properly resolves the past critical issue.

The configuration now correctly separates:

• spec.port: 8082 - Numeric port used for CLI argument --live-addr
• spec.httpGet.port: live - Named port used in Kubernetes probe specification

This addresses the previously flagged critical issue where using a named port string for the CLI argument caused operator startup failures. The comment on line 359 clearly documents the expected values.

Also applies to: 359-361

deploy/charts/external-secrets/templates/cert-controller-deployment.yaml (2)

98-105: LGTM! Container ports properly defined with named ports.

The template correctly:

1. Defines a ready port for the readiness probe
2. Conditionally defines a startup port only when startupProbe.enabled and useReadinessProbePort: false

This avoids duplicate port definitions and aligns with Kubernetes best practices for named port references.

---

106-122: LGTM! Probes correctly reference named ports.

Both readinessProbe and startupProbe now use named port references (ready or startup) instead of numeric ports, satisfying the Popeye linter requirements and following Kubernetes best practices for probe configuration.

deploy/charts/external-secrets/tests/controller_test.yaml (3)

103-124: LGTM! Comprehensive test for default livenessProbe configuration.

The test validates:

1. The complete livenessProbe spec including httpGet.port: live (named port)
2. The container port entry with containerPort: 8082 and name: live

This ensures the default configuration works correctly with the dual-port setup.

---

125-148: LGTM! Test validates spec.port override behavior.

When spec.port: 8888 is set:

• The httpGet.port remains live (named port)
• The containerPort updates to 8888

This confirms that spec.port controls the listening port while httpGet.port can remain a named reference.

---

149-181: LGTM! Test validates spec.httpGet.port override behavior.

When spec.httpGet.port: 8080 (integer) is set:

• The livenessProbe.httpGet.port becomes 8080 (numeric)
• The containerPort also becomes 8080

This validates the template correctly detects numeric ports and uses them for both the probe and container port.

[jcpunk]

Renamed test per request from coderabbit.

[Skarlso]

/ok-to-test sha=d583812525513e75a8a2f2703d1f2233d68b945d

[eso-service-account-app]

[Bot] - ✅ e2e for d583812525513e75a8a2f2703d1f2233d68b945d passed

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@deploy/charts/external-secrets/values.schema.json`:
- Around line 484-486: The schema entry for livenessProbe.spec.port currently
restricts "port" to integer only; change the JSON Schema for the "port" property
(the same property validated for livenessProbe.spec.port) to accept both string
and integer (e.g., "type": ["string","integer"] or equivalent anyOf with {
"type": "string" } and { "type": "integer" }) so named ports are allowed and it
matches the existing httpGet.port schema.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d583812 and c218c2e.

⛔ Files ignored due to path filters (2)

• deploy/charts/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap is excluded by !**/*.snap
• deploy/charts/external-secrets/tests/__snapshot__/webhook_test.yaml.snap is excluded by !**/*.snap

📒 Files selected for processing (3)

• deploy/charts/external-secrets/README.md
• deploy/charts/external-secrets/values.schema.json
• deploy/charts/external-secrets/values.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• deploy/charts/external-secrets/README.md
• deploy/charts/external-secrets/values.yaml

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2026-01-09T19:14:48.246Z

Learnt from: rbstp
Repo: external-secrets/external-secrets PR: 5712
File: config/crds/bases/external-secrets.io_secretstores.yaml:1958-2044
Timestamp: 2026-01-09T19:14:48.246Z
Learning: In external-secrets CRDs, new providers are added to the GA v1 schema only; v1beta1 is maintained for backward compatibility and does not receive new features (e.g., DVLS should be v1-only).

Applied to files:

• deploy/charts/external-secrets/values.schema.json

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[jcpunk]

Are there any remaining blockers for this?

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud