From a3957595516e6864c762fbeedb9fdc50c02920cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thorsten=20Ro=C3=9Fner?= Date: Fri, 9 Aug 2024 08:50:50 +0200 Subject: [PATCH] fix(helmfile): Add `cluster.networking.proxies`. Deployments need to set this if their load balancer or reverse proxy IPs are not part of the `cluster.networking.cidr`. --- docs/getting-started.md | 10 ++++++++++ .../apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl | 2 +- helmfile/environments/default/cluster.yaml | 5 ++++- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/docs/getting-started.md b/docs/getting-started.md index 226db3fd..b09a8488 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -199,6 +199,16 @@ cluster: - "127.0.0.0/8" ``` +If your load balancer / reverse proxy IPs are not already covered by the above `cidr` you need to +explicitly configure the related IPs or IP ranges: + +```yaml +cluster: + networking: + incomingCIDR: + - "172.16.0.0/12" +``` + ### Ingress By default, the `ingressClassName` is empty to choose your default ingress controller. You may want to customize it by diff --git a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl index 9ce0fb01..ce5694c7 100644 --- a/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl +++ b/helmfile/apps/nextcloud/values-nextcloud-mgmt.yaml.gotmpl @@ -37,7 +37,7 @@ configuration: port: {{ .Values.cache.nextcloud.port | quote }} collabora: # internalWopiUrl: "" - wopiAllowlist: {{ join " " .Values.cluster.networking.cidr | quote }} + wopiAllowlist: {{ join ", " ( concat .Values.cluster.networking.cidr .Values.cluster.networking.incomingCIDR ) | quote }} database: host: {{ .Values.databases.nextcloud.host | quote }} port: {{ .Values.databases.nextcloud.port | quote }} diff --git a/helmfile/environments/default/cluster.yaml b/helmfile/environments/default/cluster.yaml index ab31b3cc..c9d4bdbe 100644 
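Review bot: The `wopiAllowlist:` line now treats every range in `incomingCIDR` as trusted for WOPI requests, exactly like the cluster `cidr`, so a wide proxy range (the docs example uses `172.16.0.0/12`) widens the allow list accordingly; a comment above the line should make that visible, e.g. `# Sources allowed to call the WOPI endpoints: cluster CIDRs plus the reverse proxy / load balancer ranges from cluster.networking.incomingCIDR - keep these as narrow as possible.` The switch to `", "` as separator looks right for a comma-separated allow list, but the consuming app's parser is not on this page, so a rendered value should be checked against it (including how an empty string is treated when both lists are empty). If a custom environment does not inherit the default `incomingCIDR: []`, `concat` would presumably receive a nil argument and fail at render time rather than fall back to an empty list — worth confirming against helmfile's value merging. The commit subject names the key `cluster.networking.proxies` while the code and docs add `incomingCIDR`; the message should be aligned with the key actually introduced.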
--- a/helmfile/environments/default/cluster.yaml +++ b/helmfile/environments/default/cluster.yaml @@ -18,11 +18,14 @@ cluster: # Kubernetes cluster network CIDRs. cidr: - "10.0.0.0/8" + # IP addresses or IP ranges of the reverse proxy / load balancer to restrict the requesting source + # for defined services. + incomingCIDR: [] # Ingress-gateway IP - only relevant for "NodePort" cluster services. # When ingress and egress gateway use different ips, which results that pods can't self-discover their incoming ip, # you need to provide the public (load-balanced) ingress gateways ip address. ingressGatewayIP: "" - # LoadBalancer status fiel - only relevant for "LoadBalancer" cluster services. + # LoadBalancer status field - only relevant for "LoadBalancer" cluster services. # The IP/DNS of your load-balancer will be fetched for some components from 'status' map of services. # Most providers use '.status.loadBalancer.ingress[0].ip' to store public ip. You can modify the chosen field here. loadBalancerStatusField: "ip"
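Review bot: The comment on the new `incomingCIDR: []` key says it restricts "the requesting source for defined services" without naming which service consumes the value; in this commit only the Nextcloud `wopiAllowlist` does, and a reader of `cluster.yaml` cannot tell that from here. Suggest `# Reverse proxy / load balancer IPs or CIDRs trusted in addition to 'cidr' where a service restricts requesting sources (currently Nextcloud's WOPI allow list). Use quoted CIDR strings, e.g. - "172.16.0.0/12", and keep ranges as narrow as possible.` Listed ranges are trusted rather than merely observed, so the warning about breadth belongs next to the key. The explicit `[]` default is correct; a bare `incomingCIDR:` would render as null instead of an empty list.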