Add loadBalancerSourceRanges to Helm Chart for Enhanced IP Allowlisting Support #1865

Closed
@sjberman

Discussed in #1863

Originally posted by briancheldelin April 20, 2024

Background

In environments like Google Cloud Platform and other cloud providers, Kubernetes services of type LoadBalancer can specify loadBalancerSourceRanges. This feature restricts the IP addresses that can access the load balancer. Currently, the Helm chart for deploying the nginx-gateway-fabric cannot configure these IP ranges directly through the Helm values.

Proposal

I propose to enhance the Helm chart by adding support for loadBalancerSourceRanges in the service specification. This addition will allow users to define IP ranges that can access the service, improving security by restricting access to trusted IPs only.

Implementation

The addition involves updating the service.yaml template to include a conditional check for loadBalancerSourceRanges values and append them to the service spec if provided. The values.yaml file will also need to be updated to include a sample configuration for users to modify.

Example:
In values.yaml, users could specify:

service:
  type: LoadBalancer
  loadBalancerSourceRanges:
    - 192.168.0.0/16
    - 172.17.0.0/16

This list would be utilized in service.yaml as:

spec:
  {{- if .Values.service.loadBalancerSourceRanges }}
  loadBalancerSourceRanges:
  {{- toYaml .Values.service.loadBalancerSourceRanges | nindent 4 }}
  {{- end }}

Benefits

  • Security: Enables users to secure their gateway by limiting load balancer access to specific IP addresses.
  • Flexibility: Provides flexibility for enterprise users who must comply with strict network access policies.
  • Usability: Simplifies configuration management by allowing IP allowlisting directly through Helm values.
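How a list value renders into the service spec decides whether the allowlist reaches the Service intact. The following added example (not part of the original issue or the project's chart) uses Go's text/template, the engine Helm builds on, to compare a bare `{{ }}` interpolation of the list with block-sequence rendering. The `toYaml` and `nindent` functions here are minimal stand-ins for Helm's helpers, and `Render`, `bareTmpl` and `listTmpl` are hypothetical names.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Minimal stand-ins for Helm's toYaml and nindent, limited to string lists
// (assumption: real Helm supplies these through its own function map).
var funcs = template.FuncMap{
	"toYaml": func(items []string) string {
		return "- " + strings.Join(items, "\n- ")
	},
	"nindent": func(n int, s string) string {
		pad := "\n" + strings.Repeat(" ", n)
		return pad + strings.ReplaceAll(s, "\n", pad)
	},
}

// Bare interpolation: the list is printed in Go's slice format.
const bareTmpl = `spec:
  {{- if .Ranges }}
  loadBalancerSourceRanges: {{ .Ranges }}
  {{- end }}
`

// Block rendering: one YAML sequence entry per CIDR.
const listTmpl = `spec:
  {{- if .Ranges }}
  loadBalancerSourceRanges:
  {{- toYaml .Ranges | nindent 4 }}
  {{- end }}
`

// Render executes tmpl with the given source ranges and returns the text.
func Render(tmpl string, ranges []string) (string, error) {
	var buf bytes.Buffer
	t := template.Must(template.New("svc").Funcs(funcs).Parse(tmpl))
	err := t.Execute(&buf, map[string]any{"Ranges": ranges})
	return buf.String(), err
}

func main() {
	for _, tmpl := range []string{bareTmpl, listTmpl} {
		out, _ := Render(tmpl, []string{"192.168.0.0/16", "172.17.0.0/16"})
		fmt.Print(out, "---\n")
	}
}
```

The bare form yields `[192.168.0.0/16 172.17.0.0/16]`, which YAML reads as a one-element flow sequence whose single string is not a CIDR, so the intended two-entry allowlist never reaches the Service.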

Labels: helm-chart (Relates to helm chart)

Status: ✅ Done