Proposal to Add loadBalancerSourceRanges to Helm Chart for Enhanced IP Allowlisting Support

[briancheldelin]

Background

In environments like Google Cloud Platform and other cloud providers, Kubernetes services of type LoadBalancer can specify loadBalancerSourceRanges. This feature restricts the IP addresses that can access the load balancer. Currently, the Helm chart for deploying the nginx-gateway-fabric cannot configure these IP ranges directly through the Helm values.

Proposal

I propose to enhance the Helm chart by adding support for loadBalancerSourceRanges in the service specification. This addition will allow users to define IP ranges that can access the service, improving security by restricting access to trusted IPs only.

Implementation

The addition involves updating the service.yaml template to include a conditional check for loadBalancerSourceRanges values and append them to the service spec if provided. The values.yaml file will also need to be updated to include a sample configuration for users to modify.

Example:
In values.yaml, users could specify:

service:
  type: LoadBalancer
  loadBalancerSourceRanges:
    - 192.168.0.0/16
    - 172.17.0.0/16

This list would be utilized in service.yaml as:

spec:
  {{- if .Values.service.loadBalancerSourceRanges }}
  loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges }}
  {{- end }}

Benefits

• Security: Enables users to secure their gateway by limiting load balancer access to specific IP addresses.
• Flexibility: Provides flexibility for enterprise users who must comply with strict network access policies.
• Usability: Simplifies configuration management by allowing IP allowlisting directly through Helm values.

Seeking Feedback

I would appreciate feedback on:

• The overall utility of the proposed feature.
• Possible implications for existing deployments.
• Suggestions for improving the implementation approach.

Contribution Offer

I am enthusiastic about contributing this feature to the nginx-gateway-fabric Helm chart. I am prepared to implement and test this enhancement, ensuring it meets the community standards and integrates seamlessly with the existing deployment process. I welcome collaboration and guidance from the project maintainers and community members to make this feature beneficial for all users.

I am looking forward to community insights and thoughts!

[sjberman]

@briancheldelin Thanks for the suggestion. We agree that this would be a beneficial update to our helm chart. I've converted this discussion to an issue. Feel free to assign yourself and submit a PR!

#1865