Keep things simpler, remove GS VPN IPs

giantswarm · Sep 28, 2023 · b1cc9a5 · b1cc9a5
1 parent 8c6f38d
commit b1cc9a5
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-- Add `controlPlane.allowList` to configure control plane load balancer ingress rules. It always adds GiantSwarm VPN IPs.
+- Add `controlPlane.allowList` to configure control plane load balancer ingress rules.
 
 ### Changed
 

diff --git a/helm/cluster-aws/README.md b/helm/cluster-aws/README.md
@@ -83,8 +83,8 @@ Properties within the `.controlPlane` top-level object
 
 | **Property** | **Description** | **More Details** |
 | :----------- | :-------------- | :--------------- |
-| `controlPlane.allowList` | **Load balancer allow list** - IPs that are allowed to connect to the control plane load balancer.|**Type:** `array`<br/>**Default:** `["0.0.0.0/0"]`|
-| `controlPlane.allowList[*]` | **CIDR**|**Type:** `string`<br/>|
+| `controlPlane.allowList` | **Load balancer allow list** - IPv4 address ranges that are allowed to connect to the control plane load balancer, in CIDR notation.|**Type:** `array`<br/>**Default:** `["0.0.0.0/0"]`|
+| `controlPlane.allowList[*]` | **Address range**|**Type:** `string`<br/>|
 | `controlPlane.apiMode` | **API mode** - Whether the Kubernetes API server load balancer should be reachable from the internet (public) or internal only (private).|**Type:** `string`<br/>**Default:** `"public"`|
 | `controlPlane.containerdVolumeSizeGB` | **Containerd volume size (GB)**|**Type:** `integer`<br/>**Default:** `100`|
 | `controlPlane.etcdVolumeSizeGB` | **Etcd volume size (GB)**|**Type:** `integer`<br/>**Default:** `100`|

diff --git a/helm/cluster-aws/templates/_aws_cluster.tpl b/helm/cluster-aws/templates/_aws_cluster.tpl
@@ -32,17 +32,15 @@ spec:
     {{- end }}
   controlPlaneLoadBalancer:
     scheme: {{ if (eq .Values.controlPlane.apiMode "public") }}internet-facing{{ else }}internal{{ end }}
+    {{- if .Values.controlPlane.allowList }}
     ingressRules:
     - description: "Kubernetes API"
       protocol: tcp
       fromPort: 6443
       toPort: 6443
       cidrBlocks:
-      - 95.179.153.65/32
-      - 185.102.95.187/32
-      {{- if .Values.controlPlane.allowList }}
       {{- toYaml .Values.controlPlane.allowList | nindent 6 }}
-      {{- end }}
+    {{- end }}
   network:
     cni:
       cniIngressRules: