Add value to configure control plane load balancer allow list

CHANGELOG.md

@@ -9,7 +9,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-- Add teleport.service: Secure SSH access via Teleport
+- Add teleport.service: Secure SSH access via Teleport.
+- Add `controlPlane.loadBalancerIngressAllowCidrBlocks` to configure control plane load balancer ingress rules.
 
 ## [0.45.0] - 2023-10-04
 

helm/cluster-aws/README.md

@@ -100,6 +100,8 @@ Properties within the `.controlPlane` top-level object
 | `controlPlane.etcdVolumeSizeGB` | **Etcd volume size (GB)**|**Type:** `integer`<br/>**Default:** `100`|
 | `controlPlane.instanceType` | **EC2 instance type**|**Type:** `string`<br/>**Default:** `"r6i.xlarge"`|
 | `controlPlane.kubeletVolumeSizeGB` | **Kubelet volume size (GB)**|**Type:** `integer`<br/>**Default:** `100`|
+| `controlPlane.loadBalancerIngressAllowCidrBlocks` | **Load balancer allow list** - IPv4 address ranges that are allowed to connect to the control plane load balancer, in CIDR notation. When setting this field, remember to add the Management cluster Nat Gateway IPs provided by Giant Swarm so that the cluster can still be managed.|**Type:** `array`<br/>**Default:** `["0.0.0.0/0"]`|
+| `controlPlane.loadBalancerIngressAllowCidrBlocks[*]` | **Address range**|**Type:** `string`<br/>|
 | `controlPlane.machineHealthCheck` | **Machine health check**|**Type:** `object`<br/>|
 | `controlPlane.machineHealthCheck.enabled` | **Enable**|**Type:** `boolean`<br/>**Default:** `true`|
 | `controlPlane.machineHealthCheck.maxUnhealthy` | **Maximum unhealthy nodes**|**Type:** `string`<br/>**Example:** `"40%"`<br/>**Default:** `"40%"`|

helm/cluster-aws/templates/_aws_cluster.tpl

@@ -32,6 +32,15 @@ spec:
     {{- end }}
   controlPlaneLoadBalancer:
     scheme: {{ if (eq .Values.controlPlane.apiMode "public") }}internet-facing{{ else }}internal{{ end }}
+    {{- if .Values.controlPlane.loadBalancerIngressAllowCidrBlocks }}
+    ingressRules:
+    - description: "Kubernetes API"
+      protocol: tcp
+      fromPort: 6443
+      toPort: 6443
+      cidrBlocks:
+      {{- toYaml .Values.controlPlane.loadBalancerIngressAllowCidrBlocks | nindent 6 }}
+    {{- end }}
   network:
     cni:
       cniIngressRules:

helm/cluster-aws/values.schema.json

@@ -585,6 +585,18 @@
                     "title": "Kubelet volume size (GB)",
                     "default": 100
                 },
+                "loadBalancerIngressAllowCidrBlocks": {
+                    "type": "array",
+                    "title": "Load balancer allow list",
+                    "description": "IPv4 address ranges that are allowed to connect to the control plane load balancer, in CIDR notation. When setting this field, remember to add the Management cluster Nat Gateway IPs provided by Giant Swarm so that the cluster can still be managed.",
+                    "items": {
+                        "type": "string",
+                        "title": "Address range"
+                    },
+                    "default": [
+                        "0.0.0.0/0"
+                    ]
+                },
                 "machineHealthCheck": {
                     "type": "object",
                     "title": "Machine health check",

helm/cluster-aws/values.yaml

@@ -48,6 +48,8 @@ controlPlane:
   etcdVolumeSizeGB: 100
   instanceType: r6i.xlarge
   kubeletVolumeSizeGB: 100
+  loadBalancerIngressAllowCidrBlocks:
+    - 0.0.0.0/0
   machineHealthCheck:
     enabled: true
     maxUnhealthy: 40%