Add nginx-status-allow-cidrs and service externalIPs to Helm chart (#398)

Dean-Coakley · web-flow · commit 372abc4c73b1 · 2018-10-24T17:53:56.000+01:00
* Add missing options to helm chart templates
* Add nginxStatusAllowCidrs cli argument to deployment template
* Add externalIPs to service template
* Update helm chart with new config options
* Add Note about nginxStatusAllowCidrs cli argument
* Add Note about service externalIPs
* Bump helm chart version
diff --git a/deployments/helm-chart/Chart.yaml b/deployments/helm-chart/Chart.yaml
@@ -1,5 +1,5 @@
 name: nginx-ingress
-version: 0.1.3
+version: 0.1.4
 appVersion: edge
 description: NGINX Ingress Controller
 sources:
diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md
@@ -77,13 +77,15 @@ Parameter | Description | Default
 `controller.service.externalTrafficPolicy` | The externalTrafficPolicy of the service. The value Local preserves the client source IP. | Local
 `controller.service.annotations` | The annotations of the Ingress controller service. | { }
 `controller.service.loadBalancerIP` | The static IP address for the load balancer. Requires `controller.service.type` set to `LoadBalancer`.  | None
+`controller.service.externalIPs` | The list of external IPs for the Ingress controller service. | []
 `controller.serviceAccountName` | The serviceAccountName of the Ingress controller pods. Used for RBAC. | nginx-ingress
 `controller.ingressClass` | A class of the Ingress controller. The Ingress controller only processes Ingress resources that belong to its class - i.e. have the annotation `"kubernetes.io/ingress.class"` equal to the class. Additionally, the Ingress controller processes Ingress resources that do not have that annotation which can be disabled by setting the "-use-ingress-class-only" flag. | nginx
 `controller.useIngressClassOnly` | Ignore Ingress resources without the `"kubernetes.io/ingress.class"` annotation. | false
 `controller.watchNamespace` | Namespace to watch for Ingress resources. By default the Ingress controller watches all namespaces. | ""
 `controller.healthStatus` | Add a location "/nginx-health" to the default server. The location responds with the 200 status code for any request. Useful for external health-checking of the Ingress controller. | false
-`controller.nginxStatus.enable` | Enable the NGINX stub_status, or the NGINX Plus API. | true 
+`controller.nginxStatus.enable` | Enable the NGINX stub_status, or the NGINX Plus API. | true
 `controller.nginxStatus.port` | Set the port where the NGINX stub_status or the NGINX Plus API is exposed. | 8080
+`controller.nginxStatus.allowCidrs` | Whitelist IPv4 IP/CIDR blocks to allow access to NGINX stub_status or the NGINX Plus API. Separate multiple IP/CIDR by commas. | 127.0.0.1
 `controller.reportIngressStatus.enable` | Update the address field in the status of Ingresses resources with an external address of the Ingress controller. You must also specify the source of the external address either through an external service via `controller.reportIngressStatus.externalService` or the `external-status-address` entry in the ConfigMap via `controller.config.entries`. **Note:** `controller.config.entries.external-status-address` takes precedence if both are set. | true
 `controller.reportIngressStatus.externalService` | Specifies the name of the service with the type LoadBalancer through which the Ingress controller is exposed externally. The external address of the service is used when reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. | nginx-ingress
 `controller.reportIngressStatus.enableLeaderElection` | Enable Leader election to avoid multiple replicas of the controller reporting the status of Ingress resources. `controller.reportIngressStatus.enable` must be set to `true`. | true
diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml
@@ -74,6 +74,7 @@ spec:
 {{- if .Values.controller.nginxStatus.enable }}
           - -nginx-status
           - -nginx-status-port={{ .Values.controller.nginxStatus.port }}
+          - -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }}
 {{- end }}
 {{- if .Values.controller.reportIngressStatus.enable }}
           - -report-ingress-status
diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml
@@ -60,6 +60,7 @@ spec:
 {{- if .Values.controller.nginxStatus.enable }}
           - -nginx-status
           - -nginx-status-port={{ .Values.controller.nginxStatus.port }}
+          - -nginx-status-allow-cidrs={{ .Values.controller.nginxStatus.allowCidrs }}
 {{- end }}
 {{- if .Values.controller.reportIngressStatus.enable }}
           - -report-ingress-status
diff --git a/deployments/helm-chart/templates/controller-service.yaml b/deployments/helm-chart/templates/controller-service.yaml
@@ -33,4 +33,8 @@ spec:
     name: https
   selector:
     app: {{ .Values.controller.name | trunc 63 }}
+  {{- if .Values.controller.service.externalIPs }}
+  externalIPs:
+{{ toYaml .Values.controller.service.externalIPs | indent 4 }}
+  {{- end }}
 {{- end }}
diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml
@@ -25,12 +25,14 @@ controller:
   nginxStatus:
     enable: true
     port: 8080
+    allowCidrs: "127.0.0.1"
   service:
     create: true
     type: LoadBalancer
     externalTrafficPolicy: Local
     annotations: {}
     loadBalancerIP: ""
+    externalIPs: []
   serviceAccountName: nginx-ingress
   reportIngressStatus:
     enable: true
