support internal IP address range configuration for api-server

Arvados-DCO-1.1-Signed-off-by: Michael Ludwig <michael.david.ludwig@gmail.com>

diff --git a/charts/arvados/templates/api-server-configmap.yaml b/charts/arvados/templates/api-server-configmap.yaml
index 3de99744c26de2d399570c8cf2afc2405e1f61ee..80e3f7e866860bcda1f77418b8b57f90449da290 100644 (file)
--- a/charts/arvados/templates/api-server-configmap.yaml
+++ b/charts/arvados/templates/api-server-configmap.yaml
@@ -43,7 +43,9 @@ data:
     # direct access to Keep storage daemons to set this header value to 0.
     geo $external_client {
       default     1;
-      10.0.0.0/8  0;
+      {{- range .Values.internalIPs }}
+      {{ . }} 0;
+      {{- end }}
     }
 
     server {

diff --git a/charts/arvados/values.yaml b/charts/arvados/values.yaml
index 569eb9521f974a5b98374868b5f0cb3f0e0bebfc..b84eb8ecb677c45a342427e7b182c9fee33dc044 100644 (file)
--- a/charts/arvados/values.yaml
+++ b/charts/arvados/values.yaml
@@ -13,6 +13,14 @@ image:
 # Must be set to a valid IP address, e.g. by using --set when invoking helm
 externalIP: ~
 
+# A list of CIDRs that have direct access to the Keep store service. All other
+# IP addresses will use the Keep proxy.
+# If hosts outside your cluster are in the default range (10.0.0.0/8), change
+# this to the exact CIDR of your cluster.
+# If using MetaLB with apiServerExternalTrafficPolicy set to Cluster, set this
+# to an empty list, since the source IP will be obscured.
+internalIPs: [10.0.0.0/8]
+
 loadBalancer:
   # Annotations to add to all LoadBalancer Services.
   # This is required for MetalLB, since the same externalIP is reused for all