Fixes helm#1341 -- update Jenkins chart documentation (helm#10290)

* Fixes helm#1341 -- update Jenkins chart documentation Update `values.yml` documentation on using 'LoadBalancer' type of Service in a secure way by adding required annotations. This creates an internal LoadBalancer with locked down rules on allowed CIDR ranges via annotations. Signed-off-by: Dan Alvizu <dalvizu@pingidentity.com> * bump version, per pull request comments Signed-off-by: Dan Alvizu <dalvizu@pingidentity.com> * fix whitespace lint errors Signed-off-by: Dan Alvizu <dalvizu@pingidentity.com>
wmcdona89 · Jan 28, 2019 · 939ba03 · 939ba03
1 parent fa8d61a
commit 939ba03
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/charts/jenkins/Chart.yaml b/charts/jenkins/Chart.yaml
@@ -1,6 +1,6 @@
 name: jenkins
 home: https://jenkins.io/
-version: 0.28.9
+version: 0.28.10
 appVersion: lts
 description: Open source continuous integration server. It supports multiple SCM tools
   including CVS, Subversion and Git. It can execute Apache Ant and Apache Maven-based

diff --git a/charts/jenkins/values.yaml b/charts/jenkins/values.yaml
@@ -85,9 +85,22 @@ Master:
       ProxyCompatability: true
   CLI: false
   # Kubernetes service type for the JNLP slave service
-  # SETTING THIS TO "LoadBalancer" IS A HUGE SECURITY RISK: https://github.com/kubernetes/charts/issues/1341
+  # SlaveListenerServiceType is the Kubernetes Service type for the JNLP slave service,
+  # either 'LoadBalancer', 'NodePort', or 'ClusterIP'
+  # Note if you set this to 'LoadBalancer', you *must* define annotations to secure it. By default
+  # this will be an external load balancer and allowing inbound 0.0.0.0/0, a HUGE
+  # security risk:  https://github.com/kubernetes/charts/issues/1341
   SlaveListenerServiceType: ClusterIP
   SlaveListenerServiceAnnotations: {}
+
+  # Example of 'LoadBalancer' type of slave listener with annotations securing it
+  # SlaveListenerServiceType: LoadBalancer
+  # SlaveListenerServiceAnnotations:
+  #   service.beta.kubernetes.io/aws-load-balancer-internal: "True"
+  #   service.beta.kubernetes.io/load-balancer-source-ranges: "172.0.0.0/8, 10.0.0.0/8"
+
+  # LoadBalancerSourcesRange is a list of allowed CIDR values, which are combined with ServicePort to
+  # set allowed inbound rules on the security group assigned to the master load balancer
   LoadBalancerSourceRanges:
   - 0.0.0.0/0
   # Optionally assign a known public LB IP