Restrict CIDR ip addresses for a LoadBalancer type service

[asproul]

What was changed

Restrict IP addresses for load balancers created for the frontend service by adding the spec.loadBalancerSourceRanges for the LoadBalancer type.

Why?

I am self-hosting temporal on a Google Kubernetes Engine (GKE) cluster running temporal workflows. I have exposed the frontend service as an internal load balancer to my Cloud Run service (which initiates the temporal workflows) but, by default, the firewall rule created by the GKE service sets a source as "0.0.0.0/0". I am required to further restrict the allowed source ip range to specific subnets.

GCP guide about restricting ip addresses based on CIDRs in spec.loadBalancerSourceRanges[]. Additionally, AWS documentation states that spec.loadBalancerSourceRanges[] is used to restrict IP addresses.

Checklist

1. How was this tested:

cd charts/temporal

helm template render \
-f values.yaml \
--set "server.frontend.service.loadBalancerSourceRanges={1.1.1.1/8,2.2.2.2/8}" ./ \
| grep loadBalancerSourceRanges -A 3 -B 3

output is

    app.kubernetes.io/part-of: temporal
spec:
  type: ClusterIP
  loadBalancerSourceRanges:
    - 1.1.1.1/8
    - 2.2.2.2/8
  ports:

• Rendered the template locally.
• Deployed the changes to my development google kubernetes engine cluster.
• Verified that the firewall rules concerning this frontend service changed the sourceIP from 0.0.0.0/0 to the ip range I specified in the server.frontend.service.loadBalancerSourceRanges from my helm values.yaml file.

1. Any docs updates needed?
   No

[CLAassistant]

All committers have signed the CLA.