Closed mtougeron closed 2 years ago
Hello @mtougeron. This is currently possible using the following helm values:

```yaml
service:
  type: LoadBalancer
```
And with the latest version of the provider - v0.1.2 (promoted from pre-release moments ago), the LoadBalancer hostname will be written back into `spec.controlPlaneEndpoint.host` (unless that field is not empty).
Here is a log to prove it - https://gist.github.com/matskiv/d95693f65d81dcb69a562e466f095f31#file-capvc_loadbalancer_poc
However, `loadBalancerSourceRanges` cannot be set via helm chart values, but I think we can add that to the vcluster charts. :)
Ah excellent. I was looking at the api-service.yaml, not the syncer-service.yaml, so I totally missed this option. I'll open a PR to update the helm values and chart for the `loadBalancerSourceRanges`.
PR would be nice, thank you :+1:
P.S: I just noticed I had a typo in the helm values in my previous comment, I was missing an `r` in `LoadBalancer`, just FYI if you copied it. :)
> PR would be nice, thank you 👍

Definitely. One has been opened. :)
It would be nice to be able to expose the vcluster endpoint when using the cluster-api provider. This would be similar to using the cli command `vcluster create my-vcluster --expose`. As it exists today the only way to expose via a LoadBalancer service is to do a multi-step process. 1) Create the VCluster resource via the cluster-api, 2) Create the LoadBalancer service outside the cluster-api, 3) Update the VCluster's `spec.controlPlaneEndpoint.host` with the IP address from step 2 and reapply. This makes it extremely difficult to programmatically add vclusters to systems like Argo CD that cannot go through an ingress like nginx or envoy when talking to the apiserver. As part of this, it would be nice to be able to set the `loadBalancerSourceRanges` that are allowed to talk to the LoadBalancer service so that security can be taken into account. Thanks!
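
A check for the source-range concern raised in the issue, as an added example (not code from this thread or from the vcluster project): it flags `LoadBalancer` Services whose `loadBalancerSourceRanges` are missing, invalid, or too broad. The sample Service list and the `MIN_PREFIX` policy are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample shaped like `kubectl get svc -A -o json` output (not from the thread).
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "team-a", "name": "vc-open"}, "spec": {"type": "LoadBalancer"}},
 {"metadata": {"namespace": "team-b", "name": "vc-any"},
  "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["10.0.0.0/8", "0.0.0.0/0"]}},
 {"metadata": {"namespace": "team-c", "name": "vc-scoped"},
  "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": ["203.0.113.0/24"]}},
 {"metadata": {"namespace": "team-d", "name": "vc-internal"}, "spec": {"type": "ClusterIP"}}
]}""")
MIN_PREFIX = {4: 8, 6: 32}  # assumed policy: shorter prefixes count as too broad


def audit_service(svc):
    """Return a list of findings for one Service object (empty list means OK)."""
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return []  # not exposed through a load balancer, nothing to check
    ranges = spec.get("loadBalancerSourceRanges") or []
    if not ranges:
        return ["no loadBalancerSourceRanges set: not restricted by source address"]
    findings = []
    for cidr in ranges:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append(f"invalid CIDR {cidr!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"{cidr} allows every source address")
        elif net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(f"{cidr} is broader than /{MIN_PREFIX[net.version]}")
    return findings


def audit(service_list):
    """Map 'namespace/name' to findings for every Service that has any."""
    report = {}
    for svc in service_list.get("items", []):
        if findings := audit_service(svc):
            meta = svc.get("metadata", {})
            report[f"{meta.get('namespace')}/{meta.get('name')}"] = findings
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

To run it against a live cluster, replace `SAMPLE` with the parsed output of `kubectl get svc -A -o json`.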