This PR contains the following changes, following the changes made to RSPM by @atheriel in 2021 (PR here: https://github.com/rstudio/helm/pull/122). This change to RSPM was made over 2 years ago and went pretty smoothly; now bringing it to Workbench.
Use a ClusterIP service by default instead of a NodePort.
Add support for controlling loadBalancerIP and clusterIP, which are commonly-used service features.
Ignore nodePort settings when the service type is not NodePort. Otherwise, this will generate server-side validation errors.
Simplify handling of Service annotations by removing the existing YAML helper, which is not actually necessary and has a confusing name.
Tweak documentation for service.nodePort and service.annotations.
Since the first of these is a breaking change, I bumped the minor version for the chart.
Moving to ClusterIP
ClusterIP is the Kubernetes default, exposing the service in-cluster only. This is a secure, well-understood default. For external users, there are a few options:
Use an Ingress. We support this already and it works with ClusterIP.
Use a LoadBalancer. This can be expensive so it makes a poor default.
Use a NodePort and some kind of external load balancing solution.
It seems like the last route (which is the current default) is much more uncommon than the first two, so I'd advocate for this change.
In addition:
NodePorts are a very limited cluster resource, so we should avoid consuming them if we can avoid it.
Defaulting to NodePort is a poor security choice, especially if we have users that don't understand the consequences.
Testing
Service comes up as ClusterIP by default as expected
Setting service.clusterIP also takes effect
Service comes up as NodePort when service.type: "NodePort"
Annotations flow through under service.annotations for all types of services
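
A Service template that behaves as the change list above describes, added here as an illustration and not taken from the chart itself. The values `service.type`, `service.nodePort`, `service.clusterIP`, `service.loadBalancerIP` and `service.annotations` are the ones named in this PR; the resource name, selector labels, and the `service.port` / `service.targetPort` keys are assumptions.

```yaml
# templates/service.yaml (illustrative example, not the chart's real template)
# Assumed values.yaml defaults:
#   service:
#     type: ClusterIP      # in-cluster only unless the operator opts in
#     port: 80             # assumed key
#     targetPort: 8787     # assumed key
#     nodePort: null
#     clusterIP: ""
#     loadBalancerIP: ""
#     annotations: {}
apiVersion: v1
kind: Service
metadata:
  name: {{ .Release.Name }}-workbench   # assumed naming
  {{- with .Values.service.annotations }}
  # Annotations are passed through as-is for every service type.
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  type: {{ .Values.service.type }}
  {{- with .Values.service.clusterIP }}
  clusterIP: {{ . | quote }}
  {{- end }}
  {{- if and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP }}
  loadBalancerIP: {{ .Values.service.loadBalancerIP | quote }}
  {{- end }}
  selector:                              # assumed labels
    app.kubernetes.io/name: {{ .Chart.Name }}
    app.kubernetes.io/instance: {{ .Release.Name }}
  ports:
    - name: http
      protocol: TCP
      port: {{ .Values.service.port }}
      targetPort: {{ .Values.service.targetPort }}
      {{- if and (eq .Values.service.type "NodePort") .Values.service.nodePort }}
      # Emitted only for NodePort services; a leftover service.nodePort value
      # on a ClusterIP service would be rejected by the API server.
      nodePort: {{ .Values.service.nodePort }}
      {{- end }}
```

Rendering it with `helm template` once with defaults and once with `--set service.type=NodePort,service.nodePort=30080` shows the `nodePort` field appearing only in the second case.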