dbkegley
commented
5 months ago I installed the helm chart from this branch using our local development setup for Connect and everything worked as expected 👍
david@Davids-MacBook-Pro:connect [main] » k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
connect-rstudio-connect ClusterIP 10.109.240.7 <none> 80/TCP,9108/TCP 6sBefore:
david@Davids-MacBook-Pro:connect [main] » k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
connect-rstudio-connect NodePort 10.103.146.3 <none> 80:30590/TCP,9108:32590/TCP 10s
tnederlof
This PR contains the following changes, following the changes made to RSPM by @atheriel in 2021 (PR here: https://github.com/rstudio/helm/pull/122) This change to RSPM was made over 2 years ago and went pretty smoothly, now bringing it to Connect.
ClusterIPservice by default instead of aNodePort.loadBalancerIPandclusterIP, which are commonly-used service features.NodePort. Otherwise, this will generate server-side validation errors.service.nodePortandservice.annotations.Since the first of these is a breaking change, I bumped the minor version for the chart.
Moving to ClusterIP
ClusterIPis the Kubernetes default, exposing the service in-cluster only. This is a secure, well-understood default. For external users, there are a few options:Ingress. We support this already and it works withClusterIP.LoadBalancer. This can be expensive so it makes a poor default.NodePortand some kind of external load balancing solution.It seems like the last route (which is the current default) is much more uncommon than the first two, so I'd advocate for this change.
In addition:
NodePortsare a very limited cluster resource, so we should avoid consuming them if we can avoid it.NodePortis a poor security choice, especially if we have users that don't understand the consequences.