From c0b37c2dd657b379f2311ce2b09c77972bac2807 Mon Sep 17 00:00:00 2001
From: acarranoqovery <105300721+acarranoqovery@users.noreply.github.com>
Date: Tue, 8 Oct 2024 15:02:19 +0200
Subject: [PATCH] feat: added kubernetes api public endpoint whitelist (#475)
---
website/docs/using-qovery/configuration.md | 2 +-
.../cluster-advanced-settings.md | 42 ++++++++++++++++---
.../cluster-advanced-settings.md.erb | 39 +++++++++++++++--
3 files changed, 73 insertions(+), 10 deletions(-)
diff --git a/website/docs/using-qovery/configuration.md b/website/docs/using-qovery/configuration.md
index 44070052e2..484fc2ffdc 100644
--- a/website/docs/using-qovery/configuration.md
+++ b/website/docs/using-qovery/configuration.md
@@ -1,5 +1,5 @@
---
-last_modified_on: "2024-01-22"
+last_modified_on: "2024-09-28"
title: Configuration
description: "Everything you need to know to configure and deploy your applications on Qovery"
sidebar_label: hidden
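Review bot: the `last_modified_on` value in this hunk is `"2024-09-28"`, which disagrees with the `"2024-10-08"` written into cluster-advanced-settings.md by the same patch and with the commit date (8 Oct 2024); use one date for both files, presumably `2024-10-08`.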
diff --git a/website/docs/using-qovery/configuration/cluster-advanced-settings.md b/website/docs/using-qovery/configuration/cluster-advanced-settings.md
index a68eb46628..9a796ff148 100644
--- a/website/docs/using-qovery/configuration/cluster-advanced-settings.md
+++ b/website/docs/using-qovery/configuration/cluster-advanced-settings.md
@@ -1,5 +1,5 @@
---
-last_modified_on: "2024-08-02"
+last_modified_on: "2024-10-08"
title: "Cluster Advanced Settings"
description: "Learn how to set advanced settings on your infrastructure with Qovery"
---
@@ -189,7 +189,7 @@ Enabling this feature will create a 10 min max downtime on your application's pu
| Type | Description | Default Value |
|---------|------------------------------------------------------------------------------------------------|-----------------|
-| boolean | List of allowed CIDRS. Valid only when [`database.postgresql.deny_public_access`](#databasepostgresqldeny_public_access) is set to true | `["0.0.0.0/0"]` |
+| string | List of allowed CIDRS. Valid only when [`database.postgresql.deny_public_access`](#databasepostgresqldeny_public_access) is set to true | `["0.0.0.0/0"]` |
#### database.mysql.deny_public_access ![](/img/advanced_settings/aws.svg) ![](/img/advanced_settings/database-container.svg) ![](/img/advanced_settings/database-managed.svg)
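Review bot: `string` still does not describe this value: the description says "List of allowed CIDRS" and the default is the JSON array `["0.0.0.0/0"]`, so the Type cell should read something like `list of strings` (or `array`), and `CIDRS` should be `CIDRs`. The same correction applies to the mysql, mongodb and redis rows changed in the following hunks and to their counterparts in the .erb template. Since `0.0.0.0/0` matches every IPv4 source, it is also worth stating in the description that `deny_public_access` only restricts traffic once this list is narrowed from its default.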
@@ -201,7 +201,7 @@ Enabling this feature will create a 10 min max downtime on your application's pu
| Type | Description | Default Value |
|---------|------------------------------------------------------------------------------------------------|-----------------|
-| boolean | List of allowed CIDRS. Valid only when [`database.mysql.deny_public_access`](#databasemysqldeny_public_access) is set to true | `["0.0.0.0/0"]` |
+| string | List of allowed CIDRS. Valid only when [`database.mysql.deny_public_access`](#databasemysqldeny_public_access) is set to true | `["0.0.0.0/0"]` |
#### database.mongodb.deny_public_access ![](/img/advanced_settings/aws.svg) ![](/img/advanced_settings/database-container.svg) ![](/img/advanced_settings/database-managed.svg)
@@ -213,7 +213,7 @@ Enabling this feature will create a 10 min max downtime on your application's pu
| Type | Description | Default Value |
|---------|------------------------------------------------------------------------------------------------|-----------------|
-| boolean | List of allowed CIDRS. Valid only when [`database.mongodb.deny_public_access`](#databasemongodbdeny_public_access) is set to true | `["0.0.0.0/0"]` |
+| string | List of allowed CIDRS. Valid only when [`database.mongodb.deny_public_access`](#databasemongodbdeny_public_access) is set to true | `["0.0.0.0/0"]` |
#### database.redis.deny_public_access ![](/img/advanced_settings/aws.svg) ![](/img/advanced_settings/database-container.svg) ![](/img/advanced_settings/database-managed.svg)
@@ -225,7 +225,7 @@ Enabling this feature will create a 10 min max downtime on your application's pu
| Type | Description | Default Value |
|---------|------------------------------------------------------------------------------------------------|-----------------|
-| boolean | List of allowed CIDRS. Valid only when [`database.redis.deny_public_access`](#databaseredisdeny_public_access) is set to true | `["0.0.0.0/0"]` |
+| string | List of allowed CIDRS. Valid only when [`database.redis.deny_public_access`](#databaseredisdeny_public_access) is set to true | `["0.0.0.0/0"]` |
## Service
@@ -303,6 +303,37 @@ It won't be possible to go back once this feature is activated.
| string | Allows you to activate KMS encryption of your Kubernetes secrets. Specify the [key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html) of your AWS KMS key. | |
+#### qovery.static_ip_mode ![](/img/advanced_settings/aws.svg)
+
+
+| Type | Description | Default Value |
+|---------|-----------------------------------------------------------------------------|---------------|
+| boolean | Enable the static ip mode for the qovery control plane and automatically 1) activate the private endpoint on the Kubernetes API 2) add the Qovery IP to the CIDR whitelist. | `false` |
+
+
+
+Dockerhub credentials are necessary to activate this feature.
+
+
+
+Before setting this advanced settings to true, go through the [Organization settings > Container registry][docs.using-qovery.configuration.organization.container-registry] and make sure that your Dockerhub registry has some credentials set.
+
+Why? Dockerhub has a [rate limit system by IP](https://docs.docker.com/docker-hub/download-rate-limit/) when pulling from their registry. Since the Qovery control plane will be seen as a single IP, we will quickly reach the limit. This limit can be increased if you are a logged-in user and thus, if you put your credentials in the Dockerhub registry configuration of your organization, you should not encounter any rate limit issue during the deployment.
+
+#### k8s.api.allowed_public_access_cidrs ![](/img/advanced_settings/aws.svg)
+
+
+
+`qovery.static_ip_mode` should be set to `true` to make this advanced settings effective
+
+
+
+| Type | Description | Default Value |
+|---------|-----------------------------------------------------------------------------|---------------|
+| string | It contains any additional CIDR that should be whitelisted to access the Kubernetes API (Example:`["100.100.100.0/32","200.200.200.0/24"]` ) | `[]` |
+
+
+
#### storageclass.fast_ssd
| Type | Description | Default Value |
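Review bot: the new `k8s.api.allowed_public_access_cidrs` section does not warn about the access cutoff it creates: per the `qovery.static_ip_mode` row, enabling that setting adds only the Qovery IP to the whitelist, and this list defaults to `[]`, so operators, CI runners and anyone else reaching the Kubernetes API from other addresses lose access until their CIDRs are listed here. Add a sentence telling readers to fill this list with their own egress ranges before (or together with) setting `qovery.static_ip_mode` to `true`, and state whether the public endpoint stays enabled but CIDR-restricted or is disabled, since "activate the private endpoint on the Kubernetes API" alone is ambiguous. Smaller points in the same hunk: the Type cell is `string` while the default `[]` and the example are arrays (use `list of strings`); the example CIDRs `100.100.100.0/32` and `200.200.200.0/24` are routable addresses, so prefer RFC 5737 documentation ranges such as `["192.0.2.10/32","203.0.113.0/24"]`; "this advanced settings" appears twice and should be "this advanced setting"; "static ip mode for the qovery control plane" should be "static IP mode for the Qovery control plane" and "Dockerhub" is "Docker Hub"; the `qovery.static_ip_mode` mention in the k8s.api section should link to its anchor (`#qoverystatic_ip_mode`) as the database rows do for theirs; and the runs of two or three blank lines between the heading, table and paragraphs should collapse to one.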
@@ -312,5 +343,6 @@ It won't be possible to go back once this feature is activated.
[docs.getting-started.install-qovery.aws.cluster-managed-by-qovery.quickstart#attach-aws-credentials]: /docs/getting-started/install-qovery/aws/cluster-managed-by-qovery/quickstart/#attach-aws-credentials
[docs.using-qovery.configuration.advanced-settings#resources]: /docs/using-qovery/configuration/advanced-settings/#resources
+[docs.using-qovery.configuration.organization.container-registry]: /docs/using-qovery/configuration/organization/container-registry/
[docs.using-qovery.deployment.image-mirroring]: /docs/using-qovery/deployment/image-mirroring/
[guides.tutorial.how-to-activate-sso-to-connect-to-your-eks-cluster]: /guides/tutorial/how-to-activate-sso-to-connect-to-your-eks-cluster/
diff --git a/website/docs/using-qovery/configuration/cluster-advanced-settings.md.erb b/website/docs/using-qovery/configuration/cluster-advanced-settings.md.erb
index 14c0c3a506..fce9e9583b 100644
--- a/website/docs/using-qovery/configuration/cluster-advanced-settings.md.erb
+++ b/website/docs/using-qovery/configuration/cluster-advanced-settings.md.erb
@@ -180,7 +180,7 @@ Enabling this feature will create a 10 min max downtime on your application's pu
| Type | Description | Default Value |
|---------|------------------------------------------------------------------------------------------------|-----------------|
-| boolean | List of allowed CIDRS. Valid only when `database.postgresql.deny_public_access` is set to true | `["0.0.0.0/0"]` |
+| string | List of allowed CIDRS. Valid only when `database.postgresql.deny_public_access` is set to true | `["0.0.0.0/0"]` |
#### database.mysql.deny_public_access ![](/img/advanced_settings/aws.svg) ![](/img/advanced_settings/database-container.svg) ![](/img/advanced_settings/database-managed.svg)
@@ -192,7 +192,7 @@ Enabling this feature will create a 10 min max downtime on your application's pu
| Type | Description | Default Value |
|---------|------------------------------------------------------------------------------------------------|-----------------|
-| boolean | List of allowed CIDRS. Valid only when `database.mysql.deny_public_access` is set to true | `["0.0.0.0/0"]` |
+| string | List of allowed CIDRS. Valid only when `database.mysql.deny_public_access` is set to true | `["0.0.0.0/0"]` |
#### database.mongodb.deny_public_access ![](/img/advanced_settings/aws.svg) ![](/img/advanced_settings/database-container.svg) ![](/img/advanced_settings/database-managed.svg)
@@ -204,7 +204,7 @@ Enabling this feature will create a 10 min max downtime on your application's pu
| Type | Description | Default Value |
|---------|------------------------------------------------------------------------------------------------|-----------------|
-| boolean | List of allowed CIDRS. Valid only when `database.mongodb.deny_public_access` is set to true | `["0.0.0.0/0"]` |
+| string | List of allowed CIDRS. Valid only when `database.mongodb.deny_public_access` is set to true | `["0.0.0.0/0"]` |
#### database.redis.deny_public_access ![](/img/advanced_settings/aws.svg) ![](/img/advanced_settings/database-container.svg) ![](/img/advanced_settings/database-managed.svg)
@@ -216,7 +216,7 @@ Enabling this feature will create a 10 min max downtime on your application's pu
| Type | Description | Default Value |
|---------|------------------------------------------------------------------------------------------------|-----------------|
-| boolean | List of allowed CIDRS. Valid only when `database.redis.deny_public_access` is set to true | `["0.0.0.0/0"]` |
+| string | List of allowed CIDRS. Valid only when `database.redis.deny_public_access` is set to true | `["0.0.0.0/0"]` |
## Service
@@ -294,6 +294,37 @@ It won't be possible to go back once this feature is activated.
| string | Allows you to activate KMS encryption of your Kubernetes secrets. Specify the [key ARN](https://docs.aws.amazon.com/kms/latest/developerguide/find-cmk-id-arn.html) of your AWS KMS key. | |
+#### qovery.static_ip_mode ![](/img/advanced_settings/aws.svg)
+
+
+| Type | Description | Default Value |
+|---------|-----------------------------------------------------------------------------|---------------|
+| boolean | Enable the static ip mode for the qovery control plane and automatically 1) activate the private endpoint on the Kubernetes API 2) add the Qovery IP to the CIDR whitelist. | `false` |
+
+
+
+Dockerhub credentials are necessary to activate this feature.
+
+
+
+Before setting this advanced settings to true, go through the [Organization settings > Container registry][docs.using-qovery.configuration.organization.container-registry] and make sure that your Dockerhub registry has some credentials set.
+
+Why? Dockerhub has a [rate limit system by IP](https://docs.docker.com/docker-hub/download-rate-limit/) when pulling from their registry. Since the Qovery control plane will be seen as a single IP, we will quickly reach the limit. This limit can be increased if you are a logged-in user and thus, if you put your credentials in the Dockerhub registry configuration of your organization, you should not encounter any rate limit issue during the deployment.
+
+#### k8s.api.allowed_public_access_cidrs ![](/img/advanced_settings/aws.svg)
+
+
+
+`qovery.static_ip_mode` should be set to `true` to make this advanced settings effective
+
+
+
+| Type | Description | Default Value |
+|---------|-----------------------------------------------------------------------------|---------------|
+| string | It contains any additional CIDR that should be whitelisted to access the Kubernetes API (Example:`["100.100.100.0/32","200.200.200.0/24"]` ) | `[]` |
+
+
+
#### storageclass.fast_ssd
| Type | Description | Default Value |
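Review bot: this .erb hunk uses the reference `[docs.using-qovery.configuration.organization.container-registry]` but, unlike the .md hunk above, adds no definition for it; unless the generator emits link definitions from the template, the next regeneration of cluster-advanced-settings.md will leave that link unresolved. Because this template is the source of the .md, the wording fixes belong here first: "this advanced settings" to "this advanced setting" (twice), "static ip mode for the qovery control plane" to "static IP mode for the Qovery control plane", "Dockerhub" to "Docker Hub", a Type of `list of strings` rather than `string` for a row whose default is `[]`, RFC 5737 documentation ranges in place of `100.100.100.0/32` and `200.200.200.0/24`, and a note that with `qovery.static_ip_mode` enabled and this list empty, only the Qovery IP can reach the Kubernetes API.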