akeyless-gateway: add externalTrafficPolicy to SRA SSH service#377
Open
avii-wix wants to merge 4 commits into
Open
akeyless-gateway: add externalTrafficPolicy to SRA SSH service#377avii-wix wants to merge 4 commits into
avii-wix wants to merge 4 commits into
Conversation
Allow configuring the SRA SSH LoadBalancer service's externalTrafficPolicy via .Values.sra.sshConfig.service.externalTrafficPolicy. Defaults to Cluster to preserve existing behavior.
📝 WalkthroughWalkthroughThe Helm SSH Service template now conditionally emits ChangesSSH Service External Traffic Policy
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
externalTrafficPolicy is only valid on LoadBalancer and NodePort services. Default the value to "" so the field is omitted from the rendered manifest when the user does not opt in (byte-identical output to before the feature was added), and fail at template time if it is set while service.type is something other than LoadBalancer or NodePort — preventing an opaque Kubernetes API rejection on upgrade. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (1)
charts/akeyless-gateway/values.yaml (1)
604-604: ⚡ Quick winConsider adding a brief comment explaining the field.
The new
externalTrafficPolicyfield lacks documentation. A brief comment explaining its purpose, valid values (Local/Cluster), and use case (e.g., preserving source IP for audit/allowlisting) would help users understand when and how to configure it.📝 Suggested documentation
type: LoadBalancer port: 22 + ## externalTrafficPolicy controls whether external traffic is routed to node-local or cluster-wide endpoints. + ## Valid values: "Local" (preserves source IP, requires service type LoadBalancer or NodePort) or "Cluster" (default). + ## Set to "Local" to preserve client source IP for audit/allowlisting. Leave empty to use Kubernetes default (Cluster). + ## externalTrafficPolicy: ""🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@charts/akeyless-gateway/values.yaml` at line 604, The new values.yaml entry externalTrafficPolicy is missing inline documentation; add a one-line comment above the externalTrafficPolicy key explaining its purpose (controls how Service routes external traffic and whether source IP is preserved), valid values ("Local" or "Cluster"), common use-case (use "Local" to preserve source IP for audit/allowlisting at the cost of pod availability), and the default behavior if unset (Cluster). Place the comment adjacent to the externalTrafficPolicy key so users editing values.yaml see the guidance immediately.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@charts/akeyless-gateway/values.yaml`:
- Line 604: The new values.yaml entry externalTrafficPolicy is missing inline
documentation; add a one-line comment above the externalTrafficPolicy key
explaining its purpose (controls how Service routes external traffic and whether
source IP is preserved), valid values ("Local" or "Cluster"), common use-case
(use "Local" to preserve source IP for audit/allowlisting at the cost of pod
availability), and the default behavior if unset (Cluster). Place the comment
adjacent to the externalTrafficPolicy key so users editing values.yaml see the
guidance immediately.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: fec2c4bd-7742-42b6-8573-b7fde0e5e1c5
📒 Files selected for processing (2)
charts/akeyless-gateway/templates/akeyless-secure-remote-access/service.yamlcharts/akeyless-gateway/values.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- charts/akeyless-gateway/templates/akeyless-secure-remote-access/service.yaml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
externalTrafficPolicyon the SRA SSHLoadBalancerservice via.Values.sra.sshConfig.service.externalTrafficPolicy.values.yamlisCluster, preserving current behavior.Why
Setting
externalTrafficPolicy: Localon the SRA SSH LoadBalancer is necessary when the source client IP must be preserved (e.g. for audit/allowlisting). Today this requires post-install patching of the Service; this change makes it a first-class chart value.Summary by CodeRabbit