From 9c3b9ff5084414178e24c11276eba56aa661ce8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=81nis=20Bebr=C4=ABtis?= Date: Fri, 8 Mar 2024 08:45:53 +0200 Subject: [PATCH] ingress-nginx on gke private clusters --- docs/vendor-gcs.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/vendor-gcs.md b/docs/vendor-gcs.md index 3767f1f..6104a21 100644 --- a/docs/vendor-gcs.md +++ b/docs/vendor-gcs.md @@ -83,3 +83,30 @@ mounts: ``` Full example on using the provisioned storageclass in **new and existing** projects [here](gcp_filestore_migration.md) + +### ingress-nginx load balancer on GKE private cluster + +When using GKE private cluster, [ingress-nginx](https://github.com/kubernetes/ingress-nginx) requires an additional firewall rule that allows control plane connection to nodes on port 8443. +Example and solution is borrowed from https://github.com/kubernetes/ingress-nginx/issues/5401 + +``` +# Control pane range (normally 172.16.0.0/28) +# gcloud container clusters describe [CLUSTER_NAME] --region europe-north1 --format json | jq -r '.privateClusterConfig.masterIpv4CidrBlock' +CONTROL_PLANE_RANGE=172.16.0.0/28 + +# Get cluster tag +NETWORK_TAGS=$(gcloud compute instances describe \ + $(kubectl get nodes -o jsonpath='{.items[0].metadata.name}') \ + --format="value(tags.items[0])") + +# Print firewall rule command +echo gcloud compute firewall-rules create silta-nginx-lb-ingress \ + --action ALLOW \ + --direction INGRESS \ + --source-ranges ${CONTROL_PLANE_RANGE} \ + --rules tcp:8443 \ + --target-tags ${NETWORK_TAGS} + +``` +Review and execute command printed above. +
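Review bot: the `gcloud compute firewall-rules create silta-nginx-lb-ingress` command in this hunk passes no `--network`, so the rule is created in the project's `default` VPC; on a private cluster that lives in its own VPC the rule lands in the wrong network and the admission webhook on tcp:8443 still times out. Suggest adding `--network <cluster VPC>` (looked up with `gcloud container clusters describe ... --format 'value(network)'`) next to `--target-tags ${NETWORK_TAGS}`. Two smaller points: `gcloud compute instances describe` on a GKE node name needs `--zone` (or a configured default zone) or it will prompt/fail, and since the snippet already shows how to read `masterIpv4CidrBlock`, assigning that output to `CONTROL_PLANE_RANGE` instead of hard-coding `172.16.0.0/28` avoids opening the port to the wrong source range. Also "Control pane range" should read "Control plane range".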