From 41c0c547a54091b33d61056eeca9de7f47fc40e6 Mon Sep 17 00:00:00 2001
From: Sergey Dudoladov
Date: Fri, 21 Sep 2018 10:21:23 +0200
Subject: [PATCH] Properly overwrite empty allowed source ranges for load balancers

---
 docs/administrator.md | 4 +++-
 pkg/cluster/k8sres.go | 8 +++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/docs/administrator.md b/docs/administrator.md
index 1b360cd00..6f044073c 100644
--- a/docs/administrator.md
+++ b/docs/administrator.md
@@ -198,7 +198,9 @@ services to an outer network, one can attach load balancers to them by setting
 cluster manifest. In the case any of these variables are omitted from the
 manifest, the operator configmap's settings `enable_master_load_balancer` and
 `enable_replica_load_balancer` apply. Note that the operator settings affect
-all Postgresql services running in a namespace watched by the operator.
+all Postgresql services running in all namespaces watched by the operator.
+
+To limit the range of IP adresses that can reach a load balancer, speficy the desired ranges in the `allowedSourceRanges` field (applies to both master and replica LBs). To prevent exposing LBs to the entire Internet, this field is set by default to `127.0.0.1/32`. To return to this default, explicitly set the field to the empty sequence `[]`; setting it to `null` or omitting entirely may not work due to [k8s handling of null fields](https://kubernetes.io/docs/concepts/overview/object-management-kubectl/declarative-config/#how-apply-calculates-differences-and-merges-changes).
 
 ## Running periodic 'autorepair' scans of Kubernetes objects
 
diff --git a/pkg/cluster/k8sres.go b/pkg/cluster/k8sres.go
index 195d1c76d..de94a416a 100644
--- a/pkg/cluster/k8sres.go
+++ b/pkg/cluster/k8sres.go
@@ -961,13 +961,15 @@ func (c *Cluster) generateService(role PostgresRole, spec *acidv1.PostgresSpec)
 
 		// safe default value: lock load balancer to only local address unless overridden explicitly.
 		sourceRanges := []string{localHost}
-		allowedSourceRanges := spec.AllowedSourceRanges
-		if len(allowedSourceRanges) >= 0 {
-			sourceRanges = allowedSourceRanges
+		// spec.AllowedSourceRanges evaluates to the empty slice of zero length
+		// when omitted or set to 'null'/empty sequence in the PG manifest
+		if len(spec.AllowedSourceRanges) > 0 {
+			sourceRanges = spec.AllowedSourceRanges
 		}
 
 		serviceSpec.Type = v1.ServiceTypeLoadBalancer
 		serviceSpec.LoadBalancerSourceRanges = sourceRanges
+		c.logger.Debugf("final load balancer source ranges as seen in a service spec (not necessarily applied): %q", serviceSpec.LoadBalancerSourceRanges)
 
 		annotations = map[string]string{
 			constants.ZalandoDNSNameAnnotation: dnsName,
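Review bot: The fall-back to `localHost` when `spec.AllowedSourceRanges` is empty is the security-relevant behaviour here, yet it is only visible at Debug level through the new `c.logger.Debugf` line, so a user who relied on the pre-patch behaviour (an empty list producing an unrestricted load balancer) gets no normal-level signal that the service is now locked to `127.0.0.1/32`. Consider logging the fallback explicitly in an `else` branch of the new `if`, e.g. `c.logger.Warningf("no allowedSourceRanges in manifest; load balancer restricted to %q", localHost)`. The supplied ranges are also copied into `serviceSpec.LoadBalancerSourceRanges` unvalidated; a `net.ParseCIDR` check on each entry before the assignment would turn a typo into an actionable operator error rather than a later rejection by the API server (assuming the API server validates that field — confirm). generateService begins and ends outside the hunk.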