# GCP GKE — External passthrough Network Load Balancer
service:
  annotations:
    cloud.google.com/l4-rbs: "enabled"
ports:
  web:
    proxyProtocol:
      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"   # <- subnet CIDR + GCP health checks
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
  websecure:
    proxyProtocol:
      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"
    forwardedHeaders:
      trustedIPs: "10.0.0.0/8,35.191.0.0/16,130.211.0.0/22"