docs: add steps for configuring trusted headers & origins in Helm chart (coder#8031)

ericpaulsen · web-flow · commit 977e9ef5057d · 2023-06-14T16:20:40.000-04:00
diff --git a/docs/install/kubernetes.md b/docs/install/kubernetes.md
@@ -121,17 +121,34 @@ to log in and manage templates.
        sessionAffinity: None
    ```
 
-   AWS however recommends a Network load balancer in lieu of the Classic load balancer. Use the following `values.yaml` settings to request a Network load balancer:
+### Load balancing considerations
+
+AWS however recommends a Network load balancer in lieu of the Classic load balancer. Use the following `values.yaml` settings to request a Network load balancer:
+
+```yaml
+coder:
+   service:
+   externalTrafficPolicy: Local
+   sessionAffinity: None
+   annotations: {
+      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
+ }
+```
 
-   ```yaml
-   coder:
-      service:
-      externalTrafficPolicy: Local
-      sessionAffinity: None
-      annotations: {
-         service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
-    }
-   ```
+By default, Coder will set the `externalTrafficPolicy` to `Cluster` which will
+mask client IP addresses in the Audit log. To preserve the source IP, you can either
+set this value to `Local`, or pass through the client IP via the X-Forwarded-For
+header. To configure the latter, set the following environment
+variables:
+
+```yaml
+coder:
+  env:
+    - name: CODER_PROXY_TRUSTED_HEADERS
+      value: X-Forwarded-For
+    - name: CODER_PROXY_TRUSTED_ORIGINS
+      value: 10.0.0.1/8 # this will be the CIDR range of your Load Balancer IP address
+```
 
 1. Run the following command to install the chart in your cluster.
 
