Skip to content

Commit 1fb56fc

Browse files
gcs278gcs278
committed
OCPBUGS-63219: Add clientIPPreservationMode to AWS NLB parameters
Add clientIPPreservationMode field to AWSNetworkLoadBalancerParameters to control how client IP addresses are preserved. The field accepts "Native" (uses AWS's native client IP preservation) and "ProxyProtocol" (uses PROXY protocol v2, the new default). When set to Native, the NLB target group has preserve_client_ip.enabled set to true, which may cause hairpin connection failures for internal load balancers when connections are made from pods to router pods on the same node. When set to ProxyProtocol, the NLB target group has preserve_client_ip.enabled set to false and proxy_protocol_v2.enabled set to true. This allows backends to receive the original client IP via PROXY protocol headers while avoiding hairpin connection failures. https://redhat.atlassian.net/browse/OCPBUGS-63219
1 parent 4f63a40 commit 1fb56fc

10 files changed

Lines changed: 400 additions & 3 deletions

openapi/generated_openapi/zz_generated.openapi.go

Lines changed: 7 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

operator/v1/types_ingress.go

Lines changed: 39 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -898,8 +898,47 @@ type AWSNetworkLoadBalancerParameters struct {
898898
// +kubebuilder:validation:XValidation:rule=`self.all(x, self.exists_one(y, x == y))`,message="eipAllocations cannot contain duplicates"
899899
// +kubebuilder:validation:MaxItems=10
900900
EIPAllocations []EIPAllocation `json:"eipAllocations"`
901+
902+
// clientIPPreservationMode specifies how client IP addresses are
903+
// preserved by the load balancer.
904+
//
905+
// Valid values are "Native" and "ProxyProtocol".
906+
//
907+
// When set to "Native", the NLB uses AWS's native client IP preservation,
908+
// which may cause hairpin connection failures for internal load balancers when
909+
// connections are made from pods to router pods on the same node.
910+
//
911+
// When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
912+
// client IP addresses. This avoids hairpin connection failures.
913+
//
914+
// When omitted, this means the user has no opinion and the value is left
915+
// to the platform to choose a good default, which is subject to change
916+
// over time. The current default is "ProxyProtocol".
917+
//
918+
// Note that changing this field may cause brief connection failures during
919+
// the transition as the NLB attribute change and router rollout occur
920+
// independently.
921+
//
922+
// +optional
923+
ClientIPPreservationMode ClientIPPreservationMode `json:"clientIPPreservationMode,omitempty"`
901924
}
902925

926+
// ClientIPPreservationMode specifies how client IP addresses should be
927+
// preserved by the Network Load Balancer.
928+
// +kubebuilder:validation:Enum=Native;ProxyProtocol
929+
type ClientIPPreservationMode string
930+
931+
const (
932+
// ClientIPPreservationNative uses AWS's native client IP preservation,
933+
// which may cause hairpin connection failures for internal load balancers when
934+
// connections are made from pods to router pods on the same node.
935+
ClientIPPreservationNative ClientIPPreservationMode = "Native"
936+
937+
// ClientIPPreservationProxyProtocol uses PROXY protocol v2 to preserve
938+
// client IP addresses. This avoids hairpin connection failures.
939+
ClientIPPreservationProxyProtocol ClientIPPreservationMode = "ProxyProtocol"
940+
)
941+
903942
// EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment.
904943
// Values must begin with `eipalloc-` followed by exactly 17 hexadecimal (`[0-9a-fA-F]`) characters.
905944
// + Explanation of the regex `^eipalloc-[0-9a-fA-F]{17}$` for validating value of the EIPAllocation:

operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -477,6 +477,31 @@ spec:
477477
networkLoadBalancerParameters holds configuration parameters for an AWS
478478
network load balancer. Present only if type is NLB.
479479
properties:
480+
clientIPPreservationMode:
481+
description: |-
482+
clientIPPreservationMode specifies how client IP addresses are
483+
preserved by the load balancer.
484+
485+
Valid values are "Native" and "ProxyProtocol".
486+
487+
When set to "Native", the NLB uses AWS's native client IP preservation,
488+
which may cause hairpin connection failures for internal load balancers when
489+
connections are made from pods to router pods on the same node.
490+
491+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
492+
client IP addresses. This avoids hairpin connection failures.
493+
494+
When omitted, this means the user has no opinion and the value is left
495+
to the platform to choose a good default, which is subject to change
496+
over time. The current default is "ProxyProtocol".
497+
498+
Note that changing this field may cause brief connection failures during
499+
the transition as the NLB attribute change and router rollout occur
500+
independently.
501+
enum:
502+
- Native
503+
- ProxyProtocol
504+
type: string
480505
eipAllocations:
481506
description: |-
482507
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that
@@ -2749,6 +2774,31 @@ spec:
27492774
networkLoadBalancerParameters holds configuration parameters for an AWS
27502775
network load balancer. Present only if type is NLB.
27512776
properties:
2777+
clientIPPreservationMode:
2778+
description: |-
2779+
clientIPPreservationMode specifies how client IP addresses are
2780+
preserved by the load balancer.
2781+
2782+
Valid values are "Native" and "ProxyProtocol".
2783+
2784+
When set to "Native", the NLB uses AWS's native client IP preservation,
2785+
which may cause hairpin connection failures for internal load balancers when
2786+
connections are made from pods to router pods on the same node.
2787+
2788+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
2789+
client IP addresses. This avoids hairpin connection failures.
2790+
2791+
When omitted, this means the user has no opinion and the value is left
2792+
to the platform to choose a good default, which is subject to change
2793+
over time. The current default is "ProxyProtocol".
2794+
2795+
Note that changing this field may cause brief connection failures during
2796+
the transition as the NLB attribute change and router rollout occur
2797+
independently.
2798+
enum:
2799+
- Native
2800+
- ProxyProtocol
2801+
type: string
27522802
eipAllocations:
27532803
description: |-
27542804
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that

operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -477,6 +477,31 @@ spec:
477477
networkLoadBalancerParameters holds configuration parameters for an AWS
478478
network load balancer. Present only if type is NLB.
479479
properties:
480+
clientIPPreservationMode:
481+
description: |-
482+
clientIPPreservationMode specifies how client IP addresses are
483+
preserved by the load balancer.
484+
485+
Valid values are "Native" and "ProxyProtocol".
486+
487+
When set to "Native", the NLB uses AWS's native client IP preservation,
488+
which may cause hairpin connection failures for internal load balancers when
489+
connections are made from pods to router pods on the same node.
490+
491+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
492+
client IP addresses. This avoids hairpin connection failures.
493+
494+
When omitted, this means the user has no opinion and the value is left
495+
to the platform to choose a good default, which is subject to change
496+
over time. The current default is "ProxyProtocol".
497+
498+
Note that changing this field may cause brief connection failures during
499+
the transition as the NLB attribute change and router rollout occur
500+
independently.
501+
enum:
502+
- Native
503+
- ProxyProtocol
504+
type: string
480505
eipAllocations:
481506
description: |-
482507
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that
@@ -2718,6 +2743,31 @@ spec:
27182743
networkLoadBalancerParameters holds configuration parameters for an AWS
27192744
network load balancer. Present only if type is NLB.
27202745
properties:
2746+
clientIPPreservationMode:
2747+
description: |-
2748+
clientIPPreservationMode specifies how client IP addresses are
2749+
preserved by the load balancer.
2750+
2751+
Valid values are "Native" and "ProxyProtocol".
2752+
2753+
When set to "Native", the NLB uses AWS's native client IP preservation,
2754+
which may cause hairpin connection failures for internal load balancers when
2755+
connections are made from pods to router pods on the same node.
2756+
2757+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
2758+
client IP addresses. This avoids hairpin connection failures.
2759+
2760+
When omitted, this means the user has no opinion and the value is left
2761+
to the platform to choose a good default, which is subject to change
2762+
over time. The current default is "ProxyProtocol".
2763+
2764+
Note that changing this field may cause brief connection failures during
2765+
the transition as the NLB attribute change and router rollout occur
2766+
independently.
2767+
enum:
2768+
- Native
2769+
- ProxyProtocol
2770+
type: string
27212771
eipAllocations:
27222772
description: |-
27232773
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that

operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml

Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -477,6 +477,31 @@ spec:
477477
networkLoadBalancerParameters holds configuration parameters for an AWS
478478
network load balancer. Present only if type is NLB.
479479
properties:
480+
clientIPPreservationMode:
481+
description: |-
482+
clientIPPreservationMode specifies how client IP addresses are
483+
preserved by the load balancer.
484+
485+
Valid values are "Native" and "ProxyProtocol".
486+
487+
When set to "Native", the NLB uses AWS's native client IP preservation,
488+
which may cause hairpin connection failures for internal load balancers when
489+
connections are made from pods to router pods on the same node.
490+
491+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
492+
client IP addresses. This avoids hairpin connection failures.
493+
494+
When omitted, this means the user has no opinion and the value is left
495+
to the platform to choose a good default, which is subject to change
496+
over time. The current default is "ProxyProtocol".
497+
498+
Note that changing this field may cause brief connection failures during
499+
the transition as the NLB attribute change and router rollout occur
500+
independently.
501+
enum:
502+
- Native
503+
- ProxyProtocol
504+
type: string
480505
eipAllocations:
481506
description: |-
482507
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that
@@ -2749,6 +2774,31 @@ spec:
27492774
networkLoadBalancerParameters holds configuration parameters for an AWS
27502775
network load balancer. Present only if type is NLB.
27512776
properties:
2777+
clientIPPreservationMode:
2778+
description: |-
2779+
clientIPPreservationMode specifies how client IP addresses are
2780+
preserved by the load balancer.
2781+
2782+
Valid values are "Native" and "ProxyProtocol".
2783+
2784+
When set to "Native", the NLB uses AWS's native client IP preservation,
2785+
which may cause hairpin connection failures for internal load balancers when
2786+
connections are made from pods to router pods on the same node.
2787+
2788+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
2789+
client IP addresses. This avoids hairpin connection failures.
2790+
2791+
When omitted, this means the user has no opinion and the value is left
2792+
to the platform to choose a good default, which is subject to change
2793+
over time. The current default is "ProxyProtocol".
2794+
2795+
Note that changing this field may cause brief connection failures during
2796+
the transition as the NLB attribute change and router rollout occur
2797+
independently.
2798+
enum:
2799+
- Native
2800+
- ProxyProtocol
2801+
type: string
27522802
eipAllocations:
27532803
description: |-
27542804
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that

0 commit comments

Comments
 (0)