diff --git a/openapi/generated_openapi/zz_generated.openapi.go b/openapi/generated_openapi/zz_generated.openapi.go index b7baccfd0d2..a76f1ad42d8 100644 --- a/openapi/generated_openapi/zz_generated.openapi.go +++ b/openapi/generated_openapi/zz_generated.openapi.go @@ -51777,6 +51777,13 @@ func schema_openshift_api_operator_v1_AWSNetworkLoadBalancerParameters(ref commo }, }, }, + "protocol": { + SchemaProps: spec.SchemaProps{ + Description: "protocol specifies whether the Network Load Balancer uses PROXY protocol to forward connections to the IngressController.\n\nWhen set to \"TCP\", the NLB uses AWS's native client IP preservation. This may cause hairpin connection failures for internal load balancers when connections are made from pods to router pods on the same node.\n\nWhen set to \"PROXY\", the NLB disables native client IP preservation and uses PROXY protocol v2. The IngressController enables PROXY protocol on HAProxy so that it can parse PROXY protocol headers to obtain the original client IP. This avoids hairpin connection failures.\n\nThe following values are valid for this field:\n\n* The empty string. * \"TCP\". * \"PROXY\".\n\nWhen omitted, this means the user has no opinion and the value is left to the platform to choose a default, which is subject to change over time. The current default is \"PROXY\".\n\nNote that changing this field may cause brief connection failures during the transition as the NLB attribute change and router rollout occur independently.", + Type: []string{"string"}, + Format: "", + }, + }, }, }, }, diff --git a/operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml index 8ebe48b6de6..ee2c09923af 100644 --- a/operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml +++ b/operator/v1/tests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml 
@@ -738,6 +738,138 @@ tests: spec: domain: "this-domain.has-208-characters.which-on.its-own-would-not-exceed.the-limit-of-253-chars.but-combined-with-the-ingress-controller-name.with-40-chars.and-the-router-prefix.ends-up-as-a-too-long.canonical-domain" expectedError: "The combined 'router-' + metadata.name + '.' + .spec.domain cannot exceed 253 characters" + - name: Should be able to create an NLB IngressController with PROXY protocol + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: nlb-proxy + namespace: openshift-ingress-operator + spec: + endpointPublishingStrategy: + type: LoadBalancerService + loadBalancer: + scope: External + providerParameters: + type: AWS + aws: + type: NLB + networkLoadBalancer: + protocol: PROXY + expected: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: nlb-proxy + namespace: openshift-ingress-operator + spec: + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + closedClientConnectionPolicy: Continue + endpointPublishingStrategy: + type: LoadBalancerService + loadBalancer: + dnsManagementPolicy: Managed + scope: External + providerParameters: + type: AWS + aws: + type: NLB + networkLoadBalancer: + protocol: PROXY + - name: Should be able to create an NLB IngressController with TCP protocol + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: nlb-tcp + namespace: openshift-ingress-operator + spec: + endpointPublishingStrategy: + type: LoadBalancerService + loadBalancer: + scope: External + providerParameters: + type: AWS + aws: + type: NLB + networkLoadBalancer: + protocol: TCP + expected: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: nlb-tcp + namespace: openshift-ingress-operator + spec: + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + closedClientConnectionPolicy: Continue + endpointPublishingStrategy: 
+ type: LoadBalancerService + loadBalancer: + dnsManagementPolicy: Managed + scope: External + providerParameters: + type: AWS + aws: + type: NLB + networkLoadBalancer: + protocol: TCP + - name: Should be able to create an NLB IngressController without protocol + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: nlb-no-protocol + namespace: openshift-ingress-operator + spec: + endpointPublishingStrategy: + type: LoadBalancerService + loadBalancer: + scope: External + providerParameters: + type: AWS + aws: + type: NLB + expected: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: nlb-no-protocol + namespace: openshift-ingress-operator + spec: + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + closedClientConnectionPolicy: Continue + endpointPublishingStrategy: + type: LoadBalancerService + loadBalancer: + dnsManagementPolicy: Managed + scope: External + providerParameters: + type: AWS + aws: + type: NLB + - name: Should not allow an invalid protocol value on NLB + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: nlb-invalid + namespace: openshift-ingress-operator + spec: + endpointPublishingStrategy: + type: LoadBalancerService + loadBalancer: + scope: External + providerParameters: + type: AWS + aws: + type: NLB + networkLoadBalancer: + protocol: Invalid + expectedError: "Unsupported value: \"Invalid\": supported values: \"\", \"TCP\", \"PROXY\"" onUpdate: - name: Should be able to update invalid domain to a valid domain initialCRDPatches: 
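Review bot: The new onCreate cases cover `PROXY`, `TCP`, an omitted field and an invalid value, but not an explicit empty string, which the field's enum (visible in the CRD hunks of this commit) lists as valid and the type comment describes as "no opinion". A further case with `protocol: ""` in the initial object would pin whether the empty string round-trips into `expected` or is dropped, which matters because the Go field is a pointer with `omitempty`, so a nil pointer and a pointer to `""` serialize differently. That case would also document that `""` in the error text of `Should not allow an invalid protocol value on NLB` is a genuinely accepted input rather than an artifact of the enum listing.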
@@ -830,3 +962,63 @@ tests: closedClientConnectionPolicy: Continue domain: "*.foo.com" replicas: 3 + - name: NLB protocol should be mutable + initial: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: nlb-mutable + namespace: openshift-ingress-operator + spec: + endpointPublishingStrategy: + type: LoadBalancerService + loadBalancer: + scope: External + providerParameters: + type: AWS + aws: + type: NLB + networkLoadBalancer: + protocol: TCP + updated: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: nlb-mutable + namespace: openshift-ingress-operator + spec: + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + closedClientConnectionPolicy: Continue + endpointPublishingStrategy: + type: LoadBalancerService + loadBalancer: + dnsManagementPolicy: Managed + scope: External + providerParameters: + type: AWS + aws: + type: NLB + networkLoadBalancer: + protocol: PROXY + expected: | + apiVersion: operator.openshift.io/v1 + kind: IngressController + metadata: + name: nlb-mutable + namespace: openshift-ingress-operator + spec: + httpEmptyRequestsPolicy: Respond + idleConnectionTerminationPolicy: Immediate + closedClientConnectionPolicy: Continue + endpointPublishingStrategy: + type: LoadBalancerService + loadBalancer: + dnsManagementPolicy: Managed + scope: External + providerParameters: + type: AWS + aws: + type: NLB + networkLoadBalancer: + protocol: PROXY diff --git a/operator/v1/types_ingress.go b/operator/v1/types_ingress.go index 0c5cf919e15..cb373a99ffc 100644 --- a/operator/v1/types_ingress.go +++ b/operator/v1/types_ingress.go 
@@ -898,6 +898,37 @@ type AWSNetworkLoadBalancerParameters struct {
 // +kubebuilder:validation:XValidation:rule=`self.all(x, self.exists_one(y, x == y))`,message="eipAllocations cannot contain duplicates"
 // +kubebuilder:validation:MaxItems=10
 EIPAllocations []EIPAllocation `json:"eipAllocations"`
+
+ // protocol specifies whether the Network Load Balancer uses PROXY
+ // protocol to forward connections to the IngressController.
+ //
+ // When set to "TCP", the NLB uses AWS's native client IP preservation.
+ // This may cause hairpin connection failures for internal load
+ // balancers when connections are made from pods to router pods on
+ // the same node.
+ //
+ // When set to "PROXY", the NLB disables native client IP preservation
+ // and uses PROXY protocol v2. The IngressController enables PROXY
+ // protocol on HAProxy so that it can parse PROXY protocol headers to
+ // obtain the original client IP. This avoids hairpin connection
+ // failures.
+ //
+ // The following values are valid for this field:
+ //
+ // * The empty string.
+ // * "TCP".
+ // * "PROXY".
+ //
+ // When omitted, this means the user has no opinion and the value is
+ // left to the platform to choose a default, which is subject to
+ // change over time. The current default is "PROXY".
+ //
+ // Note that changing this field may cause brief connection failures
+ // during the transition as the NLB attribute change and router rollout
+ // occur independently.
+ //
+ // +optional
+ Protocol *IngressControllerProtocol `json:"protocol,omitempty"`
 }
 
 // EIPAllocation is an ID for an Elastic IP (EIP) address that can be allocated to an ELB in the AWS environment.
diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml
index fdf10772dd8..63592b77af4 100644
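Review bot: The doc comment on `Protocol` does not state the trust consequence of the PROXY setting: once HAProxy parses PROXY protocol headers, the client IP it reports is whatever the sender of the header claims, so the router endpoints must be reachable only through the NLB that injects those headers, or source-IP-based policies and access logs can be fed a forged address. I would add to the "PROXY" paragraph: `// Because HAProxy then takes the client IP from the PROXY protocol header, the` / `// router must only accept connections that arrive through the NLB; source-IP` / `// based policies and logs otherwise cannot be trusted.` The restriction to "", "TCP" and "PROXY" that the generated CRDs in this commit carry is not declared in this hunk, so it presumably lives on the IngressControllerProtocol type elsewhere; naming that type's enum in the comment would let readers verify it without searching. The AWSNetworkLoadBalancerParameters struct begins outside the hunk.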
--- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-CustomNoUpgrade.crd.yaml @@ -512,6 +512,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will 
@@ -2784,6 +2818,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml index 97c3ca8c401..416bae41ca5 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-Default.crd.yaml 
@@ -512,6 +512,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will 
@@ -2753,6 +2787,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml index 89c366cda45..48ba4ddb59b 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-DevPreviewNoUpgrade.crd.yaml 
@@ -512,6 +512,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will 
@@ -2784,6 +2818,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml index 535ddf0bc87..de3be8f2f3b 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-OKD.crd.yaml 
@@ -512,6 +512,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will 
@@ -2753,6 +2787,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will diff --git a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml index 2fbc3cd4e39..c287279d585 100644 --- a/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml +++ b/operator/v1/zz_generated.crd-manifests/0000_50_ingress_00_ingresscontrollers-TechPreviewNoUpgrade.crd.yaml 
@@ -512,6 +512,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will 
@@ -2784,6 +2818,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will diff --git a/operator/v1/zz_generated.deepcopy.go b/operator/v1/zz_generated.deepcopy.go index 3d3c8f4f825..0deb4fe6fff 100644 --- a/operator/v1/zz_generated.deepcopy.go +++ b/operator/v1/zz_generated.deepcopy.go @@ -132,6 +132,11 @@ func (in *AWSNetworkLoadBalancerParameters) DeepCopyInto(out *AWSNetworkLoadBala *out = make([]EIPAllocation, len(*in)) copy(*out, *in) } + if in.Protocol != nil { + in, out := &in.Protocol, &out.Protocol + *out = new(IngressControllerProtocol) + **out = **in + } return } 
diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml index db97e59b3f6..a4053c7622f 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml +++ b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/AAA_ungated.yaml @@ -512,6 +512,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will 
@@ -2735,6 +2769,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will diff --git a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerDynamicConfigurationManager.yaml b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerDynamicConfigurationManager.yaml index 883dd6d1ecb..d47238daa0b 100644 --- a/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerDynamicConfigurationManager.yaml 
+++ b/operator/v1/zz_generated.featuregated-crd-manifests/ingresscontrollers.operator.openshift.io/IngressControllerDynamicConfigurationManager.yaml @@ -512,6 +512,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will 
@@ -2766,6 +2800,40 @@ spec: x-kubernetes-validations: - message: eipAllocations cannot contain duplicates rule: self.all(x, self.exists_one(y, x == y)) + protocol: + description: |- + protocol specifies whether the Network Load Balancer uses PROXY + protocol to forward connections to the IngressController. + + When set to "TCP", the NLB uses AWS's native client IP preservation. + This may cause hairpin connection failures for internal load + balancers when connections are made from pods to router pods on + the same node. + + When set to "PROXY", the NLB disables native client IP preservation + and uses PROXY protocol v2. The IngressController enables PROXY + protocol on HAProxy so that it can parse PROXY protocol headers to + obtain the original client IP. This avoids hairpin connection + failures. + + The following values are valid for this field: + + * The empty string. + * "TCP". + * "PROXY". + + When omitted, this means the user has no opinion and the value is + left to the platform to choose a default, which is subject to + change over time. The current default is "PROXY". + + Note that changing this field may cause brief connection failures + during the transition as the NLB attribute change and router rollout + occur independently. + enum: + - "" + - TCP + - PROXY + type: string subnets: description: |- subnets specifies the subnets to which the load balancer will diff --git a/operator/v1/zz_generated.swagger_doc_generated.go b/operator/v1/zz_generated.swagger_doc_generated.go index c3ed726028d..5d1ea0bc692 100644 --- a/operator/v1/zz_generated.swagger_doc_generated.go +++ b/operator/v1/zz_generated.swagger_doc_generated.go 
@@ -830,6 +830,7 @@ var map_AWSNetworkLoadBalancerParameters = map[string]string{ "": "AWSNetworkLoadBalancerParameters holds configuration parameters for an AWS Network load balancer. For Example: Setting AWS EIPs https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html", "subnets": "subnets specifies the subnets to which the load balancer will attach. The subnets may be specified by either their ID or name. The total number of subnets is limited to 10.\n\nIn order for the load balancer to be provisioned with subnets, each subnet must exist, each subnet must be from a different availability zone, and the load balancer service must be recreated to pick up new values.\n\nWhen omitted from the spec, the subnets will be auto-discovered for each availability zone. Auto-discovered subnets are not reported in the status of the IngressController object.", "eipAllocations": "eipAllocations is a list of IDs for Elastic IP (EIP) addresses that are assigned to the Network Load Balancer. The following restrictions apply:\n\neipAllocations can only be used with external scope, not internal. An EIP can be allocated to only a single IngressController. The number of EIP allocations must match the number of subnets that are used for the load balancer. Each EIP allocation must be unique. A maximum of 10 EIP allocations are permitted.\n\nSee https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html for general information about configuration, characteristics, and limitations of Elastic IP addresses.", + "protocol": "protocol specifies whether the Network Load Balancer uses PROXY protocol to forward connections to the IngressController.\n\nWhen set to \"TCP\", the NLB uses AWS's native client IP preservation. 
This may cause hairpin connection failures for internal load balancers when connections are made from pods to router pods on the same node.\n\nWhen set to \"PROXY\", the NLB disables native client IP preservation and uses PROXY protocol v2. The IngressController enables PROXY protocol on HAProxy so that it can parse PROXY protocol headers to obtain the original client IP. This avoids hairpin connection failures.\n\nThe following values are valid for this field:\n\n* The empty string. * \"TCP\". * \"PROXY\".\n\nWhen omitted, this means the user has no opinion and the value is left to the platform to choose a default, which is subject to change over time. The current default is \"PROXY\".\n\nNote that changing this field may cause brief connection failures during the transition as the NLB attribute change and router rollout occur independently.", } func (AWSNetworkLoadBalancerParameters) SwaggerDoc() map[string]string {