
Commit 4f32483

gcs278 and claude committed
OCPBUGS-63219: Support clientIPPreservationMode for AWS NLB
Consume the new clientIPPreservationMode field on AWSNetworkLoadBalancerParameters to control how client IP addresses are preserved by NLBs.

When set to ProxyProtocol, the operator configures the NLB target group with preserve_client_ip.enabled=false and proxy_protocol_v2.enabled=true via the target-group-attributes Service annotation. It also sets ROUTER_USE_PROXY_PROTOCOL=true on the router deployment so HAProxy parses PROXY protocol headers. This avoids hairpin connection failures on internal NLBs.

When set to Native (or omitted on existing IngressControllers), the NLB uses AWS's native client IP preservation, which is the current default behavior.

New IngressControllers default to ProxyProtocol via controller-managed defaulting in setDefaultProviderParameters, gated with !alreadyAdmitted so that existing IngressControllers are not modified on upgrade.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 961ac21 commit 4f32483

60 files changed

Lines changed: 3362 additions & 1488 deletions


go.mod

Lines changed: 2 additions & 0 deletions
@@ -225,3 +225,5 @@ replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5
225225
// Use OSSM 3.3.1 for Sail Library integration.
226226
// Replace needed because the fork keeps upstream module name for compatibility.
227227
replace github.com/istio-ecosystem/sail-operator => github.com/openshift-service-mesh/sail-operator v0.0.0-20260327145107-d4059b965c68
228+
229+
replace github.com/openshift/api => github.com/gcs278/api v0.0.0-20260429000454-cff0427099ea
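Review bot: the new replace directive points github.com/openshift/api at a personal fork (github.com/gcs278/api) pinned to a pseudo-version, and nothing in the file says why or when it goes away; that must not survive to a merged commit, because it silently swaps the API module the whole operator builds against for code hosted outside the openshift org. Add a comment above the replace naming the upstream openshift/api change that introduces clientIPPreservationMode (the existing sail-operator replace two lines up shows the convention), and plan to drop the replace, together with the matching go.sum entries, as soon as that change merges and the openshift/api dependency is bumped to a version that carries the field.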

go.sum

Lines changed: 2 additions & 2 deletions
@@ -179,6 +179,8 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
179179
github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
180180
github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
181181
github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
182+
github.com/gcs278/api v0.0.0-20260429000454-cff0427099ea h1:eFEpRHG2JZcHQZ8VpqXvnAgRaWyFWbystXFMD/m/Ckw=
183+
github.com/gcs278/api v0.0.0-20260429000454-cff0427099ea/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
182184
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
183185
github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
184186
github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
@@ -497,8 +499,6 @@ github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJw
497499
github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
498500
github.com/openshift-service-mesh/sail-operator v0.0.0-20260327145107-d4059b965c68 h1:qbJWOmvwtzZJT6u7b2HHMF3g0wWvbcYmv9keKcJlb+k=
499501
github.com/openshift-service-mesh/sail-operator v0.0.0-20260327145107-d4059b965c68/go.mod h1:l5/9fIFLMnrArPGvg49DBrWZzi8LojS5OcGe9nJeeI4=
500-
github.com/openshift/api v0.0.0-20260327065519-582dc3d316b7 h1:7AmoMSqTryaZu65nij6EACe8+DmlMlmR1giaUx5S5sQ=
501-
github.com/openshift/api v0.0.0-20260327065519-582dc3d316b7/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=
502502
github.com/openshift/client-go v0.0.0-20260317180604-743f664b82d1 h1:Hr/R38eg5ZJXfbiaHumjJIN1buDZwhsm4ys4npVCXH0=
503503
github.com/openshift/client-go v0.0.0-20260317180604-743f664b82d1/go.mod h1:Za51LlH76ALiQ/aKGBYJXmyJNkA//IDJ+I///30CA2M=
504504
github.com/openshift/library-go v0.0.0-20251021141706-f489e811f030 h1:dbv8ZYDWIl22A5WBjQJTKeENM08f8HwMBuv8glDXO/0=
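Review bot: this hunk removes the checksums for github.com/openshift/api v0.0.0-20260327065519-582dc3d316b7 while the first hunk adds them for the gcs278/api fork; together they are the go.sum half of the temporary replace in go.mod and should be reverted in the same commit that removes it, rather than lingering as a fork pin once the real dependency is bumped. One detail worth noting for whoever verifies the fork: its go.mod hash (h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo=) is identical to the removed openshift/api go.mod hash, so the fork changes package contents only, not the module's dependency graph.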

manifests/00-custom-resource-definition-CustomNoUpgrade.yaml

Lines changed: 50 additions & 0 deletions
@@ -477,6 +477,31 @@ spec:
477477
networkLoadBalancerParameters holds configuration parameters for an AWS
478478
network load balancer. Present only if type is NLB.
479479
properties:
480+
clientIPPreservationMode:
481+
description: |-
482+
clientIPPreservationMode specifies how client IP addresses are
483+
preserved by the load balancer.
484+
485+
Valid values are "Native" and "ProxyProtocol".
486+
487+
When set to "Native", the NLB uses AWS's native client IP preservation,
488+
which may cause hairpin connection failures for internal load balancers when
489+
connections are made from pods to router pods on the same node.
490+
491+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
492+
client IP addresses. This avoids hairpin connection failures.
493+
494+
When omitted, this means the user has no opinion and the value is left
495+
to the platform to choose a good default, which is subject to change
496+
over time. The current default is "ProxyProtocol".
497+
498+
Note that changing this field may cause brief connection failures during
499+
the transition as the NLB attribute change and router rollout occur
500+
independently.
501+
enum:
502+
- Native
503+
- ProxyProtocol
504+
type: string
480505
eipAllocations:
481506
description: |-
482507
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that
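Review bot: the "When omitted" paragraph is inconsistent with the behaviour described in the commit message. The description says the current default is "ProxyProtocol", but the commit message says defaulting is gated with !alreadyAdmitted, so an IngressController that already exists and omits the field keeps Native after the upgrade, and only new IngressControllers get ProxyProtocol. A user reading the CRD alone would conclude that an existing NLB IngressController with no value set is already on PROXY protocol, which it is not. Suggest spelling it out, for example: "The current default for new IngressControllers is ProxyProtocol; IngressControllers admitted before this field existed keep Native when the field is omitted."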
@@ -2749,6 +2774,31 @@ spec:
27492774
networkLoadBalancerParameters holds configuration parameters for an AWS
27502775
network load balancer. Present only if type is NLB.
27512776
properties:
2777+
clientIPPreservationMode:
2778+
description: |-
2779+
clientIPPreservationMode specifies how client IP addresses are
2780+
preserved by the load balancer.
2781+
2782+
Valid values are "Native" and "ProxyProtocol".
2783+
2784+
When set to "Native", the NLB uses AWS's native client IP preservation,
2785+
which may cause hairpin connection failures for internal load balancers when
2786+
connections are made from pods to router pods on the same node.
2787+
2788+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
2789+
client IP addresses. This avoids hairpin connection failures.
2790+
2791+
When omitted, this means the user has no opinion and the value is left
2792+
to the platform to choose a good default, which is subject to change
2793+
over time. The current default is "ProxyProtocol".
2794+
2795+
Note that changing this field may cause brief connection failures during
2796+
the transition as the NLB attribute change and router rollout occur
2797+
independently.
2798+
enum:
2799+
- Native
2800+
- ProxyProtocol
2801+
type: string
27522802
eipAllocations:
27532803
description: |-
27542804
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that
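Review bot: the description documents only the NLB side of ProxyProtocol mode. Per the commit message, selecting it also sets ROUTER_USE_PROXY_PROTOCOL=true on the router deployment so HAProxy parses PROXY protocol headers, which means the client address HAProxy logs and applies policy to is taken from that header on every connection to the router listener, and HAProxy will expect the header on connections that reach it without passing through the NLB. Since this field is the user-facing switch for that behaviour, the description should state the router-side effect in one sentence so operators know that switching modes changes what the router treats as the client address, not just an NLB target group attribute.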

manifests/00-custom-resource-definition-DevPreviewNoUpgrade.yaml

Lines changed: 50 additions & 0 deletions
@@ -477,6 +477,31 @@ spec:
477477
networkLoadBalancerParameters holds configuration parameters for an AWS
478478
network load balancer. Present only if type is NLB.
479479
properties:
480+
clientIPPreservationMode:
481+
description: |-
482+
clientIPPreservationMode specifies how client IP addresses are
483+
preserved by the load balancer.
484+
485+
Valid values are "Native" and "ProxyProtocol".
486+
487+
When set to "Native", the NLB uses AWS's native client IP preservation,
488+
which may cause hairpin connection failures for internal load balancers when
489+
connections are made from pods to router pods on the same node.
490+
491+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
492+
client IP addresses. This avoids hairpin connection failures.
493+
494+
When omitted, this means the user has no opinion and the value is left
495+
to the platform to choose a good default, which is subject to change
496+
over time. The current default is "ProxyProtocol".
497+
498+
Note that changing this field may cause brief connection failures during
499+
the transition as the NLB attribute change and router rollout occur
500+
independently.
501+
enum:
502+
- Native
503+
- ProxyProtocol
504+
type: string
480505
eipAllocations:
481506
description: |-
482507
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that
@@ -2749,6 +2774,31 @@ spec:
27492774
networkLoadBalancerParameters holds configuration parameters for an AWS
27502775
network load balancer. Present only if type is NLB.
27512776
properties:
2777+
clientIPPreservationMode:
2778+
description: |-
2779+
clientIPPreservationMode specifies how client IP addresses are
2780+
preserved by the load balancer.
2781+
2782+
Valid values are "Native" and "ProxyProtocol".
2783+
2784+
When set to "Native", the NLB uses AWS's native client IP preservation,
2785+
which may cause hairpin connection failures for internal load balancers when
2786+
connections are made from pods to router pods on the same node.
2787+
2788+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
2789+
client IP addresses. This avoids hairpin connection failures.
2790+
2791+
When omitted, this means the user has no opinion and the value is left
2792+
to the platform to choose a good default, which is subject to change
2793+
over time. The current default is "ProxyProtocol".
2794+
2795+
Note that changing this field may cause brief connection failures during
2796+
the transition as the NLB attribute change and router rollout occur
2797+
independently.
2798+
enum:
2799+
- Native
2800+
- ProxyProtocol
2801+
type: string
27522802
eipAllocations:
27532803
description: |-
27542804
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that

manifests/00-custom-resource-definition-OKD.yaml

Lines changed: 50 additions & 0 deletions
@@ -477,6 +477,31 @@ spec:
477477
networkLoadBalancerParameters holds configuration parameters for an AWS
478478
network load balancer. Present only if type is NLB.
479479
properties:
480+
clientIPPreservationMode:
481+
description: |-
482+
clientIPPreservationMode specifies how client IP addresses are
483+
preserved by the load balancer.
484+
485+
Valid values are "Native" and "ProxyProtocol".
486+
487+
When set to "Native", the NLB uses AWS's native client IP preservation,
488+
which may cause hairpin connection failures for internal load balancers when
489+
connections are made from pods to router pods on the same node.
490+
491+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
492+
client IP addresses. This avoids hairpin connection failures.
493+
494+
When omitted, this means the user has no opinion and the value is left
495+
to the platform to choose a good default, which is subject to change
496+
over time. The current default is "ProxyProtocol".
497+
498+
Note that changing this field may cause brief connection failures during
499+
the transition as the NLB attribute change and router rollout occur
500+
independently.
501+
enum:
502+
- Native
503+
- ProxyProtocol
504+
type: string
480505
eipAllocations:
481506
description: |-
482507
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that
@@ -2718,6 +2743,31 @@ spec:
27182743
networkLoadBalancerParameters holds configuration parameters for an AWS
27192744
network load balancer. Present only if type is NLB.
27202745
properties:
2746+
clientIPPreservationMode:
2747+
description: |-
2748+
clientIPPreservationMode specifies how client IP addresses are
2749+
preserved by the load balancer.
2750+
2751+
Valid values are "Native" and "ProxyProtocol".
2752+
2753+
When set to "Native", the NLB uses AWS's native client IP preservation,
2754+
which may cause hairpin connection failures for internal load balancers when
2755+
connections are made from pods to router pods on the same node.
2756+
2757+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
2758+
client IP addresses. This avoids hairpin connection failures.
2759+
2760+
When omitted, this means the user has no opinion and the value is left
2761+
to the platform to choose a good default, which is subject to change
2762+
over time. The current default is "ProxyProtocol".
2763+
2764+
Note that changing this field may cause brief connection failures during
2765+
the transition as the NLB attribute change and router rollout occur
2766+
independently.
2767+
enum:
2768+
- Native
2769+
- ProxyProtocol
2770+
type: string
27212771
eipAllocations:
27222772
description: |-
27232773
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that

manifests/00-custom-resource-definition-TechPreviewNoUpgrade.yaml

Lines changed: 50 additions & 0 deletions
@@ -477,6 +477,31 @@ spec:
477477
networkLoadBalancerParameters holds configuration parameters for an AWS
478478
network load balancer. Present only if type is NLB.
479479
properties:
480+
clientIPPreservationMode:
481+
description: |-
482+
clientIPPreservationMode specifies how client IP addresses are
483+
preserved by the load balancer.
484+
485+
Valid values are "Native" and "ProxyProtocol".
486+
487+
When set to "Native", the NLB uses AWS's native client IP preservation,
488+
which may cause hairpin connection failures for internal load balancers when
489+
connections are made from pods to router pods on the same node.
490+
491+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
492+
client IP addresses. This avoids hairpin connection failures.
493+
494+
When omitted, this means the user has no opinion and the value is left
495+
to the platform to choose a good default, which is subject to change
496+
over time. The current default is "ProxyProtocol".
497+
498+
Note that changing this field may cause brief connection failures during
499+
the transition as the NLB attribute change and router rollout occur
500+
independently.
501+
enum:
502+
- Native
503+
- ProxyProtocol
504+
type: string
480505
eipAllocations:
481506
description: |-
482507
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that
@@ -2749,6 +2774,31 @@ spec:
27492774
networkLoadBalancerParameters holds configuration parameters for an AWS
27502775
network load balancer. Present only if type is NLB.
27512776
properties:
2777+
clientIPPreservationMode:
2778+
description: |-
2779+
clientIPPreservationMode specifies how client IP addresses are
2780+
preserved by the load balancer.
2781+
2782+
Valid values are "Native" and "ProxyProtocol".
2783+
2784+
When set to "Native", the NLB uses AWS's native client IP preservation,
2785+
which may cause hairpin connection failures for internal load balancers when
2786+
connections are made from pods to router pods on the same node.
2787+
2788+
When set to "ProxyProtocol", the NLB uses PROXY protocol v2 to preserve
2789+
client IP addresses. This avoids hairpin connection failures.
2790+
2791+
When omitted, this means the user has no opinion and the value is left
2792+
to the platform to choose a good default, which is subject to change
2793+
over time. The current default is "ProxyProtocol".
2794+
2795+
Note that changing this field may cause brief connection failures during
2796+
the transition as the NLB attribute change and router rollout occur
2797+
independently.
2798+
enum:
2799+
- Native
2800+
- ProxyProtocol
2801+
type: string
27522802
eipAllocations:
27532803
description: |-
27542804
eipAllocations is a list of IDs for Elastic IP (EIP) addresses that
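Review bot: this hunk carries the same clientIPPreservationMode description text as the other three manifests in this commit (CustomNoUpgrade, DevPreviewNoUpgrade and OKD), so any wording revision to the field description has to be applied to all four copies; if these files are regenerated from the API types, make the change at the source and regenerate rather than editing the manifests by hand, so the copies do not drift.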
