Merge pull request openshift#581 from Miciah/NE-553-implement-PROXY-p…

…rotocol-API

NE-553: Implement the PROXY protocol API

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/imdario/mergo v0.3.10 // indirect
 	github.com/kevinburke/go-bindata v3.11.0+incompatible
 	github.com/onsi/ginkgo v1.14.0 // indirect
-	github.com/openshift/api v0.0.0-20210319173601-ab6d2da2c3ef
+	github.com/openshift/api v0.0.0-20210325163602-e37aaed4c278
 	github.com/openshift/library-go v0.0.0-20200423123937-d1360419413d
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.7.1

go.sum

@@ -473,8 +473,8 @@ github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zM
 github.com/opencontainers/runc v0.0.0-20191031171055-b133feaeeb2e/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
 github.com/openshift/api v0.0.0-20200326152221-912866ddb162/go.mod h1:RKMJ5CBnljLfnej+BJ/xnOWc3kZDvJUaIAEq2oKSPtE=
 github.com/openshift/api v0.0.0-20200326160804-ecb9283fe820/go.mod h1:RKMJ5CBnljLfnej+BJ/xnOWc3kZDvJUaIAEq2oKSPtE=
-github.com/openshift/api v0.0.0-20210319173601-ab6d2da2c3ef h1:vPNGjH9vmJJZYitIwpnJS6hHHb+lMCB3af+miA68y6I=
-github.com/openshift/api v0.0.0-20210319173601-ab6d2da2c3ef/go.mod h1:aqU5Cq+kqKKPbDMqxo9FojgDeSpNJI7iuskjXjtojDg=
+github.com/openshift/api v0.0.0-20210325163602-e37aaed4c278 h1:v36R7Yzq/CvWnYaPM+eh09ffZtmURq0k6gLmyhxOc3c=
+github.com/openshift/api v0.0.0-20210325163602-e37aaed4c278/go.mod h1:aqU5Cq+kqKKPbDMqxo9FojgDeSpNJI7iuskjXjtojDg=
 github.com/openshift/build-machinery-go v0.0.0-20200211121458-5e3d6e570160/go.mod h1:1CkcsT3aVebzRBzVTSbiKSkJMsC/CASqxesfqEMfJEc=
 github.com/openshift/build-machinery-go v0.0.0-20200917070002-f171684f77ab/go.mod h1:b1BuldmJlbA/xYtdZvKi+7j5YGB44qJUJDZ9zwiNCfE=
 github.com/openshift/client-go v0.0.0-20200326155132-2a6cd50aedd0/go.mod h1:uUQ4LClRO+fg5MF/P6QxjMCb1C9f7Oh4RKepftDnEJE=

manifests/00-custom-resource-definition.yaml

@@ -93,6 +93,30 @@ spec:
                   hostNetwork:
                     description: hostNetwork holds parameters for the HostNetwork
                       endpoint publishing strategy. Present only if type is HostNetwork.
+                    properties:
+                      protocol:
+                        description: "protocol specifies whether the IngressController
+                          expects incoming connections to use plain TCP or whether
+                          the IngressController expects PROXY protocol. \n PROXY protocol
+                          can be used with load balancers that support it to communicate
+                          the source addresses of client connections when forwarding
+                          those connections to the IngressController.  Using PROXY
+                          protocol enables the IngressController to report those source
+                          addresses instead of reporting the load balancer's address
+                          in HTTP headers and logs.  Note that enabling PROXY protocol
+                          on the IngressController will cause connections to fail
+                          if you are not using a load balancer that uses PROXY protocol
+                          to forward connections to the IngressController.  See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt
+                          for information about PROXY protocol. \n The following values
+                          are valid for this field: \n * The empty string. * \"TCP\".
+                          * \"PROXY\". \n The empty string specifies the default,
+                          which is TCP without PROXY protocol.  Note that the default
+                          is subject to change."
+                        enum:
+                        - ""
+                        - TCP
+                        - PROXY
+                        type: string
                     type: object
                   loadBalancer:
                     description: loadBalancer holds parameters for the load balancer.
@@ -189,6 +213,30 @@ spec:
                   nodePort:
                     description: nodePort holds parameters for the NodePortService
                       endpoint publishing strategy. Present only if type is NodePortService.
+                    properties:
+                      protocol:
+                        description: "protocol specifies whether the IngressController
+                          expects incoming connections to use plain TCP or whether
+                          the IngressController expects PROXY protocol. \n PROXY protocol
+                          can be used with load balancers that support it to communicate
+                          the source addresses of client connections when forwarding
+                          those connections to the IngressController.  Using PROXY
+                          protocol enables the IngressController to report those source
+                          addresses instead of reporting the load balancer's address
+                          in HTTP headers and logs.  Note that enabling PROXY protocol
+                          on the IngressController will cause connections to fail
+                          if you are not using a load balancer that uses PROXY protocol
+                          to forward connections to the IngressController.  See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt
+                          for information about PROXY protocol. \n The following values
+                          are valid for this field: \n * The empty string. * \"TCP\".
+                          * \"PROXY\". \n The empty string specifies the default,
+                          which is TCP without PROXY protocol.  Note that the default
+                          is subject to change."
+                        enum:
+                        - ""
+                        - TCP
+                        - PROXY
+                        type: string
                     type: object
                   private:
                     description: private holds parameters for the Private endpoint
@@ -958,6 +1006,30 @@ spec:
                   hostNetwork:
                     description: hostNetwork holds parameters for the HostNetwork
                       endpoint publishing strategy. Present only if type is HostNetwork.
+                    properties:
+                      protocol:
+                        description: "protocol specifies whether the IngressController
+                          expects incoming connections to use plain TCP or whether
+                          the IngressController expects PROXY protocol. \n PROXY protocol
+                          can be used with load balancers that support it to communicate
+                          the source addresses of client connections when forwarding
+                          those connections to the IngressController.  Using PROXY
+                          protocol enables the IngressController to report those source
+                          addresses instead of reporting the load balancer's address
+                          in HTTP headers and logs.  Note that enabling PROXY protocol
+                          on the IngressController will cause connections to fail
+                          if you are not using a load balancer that uses PROXY protocol
+                          to forward connections to the IngressController.  See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt
+                          for information about PROXY protocol. \n The following values
+                          are valid for this field: \n * The empty string. * \"TCP\".
+                          * \"PROXY\". \n The empty string specifies the default,
+                          which is TCP without PROXY protocol.  Note that the default
+                          is subject to change."
+                        enum:
+                        - ""
+                        - TCP
+                        - PROXY
+                        type: string
                     type: object
                   loadBalancer:
                     description: loadBalancer holds parameters for the load balancer.
@@ -1054,6 +1126,30 @@ spec:
                   nodePort:
                     description: nodePort holds parameters for the NodePortService
                       endpoint publishing strategy. Present only if type is NodePortService.
+                    properties:
+                      protocol:
+                        description: "protocol specifies whether the IngressController
+                          expects incoming connections to use plain TCP or whether
+                          the IngressController expects PROXY protocol. \n PROXY protocol
+                          can be used with load balancers that support it to communicate
+                          the source addresses of client connections when forwarding
+                          those connections to the IngressController.  Using PROXY
+                          protocol enables the IngressController to report those source
+                          addresses instead of reporting the load balancer's address
+                          in HTTP headers and logs.  Note that enabling PROXY protocol
+                          on the IngressController will cause connections to fail
+                          if you are not using a load balancer that uses PROXY protocol
+                          to forward connections to the IngressController.  See http://www.haproxy.org/download/2.2/doc/proxy-protocol.txt
+                          for information about PROXY protocol. \n The following values
+                          are valid for this field: \n * The empty string. * \"TCP\".
+                          * \"PROXY\". \n The empty string specifies the default,
+                          which is TCP without PROXY protocol.  Note that the default
+                          is subject to change."
+                        enum:
+                        - ""
+                        - TCP
+                        - PROXY
+                        type: string
                     type: object
                   private:
                     description: private holds parameters for the Private endpoint

pkg/operator/controller/ingress/controller.go

@@ -366,9 +366,19 @@ func setDefaultPublishingStrategy(ic *operatorv1.IngressController, infraConfig
 			}
 		}
 	case operatorv1.NodePortServiceStrategyType:
-		// No parameters.
+		if effectiveStrategy.NodePort == nil {
+			effectiveStrategy.NodePort = &operatorv1.NodePortStrategy{}
+		}
+		if effectiveStrategy.NodePort.Protocol == operatorv1.DefaultProtocol {
+			effectiveStrategy.NodePort.Protocol = operatorv1.TCPProtocol
+		}
 	case operatorv1.HostNetworkStrategyType:
-		// No parameters.
+		if effectiveStrategy.HostNetwork == nil {
+			effectiveStrategy.HostNetwork = &operatorv1.HostNetworkStrategy{}
+		}
+		if effectiveStrategy.HostNetwork.Protocol == operatorv1.DefaultProtocol {
+			effectiveStrategy.HostNetwork.Protocol = operatorv1.TCPProtocol
+		}
 	case operatorv1.PrivateStrategyType:
 		// No parameters.
 	}
@@ -386,6 +396,20 @@ func setDefaultPublishingStrategy(ic *operatorv1.IngressController, infraConfig
 		return true
 	}
 
+	// Update if PROXY protocol is turned on or off.
+	statusNP := ic.Status.EndpointPublishingStrategy.NodePort
+	specNP := effectiveStrategy.NodePort
+	if specNP != nil && statusNP != nil && specNP.Protocol != statusNP.Protocol {
+		statusNP.Protocol = specNP.Protocol
+		return true
+	}
+	statusHN := ic.Status.EndpointPublishingStrategy.HostNetwork
+	specHN := effectiveStrategy.HostNetwork
+	if specHN != nil && statusHN != nil && specHN.Protocol != statusHN.Protocol {
+		statusHN.Protocol = specHN.Protocol
+		return true
+	}
+
 	return false
 }
 
@@ -757,10 +781,11 @@ func IsProxyProtocolNeeded(ic *operatorv1.IngressController, platform *configv1.
 		return false, fmt.Errorf("platform status is missing; failed to determine if proxy protocol is needed for %s/%s",
 			ic.Namespace, ic.Name)
 	}
-	// For now, check if we are on AWS. This can really be done for for any external
-	// [cloud] LBs that support the proxy protocol.
-	if platform.Type == configv1.AWSPlatformType {
-		if ic.Status.EndpointPublishingStrategy.Type == operatorv1.LoadBalancerServiceStrategyType {
+	switch ic.Status.EndpointPublishingStrategy.Type {
+	case operatorv1.LoadBalancerServiceStrategyType:
+		// For now, check if we are on AWS. This can really be done for for any external
+		// [cloud] LBs that support the proxy protocol.
+		if platform.Type == configv1.AWSPlatformType {
 			if ic.Status.EndpointPublishingStrategy.LoadBalancer == nil ||
 				ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters == nil ||
 				ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.AWS == nil ||
@@ -769,6 +794,14 @@ func IsProxyProtocolNeeded(ic *operatorv1.IngressController, platform *configv1.
 				return true, nil
 			}
 		}
+	case operatorv1.HostNetworkStrategyType:
+		if ic.Status.EndpointPublishingStrategy.HostNetwork != nil {
+			return ic.Status.EndpointPublishingStrategy.HostNetwork.Protocol == operatorv1.ProxyProtocol, nil
+		}
+	case operatorv1.NodePortServiceStrategyType:
+		if ic.Status.EndpointPublishingStrategy.NodePort != nil {
+			return ic.Status.EndpointPublishingStrategy.NodePort.Protocol == operatorv1.ProxyProtocol, nil
+		}
 	}
 	return false, nil
 }