kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0
3.96k stars 1.47k forks

Disable proxy protocol for TCP/UDP ports in NLB #3877

Open sknmi opened 1 month ago

sknmi commented 1 month ago

I'm using nginx-ingress and want to expose gitlab-shell service on TCP port 22.

defaultBackend:
  enabled: false

tcp:
  22: gitlab/gitlab-gitlab-shell:22

controller:  # parent key for config/service in the ingress-nginx chart (assumed from the indentation below)
  config:
    server-tokens: false
    use-proxy-protocol: true
  service:
    type: "LoadBalancer"
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "external"
      service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
      service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
      # annotation values must be strings; a bare YAML boolean is rejected by the API server
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
      service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "proxy_protocol_v2.enabled=true,preserve_client_ip.enabled=true,deregistration_delay.timeout_seconds=180,deregistration_delay.connection_termination.enabled=false"

So for ports 443/80 I need proxy protocol and it works as expected, but for port 22 I don't need it. If I disable it in the target group by hand, aws-load-balancer-controller sets proxy protocol for that TCP port 22 back after some time.

I know it is also possible to set something like this for nginx-ingress:

  22: gitlab/gitlab-gitlab-shell:22:PROXY:PROXY
  22: gitlab/gitlab-gitlab-shell:22:PROXY
  22: gitlab/gitlab-gitlab-shell:22::PROXY

But none of them works.

Describe the solution you'd like
Ability to disable proxy protocol for specific ports.

Describe alternatives you've considered
Using https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.9/guide/targetgroupbinding/targetgroupbinding/, maybe.

wweiwei-li commented 1 month ago

We don't have the ability to disable it for specific ports. We'll add it as a feature. Any community contributions are welcome.

sknmi commented 1 month ago

TargetGroupBinding feature also doesn't work, since alb-controller removes all manually added listeners from NLB :/

aburan28 commented 5 days ago

@wweiwei-li What would be the ideal way to implement this? Would a target group override annotation for the service port name be reasonable? For example, the annotation below would disable proxy_protocol_v2 for port 443.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-target-group-overrides-https: "proxy_protocol_v2.enabled=false"
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "proxy_protocol_v2.enabled=true"

Another possibility is to use the existing annotation but create a field in the attributes that can map overrides to port names.

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "overrides.http.proxy_protocol_v2.enabled=false,overrides.https.proxy_protocol_v2.enabled=true"
spec:
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
    - name: https
      port: 443
      targetPort: 8443
      protocol: TCP

I may have some time to work on this feature
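As an added illustration of the second proposal above (per-port overrides embedded in the existing target-group-attributes annotation), the Go sketch below parses the comma-separated `key=value` list, collects keys of the form `overrides.<portName>.<attribute>` per service port, and resolves the effective attribute set for each port. This is example code written for this thread, not code from aws-load-balancer-controller; the `overrides.` prefix is the hypothetical syntax from the comment above, and the function names (`ParseTargetGroupAttributes`, `EffectiveAttributes`, `ValidateOverridePorts`) and the port name `ssh` are assumptions. It refuses a key set twice (the copy-paste slip that leaves proxy protocol in an unintended state) and rejects overrides for port names absent from `spec.ports`, so a misspelled port name cannot silently keep proxy protocol enabled on the port the operator meant to exempt.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Attributes holds ELBv2 target group attributes, e.g. "proxy_protocol_v2.enabled" -> "true".
type Attributes map[string]string

// ParseTargetGroupAttributes parses the comma-separated "key=value" list used by the
// aws-load-balancer-target-group-attributes annotation. Keys shaped like
// "overrides.<portName>.<attribute>" (a hypothetical syntax, not one the controller
// implements) are collected per service port name; every other key is a base attribute.
func ParseTargetGroupAttributes(raw string) (Attributes, map[string]Attributes, error) {
	base := Attributes{}
	overrides := map[string]Attributes{}
	for _, pair := range strings.Split(raw, ",") {
		pair = strings.TrimSpace(pair)
		if pair == "" {
			continue
		}
		key, value, ok := strings.Cut(pair, "=")
		if !ok || key == "" || value == "" {
			return nil, nil, fmt.Errorf("malformed attribute %q: want key=value", pair)
		}
		target := base
		if strings.HasPrefix(key, "overrides.") {
			portName, attr, ok := strings.Cut(strings.TrimPrefix(key, "overrides."), ".")
			if !ok || portName == "" || attr == "" {
				return nil, nil, fmt.Errorf("malformed override %q: want overrides.<port>.<attribute>", key)
			}
			if overrides[portName] == nil {
				overrides[portName] = Attributes{}
			}
			target, key = overrides[portName], attr
		}
		// A repeated key is almost always a copy-paste slip (the same port named twice with
		// opposite values); refuse it rather than let whichever value comes last win silently.
		if _, dup := target[key]; dup {
			return nil, nil, fmt.Errorf("attribute %q is set more than once", pair)
		}
		target[key] = value
	}
	return base, overrides, nil
}

// EffectiveAttributes returns the attribute set for one service port's target group:
// the base attributes with that port's overrides applied on top.
func EffectiveAttributes(base Attributes, overrides map[string]Attributes, portName string) Attributes {
	eff := Attributes{}
	for k, v := range base {
		eff[k] = v
	}
	for k, v := range overrides[portName] {
		eff[k] = v
	}
	return eff
}

// ValidateOverridePorts rejects overrides that name a port missing from spec.ports.
// Without this check a misspelled port name is simply ignored and the base value
// (proxy protocol enabled) would stay in force on the port meant to be exempted.
func ValidateOverridePorts(overrides map[string]Attributes, specPortNames []string) error {
	known := map[string]bool{}
	for _, n := range specPortNames {
		known[n] = true
	}
	var missing []string
	for name := range overrides {
		if !known[name] {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	if len(missing) > 0 {
		return fmt.Errorf("overrides reference unknown service port(s): %s", strings.Join(missing, ", "))
	}
	return nil
}

func main() {
	// Constructed sample mirroring the issue: proxy protocol on for the HTTP(S) ports,
	// off for the gitlab-shell port, here named "ssh" (an assumed port name).
	raw := "proxy_protocol_v2.enabled=true,preserve_client_ip.enabled=true," +
		"overrides.ssh.proxy_protocol_v2.enabled=false"
	ports := []string{"http", "https", "ssh"}

	base, overrides, err := ParseTargetGroupAttributes(raw)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	if err := ValidateOverridePorts(overrides, ports); err != nil {
		fmt.Println("validation error:", err)
		return
	}
	for _, p := range ports {
		fmt.Printf("%-5s %v\n", p, EffectiveAttributes(base, overrides, p))
	}
}
```

Whatever final syntax is chosen, the two checks (duplicate keys, unknown port names) are the part worth keeping: the failure mode in this issue is proxy protocol being enabled where it was not wanted, and a per-port mechanism that ignores malformed input reproduces exactly that.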