vitobotta / hetzner-k3s

The easiest and fastest way to create and manage Kubernetes clusters in Hetzner Cloud using the lightweight distribution k3s by Rancher.
MIT License

Selectively enable PROXY Protocol for certain Load Balancer Ports #362

Closed jampy closed 6 months ago

jampy commented 6 months ago

I use an ingress-nginx config like the following:

ingress-nginx:
  controller:
    kind: DaemonSet
    service:
      annotations:
        load-balancer.hetzner.cloud/location: nbg1
        load-balancer.hetzner.cloud/name: my-cluster-worker-lb
        load-balancer.hetzner.cloud/use-private-ip: "true"
        load-balancer.hetzner.cloud/uses-proxyprotocol: 'true'      # <------
        load-balancer.hetzner.cloud/hostname: redacted-host-name
        load-balancer.hetzner.cloud/http-redirect-https: 'false'

  tcp:
    1194: "openvpn/openvpn-service:1194"

As you can see, I enable the PROXY Protocol to reveal the external IP of HTTP/S connections. That works.

At the same time I use the same Nginx Ingress to forward TCP traffic to an OpenVPN server.

This basically works in that the OpenVPN port reaches the pods. The problem is that there is the PROXY Protocol header in the TCP data stream (which OpenVPN does not support).

I think this is because the port is configured on the Hetzner LB to use the PROXY PROTOCOL, just like the HTTP and HTTPS ports. Manually disabling the PROXY PROTOCOL for that port in the Hetzner Cloud Console solves the problem, but of course manually configuring things in the Console is not a solution.

Is it possible to configure this so that just the 1194 port is not configured to use the PROXY PROTOCOL?
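
To confirm the symptom described in the issue above on a captured TCP stream, this added example (not part of the original issue or the hetzner-k3s project) separates a leading PROXY protocol header from the bytes the backend actually expected. It goes beyond the specific case by handling both the v1 text form and the v2 binary form from the HAProxy PROXY protocol specification, since the page does not say which one the load balancer emits. The function name `split_proxy_header` and all sample addresses and bytes are hypothetical and constructed.

```python
import ipaddress
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY v2 signature

def split_proxy_header(data: bytes):
    """Return (info, payload); info is None when no PROXY header leads the stream."""
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("truncated PROXY v2 header")
        ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
        if ver_cmd >> 4 != 2:
            raise ValueError("unsupported PROXY version")
        if len(data) < 16 + length:
            raise ValueError("truncated PROXY v2 address block")
        block, payload = data[16:16 + length], data[16 + length:]
        info = {"version": 2, "src": None, "src_port": None}
        family = fam_proto >> 4
        # cmd 0x1 = PROXY (addresses valid); cmd 0x0 = LOCAL (no client addresses)
        if ver_cmd & 0x0F == 1 and family in (1, 2):
            alen = 4 if family == 1 else 16  # AF_INET or AF_INET6
            if length < 2 * alen + 4:
                raise ValueError("address block too short")
            info["src"] = str(ipaddress.ip_address(block[:alen]))
            info["src_port"] = struct.unpack("!H", block[2 * alen:2 * alen + 2])[0]
        return info, payload
    if data.startswith(b"PROXY "):
        end = data.find(b"\r\n", 0, 107)  # v1 line is at most 107 bytes incl. CRLF
        if end < 0:
            raise ValueError("unterminated PROXY v1 line")
        fields = data[:end].decode("ascii").split(" ")
        info = {"version": 1, "src": None, "src_port": None}
        if fields[1] in ("TCP4", "TCP6") and len(fields) == 6:
            info["src"] = str(ipaddress.ip_address(fields[2]))
            info["src_port"] = int(fields[4])
        return info, data[end + 2:]
    return None, data  # stream starts directly with application bytes

# Constructed samples: 203.0.113.7:51000 -> 10.0.0.2:1194, then stand-in client bytes.
CLIENT_BYTES = b"\x00\x0e" + bytes(14)
SAMPLE_V1 = b"PROXY TCP4 203.0.113.7 10.0.0.2 51000 1194\r\n" + CLIENT_BYTES
SAMPLE_V2 = (V2_SIG + b"\x21\x11" + struct.pack("!H", 12)
             + ipaddress.ip_address("203.0.113.7").packed
             + ipaddress.ip_address("10.0.0.2").packed
             + struct.pack("!HH", 51000, 1194) + CLIENT_BYTES)

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2, CLIENT_BYTES):
        print(split_proxy_header(sample))
```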