Modify LB IP with dns suffix when the proxy protocol is used #323
Conversation
Related to SovereignCloudStack/issues#250 and #184 See also https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/expose-applications-using-loadbalancer-type-service.md#use-proxy-protocol-to-preserve-client-ip Signed-off-by: Roman Hros <[email protected]>
| @@ -7,3 +7,4 @@ application-credential-secret="${appcredsecret}" | |||
| [LoadBalancer] | |||
| manage-security-groups=true | |||
| use-octavia=true | |||
| enable-ingress-hostname=true | |||
There was a problem hiding this comment.
You have probably seen the logic in apply_nginx_ingress.sh to use kustomize to patch in the openstack annotations to enable the health monitor and the proxy protocol if NGINX_INGRESS_PROXY is set.
I would prefer to implement the hostname setting also via a conditional kustomization, so we only enable it when we need it. Looks like the annotation approach requires an explicit hostname though (and I don't know what it should be set to ...).
Are you sure this setting is harmless when the proxy-protocol is not enabled?
There was a problem hiding this comment.
Does anyone know the answer to the "Are you sure this is harmless ... ?" question?
There was a problem hiding this comment.
Hmm, reading up kubernetes/ingress-nginx#3996, it would seem that an annotation loadbalancer.openstack.org/hostname: nip.io or the default setting you suggest would be needed until (KEP-1860)[https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/1860-kube-proxy-IP-node-binding] gets implemented.
Any information on what enable-ingress-hostname=true would do when the proxy protocol is not enabled?
There was a problem hiding this comment.
OK, looks like a safe choice then, thanks!
garloff
added
bug
Related to SovereignCloudStack/issues#250 and #184 See also https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/expose-applications-using-loadbalancer-type-service.md#use-proxy-protocol-to-preserve-client-ip Signed-off-by: Roman Hros <[email protected]> Co-authored-by: Kurt Garloff <[email protected]>
|
It seems that the enhancement KEP-1860 will be included in K8s 1.29: kubernetes/enhancements#4114. |
|
Yeah, it will be in the alpha stage. But still, probably OCCM will need to adapt to that. |
Related to SovereignCloudStack/issues#250 and #184
See also https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/openstack-cloud-controller-manager/expose-applications-using-loadbalancer-type-service.md#use-proxy-protocol-to-preserve-client-ip
Signed-off-by: Roman Hros [email protected]