feat(occm/lb): octavia proxy protocol v2 support (#2635)

Author: Lucasgranet

docs/openstack-cloud-controller-manager/expose-applications-using-loadbalancer-type-service.md

@@ -136,7 +136,11 @@ Request Body:
 
 - `loadbalancer.openstack.org/proxy-protocol`
 
-  If 'true', the loadbalancer pool protocol will be set as `PROXY`. Default is 'false'.
+  Enable the ProxyProtocol on all listeners. Default is 'false'.
+
+  Values:
+  - `v1`, `true`: enable the ProxyProtocol version 1
+  - `v2`: enable the ProxyProtocol version 2
 
   Not supported when `lb-provider=ovn` is configured in openstack-cloud-controller-manager.
 
@@ -402,6 +406,8 @@ To enable PROXY protocol support, the either the openstack-cloud-controller-mana
        app: nginx-ingress
    ```
 
+> To use the ProxyProtocol's version 2, set the annotation's value to `v2`. By default, ProxyProtocol's version 1 is used.
+
    Wait until the service gets an external IP.
 
    ```bash
@@ -500,6 +506,8 @@ To enable PROXY protocol support, the either the openstack-cloud-controller-mana
            -no body in request-
    ```
 
+> Note: the Proxy Protocol is only available with TCP services.
+
 ### Sharing load balancer with multiple Services
 
 By default, different Services of LoadBalancer type should have different corresponding cloud load balancers, however, openstack-cloud-controller-manager allows multiple Services to share a single load balancer if the Octavia service supports the tag feature (since API version 2.5).

pkg/openstack/loadbalancer.go

@@ -124,7 +124,7 @@ type serviceConfig struct {
 	lbPublicSubnetSpec          *floatingSubnetSpec
 	nodeSelectors               map[string]string
 	keepClientIP                bool
-	enableProxyProtocol         bool
+	proxyProtocolVersion        *v2pools.Protocol
 	timeoutClientData           int
 	timeoutMemberConnect        int
 	timeoutMemberData           int
@@ -474,6 +474,21 @@ func getBoolFromServiceAnnotation(service *corev1.Service, annotationKey string,
 	return defaultSetting
 }
 
+// getProxyProtocolFromServiceAnnotation searches a given v1.Service the ServiceAnnotationLoadBalancerProxyEnabled to guess if the proxyProtocol needs to be
+// enabled and return the ProxyProtocol's version which is need to be applied
+func getProxyProtocolFromServiceAnnotation(service *corev1.Service) *v2pools.Protocol {
+	switch getStringFromServiceAnnotation(service, ServiceAnnotationLoadBalancerProxyEnabled, "false") {
+	case "true":
+		return ptr.To(v2pools.ProtocolPROXY)
+	case "v1":
+		return ptr.To(v2pools.ProtocolPROXY)
+	case "v2":
+		return ptr.To(v2pools.ProtocolPROXYV2)
+	default:
+		return nil
+	}
+}
+
 // getSubnetIDForLB returns subnet-id for a specific node
 func getSubnetIDForLB(network *gophercloud.ServiceClient, node corev1.Node, preferredIPFamily corev1.IPFamily) (string, error) {
 	ipAddress, err := nodeAddressForLB(&node, preferredIPFamily)
@@ -868,8 +883,8 @@ func (lbaas *LbaasV2) ensureOctaviaPool(lbID string, name string, listener *list
 
 	// By default, use the protocol of the listener
 	poolProto := v2pools.Protocol(listener.Protocol)
-	if svcConf.enableProxyProtocol {
-		poolProto = v2pools.ProtocolPROXY
+	if svcConf.proxyProtocolVersion != nil {
+		poolProto = *svcConf.proxyProtocolVersion
 	} else if (svcConf.keepClientIP || svcConf.tlsContainerRef != "") && poolProto != v2pools.ProtocolHTTP {
 		poolProto = v2pools.ProtocolHTTP
 	}
@@ -935,8 +950,8 @@ func (lbaas *LbaasV2) ensureOctaviaPool(lbID string, name string, listener *list
 func (lbaas *LbaasV2) buildPoolCreateOpt(listenerProtocol string, service *corev1.Service, svcConf *serviceConfig, name string) v2pools.CreateOpts {
 	// By default, use the protocol of the listener
 	poolProto := v2pools.Protocol(listenerProtocol)
-	if svcConf.enableProxyProtocol {
-		poolProto = v2pools.ProtocolPROXY
+	if svcConf.proxyProtocolVersion != nil {
+		poolProto = *svcConf.proxyProtocolVersion
 	} else if (svcConf.keepClientIP || svcConf.tlsContainerRef != "") && poolProto != v2pools.ProtocolHTTP {
 		if svcConf.keepClientIP && svcConf.tlsContainerRef != "" {
 			klog.V(4).Infof("Forcing to use %q protocol for pool because annotations %q %q are set", v2pools.ProtocolHTTP, ServiceAnnotationLoadBalancerXForwardedFor, ServiceAnnotationTlsContainerRef)
@@ -1310,12 +1325,11 @@ func (lbaas *LbaasV2) checkServiceUpdate(service *corev1.Service, nodes []*corev
 
 	// This affects the protocol of listener and pool
 	keepClientIP := getBoolFromServiceAnnotation(service, ServiceAnnotationLoadBalancerXForwardedFor, false)
-	useProxyProtocol := getBoolFromServiceAnnotation(service, ServiceAnnotationLoadBalancerProxyEnabled, false)
-	if useProxyProtocol && keepClientIP {
+	svcConf.proxyProtocolVersion = getProxyProtocolFromServiceAnnotation(service)
+	if svcConf.proxyProtocolVersion != nil && keepClientIP {
 		return fmt.Errorf("annotation %s and %s cannot be used together", ServiceAnnotationLoadBalancerProxyEnabled, ServiceAnnotationLoadBalancerXForwardedFor)
 	}
 	svcConf.keepClientIP = keepClientIP
-	svcConf.enableProxyProtocol = useProxyProtocol
 
 	svcConf.tlsContainerRef = getStringFromServiceAnnotation(service, ServiceAnnotationTlsContainerRef, lbaas.opts.TlsContainerRef)
 	svcConf.enableMonitor = getBoolFromServiceAnnotation(service, ServiceAnnotationLoadBalancerEnableHealthMonitor, lbaas.opts.CreateMonitor)
@@ -1335,7 +1349,7 @@ func (lbaas *LbaasV2) checkServiceDelete(service *corev1.Service, svcConf *servi
 
 	// This affects the protocol of listener and pool
 	svcConf.keepClientIP = getBoolFromServiceAnnotation(service, ServiceAnnotationLoadBalancerXForwardedFor, false)
-	svcConf.enableProxyProtocol = getBoolFromServiceAnnotation(service, ServiceAnnotationLoadBalancerProxyEnabled, false)
+	svcConf.proxyProtocolVersion = getProxyProtocolFromServiceAnnotation(service)
 	svcConf.tlsContainerRef = getStringFromServiceAnnotation(service, ServiceAnnotationTlsContainerRef, lbaas.opts.TlsContainerRef)
 
 	return nil
@@ -1537,12 +1551,11 @@ func (lbaas *LbaasV2) checkService(service *corev1.Service, nodes []*corev1.Node
 	}
 
 	keepClientIP := getBoolFromServiceAnnotation(service, ServiceAnnotationLoadBalancerXForwardedFor, false)
-	useProxyProtocol := getBoolFromServiceAnnotation(service, ServiceAnnotationLoadBalancerProxyEnabled, false)
-	if useProxyProtocol && keepClientIP {
+	svcConf.proxyProtocolVersion = getProxyProtocolFromServiceAnnotation(service)
+	if svcConf.proxyProtocolVersion != nil && keepClientIP {
 		return fmt.Errorf("annotation %s and %s cannot be used together", ServiceAnnotationLoadBalancerProxyEnabled, ServiceAnnotationLoadBalancerXForwardedFor)
 	}
 	svcConf.keepClientIP = keepClientIP
-	svcConf.enableProxyProtocol = useProxyProtocol
 
 	if openstackutil.IsOctaviaFeatureSupported(lbaas.lb, openstackutil.OctaviaFeatureTimeout, lbaas.opts.LBProvider) {
 		svcConf.timeoutClientData = getIntFromServiceAnnotation(service, ServiceAnnotationLoadBalancerTimeoutClientData, 50000)
@@ -1627,7 +1640,7 @@ func (lbaas *LbaasV2) createLoadBalancerStatus(service *corev1.Service, svcConf
 	}
 
 	ipMode := corev1.LoadBalancerIPModeVIP
-	if svcConf.enableProxyProtocol {
+	if svcConf.proxyProtocolVersion != nil {
 		// If the load balancer is using the PROXY protocol, expose its IP address via
 		// the Hostname field to prevent kube-proxy from injecting an iptables bypass.
 		// Setting must be removed by the user to allow the use of the LoadBalancerIPModeProxy.

pkg/openstack/loadbalancer_test.go

@@ -3,6 +3,7 @@ package openstack
 import (
 	"context"
 	"fmt"
+	"k8s.io/utils/ptr"
 	"reflect"
 	"sort"
 	"testing"
@@ -747,7 +748,7 @@ func TestLbaasV2_createLoadBalancerStatus(t *testing.T) {
 					},
 				},
 				svcConf: &serviceConfig{
-					enableProxyProtocol: false,
+					proxyProtocolVersion: nil,
 				},
 				addr: "10.10.0.6",
 			},
@@ -772,7 +773,7 @@ func TestLbaasV2_createLoadBalancerStatus(t *testing.T) {
 					},
 				},
 				svcConf: &serviceConfig{
-					enableProxyProtocol: true,
+					proxyProtocolVersion: ptr.To(pools.ProtocolPROXY),
 				},
 				addr: "10.10.0.6",
 			},
@@ -797,7 +798,7 @@ func TestLbaasV2_createLoadBalancerStatus(t *testing.T) {
 					},
 				},
 				svcConf: &serviceConfig{
-					enableProxyProtocol: false,
+					proxyProtocolVersion: nil,
 				},
 				addr: "10.10.0.6",
 			},
@@ -823,7 +824,7 @@ func TestLbaasV2_createLoadBalancerStatus(t *testing.T) {
 					},
 				},
 				svcConf: &serviceConfig{
-					enableProxyProtocol: true,
+					proxyProtocolVersion: ptr.To(pools.ProtocolPROXY),
 				},
 				addr: "10.10.0.6",
 			},
@@ -981,9 +982,9 @@ func Test_buildPoolCreateOpt(t *testing.T) {
 			args: args{
 				protocol: "TCP",
 				svcConf: &serviceConfig{
-					keepClientIP:        true,
-					tlsContainerRef:     "tls-container-ref",
-					enableProxyProtocol: true,
+					keepClientIP:         true,
+					tlsContainerRef:      "tls-container-ref",
+					proxyProtocolVersion: ptr.To(pools.ProtocolPROXY),
 				},
 				lbaasV2: &LbaasV2{
 					LoadBalancer{
@@ -1011,9 +1012,9 @@ func Test_buildPoolCreateOpt(t *testing.T) {
 			args: args{
 				protocol: "HTTP",
 				svcConf: &serviceConfig{
-					keepClientIP:        true,
-					tlsContainerRef:     "tls-container-ref",
-					enableProxyProtocol: false,
+					keepClientIP:         true,
+					tlsContainerRef:      "tls-container-ref",
+					proxyProtocolVersion: nil,
 				},
 				lbaasV2: &LbaasV2{
 					LoadBalancer{
@@ -1041,9 +1042,9 @@ func Test_buildPoolCreateOpt(t *testing.T) {
 			args: args{
 				protocol: "UDP",
 				svcConf: &serviceConfig{
-					keepClientIP:        true,
-					tlsContainerRef:     "tls-container-ref",
-					enableProxyProtocol: false,
+					keepClientIP:         true,
+					tlsContainerRef:      "tls-container-ref",
+					proxyProtocolVersion: nil,
 				},
 				lbaasV2: &LbaasV2{
 					LoadBalancer{
@@ -1124,6 +1125,36 @@ func Test_buildPoolCreateOpt(t *testing.T) {
 				Persistence: &pools.SessionPersistence{Type: "SOURCE_IP"},
 			},
 		},
+		{
+			name: "test for proxy protocol v2 enabled",
+			args: args{
+				protocol: "TCP",
+				svcConf: &serviceConfig{
+					keepClientIP:         true,
+					tlsContainerRef:      "tls-container-ref",
+					proxyProtocolVersion: ptr.To(pools.ProtocolPROXYV2),
+				},
+				lbaasV2: &LbaasV2{
+					LoadBalancer{
+						opts: LoadBalancerOpts{
+							LBProvider: "ovn",
+							LBMethod:   "SOURCE_IP_PORT",
+						},
+					},
+				},
+				service: &corev1.Service{
+					Spec: corev1.ServiceSpec{
+						SessionAffinity: corev1.ServiceAffinityClientIP,
+					},
+				},
+			},
+			want: pools.CreateOpts{
+				Name:        "test for proxy protocol v2 enabled",
+				Protocol:    pools.ProtocolPROXYV2,
+				LBMethod:    "SOURCE_IP_PORT",
+				Persistence: &pools.SessionPersistence{Type: "SOURCE_IP"},
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -2553,3 +2584,71 @@ func TestFilterNodes(t *testing.T) {
 		})
 	}
 }
+
+func Test_getProxyProtocolFromServiceAnnotation(t *testing.T) {
+	type args struct {
+		service *corev1.Service
+	}
+	tests := []struct {
+		name string
+		args args
+		want *pools.Protocol
+	}{
+		{
+			name: "no proxy protocol",
+			args: args{service: &corev1.Service{
+				ObjectMeta: v1.ObjectMeta{
+					Annotations: map[string]string{ServiceAnnotationLoadBalancerProxyEnabled: "false"},
+				},
+			}},
+			want: nil,
+		},
+		{
+			name: "proxy protocol true",
+			args: args{service: &corev1.Service{
+				ObjectMeta: v1.ObjectMeta{
+					Annotations: map[string]string{ServiceAnnotationLoadBalancerProxyEnabled: "true"},
+				},
+			}},
+			want: ptr.To(pools.ProtocolPROXY),
+		},
+		{
+			name: "proxy protocol v1",
+			args: args{service: &corev1.Service{
+				ObjectMeta: v1.ObjectMeta{
+					Annotations: map[string]string{ServiceAnnotationLoadBalancerProxyEnabled: "v1"},
+				},
+			}},
+			want: ptr.To(pools.ProtocolPROXY),
+		},
+		{
+			name: "proxy protocol v2",
+			args: args{service: &corev1.Service{
+				ObjectMeta: v1.ObjectMeta{
+					Annotations: map[string]string{ServiceAnnotationLoadBalancerProxyEnabled: "v2"},
+				},
+			}},
+			want: ptr.To(pools.ProtocolPROXYV2),
+		},
+		{
+			name: "no proxy protocol annotation",
+			args: args{service: &corev1.Service{}},
+			want: nil,
+		},
+		{
+			name: "unknown proxy protocol annotation's value",
+			args: args{service: &corev1.Service{
+				ObjectMeta: v1.ObjectMeta{
+					Annotations: map[string]string{ServiceAnnotationLoadBalancerProxyEnabled: "not valid value"},
+				},
+			}},
+			want: nil,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := getProxyProtocolFromServiceAnnotation(tt.args.service)
+			assert.Equalf(t, tt.want, got, "getProxyProtocolFromServiceAnnotation(%v)", tt.args.service)
+		})
+	}
+}