spike/aws-nlb/internal/proxy: enforce proxy proto on internal NLB IC

Author: mtulio

pkg/operator/controller/ingress/controller.go

@@ -1233,9 +1233,14 @@ func IsProxyProtocolNeeded(ic *operatorv1.IngressController, platform *configv1.
 			if ic.Status.EndpointPublishingStrategy.LoadBalancer == nil ||
 				ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters == nil ||
 				ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.AWS == nil ||
-				ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.Type == operatorv1.AWSLoadBalancerProvider &&
-					ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.AWS.Type == operatorv1.AWSClassicLoadBalancer {
-				return true, nil
+				ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.Type == operatorv1.AWSLoadBalancerProvider {
+				if ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.AWS.Type == operatorv1.AWSClassicLoadBalancer {
+					return true, nil
+				}
+				if ic.Status.EndpointPublishingStrategy.LoadBalancer.Scope == operatorv1.InternalLoadBalancer &&
+					ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.AWS.Type == operatorv1.AWSNetworkLoadBalancer {
+					return true, nil
+				}
 			}
 		case configv1.IBMCloudPlatformType:
 			if ic.Status.EndpointPublishingStrategy.LoadBalancer != nil &&

pkg/operator/controller/ingress/load_balancer_service.go

@@ -64,6 +64,9 @@ const (
 	// See https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-health-checks.html
 	awsLBHealthCheckIntervalNLB = "10"
 
+	// awsTargetGroupAttributesInternalProxyProtocolEnabled is the value of the awsTargetGroupAttributesAnnotation for internal load balancers that need to enable proxy protocol.
+	awsTargetGroupAttributesInternalProxyProtocolEnabled = "preserve_client_ip.enabled=false,proxy_protocol_v2.enabled=true"
+
 	// awsLBHealthCheckTimeoutAnnotation is the amount of time, in seconds, during which no response
 	// means a failed AWS load balancer health check. The value must be less than the value of
 	// awsLBHealthCheckIntervalAnnotation. Defaults to 4, must be between 2 and 60.
@@ -92,6 +95,9 @@ const (
 	// awsEIPAllocationsAnnotation specifies a list of eips for NLBs.
 	awsEIPAllocationsAnnotation = "service.beta.kubernetes.io/aws-load-balancer-eip-allocations"
 
+	// awsTargetGroupAttributesAnnotation is the annotation used on a service to specify target group attributes for an AWS load balancer.
+	awsTargetGroupAttributesAnnotation = "service.beta.kubernetes.io/aws-load-balancer-target-group-attributes"
+
 	// iksLBScopeAnnotation is the annotation used on a service to specify an IBM
 	// load balancer IP type.
 	iksLBScopeAnnotation = "service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type"
@@ -422,6 +428,11 @@ func desiredLoadBalancerService(ci *operatorv1.IngressController, deploymentRef
 							}
 						}
 
+						// Configure the target group attributes for internal load balancers that need to enable proxy protocol and support hairpinning traffic.
+						if proxyNeeded && isInternal {
+							service.Annotations[awsTargetGroupAttributesAnnotation] = awsTargetGroupAttributesInternalProxyProtocolEnabled
+						}
+
 					case operatorv1.AWSClassicLoadBalancer:
 						if aws.ClassicLoadBalancerParameters != nil {
 							if v := aws.ClassicLoadBalancerParameters.ConnectionIdleTimeout; v.Duration > 0 {