spike/aws-nlb/internal/proxy: enforce proxy proto on internal NLB IC

Author: mtulio

pkg/operator/controller/ingress/controller.go

@@ -1230,13 +1230,25 @@ func IsProxyProtocolNeeded(ic *operatorv1.IngressController, platform *configv1.
 		// This can really be done for for any external [cloud] LBs that support the proxy protocol.
 		switch platform.Type {
 		case configv1.AWSPlatformType:
+			// Handle nil cases - default to Classic Load Balancer behavior (uses PROXY)
+			// TODO: validate if this won't generate false positives
 			if ic.Status.EndpointPublishingStrategy.LoadBalancer == nil ||
 				ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters == nil ||
-				ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.AWS == nil ||
-				ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.Type == operatorv1.AWSLoadBalancerProvider &&
-					ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.AWS.Type == operatorv1.AWSClassicLoadBalancer {
+				ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.AWS == nil {
 				return true, nil
 			}
+
+			// Only check specific AWS provider configurations if everything is properly set
+			if ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.Type == operatorv1.AWSLoadBalancerProvider {
+				// Classic Load Balancer uses PROXY protocol
+				if ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.AWS.Type == operatorv1.AWSClassicLoadBalancer {
+					return true, nil
+				}
+				// Network Load Balancer uses PROXY protocol only when internal
+				if ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters.AWS.Type == operatorv1.AWSNetworkLoadBalancer {
+					return ic.Status.EndpointPublishingStrategy.LoadBalancer.Scope == operatorv1.InternalLoadBalancer, nil
+				}
+			}
 		case configv1.IBMCloudPlatformType:
 			if ic.Status.EndpointPublishingStrategy.LoadBalancer != nil &&
 				ic.Status.EndpointPublishingStrategy.LoadBalancer.ProviderParameters != nil &&

pkg/operator/controller/ingress/load_balancer_service.go

@@ -64,6 +64,9 @@ const (
 	// See https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-health-checks.html
 	awsLBHealthCheckIntervalNLB = "10"
 
+	// awsTargetGroupAttributesInternalProxyProtocolEnabled is the value of the awsTargetGroupAttributesAnnotation for internal load balancers that need to enable proxy protocol.
+	awsTargetGroupAttributesInternalProxyProtocolEnabled = "preserve_client_ip.enabled=false,proxy_protocol_v2.enabled=true"
+
 	// awsLBHealthCheckTimeoutAnnotation is the amount of time, in seconds, during which no response
 	// means a failed AWS load balancer health check. The value must be less than the value of
 	// awsLBHealthCheckIntervalAnnotation. Defaults to 4, must be between 2 and 60.
@@ -92,6 +95,9 @@ const (
 	// awsEIPAllocationsAnnotation specifies a list of eips for NLBs.
 	awsEIPAllocationsAnnotation = "service.beta.kubernetes.io/aws-load-balancer-eip-allocations"
 
+	// awsTargetGroupAttributesAnnotation is the annotation used on a service to specify target group attributes for an AWS load balancer.
+	awsTargetGroupAttributesAnnotation = "service.beta.kubernetes.io/aws-load-balancer-target-group-attributes"
+
 	// iksLBScopeAnnotation is the annotation used on a service to specify an IBM
 	// load balancer IP type.
 	iksLBScopeAnnotation = "service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type"
@@ -422,6 +428,11 @@ func desiredLoadBalancerService(ci *operatorv1.IngressController, deploymentRef
 							}
 						}
 
+						// Configure the target group attributes for internal load balancers that need to enable proxy protocol and support hairpinning traffic.
+						if proxyNeeded && isInternal {
+							service.Annotations[awsTargetGroupAttributesAnnotation] = awsTargetGroupAttributesInternalProxyProtocolEnabled
+						}
+
 					case operatorv1.AWSClassicLoadBalancer:
 						if aws.ClassicLoadBalancerParameters != nil {
 							if v := aws.ClassicLoadBalancerParameters.ConnectionIdleTimeout; v.Duration > 0 {