ingress: Add proxy-protocol enhancement #664
Conversation
| When OpenShift is configured with an external load-balancer in front of an | ||
| IngressController, the connections that the IngressController receives have the | ||
| load balancer's address (instead of the original client addresses) as the source | ||
| address. PROXY protocol enables the external load-balancer to preserve the |
There was a problem hiding this comment.
Would it be worth mentioning that PROXY protocol is already enabled for Ingress Controller's with an endpoint publishing strategy of LoadBalancerService on AWS by default?
There was a problem hiding this comment.
I've rewritten this section to describe service load-balancers versus external load-balancers and the various endpoint publishing strategies.
|
|
||
| ### Non-Goal | ||
|
|
||
| 1. Enabling PROXY protocol to be configured on individual Routes. |
There was a problem hiding this comment.
Would a non-goal be allowing PROXY protocol to be configured when using the LoadBalancerService endpoint publishing strategy? (I guess mentioning this here would be slightly redundant but can't hurt to be explicit, considering our current usage of PROXY protocol on default ingress controllers on AWS)
There was a problem hiding this comment.
It would. I added a non-goal as you suggested. Thanks!
|
|
||
| ### User Stories | ||
|
|
||
| #### As a cluster administrator, I need my IngressController to use PROXY protocol to communicate with my external load-balancer. |
There was a problem hiding this comment.
I think you may need to drop the period at the end of this line to satisfy the new lint rules.
Miciah
force-pushed
the
ingress-add-proxy-connection-enhancement
branch
from
aabd06b
to
328c3b9
Compare
Miciah
changed the title
I copied and pasted the summary from the enhancement. I hope that is sufficient. |
| ### Non-Goals | ||
|
|
||
| 1. Enabling PROXY protocol to be configured on individual Routes. | ||
| 1. Enable cluster administrators to enable PROXY protocol on IngressControllers that use the "LoadBalancerService" or "Private" endpoint publishing strategies. |
There was a problem hiding this comment.
nit: The non-goals list has 2 items with numbering 1 (yet it renders with the correct numbering 🤔 )
There was a problem hiding this comment.
It's a markdown thing. If each item is numbered with 1, the generator converts it into a properly numbered list. That's especially nice when dealing with diffs.
|
/lgtm |
openshift-ci-robot
added
the
do-not-merge/hold
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: knobunc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
Miciah
force-pushed
the
ingress-add-proxy-connection-enhancement
branch
from
328c3b9
to
fdd0d19
Compare
|
Latest push updates the API definitions with the revised ones from openshift/api#871. |
/lgtm |
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
This enhancement enables cluster administrators to enable PROXY protocol on IngressControllers.