Support explicit target protocol annotation for load balancers

Author: asaha2

CHANGELOG.md

@@ -1,10 +1,14 @@
 ## unreleased
 
+* When using the LoadBalancer `service.beta.kubernetes.io/do-loadbalancer-target-protocol` annotation with any of `http`, 
+  `https`, `http2` or `http3` specification, the forwarding target protocol is overridden from the implicit default `http`
+  protocol.
+
 ## v0.1.55 (beta) - July 29, 2024
 
 * When using the LoadBalancer `service.beta.kubernetes.io/do-loadbalancer-type=REGIONAL_NETWORK` (under closed beta), firewall rules
-are added to open up the underlying health check port and all the defined (port, protocols) defined on the service. This is to
-permit traffic to arrive directly on the underlying worker nodes.
+  are added to open up the underlying health check port and all the defined (port, protocols) defined on the service. This is to
+  permit traffic to arrive directly on the underlying worker nodes.
 
 ## v0.1.54 (beta) - June 12, 2024
 

cloud-controller-manager/do/lb_annotations.go

@@ -32,6 +32,11 @@ const (
 	// is overwritten to https. Options are tcp, http and https. Defaults to tcp.
 	annDOProtocol = annDOLoadBalancerBase + "protocol"
 
+	// annDOTargetProtocol is the annotation used to specify the target protocol
+	// for DO load balancers. If unspecified, load balancers are configured with
+	// annDOProtocol specification. Options are http, https, http2 and  http3.
+	annDOTargetProtocol = annDOLoadBalancerBase + "target-protocol"
+
 	// annDOHealthCheckPath is the annotation used to specify the health check path
 	// for DO load balancers. Defaults to '/'.
 	annDOHealthCheckPath = annDOLoadBalancerBase + "healthcheck-path"

cloud-controller-manager/do/loadbalancers.go

@@ -733,13 +733,24 @@ func buildHTTP3ForwardingRule(ctx context.Context, service *v1.Service, godoClie
 		return nil, errors.New("certificate ID is required for HTTP3")
 	}
 
+	var targetProtocol string
+	if _, err := getProtocol(service, annDOTargetProtocol, func(protocol string) { targetProtocol = protocol }); err != nil {
+		return nil, err
+	}
+	if targetProtocol == protocolTCP || targetProtocol == protocolUDP {
+		return nil, fmt.Errorf("target protocol annotation is not supported for TCP or UDP")
+	}
+	if targetProtocol == "" {
+		targetProtocol = protocolHTTP
+	}
+
 	for _, port := range service.Spec.Ports {
 		if port.Port == int32(http3Port) {
 			return &godo.ForwardingRule{
 				EntryProtocol:  protocolHTTP3,
 				EntryPort:      http3Port,
 				CertificateID:  certificateID,
-				TargetProtocol: protocolHTTP,
+				TargetProtocol: targetProtocol,
 				TargetPort:     int(port.NodePort),
 			}, nil
 		}
@@ -753,7 +764,7 @@ func buildHTTP3ForwardingRule(ctx context.Context, service *v1.Service, godoClie
 func buildForwardingRules(ctx context.Context, service *v1.Service, godoClient *godo.Client) ([]godo.ForwardingRule, error) {
 	var forwardingRules []godo.ForwardingRule
 
-	defaultProtocol, err := getProtocol(service)
+	defaultProtocol, err := getProtocol(service, annDOProtocol)
 	if err != nil {
 		return nil, err
 	}
@@ -928,6 +939,14 @@ func buildTLSForwardingRule(forwardingRule *godo.ForwardingRule, service *v1.Ser
 		return errors.New("either certificate id should be set or tls pass through enabled, not both")
 	}
 
+	var targetProtocol string
+	if _, err := getProtocol(service, annDOTargetProtocol, func(protocol string) { targetProtocol = protocol }); err != nil {
+		return err
+	}
+	if targetProtocol == protocolTCP || targetProtocol == protocolUDP {
+		return fmt.Errorf("target protocol annotation is not supported for TCP or UDP")
+	}
+
 	if tlsPassThrough {
 		forwardingRule.TlsPassthrough = tlsPassThrough
 		// We don't explicitly set the TargetProtocol here since in buildForwardingRule
@@ -936,7 +955,11 @@ func buildTLSForwardingRule(forwardingRule *godo.ForwardingRule, service *v1.Ser
 		// to match the EntryProtocol.
 	} else {
 		forwardingRule.CertificateID = certificateID
-		forwardingRule.TargetProtocol = protocolHTTP
+		if targetProtocol != "" {
+			forwardingRule.TargetProtocol = targetProtocol
+		} else {
+			forwardingRule.TargetProtocol = protocolHTTP
+		}
 	}
 
 	return nil
@@ -968,9 +991,10 @@ func buildStickySessions(service *v1.Service) (*godo.StickySessions, error) {
 	}, nil
 }
 
-// getProtocol returns the desired protocol of service.
-func getProtocol(service *v1.Service) (string, error) {
-	protocol, ok := service.Annotations[annDOProtocol]
+// getProtocol returns the service protocol as per the passed annotation,
+// additionally invokes list of callback functions if provided.
+func getProtocol(service *v1.Service, annotation string, opts ...func(protocol string)) (string, error) {
+	protocol, ok := service.Annotations[annotation]
 	if !ok {
 		return protocolTCP, nil
 	}
@@ -981,6 +1005,10 @@ func getProtocol(service *v1.Service) (string, error) {
 		return "", fmt.Errorf("invalid protocol %q specified in annotation %q", protocol, annDOProtocol)
 	}
 
+	for _, opt := range opts {
+		opt(protocol)
+	}
+
 	return protocol, nil
 }
 

cloud-controller-manager/do/loadbalancers_test.go

@@ -915,7 +915,7 @@ func Test_getProtocol(t *testing.T) {
 
 	for _, test := range testcases {
 		t.Run(test.name, func(t *testing.T) {
-			protocol, err := getProtocol(test.service)
+			protocol, err := getProtocol(test.service, annDOProtocol)
 			if protocol != test.protocol {
 				t.Error("unexpected protocol")
 				t.Logf("expected: %q", test.protocol)
@@ -2161,6 +2161,128 @@ func Test_buildForwardingRules(t *testing.T) {
 			},
 			nil,
 		},
+		{
+			"invalid target protocol annotation returns error",
+			&v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+					UID:  "abc123",
+					Annotations: map[string]string{
+						annDOHTTP2Ports:     "443",
+						annDOTargetProtocol: "abcd",
+						annDOCertificateID:  "test-certificate",
+					},
+				},
+				Spec: v1.ServiceSpec{
+					Ports: []v1.ServicePort{
+						{
+							Name:     "test",
+							Protocol: "TCP",
+							Port:     int32(443),
+							NodePort: int32(18080),
+						},
+					},
+				},
+			},
+			nil,
+			errors.New("failed to build TLS part(s) of forwarding rule: invalid protocol \"abcd\" specified in annotation \"service.beta.kubernetes.io/do-loadbalancer-protocol\""),
+		},
+		{
+			"unsupported target protocol annotation value returns error",
+			&v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+					UID:  "abc123",
+					Annotations: map[string]string{
+						annDOHTTP2Ports:     "443",
+						annDOTargetProtocol: "tcp",
+						annDOCertificateID:  "test-certificate",
+					},
+				},
+				Spec: v1.ServiceSpec{
+					Ports: []v1.ServicePort{
+						{
+							Name:     "test",
+							Protocol: "TCP",
+							Port:     int32(443),
+							NodePort: int32(18080),
+						},
+					},
+				},
+			},
+			nil,
+			errors.New("failed to build TLS part(s) of forwarding rule: target protocol annotation is not supported for TCP or UDP"),
+		},
+		{
+			"support same SSL terminated forwarding protocols (http2 -> http2)",
+			&v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+					UID:  "abc123",
+					Annotations: map[string]string{
+						annDOHTTP2Ports:     "443",
+						annDOTargetProtocol: "http2",
+						annDOCertificateID:  "test-certificate",
+					},
+				},
+				Spec: v1.ServiceSpec{
+					Ports: []v1.ServicePort{
+						{
+							Name:     "test",
+							Protocol: "TCP",
+							Port:     int32(443),
+							NodePort: int32(18080),
+						},
+					},
+				},
+			},
+			[]godo.ForwardingRule{
+				{
+					EntryProtocol:  "http2",
+					EntryPort:      443,
+					TargetProtocol: "http2",
+					TargetPort:     18080,
+					CertificateID:  "test-certificate",
+					TlsPassthrough: false,
+				},
+			},
+			nil,
+		},
+		{
+			"support different SSL terminated forwarding protocols (http2 -> https)",
+			&v1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test",
+					UID:  "abc123",
+					Annotations: map[string]string{
+						annDOHTTP2Ports:     "443",
+						annDOTargetProtocol: "https",
+						annDOCertificateID:  "test-certificate",
+					},
+				},
+				Spec: v1.ServiceSpec{
+					Ports: []v1.ServicePort{
+						{
+							Name:     "test",
+							Protocol: "TCP",
+							Port:     int32(443),
+							NodePort: int32(18080),
+						},
+					},
+				},
+			},
+			[]godo.ForwardingRule{
+				{
+					EntryProtocol:  "http2",
+					EntryPort:      443,
+					TargetProtocol: "https",
+					TargetPort:     18080,
+					CertificateID:  "test-certificate",
+					TlsPassthrough: false,
+				},
+			},
+			nil,
+		},
 	}
 
 	for _, test := range testcases {