Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support explicit target protocol annotation for load balancers #751

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Support explicit target protocol annotation for load balancers #751

wants to merge 2 commits into from

Conversation

asaha2
Copy link

@asaha2 asaha2 commented Aug 6, 2024
edited
Loading

  • introduce service.beta.kubernetes.io/do-loadbalancer-target-protocol annotation that provides explicit specifier for forwarding rules target protocols, if set correctly overrides the implicit default of http target protocol
  • default behavior in absence of this new annotation is unchanged

Fixes #367 #378

@asaha2 asaha2 linked an issue Aug 6, 2024 that may be closed by this pull request
Cannot get an HTTPS -> HTTPS Load-Balancer #367
Open
@asaha2 asaha2 changed the title Support same target protocol as HTTPx entry protocol without tls pass… Support same target protocol as HTTPx entry protocol without tls passthrough Aug 6, 2024
@asaha2 asaha2 force-pushed the asaha/lb-httpx-to-http-redirect branch from 62587f2 to 969cafd Compare August 6, 2024 20:05
@asaha2 asaha2 changed the title Support same target protocol as HTTPx entry protocol without tls passthrough Support explicit target protocol annotation for load balancers Aug 6, 2024
timoreimann
timoreimann reviewed Aug 7, 2024
View reviewed changes
cloud-controller-manager/do/loadbalancers.go Outdated Show resolved Hide resolved
CHANGELOG.md
## v0.1.55 (beta) - July 29, 2024

* When using the LoadBalancer `service.beta.kubernetes.io/do-loadbalancer-type=REGIONAL_NETWORK` (under closed beta), firewall rules
are added to open up the underlying health check port and all the defined (port, protocols) defined on the service. This is to
permit traffic to arrive directly on the underlying worker nodes.
are added to open up the underlying health check port and all the defined (port, protocols) defined on the service. This is to
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this just an extra blank now? Was it accidental?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit whitespace adjustment really, I just noticed that the last version update didn't have a tab prepended to new lines stanza as other updates. I can revert this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No this is great. Thanks for cleaning up.

cloud-controller-manager/do/lb_annotations.go Outdated Show resolved Hide resolved
cloud-controller-manager/do/loadbalancers.go Outdated Show resolved Hide resolved
cloud-controller-manager/do/loadbalancers.go Outdated Show resolved Hide resolved
@asaha2 asaha2 requested a review from timoreimann August 7, 2024 16:03
timoreimann
timoreimann reviewed Aug 20, 2024
View reviewed changes
cloud-controller-manager/do/loadbalancers.go
if targetProtocol, err = getTargetProtocol(service); err != nil {
return nil, err
}
if targetProtocol == protocolTCP || targetProtocol == protocolUDP {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this explicit check still given that getTargetProtocol() now returns an error if a protocol other than from the allowed list (which does not include TCP or UDP) is specified?

Similar question for other occurrences of this check.

cloud-controller-manager/do/loadbalancers.go
return nil, errors.New("target protocol annotation is not supported for TCP or UDP")
}
if targetProtocol == "" {
targetProtocol = protocolHTTP
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like we don't need this anymore either given that getTargetProtocol() already returns protocolHTTP if the annotation is missing.

cloud-controller-manager/do/loadbalancers.go
@@ -936,7 +962,11 @@ func buildTLSForwardingRule(forwardingRule *godo.ForwardingRule, service *v1.Ser
// to match the EntryProtocol.
} else {
forwardingRule.CertificateID = certificateID
forwardingRule.TargetProtocol = protocolHTTP
if targetProtocol != "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similarly, I don't think we need the if statement since targetProtocol is guaranteed to be populated by getTargetProtocol().

timoreimann
timoreimann reviewed Aug 21, 2024
View reviewed changes
cloud-controller-manager/do/loadbalancers.go
@@ -80,6 +81,9 @@ const (

var (
errLBNotFound = errors.New("loadbalancer not found")

supportedEntryProtocols = []string{protocolTCP, protocolHTTP, protocolHTTPS, protocolHTTP2, protocolHTTP3}
supportedTargetProtocols = []string{protocolHTTP, protocolHTTPS, protocolHTTP2, protocolHTTP3}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To confirm, are TCP->TCP and UDP->UDP not supported?

@trojanowski
Copy link

I think the approach from this PR, where the target protocol is set for all ports, could be problematic. Here's why:

  • The default http → https redirection behavior (configured via the service.beta.kubernetes.io/do-loadbalancer-redirect-http-to-https annotation) may not suit all needs. For example, you might want to configure different rules, such as returning an error instead of redirecting for API requests. With the solution implemented in this PR, we would need to configure TLS for the HTTP target port, which seems counterintuitive.
  • That annotation would make exposing additional ports for protocols other than HTTP (e.g., SMTP/MQTT/AMQP) impossible.

My recommendation would be to implement an annotation like service.beta.kubernetes.io/do-loadbalancer-target-https-ports instead. This would explicitly define which ports should use the https protocol (or http2 if used by the load balancer) as the target protocol by providing a comma-separated list as a value.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@timoreimann timoreimann timoreimann left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Cannot get an HTTPS -> HTTPS Load-Balancer
3 participants
@asaha2 @trojanowski @timoreimann