Use AWS ELB Proxy Protocol #100
Comments
Seems like this is simply adding the annotation when CLOUD_PROVIDER = 'aws' into the Service template? Or allow for custom annotations for the Voyager Service within the Ingress.
|
@julianvmodesto, I have filed a new issue to track the work for custom annotation #103. One question I have: are you using CoreOS' prometheus operator to set up your exporter? We are considering running a sidecar container with the HAProxy to expose its metrics. I would like to hear how you see this work. |
The full suite of annotations available in 1.5.x are: |
As @sadlil mentioned in #103 (comment), users will be able to provide custom annotations as they see fit with 1.5.5 release. We are going to cut a release early next week. |
@tamalsaha appreciate your help here, love your project and looking forward to 1.5.5. Re: prometheus, the sidecar for haproxy stats looks like a pretty good solution to me. |
@tamalsaha I added the annotation below to a new Ingress, and the annotation exists for the new Ingress!
Two issues, though:
|
We are going to look into that and get back to you. |
Ack, sorry, regarding the second issue I have w/ 400s, I think I just need to figure out how to configure HAProxy to accept the Proxy Protocol. |
How would I be able to attach
I manually edited the configmap with the above, and this solved the issue with the 400s. Maybe there should be a way to add modifiers to the |
You can't add options to the bind https://github.com/appscode/voyager/blob/master/pkg/controller/ingress/template/template.go#L140. We are going to push a new update with this fixed this week. @sadlil, I found some more docs here: https://jve.linuxwall.info/ressources/taf/haproxy-aws/ |
Great, thanks in advance Tamal! |
Created #115. |
…165)

This preserves source IP for LoadBalancer type ingresses for aws, gce, gke, azure. The actual configuration generated depends on the underlying cloud provider.

- gce, gke, azure: Adds annotation service.beta.kubernetes.io/external-traffic: OnlyLocal to services used to expose HAProxy.
  ref: https://kubernetes.io/docs/tutorials/services/source-ip/#source-ip-for-services-with-typeloadbalancer
- aws: Enforces the use of the PROXY protocol over any connection accepted by any of the sockets declared on the same line. Versions 1 and 2 of the PROXY protocol are supported and correctly detected. The PROXY protocol dictates the layer 3/4 addresses of the incoming connection to be used everywhere an address is used, with the only exception of "tcp-request connection" rules which will only see the real connection address. Logs will reflect the addresses indicated in the protocol, unless it is violated, in which case the real address will still be used. This keyword combined with support from external components can be used as an efficient and reliable alternative to the X-Forwarded-For mechanism which is not always reliable and not even always usable. See also "tcp-request connection expect-proxy" for a finer-grained setting of which client is allowed to use the protocol.
  ref: https://github.com/kubernetes/kubernetes/blob/release-1.5/pkg/cloudprovider/providers/aws/aws.go#L79

(this was implemented in #144)

Fixes #146, #100
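The version 1 PROXY protocol header that the commit message above refers to, as an added Python example that is not code from this thread or from Voyager. It shows why an HTTP parser that does not expect the header rejects the first line, and why the header is honoured only from the load balancer's addresses; the sample bytes, trusted subnet and function names are assumptions, and version 2 (binary) headers are not handled.

```python
import ipaddress

# Constructed sample: what a listener receives from an ELB with the PROXY
# protocol enabled (v1 text header, then the client's HTTP request).
SAMPLE = (b"PROXY TCP4 203.0.113.7 10.0.1.20 51234 80\r\n"
          b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
# Assumption: the subnets the load balancer connects from.
TRUSTED_PEERS = [ipaddress.ip_network("10.0.0.0/16")]


def parse_proxy_v1(data):
    """Return ((src_ip, src_port), rest); the first item is None for PROXY UNKNOWN."""
    end = data.find(b"\r\n", 0, 107)  # a v1 line is at most 107 bytes with CRLF
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, rest  # caller keeps the real connection address
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if {src.version, dst.version} != {4 if fields[1] == "TCP4" else 6}:
        raise ValueError("address family does not match protocol field")
    if not all(p.isdigit() and int(p) <= 65535 for p in fields[4:]):
        raise ValueError("bad port")
    return (str(src), int(fields[4])), rest


def is_http_request_line(line):
    """Rough form of the check an HTTP parser applies to the first line."""
    parts = line.split(b" ")
    return len(parts) == 3 and parts[2].startswith(b"HTTP/")


def client_address(peer_ip, data):
    """Honour the header only from trusted peers; otherwise use the peer address."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PEERS):
        return peer_ip, data  # any header stays in the stream and fails as HTTP
    src, rest = parse_proxy_v1(data)
    return (src[0] if src else peer_ip), rest
```

A listener that accepts the header from any peer lets a direct client claim an arbitrary source address, which is the case the "tcp-request connection expect-proxy" setting mentioned in the commit message narrows.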
@julianvmodesto, just to clarify one thing, with 1.5.6, you only need to add |
Currently, when the CLOUD_PROVIDER is set to aws, a new Service is created for the Ingress of type LoadBalancer by default.
The behavior I desire is for the LoadBalancer Service to use the
"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "*"
annotation to enable the Proxy Protocol on the AWS ELB, so that the proper headers like X-Real-IP and X-Forwarded-For are set correctly.
Here are my deployments: