feat: svc enable proxy protocol on specified ports

arnaud-dezandee · arnaud-dezandee · commit abd690dbce20 · 2024-07-05T21:25:05.000+02:00
diff --git a/docs/guide/service/annotations.md b/docs/guide/service/annotations.md
@@ -22,7 +22,7 @@
 | [service.beta.kubernetes.io/aws-load-balancer-name](#load-balancer-name)                         | string                  |                           |                                                        |
 | [service.beta.kubernetes.io/aws-load-balancer-internal](#lb-internal)                            | boolean                 | false                     | deprecated, in favor of [aws-load-balancer-scheme](#lb-scheme)|
 | [service.beta.kubernetes.io/aws-load-balancer-scheme](#lb-scheme)                                | string                  | internal                  |                                                        |
-| [service.beta.kubernetes.io/aws-load-balancer-proxy-protocol](#proxy-protocol-v2)                | string                  |                           | Set to `"*"` to enable                                 |
+| [service.beta.kubernetes.io/aws-load-balancer-proxy-protocol](#proxy-protocol-v2)                | string                  |                           | Set to `"*"` to enable for all service ports           |
 | [service.beta.kubernetes.io/aws-load-balancer-ip-address-type](#ip-address-type)                 | string                  | ipv4                      | ipv4 \| dualstack                                      |
 | [service.beta.kubernetes.io/aws-load-balancer-access-log-enabled](#deprecated-attributes)        | boolean                 | false                     | deprecated, in favor of [aws-load-balancer-attributes](#load-balancer-attributes)|
 | [service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name](#deprecated-attributes) | string                  |                           | deprecated, in favor of [aws-load-balancer-attributes](#load-balancer-attributes)|
@@ -201,11 +201,17 @@ Traffic Listening can be controlled with following annotations:
 NLB resource attributes can be controlled via the following annotations:
 
 - <a name="proxy-protocol-v2">service.beta.kubernetes.io/aws-load-balancer-proxy-protocol</a> specifies whether to enable proxy protocol v2 on the target group.
-Set to '*' to enable proxy protocol v2. This annotation takes precedence over the annotation `service.beta.kubernetes.io/aws-load-balancer-target-group-attributes`
-for proxy protocol v2 configuration.
+This annotation takes precedence over the annotation `service.beta.kubernetes.io/aws-load-balancer-target-group-attributes` for proxy protocol v2 configuration.
 
-    !!!note ""
-        The only valid value for this annotation is `*`.
+    !!!example
+        - enable proxy protocol for all ports
+        ```
+        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: *
+        ```
+        - enable proxy protocol for ports 80 and 443
+        ```
+        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: 80, 443
+        ```
 
 - <a name="target-group-attributes">`service.beta.kubernetes.io/aws-load-balancer-target-group-attributes`</a> specifies the
 [Target Group Attributes](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-group-attributes) to be configured.
diff --git a/pkg/service/model_build_target_group.go b/pkg/service/model_build_target_group.go
@@ -44,7 +44,7 @@ func (t *defaultModelBuildTask) buildTargetGroup(ctx context.Context, port corev
 	if err != nil {
 		return nil, err
 	}
-	tgAttrs, err := t.buildTargetGroupAttributes(ctx)
+	tgAttrs, err := t.buildTargetGroupAttributes(ctx, port)
 	if err != nil {
 		return nil, err
 	}
@@ -204,7 +204,7 @@ func (t *defaultModelBuildTask) buildTargetGroupName(_ context.Context, svcPort
 	return fmt.Sprintf("k8s-%.8s-%.8s-%.10s", sanitizedNamespace, sanitizedName, uuid)
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupAttributes(_ context.Context) ([]elbv2model.TargetGroupAttribute, error) {
+func (t *defaultModelBuildTask) buildTargetGroupAttributes(_ context.Context, port corev1.ServicePort) ([]elbv2model.TargetGroupAttribute, error) {
 	var rawAttributes map[string]string
 	if _, err := t.annotationParser.ParseStringMapAnnotation(annotations.SvcLBSuffixTargetGroupAttributes, &rawAttributes, t.service.Annotations); err != nil {
 		return nil, err
@@ -215,12 +215,18 @@ func (t *defaultModelBuildTask) buildTargetGroupAttributes(_ context.Context) ([
 	if _, ok := rawAttributes[tgAttrsProxyProtocolV2Enabled]; !ok {
 		rawAttributes[tgAttrsProxyProtocolV2Enabled] = strconv.FormatBool(t.defaultProxyProtocolV2Enabled)
 	}
-	proxyV2Annotation := ""
-	if exists := t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixProxyProtocol, &proxyV2Annotation, t.service.Annotations); exists {
-		if proxyV2Annotation != "*" {
-			return []elbv2model.TargetGroupAttribute{}, errors.Errorf("invalid value %v for Load Balancer proxy protocol v2 annotation, only value currently supported is *", proxyV2Annotation)
+	var proxyV2Annotations []string
+	if exists := t.annotationParser.ParseStringSliceAnnotation(annotations.SvcLBSuffixProxyProtocol, &proxyV2Annotations, t.service.Annotations); exists {
+		for _, proxySelector := range proxyV2Annotations {
+			if proxySelector == "*" {
+				rawAttributes[tgAttrsProxyProtocolV2Enabled] = "true"
+				break
+			}
+			if proxySelector == strconv.Itoa(int(port.Port)) {
+				rawAttributes[tgAttrsProxyProtocolV2Enabled] = "true"
+				break
+			}
 		}
-		rawAttributes[tgAttrsProxyProtocolV2Enabled] = "true"
 	}
 	if rawPreserveIPEnabled, ok := rawAttributes[tgAttrsPreserveClientIPEnabled]; ok {
 		_, err := strconv.ParseBool(rawPreserveIPEnabled)
diff --git a/pkg/service/model_build_target_group_test.go b/pkg/service/model_build_target_group_test.go
@@ -3,13 +3,14 @@ package service
 import (
 	"context"
 	"errors"
-	"github.com/golang/mock/gomock"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
 	"sort"
 	"strconv"
 	"testing"
 
+	"github.com/golang/mock/gomock"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/stretchr/testify/assert"
@@ -26,6 +27,7 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 	tests := []struct {
 		testName  string
 		svc       *corev1.Service
+		svcPort   corev1.ServicePort
 		wantError bool
 		wantValue []elbv2.TargetGroupAttribute
 	}{
@@ -36,6 +38,12 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 					Annotations: map[string]string{},
 				},
 			},
+			svcPort: corev1.ServicePort{
+				Name:       "http",
+				Port:       80,
+				TargetPort: intstr.FromInt(8080),
+				NodePort:   32768,
+			},
 			wantError: false,
 			wantValue: []elbv2.TargetGroupAttribute{
 				{
@@ -53,6 +61,12 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 					},
 				},
 			},
+			svcPort: corev1.ServicePort{
+				Name:       "http",
+				Port:       80,
+				TargetPort: intstr.FromInt(8080),
+				NodePort:   32768,
+			},
 			wantError: false,
 			wantValue: []elbv2.TargetGroupAttribute{
 				{
@@ -62,15 +76,73 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 			},
 		},
 		{
-			testName: "Invalid value",
+			testName: "no matching value",
 			svc: &corev1.Service{
 				ObjectMeta: metav1.ObjectMeta{
 					Annotations: map[string]string{
 						"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "v2",
 					},
 				},
 			},
-			wantError: true,
+			svcPort: corev1.ServicePort{
+				Name:       "http",
+				Port:       80,
+				TargetPort: intstr.FromInt(8080),
+				NodePort:   32768,
+			},
+			wantValue: []elbv2.TargetGroupAttribute{
+				{
+					Key:   tgAttrsProxyProtocolV2Enabled,
+					Value: "false",
+				},
+			},
+			wantError: false,
+		},
+		{
+			testName: "matching value",
+			svc: &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "80",
+					},
+				},
+			},
+			svcPort: corev1.ServicePort{
+				Name:       "http",
+				Port:       80,
+				TargetPort: intstr.FromInt(8080),
+				NodePort:   32768,
+			},
+			wantValue: []elbv2.TargetGroupAttribute{
+				{
+					Key:   tgAttrsProxyProtocolV2Enabled,
+					Value: "true",
+				},
+			},
+			wantError: false,
+		},
+		{
+			testName: "multiple values",
+			svc: &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "443, 80, 9090",
+					},
+				},
+			},
+			svcPort: corev1.ServicePort{
+				Name:       "http",
+				Port:       80,
+				TargetPort: intstr.FromInt(8080),
+				NodePort:   32768,
+			},
+			wantValue: []elbv2.TargetGroupAttribute{
+				{
+					Key:   tgAttrsProxyProtocolV2Enabled,
+					Value: "true",
+				},
+			},
+			wantError: false,
 		},
 		{
 			testName: "target group attributes",
@@ -81,6 +153,12 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 					},
 				},
 			},
+			svcPort: corev1.ServicePort{
+				Name:       "http",
+				Port:       80,
+				TargetPort: intstr.FromInt(8080),
+				NodePort:   32768,
+			},
 			wantValue: []elbv2.TargetGroupAttribute{
 				{
 					Key:   tgAttrsProxyProtocolV2Enabled,
@@ -111,6 +189,12 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 					},
 				},
 			},
+			svcPort: corev1.ServicePort{
+				Name:       "http",
+				Port:       80,
+				TargetPort: intstr.FromInt(8080),
+				NodePort:   32768,
+			},
 			wantValue: []elbv2.TargetGroupAttribute{
 				{
 					Key:   tgAttrsProxyProtocolV2Enabled,
@@ -127,6 +211,12 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 					},
 				},
 			},
+			svcPort: corev1.ServicePort{
+				Name:       "http",
+				Port:       80,
+				TargetPort: intstr.FromInt(8080),
+				NodePort:   32768,
+			},
 			wantError: true,
 		},
 		{
@@ -138,6 +228,12 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 					},
 				},
 			},
+			svcPort: corev1.ServicePort{
+				Name:       "http",
+				Port:       80,
+				TargetPort: intstr.FromInt(8080),
+				NodePort:   32768,
+			},
 			wantError: true,
 		},
 	}
@@ -148,7 +244,7 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 				service:          tt.svc,
 				annotationParser: parser,
 			}
-			tgAttrs, err := builder.buildTargetGroupAttributes(context.Background())
+			tgAttrs, err := builder.buildTargetGroupAttributes(context.Background(), tt.svcPort)
 			if tt.wantError {
 				assert.Error(t, err)
 			} else {
