fix(occm/loadbalancer): enable proxy-protocol only for supported listeners
Lucasgranet authored and dulek committed Feb 9, 2024
1 parent e87f506 commit a9f932d
Showing 2 changed files with 27 additions and 3 deletions.
1 change: 1 addition & 0 deletions pkg/openstack/events.go
Expand Up @@ -21,4 +21,5 @@ const (
eventLBExternalNetworkSearchFailed = "LoadBalancerExternalNetworkSearchFailed"
eventLBSourceRangesIgnored = "LoadBalancerSourceRangesIgnored"
eventLBAZIgnored = "LoadBalancerAvailabilityZonesIgnored"
eventLBProxyProtocolUnsupported = "LoadBalancerProxyProtocolUnsupported"
)
29 changes: 26 additions & 3 deletions pkg/openstack/loadbalancer.go
Expand Up @@ -21,6 +21,7 @@ import (
"encoding/json"
"fmt"
"regexp"
"slices"
"strconv"
"strings"

Expand Down Expand Up @@ -104,7 +105,11 @@ type LbaasV2 struct {
LoadBalancer
}

var _ cloudprovider.LoadBalancer = &LbaasV2{}
var (
// List based on Octavia documentation https://docs.openstack.org/api-ref/load-balancer/v2/index.html?expanded=create-pool-detail#protocol-combinations-listener-pool
proxyProtocolSupportedListeners = []listeners.Protocol{listeners.ProtocolHTTP, listeners.ProtocolHTTPS, listeners.ProtocolTCP, listeners.ProtocolTerminatedHTTPS}
_ = &LbaasV2{}
)

// serviceConfig contains configurations for creating a Service.
type serviceConfig struct {
Expand Down Expand Up @@ -852,7 +857,12 @@ func (lbaas *LbaasV2) ensureOctaviaPool(lbID string, name string, listener *list
// By default, use the protocol of the listener
poolProto := v2pools.Protocol(listener.Protocol)
if svcConf.enableProxyProtocol {
poolProto = v2pools.ProtocolPROXY
if isProtocolProxyProtocolSupported(listener.Protocol) {
poolProto = v2pools.ProtocolPROXY
} else {
lbaas.eventRecorder.Eventf(service, corev1.EventTypeWarning, eventLBProxyProtocolUnsupported,
"PROXY protocol is not supported for %s listeners, falling back to %s", listener.Protocol, listener.Protocol)
}
} else if (svcConf.keepClientIP || svcConf.tlsContainerRef != "") && poolProto != v2pools.ProtocolHTTP {
poolProto = v2pools.ProtocolHTTP
}
Expand Down Expand Up @@ -919,7 +929,12 @@ func (lbaas *LbaasV2) buildPoolCreateOpt(listenerProtocol string, service *corev
// By default, use the protocol of the listener
poolProto := v2pools.Protocol(listenerProtocol)
if svcConf.enableProxyProtocol {
poolProto = v2pools.ProtocolPROXY
if isProtocolProxyProtocolSupported(listener.Protocol) {
poolProto = v2pools.ProtocolPROXY
} else {
lbaas.eventRecorder.Eventf(service, corev1.EventTypeWarning, eventLBProxyProtocolUnsupported,
"PROXY protocol is not supported for %s listeners, falling back to %s", listener.Protocol, listener.Protocol)
}
} else if (svcConf.keepClientIP || svcConf.tlsContainerRef != "") && poolProto != v2pools.ProtocolHTTP {
if svcConf.keepClientIP && svcConf.tlsContainerRef != "" {
klog.V(4).Infof("Forcing to use %q protocol for pool because annotations %q %q are set", v2pools.ProtocolHTTP, ServiceAnnotationLoadBalancerXForwardedFor, ServiceAnnotationTlsContainerRef)
Expand Down Expand Up @@ -2111,6 +2126,14 @@ func GetLoadBalancerSourceRanges(service *corev1.Service, preferredIPFamily core
return ipnets, nil
}

// isProtocolProxyProtocolSupported checks if the ListenProtocol can be used with the ProxyProtocol
// for the pool configuration. In the case of UDP listener, Octavia doesn't support the ProxyProtocol
// and should not be enabled to avoid 403 from Octavia API.
// https://docs.openstack.org/api-ref/load-balancer/v2/index.html?expanded=create-pool-detail#protocol-combinations-listener-pool
func isProtocolProxyProtocolSupported(protocol string) bool {
return slices.Contains(proxyProtocolSupportedListeners, listeners.Protocol(protocol))
}

// PreserveGopherError preserves the error details delivered with the response
// that are explicitly discarded by dedicated error types.
// The gopher library, because of an unknown reason, explicitly hides
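Review bot: The compile-time interface check is lost in the var block that replaces `var _ cloudprovider.LoadBalancer = &LbaasV2{}`: the new `_ = &LbaasV2{}` merely discards a pointer and no longer proves that *LbaasV2 satisfies cloudprovider.LoadBalancer, so the typed form should be kept inside the block as `_ cloudprovider.LoadBalancer = &LbaasV2{}`. In the buildPoolCreateOpt hunk the new branch reads `listener.Protocol` while the surrounding code derives the pool protocol from the `listenerProtocol` string parameter; the rest of the signature is cut off at the hunk header, so `listener` may be in scope from a part not shown, but if it is not, the call and both Eventf arguments should use `listenerProtocol`, as the ensureOctaviaPool hunk (where `listener.Protocol` is the right field) makes clear the two sites are meant to be parallel. Note also that the fallback changes what the backend observes: when PROXY protocol was explicitly requested for an unsupported listener the pool is created without it, so a backend relying on the PROXY header for the real client address (source-IP allow-lists, audit logs) will see the load balancer's address, and the warning event is the only signal of that; the comment on isProtocolProxyProtocolSupported would benefit from stating this, e.g. `// Callers fall back to the listener protocol and emit eventLBProxyProtocolUnsupported rather than failing.`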
