@SzucsAti SzucsAti commented Jul 25, 2022

On IBMCloud users can set a loadbalancer annotation to enable proxy protocol on the loadbalancer:
service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: "proxy-protocol"
https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas

With this PR users can configure proxy protocol on the ingresscontroller custom resource. Cluster-ingress-operator will read the value of this field and configure the loadbalancer accordingly.

  endpointPublishingStrategy:
    loadBalancer:
      providerParameters:
        type: IBM
        ibm:
          protocol: PROXY
      scope: External
    type: LoadBalancerService

This PR is based on another PR which is not yet merged; it implements IBMLoadBalancerParameters:
#1208

@openshift-ci
Contributor

openshift-ci bot commented Jul 25, 2022

Hello @SzucsAti! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

For merging purposes, this repository follows the no-Feature-Freeze process which means that in addition to the standard lgtm and approved labels this repository requires either:

bugzilla/valid-bug - applied if your PR references a valid bugzilla bug

OR

qe-approved, docs-approved, and px-approved - these labels can be applied by anyone in the openshift org via the /label command.

Who should apply these qe/docs/px labels?

  • For a no-Feature-Freeze team who is merging a feature before code freeze, they need to get those labels applied to their api repo PR by the appropriate teams (i.e. qe, docs, px)
  • For a Feature Freeze (traditional) team who is merging a feature before FF, they can self-apply the labels (via /label commands), they are basically irrelevant for those teams
  • For a Feature Freeze team who is merging a feature after FF, the PR should be rejected barring an exception

@SzucsAti
Contributor Author

/test verify

@SzucsAti
Contributor Author

/assign

@SzucsAti SzucsAti removed their assignment Jul 26, 2022
@SzucsAti
Contributor Author

/assign @deads2k @soltysh

@SzucsAti SzucsAti force-pushed the proxy-protocol branch 3 times, most recently from 6d2e3a3 to 40d91c3 Compare October 5, 2022 13:13
@SzucsAti SzucsAti changed the title from "Add proxy protocol support to IBMLoadBalancerParameters" to "NE-1091: Add proxy protocol support to IBMLoadBalancerParameters" Oct 21, 2022
type ProviderLoadBalancerParameters struct {
// type is the underlying infrastructure provider for the load balancer.
// Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Nutanix",
// Allowed values are "AWS", "Azure", "BareMetal", "GCP", "IBM", "Nutanix",
Contributor

Where is the change to the discriminator enum to allow this? Can't see a change to LoadBalancerProviderType included here

Contributor Author

It was already changed here: https://github.com/openshift/api/blob/master/operator/v1/types_ingress.go#L473-#L490. Comment was not up to date.

// protocol specifies whether the load balancer uses PROXY protocol to forward connections to
// the IngressController. See "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features:
// "proxy-protocol"" at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas"
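
Review bot: the quoting in the second and third comment lines is unbalanced: the annotation key is opened with a double quote, its value "proxy-protocol" is quoted again inside it, and a stray closing quote follows the URL, so the field description generated from this godoc will carry mismatched quotes. Suggest writing the annotation without nesting, for example: See the service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: "proxy-protocol" annotation at https://cloud.ibm.com/docs/containers?topic=containers-vpc-lbaas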

Contributor

Is this blank line expected?

Contributor Author

Not expected, fixed.

@JoelSpeed
Contributor

The changes to the API look good here but, given the proximity to branch cuts, I'd like to see a QE approval of the feature before we merge this

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 24, 2022
@openshift-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 23, 2023
@SzucsAti
Contributor Author

/remove-lifecycle stale

@openshift-ci openshift-ci bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 23, 2023
Comment on lines 604 to 611
// The following values are valid for this field:
//
// * The empty string.
// * "TCP".
// * "PROXY".
//
// The empty string specifies the default, which is TCP without PROXY
// protocol. Note that the default is subject to change.
Contributor

Just want to update the wording to be consistent with our standard wording on other APIs

Suggested change
// The following values are valid for this field:
//
// * The empty string.
// * "TCP".
// * "PROXY".
//
// The empty string specifies the default, which is TCP without PROXY
// protocol. Note that the default is subject to change.
// Valid values for protocol and TCP, PROXY and omitted.
// When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.
// The current default is TCP, without the proxy protocol enabled.
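
Review bot: the first line of the suggested replacement, "// Valid values for protocol and TCP, PROXY and omitted.", reads "and TCP" where "are TCP" is meant, so as written the godoc never states that these are the valid values. Suggest "// Valid values for protocol are TCP, PROXY and omitted." The second replacement line is also far longer than the comment lines it replaces; wrapping it to the same width keeps the block consistent.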

Contributor Author

Thank you, applied your suggestion.

Contributor

@JoelSpeed, should we update the godoc on the other protocol fields likewise? I can get that in a follow-up if you like.

Contributor

Yeah a follow up would be great if you can, thanks

Comment on lines 613 to 608
// +kubebuilder:validation:Optional
// +optional
Contributor

You don't need both versions of this, just +optional will suffice

Contributor Author

Removed // +kubebuilder:validation:Optional.

Co-authored-by: Vincent Burckhardt <vincent.burckhardt@ie.ibm.com>
@JoelSpeed
Contributor

API looks good, have you run through any pre-merge validation with the QE team? Could we look to get their ack on this feature?

@candita
Contributor

candita commented Feb 1, 2023

/assign @Miciah
/assign @gcs278

@lihongan
Contributor

lihongan commented Feb 2, 2023

For pre-merge validation, I think we have no chance to test the api directly.
Can anyone help to create a PR to cluster-ingress-operator with the API bump? Then QE can do pre-merge validation with the two PRs.
cc @SzucsAti @Miciah

@candita
Contributor

candita commented Feb 2, 2023

For pre-merge validation, I think we have no chance to test the api directly. Can anyone help to create a PR to cluster-ingress-operator with the API bump? Then QE can do pre-merge validation with the two PRs. cc @SzucsAti @Miciah

@SzucsAti can you confirm that openshift/cluster-ingress-operator#812 is a PR that can be used to do pre-merge validation?

@attiss

attiss commented Feb 2, 2023

Hi @lihongan @candita,

Yes, openshift/cluster-ingress-operator#812 is the correct PR for pre-merge validations.

@lihongan
Contributor

lihongan commented Feb 3, 2023

@attiss thanks for confirming. Looks like openshift/cluster-ingress-operator#812 needs a rebase and some checks failed.
Anyway, I'll have a try to see if I can build payload with the two PRs.

@lihongan
Contributor

lihongan commented Feb 3, 2023

Oops, cannot build the payload with cluster-bot and it reports:

pull request openshift/cluster-ingress-operator#812 needs to be rebased to branch master

so the rebase is mandatory

@SzucsAti
Contributor Author

SzucsAti commented Feb 3, 2023

@lihongan
Contributor

lihongan commented Feb 7, 2023

tested with pre-merge validation and passed

$ oc get clusterversion
NAME      VERSION                                                   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.13.0-0.ci.test-2023-02-07-013419-ci-ln-k91zc62-latest   True        False         139m    Cluster version is 4.13.0-0.ci.test-2023-02-07-013419-ci-ln-k91zc62-latest

### after updating the ingresscontroller/default and got 
$ oc -n openshift-ingress-operator get ingresscontroller/default -oyaml
<---snip-->
spec:
  endpointPublishingStrategy:
    loadBalancer:
      dnsManagementPolicy: Managed
      providerParameters:
        ibm:
          protocol: PROXY
        type: IBM
      scope: External
    type: LoadBalancerService
<------>
status:
  domain: apps.hongli-ibm.ibmcloud.qe.devcluster.openshift.com
  endpointPublishingStrategy:
    loadBalancer:
      dnsManagementPolicy: Managed
      providerParameters:
        ibm:
          protocol: PROXY
        type: IBM
      scope: External
    type: LoadBalancerService
<------>

### ensure router pods use PROXY protocol
$ oc -n openshift-ingress get deployment/router-default -oyaml
<---snip--->
        - name: ROUTER_USE_PROXY_PROTOCOL
          value: "true"

### ensure the proxy-protocol annotation is added to the LB service 
$ oc -n openshift-ingress get svc/router-default -oyaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features: proxy-protocol
    service.kubernetes.io/ibm-load-balancer-cloud-provider-ip-type: public
<---snip--->

### ensure routes and ingress operator work well
$ curl https://canary-openshift-ingress-canary.apps.hongli-ibm.ibmcloud.qe.devcluster.openshift.com -k
Healthcheck requested
 
$ oc get co/ingress
NAME      VERSION                                                   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
ingress   4.13.0-0.ci.test-2023-02-07-013419-ci-ln-k91zc62-latest   True        False         False      153m    
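
The three things checked by hand in the validation comment above (the `protocol` field, the `ROUTER_USE_PROXY_PROTOCOL` variable and the load balancer annotation) have to agree, and that agreement can be checked in code. The Go program below is an added example, not code from this PR or from cluster-ingress-operator; `CheckProxyConsistency` and `lbSendsProxy` are hypothetical names, reading the annotation value as a comma-separated list is an assumption, and the inputs in `main` are constructed to mirror the output above.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation and variable names come from the PR thread. Treating the
// annotation value as a comma-separated feature list is an assumption.
const (
	featuresAnnotation = "service.kubernetes.io/ibm-load-balancer-cloud-provider-enable-features"
	proxyFeature       = "proxy-protocol"
	routerProxyEnv     = "ROUTER_USE_PROXY_PROTOCOL"
)

// lbSendsProxy reports whether the Service asks the load balancer for PROXY protocol.
func lbSendsProxy(annotations map[string]string) bool {
	for _, f := range strings.Split(annotations[featuresAnnotation], ",") {
		if strings.TrimSpace(f) == proxyFeature {
			return true
		}
	}
	return false
}

// CheckProxyConsistency (hypothetical helper) compares the IngressController
// protocol value with the Service annotations and the router environment and
// returns one finding per side that disagrees with the spec.
func CheckProxyConsistency(protocol string, svcAnnotations, routerEnv map[string]string) []string {
	want := protocol == "PROXY"
	if !want && protocol != "" && protocol != "TCP" { // "" (omitted) currently means TCP
		return []string{fmt.Sprintf("invalid protocol %q", protocol)}
	}
	var findings []string
	if lb := lbSendsProxy(svcAnnotations); lb != want {
		findings = append(findings, fmt.Sprintf("load balancer PROXY=%t, spec wants %t", lb, want))
	}
	if router := routerEnv[routerProxyEnv] == "true"; router != want {
		findings = append(findings, fmt.Sprintf("router PROXY=%t, spec wants %t", router, want))
	}
	return findings
}

func main() {
	// Constructed inputs mirroring the values in the QE output above.
	ann := map[string]string{featuresAnnotation: "proxy-protocol"}
	env := map[string]string{routerProxyEnv: "true"}
	fmt.Println(len(CheckProxyConsistency("PROXY", ann, env)), CheckProxyConsistency("TCP", ann, env))
}
```

On a cluster, the three inputs correspond to the objects read with the `oc get` commands in the comment above.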

@lihongan
Contributor

lihongan commented Feb 7, 2023

/label qe-approved

@openshift-ci openshift-ci bot added the qe-approved Signifies that QE has signed off on this PR label Feb 7, 2023
@Miciah
Contributor

Miciah commented Feb 7, 2023

/lgtm
/hold cancel
@JoelSpeed, are you ready to approve the API change?

@openshift-ci openshift-ci bot added lgtm Indicates that a PR is ready to be merged. and removed do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Feb 7, 2023
@ahardin-rh

/label docs-approved

@openshift-ci openshift-ci bot added the docs-approved Signifies that Docs has signed off on this PR label Feb 7, 2023
@CFields651

/label px-approved

@openshift-ci openshift-ci bot added the px-approved Signifies that Product Support has signed off on this PR label Feb 7, 2023
@gcs278
Contributor

gcs278 commented Feb 7, 2023

/lgtm

@JoelSpeed
Contributor

/lgtm

@openshift-ci
Contributor

openshift-ci bot commented Feb 7, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gcs278, JoelSpeed, Miciah, SzucsAti

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 7, 2023
@openshift-ci
Contributor

openshift-ci bot commented Feb 7, 2023

@SzucsAti: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@openshift-merge-robot openshift-merge-robot merged commit 3961c9d into openshift:master Feb 7, 2023