From c924fe1dded54726cc3fffa2b85b8ed1922b1ea4 Mon Sep 17 00:00:00 2001
From: Steve Tran
Date: Thu, 30 Jan 2020 17:49:05 -0800
Subject: [PATCH] Add ProxyProtocol flag to enable PROXY_PROTOCOl on ingress routers
This is enabled by default when the platform is AWS, but there is no reason why it should not be available for others, or configurable by admins.
---
 manifests/00-custom-resource-definition.yaml | 6 ++++++
 pkg/operator/controller/ingress/deployment.go | 8 +++++++-
 .../github.com/openshift/api/operator/v1/types_ingress.go | 7 +++++++
 3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/manifests/00-custom-resource-definition.yaml b/manifests/00-custom-resource-definition.yaml
index f22847d498..ab2fa636b0 100644
--- a/manifests/00-custom-resource-definition.yaml
+++ b/manifests/00-custom-resource-definition.yaml
@@ -616,6 +616,12 @@ spec:
 type: object
 type: array
 type: object
+ proxyprotocol:
+ description: proxyprotocol is a flag used to indicate whether the ingress
+ routers should be configured to accept the PROXY Protocol or not.
+ If unset, defaults to false, unless the Infrastructure platform is
+ of type AWS, which it is enabled by default.
+ type: boolean
 replicas:
 description: replicas is the desired number of ingress controller replicas. If unset, defaults to 2.
diff --git a/pkg/operator/controller/ingress/deployment.go b/pkg/operator/controller/ingress/deployment.go
index 5670cc4e5e..666c157295 100644
--- a/pkg/operator/controller/ingress/deployment.go
+++ b/pkg/operator/controller/ingress/deployment.go
@@ -167,10 +167,16 @@ func desiredRouterDeployment(ci *operatorv1.IngressController, ingressController
 env = append(env, corev1.EnvVar{Name: "ROUTER_CANONICAL_HOSTNAME", Value: ci.Status.Domain})
 }
- if ci.Status.EndpointPublishingStrategy.Type == operatorv1.LoadBalancerServiceStrategyType {
+ // Check if ProxyProtocol is enabled - not the most efficient if/elseif, but someone else can
+ // clean it up when they make this more robust to handle more flags, or ask me to do it.
+ if ci.Spec.ProxyProtocolEnabled == true {
+ log.Info("ProxyProtocol flag was set - using PROXY PROTOCOL")
+ env = append(env, corev1.EnvVar{Name: "ROUTER_USE_PROXY_PROTOCOL", Value: "true"})
+ } else if ci.Status.EndpointPublishingStrategy.Type == operatorv1.LoadBalancerServiceStrategyType {
 // For now, check if we are on AWS. This can really be done for
 // for any external [cloud] LBs that support the proxy protocol.
 if infraConfig.Status.Platform == configv1.AWSPlatformType {
+ log.Info("Platform is AWS - using PROXY PROTOCOL")
 env = append(env, corev1.EnvVar{Name: "ROUTER_USE_PROXY_PROTOCOL", Value: "true"})
 }
 }
diff --git a/vendor/github.com/openshift/api/operator/v1/types_ingress.go b/vendor/github.com/openshift/api/operator/v1/types_ingress.go
index 9223d55939..d6d98335ca 100644
--- a/vendor/github.com/openshift/api/operator/v1/types_ingress.go
+++ b/vendor/github.com/openshift/api/operator/v1/types_ingress.go
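Review bot: The new `if ci.Spec.ProxyProtocolEnabled == true` branch sets `ROUTER_USE_PROXY_PROTOCOL` without consulting `ci.Status.EndpointPublishingStrategy.Type`, so the router is told to accept a PROXY header on every publishing strategy, including ones where clients may reach it without a load balancer in front. The PROXY header is unauthenticated: any peer that can connect directly supplies the client address the router then records and applies source-IP rules to, and peers that send no header will presumably have their connections rejected. I would either keep the strategy check around the flag or log a warning when it is set outside `LoadBalancerServiceStrategyType`, and say in the field description that it is only safe when every path to the router goes through a trusted proxy that speaks the protocol. Separately, the field is a plain `bool`, so `false` and unset both fall through to the `else if` and an admin on AWS cannot switch the default off; a `*bool` tested with `ci.Spec.ProxyProtocolEnabled != nil` would allow both directions. desiredRouterDeployment begins and ends outside this hunk.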
@@ -64,6 +64,13 @@ type IngressControllerSpec struct {
 // +optional
 Replicas *int32 `json:"replicas,omitempty"`
+
+ // proxyprotocol is a flag used to indicate whether the ingress routers should be configured to accept the PROXY Protocol or not.
+ // If unset, defaults to false, unless the Infrastructure platform is of type AWS, which it is enabled by default.
+ //
+ // +optional
+ ProxyProtocolEnabled bool `json:"proxyprotocol,omitempty"`
+
 // endpointPublishingStrategy is used to publish the ingress controller
 // endpoints to other networks, enable load balancer integrations, etc.
 //