From 7a4290e8c7b0bcfdbcef1ac44e497c91f13c318b Mon Sep 17 00:00:00 2001 From: Kris Budde Date: Tue, 7 May 2024 11:36:27 +0200 Subject: [PATCH] [occm] KEP-1860: Add support for LoadBalancer ipMode (#2587) * KEP-1860: Add support for LoadBalancer ipMode * cleaner: use assertEqual for test --- pkg/openstack/loadbalancer.go | 28 +++++++++++++++++---------- pkg/openstack/loadbalancer_test.go | 31 ++++++++++++++++++++++++++++++ 2 files changed, 49 insertions(+), 10 deletions(-) diff --git a/pkg/openstack/loadbalancer.go b/pkg/openstack/loadbalancer.go index b9708c8920..895453b211 100644 --- a/pkg/openstack/loadbalancer.go +++ b/pkg/openstack/loadbalancer.go @@ -1568,18 +1568,26 @@ func (lbaas *LbaasV2) createLoadBalancerStatus(service *corev1.Service, svcConf status.Ingress = []corev1.LoadBalancerIngress{{Hostname: hostname}} return status } - // If the load balancer is using the PROXY protocol, expose its IP address via - // the Hostname field to prevent kube-proxy from injecting an iptables bypass. - // This is a workaround until - // https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/1860-kube-proxy-IP-node-binding - // is implemented (maybe in v1.22). - if svcConf.enableProxyProtocol && lbaas.opts.EnableIngressHostname { - fakeHostname := fmt.Sprintf("%s.%s", addr, lbaas.opts.IngressHostnameSuffix) - status.Ingress = []corev1.LoadBalancerIngress{{Hostname: fakeHostname}} - return status + + ipMode := corev1.LoadBalancerIPModeVIP + if svcConf.enableProxyProtocol { + // If the load balancer is using the PROXY protocol, expose its IP address via + // the Hostname field to prevent kube-proxy from injecting an iptables bypass. + // Setting must be removed by the user to allow the use of the LoadBalancerIPModeProxy. + if lbaas.opts.EnableIngressHostname { + fakeHostname := fmt.Sprintf("%s.%s", addr, lbaas.opts.IngressHostnameSuffix) + status.Ingress = []corev1.LoadBalancerIngress{{Hostname: fakeHostname}} + return status + } + // Set the LoadBalancerIPMode to Proxy to prevent kube-proxy from injecting an iptables bypass. + // https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/1860-kube-proxy-IP-node-binding + ipMode = corev1.LoadBalancerIPModeProxy } // Default to IP - status.Ingress = []corev1.LoadBalancerIngress{{IP: addr}} + status.Ingress = []corev1.LoadBalancerIngress{{ + IP: addr, + IPMode: &ipMode, + }} return status } diff --git a/pkg/openstack/loadbalancer_test.go b/pkg/openstack/loadbalancer_test.go index 7539bb34e6..6f3dbcb8d7 100644 --- a/pkg/openstack/loadbalancer_test.go +++ b/pkg/openstack/loadbalancer_test.go @@ -709,12 +709,15 @@ func TestLbaasV2_checkListenerPorts(t *testing.T) { } } func TestLbaasV2_createLoadBalancerStatus(t *testing.T) { + ipmodeProxy := corev1.LoadBalancerIPModeProxy + ipmodeVIP := corev1.LoadBalancerIPModeVIP type fields struct { LoadBalancer LoadBalancer } type result struct { HostName string IPAddress string + IPMode *corev1.LoadBalancerIPMode } type args struct { service *corev1.Service @@ -800,6 +803,33 @@ func TestLbaasV2_createLoadBalancerStatus(t *testing.T) { }, want: result{ IPAddress: "10.10.0.6", + IPMode: &ipmodeVIP, + }, + }, + { + name: "it should return ipMode proxy if using proxyProtocol and not EnableIngressHostname", + fields: fields{ + LoadBalancer: LoadBalancer{ + opts: LoadBalancerOpts{ + EnableIngressHostname: false, + IngressHostnameSuffix: "ingress-suffix", + }, + }, + }, + args: args{ + service: &corev1.Service{ + ObjectMeta: v1.ObjectMeta{ + Annotations: map[string]string{"test": "key"}, + }, + }, + svcConf: &serviceConfig{ + enableProxyProtocol: true, + }, + addr: "10.10.0.6", + }, + want: result{ + IPAddress: "10.10.0.6", + IPMode: &ipmodeProxy, }, }, } @@ -812,6 +842,7 @@ func TestLbaasV2_createLoadBalancerStatus(t *testing.T) { result := lbaas.createLoadBalancerStatus(tt.args.service, tt.args.svcConf, tt.args.addr) assert.Equal(t, tt.want.HostName, result.Ingress[0].Hostname) assert.Equal(t, tt.want.IPAddress, result.Ingress[0].IP) + assert.Equal(t, tt.want.IPMode, result.Ingress[0].IPMode) }) } }