Using PROXY protocol in Managed Kubernetes cluster

For your information

The PROXY protocol works correctly only with Managed Kubernetes clusters of version 1.21.10 or higher. You can upgrade the cluster version.

For your information

This is a guide for configuring access via the Nginx Ingress Controller.

Download the ingresscontroller.yaml manifest.
Make changes to the manifest fields that are marked with the [EDIT]: tag:
- enable PROXY protocol:
```
config:
    use-proxy-protocol: true
```
- create a Service with the following parameters:
```
type: LoadBalancer
externalTrafficPolicy: Cluster
annotations:
    loadbalancer.openstack.org/proxy-protocol: "true"
```
Do not change the value of the externalTrafficPolicy parameter.
Install the Helm package manager.

Optional: add the ingress-nginx repository to Helm and update it:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

Create an Ingress Controller using the manifest from step 1:

helm install ingress-nginx/ingress-nginx --values ingresscontroller.yaml --generate-name

Check that the Ingress Controller is installed:

kubectl get svc

The command output should contain an external IP address with the nip.io suffix:

NAME                  TYPE         CLUSTER-IP    EXTERNAL-IP          PORT(S)                    AGE
ingress-nginx-ingress LoadBalancer 10.100.100.100 123.123.123.123.nip.io 80:31039/TCP,443:31667/TCP 103s

Create a test deployment of the echo server:

cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
    name: echoserver
    namespace: default
    labels:
      app: echoserver
spec:
    replicas: 1
    selector:
      matchLabels:
        app: echoserver
    template:
      metadata:
        labels:
          app: echoserver
      spec:
        containers:
        - name: echoserver
          image: gcr.io/google-containers/echoserver:1.10
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 8080
EOF

Create a Service for the echo server:

kubectl expose deployment echoserver --type=ClusterIP --target-port=8080

Create an Ingress rule for the echo server Service:

cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
    name: test-proxy-protocol
    namespace: default
spec:
    ingressClassName: "nginx"
    rules:
      - host: test.com
        http:
          paths:
          - path: /ping
            pathType: Exact
            backend:
              service:
                name: echoserver
                port:
                  number: 8080
EOF

Check the Ingress:

kubectl get ing

Command output (the IP address may take some time to appear):

NAME                HOSTS    ADDRESS                PORTS AGE
test-proxy-protocol test.com 123.123.123.123.nip.io 80    2s

Check the connection:

ip=123.123.123.123.nip.io
curl -sH 'Host: test.com' http://$ip/ping | sed '/^\s*$/d'

Command output:

Hostname: echoserver-5c79dc5747-txwnz
Pod Information:
        -no pod information available-
Server values:
        server_version=nginx: 1.13.3 - lua: 10008
Request Information:
        client_address=10.10.10.31
        method=GET
        real path=/ping
        query=
        request_version=1.1
        request_scheme=http
        request_uri=http://test.com:8080/ping
Request Headers:
        accept=*/*
        connection=close
        host=test.com
        user-agent=curl/7.74.0
        x-forwarded-for=<xxx>
        x-forwarded-host=test.com
        x-forwarded-port=80
        x-forwarded-proto=http
        x-real-ip=<xxx>
Request Body:
        -no body in request-