Merge pull request #4079 from pthak94/proxy-protocol-per-target-group

k8s-ci-robot · web-flow · commit bee5f8c8a936 · 2025-03-16T17:57:47.000-07:00
Added support for setting Proxy protocol per target group based on ServicePort
diff --git a/docs/guide/service/annotations.md b/docs/guide/service/annotations.md
@@ -23,6 +23,7 @@
 | [service.beta.kubernetes.io/aws-load-balancer-internal](#lb-internal)                            | boolean                 | false                     | deprecated, in favor of [aws-load-balancer-scheme](#lb-scheme)                                                                                                                                                                      |
 | [service.beta.kubernetes.io/aws-load-balancer-scheme](#lb-scheme)                                | string                  | internal                  |                                                                                                                                                                                                                                     |
 | [service.beta.kubernetes.io/aws-load-balancer-proxy-protocol](#proxy-protocol-v2)                | string                  |                           | Set to `"*"` to enable                                                                                                                                                                                                              |
+| [service.beta.kubernetes.io/aws-load-balancer-proxy-protocol-per-target-group](#proxy-protocol-v2)                | string                  |                           | If specified,configures proxy protocol for the target groups corresponding to the ports mentioned and disables for the rest. For example, if you have services deployed on ports `"80, 443 and 22"`, the annotation value `"80, 443"` will enable proxy protocol for ports 80 and 443 only, and disable for port 22. This annotation is overriden by `"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol"`                                                                                                                                                                                                            |
 | [service.beta.kubernetes.io/aws-load-balancer-ip-address-type](#ip-address-type)                 | string                  | ipv4                      | ipv4 \| dualstack                                                                                                                                                                                                                   |
 | [service.beta.kubernetes.io/aws-load-balancer-access-log-enabled](#deprecated-attributes)        | boolean                 | false                     | deprecated, in favor of [aws-load-balancer-attributes](#load-balancer-attributes)                                                                                                                                                   |
 | [service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name](#deprecated-attributes) | string                  |                           | deprecated, in favor of [aws-load-balancer-attributes](#load-balancer-attributes)                                                                                                                                                   |
diff --git a/pkg/annotations/constants.go b/pkg/annotations/constants.go
@@ -69,6 +69,7 @@ const (
 	SvcLBSuffixScheme                                    = "aws-load-balancer-scheme"
 	SvcLBSuffixInternal                                  = "aws-load-balancer-internal"
 	SvcLBSuffixProxyProtocol                             = "aws-load-balancer-proxy-protocol"
+	SvcLBSuffixProxyProtocolPerTargetGroup               = "aws-load-balancer-proxy-protocol-per-target-group"
 	SvcLBSuffixIPAddressType                             = "aws-load-balancer-ip-address-type"
 	SvcLBSuffixAccessLogEnabled                          = "aws-load-balancer-access-log-enabled"
 	SvcLBSuffixAccessLogS3BucketName                     = "aws-load-balancer-access-log-s3-bucket-name"
diff --git a/pkg/service/model_build_target_group.go b/pkg/service/model_build_target_group.go
@@ -44,7 +44,7 @@ func (t *defaultModelBuildTask) buildTargetGroup(ctx context.Context, port corev
 	if err != nil {
 		return nil, err
 	}
-	tgAttrs, err := t.buildTargetGroupAttributes(ctx)
+	tgAttrs, err := t.buildTargetGroupAttributes(ctx, port)
 	if err != nil {
 		return nil, err
 	}
@@ -204,41 +204,66 @@ func (t *defaultModelBuildTask) buildTargetGroupName(_ context.Context, svcPort
 	return fmt.Sprintf("k8s-%.8s-%.8s-%.10s", sanitizedNamespace, sanitizedName, uuid)
 }
 
-func (t *defaultModelBuildTask) buildTargetGroupAttributes(_ context.Context) ([]elbv2model.TargetGroupAttribute, error) {
-	var rawAttributes map[string]string
-	if _, err := t.annotationParser.ParseStringMapAnnotation(annotations.SvcLBSuffixTargetGroupAttributes, &rawAttributes, t.service.Annotations); err != nil {
-		return nil, err
-	}
-	if rawAttributes == nil {
-		rawAttributes = make(map[string]string)
-	}
-	if _, ok := rawAttributes[tgAttrsProxyProtocolV2Enabled]; !ok {
-		rawAttributes[tgAttrsProxyProtocolV2Enabled] = strconv.FormatBool(t.defaultProxyProtocolV2Enabled)
-	}
-	proxyV2Annotation := ""
-	if exists := t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixProxyProtocol, &proxyV2Annotation, t.service.Annotations); exists {
-		if proxyV2Annotation != "*" {
-			return []elbv2model.TargetGroupAttribute{}, errors.Errorf("invalid value %v for Load Balancer proxy protocol v2 annotation, only value currently supported is *", proxyV2Annotation)
-		}
-		rawAttributes[tgAttrsProxyProtocolV2Enabled] = "true"
-	}
-	if rawPreserveIPEnabled, ok := rawAttributes[tgAttrsPreserveClientIPEnabled]; ok {
-		_, err := strconv.ParseBool(rawPreserveIPEnabled)
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to parse attribute %v=%v", tgAttrsPreserveClientIPEnabled, rawPreserveIPEnabled)
-		}
-	}
-	attributes := make([]elbv2model.TargetGroupAttribute, 0, len(rawAttributes))
-	for attrKey, attrValue := range rawAttributes {
-		attributes = append(attributes, elbv2model.TargetGroupAttribute{
-			Key:   attrKey,
-			Value: attrValue,
-		})
-	}
-	sort.Slice(attributes, func(i, j int) bool {
-		return attributes[i].Key < attributes[j].Key
-	})
-	return attributes, nil
+func (t *defaultModelBuildTask) buildTargetGroupAttributes(_ context.Context, port corev1.ServicePort) ([]elbv2model.TargetGroupAttribute, error) {
+    var rawAttributes map[string]string
+    if _, err := t.annotationParser.ParseStringMapAnnotation(annotations.SvcLBSuffixTargetGroupAttributes, &rawAttributes, t.service.Annotations); err != nil {
+        return nil, err
+    }
+    if rawAttributes == nil {
+        rawAttributes = make(map[string]string)
+    }
+    if _, ok := rawAttributes[tgAttrsProxyProtocolV2Enabled]; !ok {
+        rawAttributes[tgAttrsProxyProtocolV2Enabled] = strconv.FormatBool(t.defaultProxyProtocolV2Enabled)
+    }
+
+    var proxyProtocolPerTG string
+    if t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixProxyProtocolPerTargetGroup, &proxyProtocolPerTG, t.service.Annotations) {
+        ports := strings.Split(proxyProtocolPerTG, ",")
+        enabledPorts := make(map[string]struct{})
+        for _, p := range ports {
+            trimmedPort := strings.TrimSpace(p)
+            if trimmedPort != "" {
+                if _, err := strconv.Atoi(trimmedPort); err != nil {
+                    return nil, errors.Errorf("invalid port number in proxy-protocol-per-target-group: %v", trimmedPort)
+                }
+                enabledPorts[trimmedPort] = struct{}{}
+            }
+        }
+
+        currentPortStr := strconv.FormatInt(int64(port.Port), 10)
+        if _, enabled := enabledPorts[currentPortStr]; enabled {
+            rawAttributes[tgAttrsProxyProtocolV2Enabled] = "true"
+        } else {
+            rawAttributes[tgAttrsProxyProtocolV2Enabled] = "false"
+        }
+    }
+
+    proxyV2Annotation := ""
+    if exists := t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixProxyProtocol, &proxyV2Annotation, t.service.Annotations); exists {
+        if proxyV2Annotation != "*" {
+            return []elbv2model.TargetGroupAttribute{}, errors.Errorf("invalid value %v for Load Balancer proxy protocol v2 annotation, only value currently supported is *", proxyV2Annotation)
+        }
+        rawAttributes[tgAttrsProxyProtocolV2Enabled] = "true"
+    }
+
+    if rawPreserveIPEnabled, ok := rawAttributes[tgAttrsPreserveClientIPEnabled]; ok {
+        _, err := strconv.ParseBool(rawPreserveIPEnabled)
+        if err != nil {
+            return nil, errors.Wrapf(err, "failed to parse attribute %v=%v", tgAttrsPreserveClientIPEnabled, rawPreserveIPEnabled)
+        }
+    }
+
+    attributes := make([]elbv2model.TargetGroupAttribute, 0, len(rawAttributes))
+    for attrKey, attrValue := range rawAttributes {
+        attributes = append(attributes, elbv2model.TargetGroupAttribute{
+            Key:   attrKey,
+            Value: attrValue,
+        })
+    }
+    sort.Slice(attributes, func(i, j int) bool {
+        return attributes[i].Key < attributes[j].Key
+    })
+    return attributes, nil
 }
 
 func (t *defaultModelBuildTask) buildPreserveClientIPFlag(_ context.Context, targetType elbv2model.TargetType, tgAttrs []elbv2model.TargetGroupAttribute) (bool, error) {
@@ -711,4 +736,4 @@ func (t *defaultModelBuildTask) buildTargetGroupBindingMultiClusterFlag(svc *cor
 		return rawEnabled, nil
 	}
 	return false, nil
-}
+}
diff --git a/pkg/service/model_build_target_group_test.go b/pkg/service/model_build_target_group_test.go
@@ -26,6 +26,7 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 	tests := []struct {
 		testName  string
 		svc       *corev1.Service
+		port      corev1.ServicePort
 		wantError bool
 		wantValue []elbv2.TargetGroupAttribute
 	}{
@@ -140,6 +141,44 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 			},
 			wantError: true,
 		},
+		{
+			testName: "proxy protocol per target group port 80",
+			svc: &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol-per-target-group": "80",	
+					},
+				},
+			},
+			port:      corev1.ServicePort{Port: 80},
+			wantError: false,
+			wantValue: []elbv2.TargetGroupAttribute{
+				{
+					Key: tgAttrsProxyProtocolV2Enabled, 
+					Value: "true",
+				},
+			},
+		},
+		{
+			testName: "proxy protocol per target group port 80 proxy v2 override",
+			svc: &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol-per-target-group": "443, 22",
+						"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol":          "*",
+						
+					},
+				},
+			},
+			port:      corev1.ServicePort{Port: 80},
+			wantError: false,
+			wantValue: []elbv2.TargetGroupAttribute{
+				{
+					Key: tgAttrsProxyProtocolV2Enabled, 
+					Value: "true",
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.testName, func(t *testing.T) {
@@ -148,7 +187,7 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 				service:          tt.svc,
 				annotationParser: parser,
 			}
-			tgAttrs, err := builder.buildTargetGroupAttributes(context.Background())
+			tgAttrs, err := builder.buildTargetGroupAttributes(context.Background(), tt.port)
 			if tt.wantError {
 				assert.Error(t, err)
 			} else {
