Support for Proxy Protocol Version 2 (PPv2) on NLB via CCM

New E2E - should be possible to create Service type:LoadBalancer and mutate the Proxy Protocol Version on its Listeners

Author: l-technicore

pkg/cloudprovider/providers/oci/load_balancer_spec.go

@@ -26,6 +26,7 @@ import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
 	apiservice "k8s.io/kubernetes/pkg/api/v1/service"
+	"k8s.io/utils/pointer"
 
 	"github.com/oracle/oci-cloud-controller-manager/pkg/cloudprovider/providers/oci/config"
 	"github.com/oracle/oci-cloud-controller-manager/pkg/oci/client"
@@ -234,6 +235,9 @@ const (
 	// ServiceAnnotationNetworkLoadBalancerIsPreserveSource is a service annotation to enable/disable preserving source information
 	// on the NLB traffic. Default value when no annotation is given is to enable this for NLBs with externalTrafficPolicy=Local.
 	ServiceAnnotationNetworkLoadBalancerIsPreserveSource = "oci-network-load-balancer.oraclecloud.com/is-preserve-source"
+
+	// ServiceAnnotationNetworkLoadBalancerIsPpv2Enabled is a service annotation to enable/disable PPv2 feature for the listeners of this NLB.
+	ServiceAnnotationNetworkLoadBalancerIsPpv2Enabled = "oci-network-load-balancer.oraclecloud.com/is-ppv2-enabled"
 )
 
 // certificateData is a structure containing the data about a K8S secret required
@@ -1047,13 +1051,22 @@ func getListenersNetworkLoadBalancer(svc *v1.Service, listenerBackendIpVersion [
 	listeners := make(map[string]client.GenericListener)
 	portsMap := make(map[int][]string)
 	mixedProtocolsPortSet := make(map[int]bool)
+	var enablePpv2 *bool
 
 	requireIPv4, requireIPv6 := getRequireIpVersions(listenerBackendIpVersion)
 
 	for _, servicePort := range svc.Spec.Ports {
 		portsMap[int(servicePort.Port)] = append(portsMap[int(servicePort.Port)], string(servicePort.Protocol))
 	}
 
+	if ppv2EnabledValue, ppv2AnnotationSet := svc.Annotations[ServiceAnnotationNetworkLoadBalancerIsPpv2Enabled]; ppv2AnnotationSet {
+		if strings.ToLower(ppv2EnabledValue) == "true" {
+			enablePpv2 = pointer.Bool(true)
+		} else if strings.ToLower(ppv2EnabledValue) == "false" {
+			enablePpv2 = pointer.Bool(false)
+		}
+	}
+
 	for _, servicePort := range svc.Spec.Ports {
 		protocol := string(servicePort.Protocol)
 
@@ -1081,8 +1094,9 @@ func getListenersNetworkLoadBalancer(svc *v1.Service, listenerBackendIpVersion [
 		}
 
 		genericListener := client.GenericListener{
-			Protocol: &protocol,
-			Port:     &port,
+			Protocol:      &protocol,
+			Port:          &port,
+			IsPpv2Enabled: enablePpv2,
 		}
 		if requireIPv4 {
 			genericListener.Name = common.String(listenerName)

pkg/cloudprovider/providers/oci/load_balancer_spec_test.go

@@ -17,6 +17,7 @@ package oci
 import (
 	"context"
 	"fmt"
+	"k8s.io/utils/pointer"
 	"net/http"
 	"reflect"
 	"testing"
@@ -9041,6 +9042,89 @@ func Test_getListenersNetworkLoadBalancer(t *testing.T) {
 			},
 			err: nil,
 		},
+		"NLB_with_Ppv2_Enabled": {
+			service: &v1.Service{
+				Spec: v1.ServiceSpec{
+					SessionAffinity: v1.ServiceAffinityNone,
+					Ports: []v1.ServicePort{
+						{
+							Protocol: v1.ProtocolTCP,
+							Port:     int32(67),
+						},
+						{
+							Protocol: v1.ProtocolUDP,
+							Port:     int32(68),
+						},
+					},
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerType:                 "nlb",
+						ServiceAnnotationNetworkLoadBalancerIsPpv2Enabled: "true",
+					},
+				},
+			},
+			listenerBackendIpVersion: []string{IPv4},
+			wantListeners: map[string]client.GenericListener{
+				"TCP-67": {
+					Name:                  &testTwoListenerNameOne,
+					DefaultBackendSetName: common.String(testTwoBackendSetNameOne),
+					Protocol:              &testTwoProtocolOne,
+					Port:                  &testTwoPortOne,
+					IsPpv2Enabled:         pointer.Bool(true),
+				},
+				"UDP-68": {
+					Name:                  &testTwoListenerNameTwo,
+					DefaultBackendSetName: common.String(testTwoBackendSetNameTwo),
+					Protocol:              &testTwoProtocolTwo,
+					Port:                  &testTwoPortTwo,
+					IsPpv2Enabled:         pointer.Bool(true),
+				},
+			},
+			err: nil,
+		},
+
+		"NLB_with_Ppv2_Disabled": {
+			service: &v1.Service{
+				Spec: v1.ServiceSpec{
+					SessionAffinity: v1.ServiceAffinityNone,
+					Ports: []v1.ServicePort{
+						{
+							Protocol: v1.ProtocolTCP,
+							Port:     int32(67),
+						},
+						{
+							Protocol: v1.ProtocolUDP,
+							Port:     int32(68),
+						},
+					},
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						ServiceAnnotationLoadBalancerType:                 "nlb",
+						ServiceAnnotationNetworkLoadBalancerIsPpv2Enabled: "xyz",
+					},
+				},
+			},
+			listenerBackendIpVersion: []string{IPv4},
+			wantListeners: map[string]client.GenericListener{
+				"TCP-67": {
+					Name:                  &testTwoListenerNameOne,
+					DefaultBackendSetName: common.String(testTwoBackendSetNameOne),
+					Protocol:              &testTwoProtocolOne,
+					Port:                  &testTwoPortOne,
+					IsPpv2Enabled:         pointer.Bool(true),
+				},
+				"UDP-68": {
+					Name:                  &testTwoListenerNameTwo,
+					DefaultBackendSetName: common.String(testTwoBackendSetNameTwo),
+					Protocol:              &testTwoProtocolTwo,
+					Port:                  &testTwoPortTwo,
+					IsPpv2Enabled:         pointer.Bool(false),
+				},
+			},
+			err: nil,
+		},
 	}
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {

pkg/cloudprovider/providers/oci/load_balancer_util.go

@@ -448,6 +448,9 @@ func hasListenerChanged(logger *zap.SugaredLogger, actual client.GenericListener
 	if toString(actual.Protocol) != toString(desired.Protocol) {
 		listenerChanges = append(listenerChanges, fmt.Sprintf(changeFmtStr, "Listener:Protocol", toString(actual.Protocol), toString(desired.Protocol)))
 	}
+	if toBool(actual.IsPpv2Enabled) != toBool(desired.IsPpv2Enabled) {
+		listenerChanges = append(listenerChanges, fmt.Sprintf(changeFmtStr, "Listener:IsPpv2Enabled", toBool(actual.IsPpv2Enabled), toBool(desired.IsPpv2Enabled)))
+	}
 
 	listenerChanges = append(listenerChanges, getSSLConfigurationChanges(actual.SslConfiguration, desired.SslConfiguration)...)
 	listenerChanges = append(listenerChanges, getConnectionConfigurationChanges(actual.ConnectionConfiguration, desired.ConnectionConfiguration)...)

pkg/cloudprovider/providers/oci/load_balancer_util_test.go

@@ -879,6 +879,74 @@ func TestGetListenerChanges(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "proxy protocol version switch to true - NLB",
+			desired: map[string]client.GenericListener{
+				"TCP-80": client.GenericListener{
+					Name:                  common.String("TCP-80"),
+					DefaultBackendSetName: common.String("TCP-80"),
+					Protocol:              common.String("TCP"),
+					Port:                  common.Int(80),
+					IsPpv2Enabled:         common.Bool(true),
+				},
+			},
+			actual: map[string]client.GenericListener{
+				"TCP-80": client.GenericListener{
+					Name:                  common.String("TCP-80"),
+					DefaultBackendSetName: common.String("TCP-80"),
+					Protocol:              common.String("TCP"),
+					Port:                  common.Int(80),
+					IsPpv2Enabled:         common.Bool(false),
+				},
+			},
+			expected: []Action{
+				&ListenerAction{
+					name:       "TCP-80",
+					actionType: Update,
+					Listener: client.GenericListener{
+						Name:                  common.String("TCP-80"),
+						DefaultBackendSetName: common.String("TCP-80"),
+						Protocol:              common.String("TCP"),
+						Port:                  common.Int(80),
+						IsPpv2Enabled:         common.Bool(true),
+					},
+				},
+			},
+		},
+		{
+			name: "proxy protocol version change - NLB",
+			desired: map[string]client.GenericListener{
+				"TCP-80": client.GenericListener{
+					Name:                  common.String("TCP-80"),
+					DefaultBackendSetName: common.String("TCP-80"),
+					Protocol:              common.String("TCP"),
+					Port:                  common.Int(80),
+					IsPpv2Enabled:         common.Bool(true),
+				},
+			},
+			actual: map[string]client.GenericListener{
+				"TCP-80": client.GenericListener{
+					Name:                  common.String("TCP-80"),
+					DefaultBackendSetName: common.String("TCP-80"),
+					Protocol:              common.String("TCP"),
+					Port:                  common.Int(80),
+					IsPpv2Enabled:         nil,
+				},
+			},
+			expected: []Action{
+				&ListenerAction{
+					name:       "TCP-80",
+					actionType: Update,
+					Listener: client.GenericListener{
+						Name:                  common.String("TCP-80"),
+						DefaultBackendSetName: common.String("TCP-80"),
+						Protocol:              common.String("TCP"),
+						Port:                  common.Int(80),
+						IsPpv2Enabled:         common.Bool(true),
+					},
+				},
+			},
+		},
 		{
 			name: "ssl config change [legacy listeners]",
 			desired: map[string]client.GenericListener{

pkg/oci/client/generic_load_balancer_types.go

@@ -84,6 +84,7 @@ type GenericListener struct {
 	RoutingPolicyName       *string
 	RuleSetNames            []string
 	IpVersion               *GenericIpVersion
+	IsPpv2Enabled           *bool
 }
 
 type GenericConnectionConfiguration struct {

pkg/oci/client/network_load_balancer.go

@@ -304,6 +304,7 @@ func (c *networkLoadbalancer) CreateListener(ctx context.Context, lbID string, n
 		DefaultBackendSetName: details.DefaultBackendSetName,
 		Port:                  details.Port,
 		Protocol:              networkloadbalancer.ListenerProtocolsEnum(*details.Protocol),
+		IsPpv2Enabled:         details.IsPpv2Enabled,
 	}
 
 	if details.IpVersion != nil {
@@ -338,6 +339,7 @@ func (c *networkLoadbalancer) UpdateListener(ctx context.Context, lbID string, n
 		DefaultBackendSetName: details.DefaultBackendSetName,
 		Port:                  details.Port,
 		Protocol:              networkloadbalancer.ListenerProtocolsEnum(*details.Protocol),
+		IsPpv2Enabled:         details.IsPpv2Enabled,
 	}
 
 	if details.IpVersion != nil {
@@ -569,6 +571,7 @@ func (c *networkLoadbalancer) listenersToGenericListenerDetails(details map[stri
 			Port:                  v.Port,
 			Protocol:              &protocol,
 			IpVersion:             &ipVersion,
+			IsPpv2Enabled:         v.IsPpv2Enabled,
 		}
 	}
 	return genericListenerDetails
@@ -659,6 +662,7 @@ func (c *networkLoadbalancer) genericListenerDetailsToListenerDetails(details ma
 			DefaultBackendSetName: v.DefaultBackendSetName,
 			Port:                  v.Port,
 			Protocol:              networkloadbalancer.ListenerProtocolsEnum(*v.Protocol),
+			IsPpv2Enabled:         v.IsPpv2Enabled,
 		}
 		if v.IpVersion != nil {
 			switch *v.IpVersion {

test/e2e/cloud-provider-oci/load_balancer.go

@@ -1317,7 +1317,7 @@ var _ = Describe("LB Properties", func() {
 	baseName := "lb-properties"
 	f := sharedfw.NewDefaultFramework(baseName)
 
-	Context("[cloudprovider][ccm][lb]", func() {
+	Context("[cloudprovider][ccm][lb][properties]", func() {
 
 		healthCheckTestArray := []struct {
 			lbType              string
@@ -1385,7 +1385,12 @@ var _ = Describe("LB Properties", func() {
 					s.Spec.Ports = []v1.ServicePort{{Name: "http", Port: 80, TargetPort: intstr.FromInt(80)},
 						{Name: "https", Port: 443, TargetPort: intstr.FromInt(80)}}
 					s.ObjectMeta.Annotations = test.CreationAnnotations
-					s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationLoadBalancerInternal] = "true"
+					if test.lbType == "lb" {
+						s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationLoadBalancerInternal] = "true"
+					}
+					if test.lbType == "nlb" {
+						s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationNetworkLoadBalancerInternal] = "true"
+					}
 				})
 
 				svcPort := int(tcpService.Spec.Ports[0].Port)
@@ -1423,6 +1428,12 @@ var _ = Describe("LB Properties", func() {
 				By("changing TCP service health check config")
 				tcpService = jig.UpdateServiceOrFail(ns, tcpService.Name, func(s *v1.Service) {
 					s.ObjectMeta.Annotations = test.UpdatedAnnotations
+					if test.lbType == "lb" {
+						s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationLoadBalancerInternal] = "true"
+					}
+					if test.lbType == "nlb" {
+						s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationNetworkLoadBalancerInternal] = "true"
+					}
 				})
 
 				By("waiting upto 5m0s to verify health check config after modification to initial")
@@ -1432,6 +1443,12 @@ var _ = Describe("LB Properties", func() {
 				By("changing TCP service health check config - remove annotations")
 				tcpService = jig.UpdateServiceOrFail(ns, tcpService.Name, func(s *v1.Service) {
 					s.ObjectMeta.Annotations = test.RemovedAnnotations
+					if test.lbType == "lb" {
+						s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationLoadBalancerInternal] = "true"
+					}
+					if test.lbType == "nlb" {
+						s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationNetworkLoadBalancerInternal] = "true"
+					}
 				})
 
 				By("waiting upto 5m0s to verify health check config should fall back to default after removing annotations")
@@ -1686,8 +1703,8 @@ var _ = Describe("LB Properties", func() {
 			{
 				"nlb",
 				map[string]string{
-					cloudprovider.ServiceAnnotationLoadBalancerInternal: "true",
-					cloudprovider.ServiceAnnotationLoadBalancerType:     "nlb",
+					cloudprovider.ServiceAnnotationNetworkLoadBalancerInternal: "true",
+					cloudprovider.ServiceAnnotationLoadBalancerType:            "nlb",
 				},
 				cloudprovider.ServiceAnnotationNetworkLoadBalancerNetworkSecurityGroups,
 			},
@@ -1738,7 +1755,6 @@ var _ = Describe("LB Properties", func() {
 					s.Spec.Ports = []v1.ServicePort{{Name: "http", Port: 80, TargetPort: intstr.FromInt(80)},
 						{Name: "https", Port: 443, TargetPort: intstr.FromInt(80)}}
 					s.ObjectMeta.Annotations = test.Annotations
-					s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationLoadBalancerInternal] = "true"
 				})
 
 				svcPort := int(tcpService.Spec.Ports[0].Port)
@@ -1781,6 +1797,12 @@ var _ = Describe("LB Properties", func() {
 					test.Annotations[test.nsgAnnotation] = nsgIds
 					tcpService = jig.UpdateServiceOrFail(ns, tcpService.Name, func(s *v1.Service) {
 						s.ObjectMeta.Annotations = test.Annotations
+						if test.lbtype == "lb" {
+							s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationLoadBalancerInternal] = "true"
+						}
+						if test.lbtype == "nlb" {
+							s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationNetworkLoadBalancerInternal] = "true"
+						}
 					})
 					err = f.WaitForLoadBalancerNSGChange(loadBalancer, t.resultantNsgIds, test.lbtype)
 					sharedfw.ExpectNoError(err)
@@ -1856,7 +1878,12 @@ var _ = Describe("LB Properties", func() {
 					s.Spec.Ports = []v1.ServicePort{{Name: "http", Port: 80, TargetPort: intstr.FromInt(80)},
 						{Name: "https", Port: 443, TargetPort: intstr.FromInt(80)}}
 					s.ObjectMeta.Annotations = test.CreationAnnotations
-					s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationLoadBalancerInternal] = "true"
+					if test.lbType == "lb" {
+						s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationLoadBalancerInternal] = "true"
+					}
+					if test.lbType == "nlb" {
+						s.ObjectMeta.Annotations[cloudprovider.ServiceAnnotationNetworkLoadBalancerInternal] = "true"
+					}
 				})
 
 				svcPort := int(tcpService.Spec.Ports[0].Port)