From 7d58e9785ad52f8ebdaef450f95eb55f043974c5 Mon Sep 17 00:00:00 2001 From: Gabriel Mainberger Date: Wed, 28 Aug 2024 09:19:12 +0200 Subject: [PATCH] Add the LoadBalancer IP Mode capability Ref: https://github.com/cloudscale-ch/cloudscale-cloud-controller-manager/issues/15 --- class/defaults.yml | 2 +- .../pages/how-tos/loadbalance-ipmode.adoc | 59 +++++++++++++++++++ docs/modules/ROOT/partials/nav.adoc | 1 + .../10_daemonset.yaml | 2 +- .../10_daemonset.yaml | 2 +- 5 files changed, 63 insertions(+), 3 deletions(-) create mode 100644 docs/modules/ROOT/pages/how-tos/loadbalance-ipmode.adoc
diff --git a/class/defaults.yml b/class/defaults.yml
index fc2ca91..e39663f 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -3,7 +3,7 @@ parameters:
 =_metadata: {}
 namespace: syn-cloudscale-cloud-controller-manager
- manifests_version: 1.0.0
+ manifests_version: 1.1.0
 args: []
diff --git a/docs/modules/ROOT/pages/how-tos/loadbalance-ipmode.adoc b/docs/modules/ROOT/pages/how-tos/loadbalance-ipmode.adoc
new file mode 100644
index 0000000..d541ca0
--- /dev/null
+++ b/docs/modules/ROOT/pages/how-tos/loadbalance-ipmode.adoc
@@ -0,0 +1,59 @@
+= Load Balancer IP Mode
+
+This guide describes how to steer the internal traffic flow with cloudscale CCM.
+
+== Internal routing and Proxy Protocol
+
+Kubernetes tries to route traffic within the cluster whenever possible.
+This is usually a valid default as it is faster.
+
+However if the proxy protocol or proxy protocol v2 is enabled on both the load balancer and the listening service, the service expects to receive encapsulated traffic using the proxy protocol headers.
+
+If the traffic is routed directly and not passing the load balancer the traffic is not to be encapsulated, which results in the service being unable to parse it correctly and dropping the connection:
+[source,bash]
+----
+curl http://internal-path-to-service/
+curl: (56) Recv failure: Connection reset by peer
+----
+
+== Kubernetes 1.30 and higher
+
+The cloudscale CCM does set .status.loadBalancer.ingress.ipMode automatically to "Proxy", unless LoadBalancerIPMode is set to "VIP".
+This behavior therefore routes the traffic via the load balancer and you have manually configure it to "VIP" to enforce the cluster internal routing.
+
+See the Kubernetes documentation https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-ip-mode[Specifying IPMode of load balancer status] for more information.
+
+== Kubernetes up to 1.29
+
+To force on older Kubernetes routing traffic via the load balancer, you need to replace the service IP with the load balancer hostname.
+The cloudscale CCM allows you to set the hostname using the annotation `k8s.cloudscale.ch/loadbalancer-force-hostname`:
+[source,yaml]
+----
+apiVersion: v1
+kind: Service
+metadata:
+ annotations:
+ k8s.cloudscale.ch/loadbalancer-pool-protocol: proxyv2
+ k8s.cloudscale.ch/loadbalancer-force-hostname:
+ name: example-service
+ namespace: example
+spec:
+ externalTrafficPolicy: Local
+ internalTrafficPolicy: Cluster
+ ipFamilies:
+ - IPv4
+ ipFamilyPolicy: SingleStack
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: http
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: https
+ selector:
+ app.kubernetes.io/name: example
+ sessionAffinity: None
+ type: LoadBalancer
+----
diff --git a/docs/modules/ROOT/partials/nav.adoc b/docs/modules/ROOT/partials/nav.adoc
index c0a291e..8ccdead 100644
--- a/docs/modules/ROOT/partials/nav.adoc
+++ b/docs/modules/ROOT/partials/nav.adoc
@@ -1,3 +1,4 @@
 * xref:index.adoc[Home]
 * xref:how-tos/deploy-ocp.adoc[]
+* xref:how-tos/loadbalance-ipmode.adoc[]
 * xref:references/parameters.adoc[Parameters]
diff --git a/tests/golden/defaults/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/10_daemonset.yaml b/tests/golden/defaults/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/10_daemonset.yaml
index 611e123..82325dd 100644
--- a/tests/golden/defaults/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/10_daemonset.yaml
+++ b/tests/golden/defaults/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/10_daemonset.yaml
@@ -34,7 +34,7 @@ spec:
 secretKeyRef:
 key: access-token
 name: cloudscale
- image: quay.io/cloudscalech/cloudscale-cloud-controller-manager:1.0.0
+ image: quay.io/cloudscalech/cloudscale-cloud-controller-manager:1.1.0
 imagePullPolicy: IfNotPresent
 name: cloudscale-cloud-controller-manager
 hostNetwork: true
diff --git a/tests/golden/openshift4/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/10_daemonset.yaml b/tests/golden/openshift4/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/10_daemonset.yaml
index e23a60c..aea1971 100644
--- a/tests/golden/openshift4/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/10_daemonset.yaml
+++ b/tests/golden/openshift4/cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/10_daemonset.yaml
@@ -34,7 +34,7 @@ spec:
 secretKeyRef:
 key: access-token
 name: cloudscale
- image: quay.io/cloudscalech/cloudscale-cloud-controller-manager:1.0.0
+ image: quay.io/cloudscalech/cloudscale-cloud-controller-manager:1.1.0
 imagePullPolicy: IfNotPresent
 name: cloudscale-cloud-controller-manager
 hostNetwork: true