Add the LoadBalancer IP Mode capability

Ref: cloudscale-ch/cloudscale-cloud-controller-manager#15
projectsyn · Aug 28, 2024 · d37db1d · d37db1d
1 parent 74dae66
commit d37db1d
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 2 deletions.
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -3,7 +3,7 @@ parameters:
     =_metadata: {}
     namespace: syn-cloudscale-cloud-controller-manager
 
-    manifests_version: 1.0.0
+    manifests_version: 1.1.0
 
     args: []
 

diff --git a/docs/modules/ROOT/pages/how-tos/loadbalance-ipmode.adoc b/docs/modules/ROOT/pages/how-tos/loadbalance-ipmode.adoc
@@ -0,0 +1,59 @@
+= Load Balancer IP Mode
+
+This guide describes how to steer the internal traffic flow with cloudscale CCM.
+
+== Internal routing and Proxy Protocol
+
+Kubernetes tries to route traffic within the cluster whenever possible.
+This is usually a valid default as it is faster.
+
+However if the proxy protocol or proxy protocol v2 is enabled on both the load balancer and the listening service, the service expects to receive encapsulated traffic using the proxy protocol headers.
+
+If the traffic is routed directly and not passing the load balancer the traffic is not to be encapsulated, which results in the service being unable to parse it correctly and dropping the connection:
+[source,bash]
+----
+curl http://internal-path-to-service/
+curl: (56) Recv failure: Connection reset by peer
+----
+
+== Kubernetes 1.30 and higher
+
+The cloudscale CCM does set .status.loadBalancer.ingress.ipMode automatically to "Proxy", unless LoadBalancerIPMode is set to "VIP".
+This behavior therefore routes the traffic via the load balancer and you have manually configure it to "VIP" to enforce the cluster internal routing.
+
+See the Kubernetes documentation https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-ip-mode[Specifying IPMode of load balancer status] for more information.
+
+== Kubernetes up to 1.29
+
+To force on older Kubernetes routing traffic via the load balancer, you need to replace the service IP with the load balancer hostname.
+The cloudscale CCM allows you to set the hostname using the annotation `k8s.cloudscale.ch/loadbalancer-force-hostname`:
+[source,yaml]
+----
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    k8s.cloudscale.ch/loadbalancer-pool-protocol: proxyv2
+    k8s.cloudscale.ch/loadbalancer-force-hostname: <full qualified load balancer DNS name>
+  name: example-service
+  namespace: example
+spec:
+  externalTrafficPolicy: Local
+  internalTrafficPolicy: Cluster
+  ipFamilies:
+  - IPv4
+  ipFamilyPolicy: SingleStack
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: http
+  - name: https
+    port: 443
+    protocol: TCP
+    targetPort: https
+  selector:
+    app.kubernetes.io/name: example
+  sessionAffinity: None
+  type: LoadBalancer
+----
diff --git a/docs/modules/ROOT/partials/nav.adoc b/docs/modules/ROOT/partials/nav.adoc
@@ -1,3 +1,4 @@
 * xref:index.adoc[Home]
 * xref:how-tos/deploy-ocp.adoc[]
+* xref:how-tos/loadbalance-ipmode.adoc[]
 * xref:references/parameters.adoc[Parameters]
diff --git a/...cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/10_daemonset.yaml b/...cloudscale-cloud-controller-manager/cloudscale-cloud-controller-manager/10_daemonset.yaml
@@ -34,7 +34,7 @@ spec:
                 secretKeyRef:
                   key: access-token
                   name: cloudscale
-          image: quay.io/cloudscalech/cloudscale-cloud-controller-manager:1.0.0
+          image: quay.io/cloudscalech/cloudscale-cloud-controller-manager:1.1.0
           imagePullPolicy: IfNotPresent
           name: cloudscale-cloud-controller-manager
       hostNetwork: true