Add upstream and downstream support for the PROXY protocol on TransportServer #9192
moo1210 wants to merge 2 commits into nginx:main from
Conversation
…rtServer Signed-off-by: moo1210 (Carter) <moo1210@moo1210.dev>
✅ All required contributors have signed the F5 CLA for this PR. Thank you! |
Pull request overview
This PR extends TransportServer to support the PROXY protocol both downstream (accepting PROXY headers on the listener) and upstream (sending PROXY headers to upstreams), addressing current limitations around custom listeners and upstream configuration.
Changes:

- Add `upstreamParameters.proxyProtocol` to enable upstream PROXY protocol (`proxy_protocol on;`) in TransportServer stream server blocks.
- Add `PROXY` as a valid listener protocol and generate `listen ... proxy_protocol;` for TransportServer listeners.
- Update CRD schemas/docs and add tests covering PROXY listener + upstream behavior.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/client/applyconfiguration/configuration/v1/upstreamparameters.go | Adds apply-config field for proxyProtocol in upstream parameters. |
| pkg/apis/configuration/validation/globalconfiguration.go | Allows PROXY as a valid protocol and updates port/protocol conflict logic. |
| pkg/apis/configuration/v1/types.go | Adds ProxyProtocol to the UpstreamParameters API type. |
| internal/configs/version2/template_helper.go | Enables downstream PROXY protocol in generated transport listen directives. |
| internal/configs/version2/template_helper_test.go | Adds unit coverage for listen ... proxy_protocol; generation. |
| internal/configs/version2/stream.go | Extends StreamServer with upstream/downstream PROXY protocol flags. |
| internal/configs/version2/nginx.transportserver.tmpl | Emits proxy_protocol on; when upstream PROXY is enabled. |
| internal/configs/version2/nginx-plus.transportserver.tmpl | Emits proxy_protocol on; when upstream PROXY is enabled (Plus template). |
| internal/configs/transportserver.go | Wires listener protocol and upstreamParameters into StreamServer config flags. |
| internal/configs/transportserver_test.go | Adds config-generation test for listener.protocol: PROXY + upstream proxyProtocol. |
| docs/crd/k8s.nginx.org_transportservers.md | Documents upstreamParameters.proxyProtocol. |
| deploy/crds.yaml | Adds proxyProtocol to generated CRD YAML (deploy bundle). |
| config/crd/bases/k8s.nginx.org_transportservers.yaml | Adds proxyProtocol to the CRD base for TransportServers. |
| | `upstreamParameters.nextUpstreamTimeout` | `string` | The time allowed to pass a connection to the next server. The default is 0. | | ||
| | `upstreamParameters.nextUpstreamTries` | `integer` | The number of tries for passing a connection to the next server. The default is 0. | | ||
| | `upstreamParameters.proxyProtocol` | `boolean` | Enables or disables the use of the PROXY protocol. The default is false. | | ||
| | `upstreamParameters.udpRequests` | `integer` | The number of datagrams, after receiving which, the next datagram from the same client starts a new session. The default is 0. | | ||
| | `upstreamParameters.udpResponses` | `integer` | The number of datagrams expected from the proxied server in response to a client datagram. By default, the number of datagrams is not limited. | |
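Review bot: The added `upstreamParameters.proxyProtocol` row says only "Enables or disables the use of the PROXY protocol", which leaves the direction ambiguous now that the same PR also adds a listener-side `PROXY` protocol; state that this flag makes nginx send a PROXY header to the proxied servers (`proxy_protocol on;` in the stream server block) and that the upstream must be configured to expect that header, since otherwise the first bytes of every connection arrive as an unexpected `PROXY ...` line. Suggested wording: "Enables sending the PROXY protocol header to the proxied server (`proxy_protocol on;`). The default is false."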
This doc update adds upstreamParameters.proxyProtocol, but the TransportServer also now supports listener.protocol: PROXY for downstream PROXY protocol. Consider updating the listener.protocol row to document the accepted values (including PROXY) so users can discover the new listener option from the CRD docs.
The listener.protocol row makes no mention of TCP or UDP, so adding PROXY to the docs there seems outside the scope of this PR.
| isUDP := p.transportServerEx.TransportServer.Spec.Listener.Protocol == "UDP" | ||
| isProxyProtocol := p.transportServerEx.TransportServer.Spec.Listener.Protocol == "PROXY" | ||
|
|
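Review bot: `isProxyProtocol` is derived from `Listener.Protocol == "PROXY"` next to `isUDP`, so a PROXY listener is neither the TCP nor the UDP case in any code that branches only on those two values, while a PROXY-protocol listener is still a TCP listener that merely expects a header before the payload. Either derive a TCP flag that covers both (`isTCP := !isUDP`, with `PROXY` validated as TCP-only) or carry `proxyProtocol` as a boolean beside `protocol` rather than as a third protocol value, and add a test that a listener cannot be both UDP and PROXY. Worth a documentation note at this point as well: once `listen ... proxy_protocol` is emitted, nginx takes the client's source address from the header written by whichever peer connects, so the listener must be reachable only from the load balancer that adds the header, or be paired with the stream realip `set_real_ip_from` restriction.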
Introducing listener.protocol: PROXY makes the protocol space no longer just TCP vs UDP. There are existing code paths that treat anything other than "TCP" as UDP (for example, TransportServer metrics in internal/k8s/configuration.go increments TotalUDP in the else branch), which will misclassify PROXY TransportServers. Update those call sites to treat "PROXY" as TCP (or add a dedicated counter) and adjust tests accordingly.
Hey @moo1210, thanks for making this. Seems like a lot of work, thank you! Once the team has time, we can review this and get back to you. Thanks!
Proposed changes
This PR adds upstream and downstream support for the PROXY protocol to TransportServer.

Current behavior and limitations:
kubernetes-ingress/internal/configs/version2/template_helper.go, line 190 in e070aca
These limitations are unblocked by:

- `proxyProtocol` is added to `upstreamParameters` in the TransportServer CRD.
- `PROXY` protocol is added as an available protocol to listener configuration in the TransportServer and GlobalConfiguration CRDs.

Checklist
Before creating a PR, run through this checklist and mark each as complete.
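The listener-side change makes the generated stream server carry `listen ... proxy_protocol`, which tells nginx to read a PROXY header from whichever peer connects and to take the client address from it. The Go program below is an added example written for this page, not code from this PR or from kubernetes-ingress: it parses a PROXY protocol v1 header the way a stream listener must (signature, family, address/family agreement, port range, CRLF within 107 bytes) and then applies the same trust rule the stream realip module enforces with `set_real_ip_from`, honouring the header's source address only when the socket peer lies in a trusted range. The sample header, the `10.0.0.0/8` load-balancer range and the two peer addresses are constructed for the example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// maxV1Header is the longest legal PROXY v1 line including CRLF, per the spec.
const maxV1Header = 107

// ProxyHeader holds the addresses a PROXY v1 header claims for the connection.
type ProxyHeader struct {
	Family  string // "TCP4", "TCP6" or "UNKNOWN"
	SrcAddr netip.Addr
	DstAddr netip.Addr
	SrcPort uint16
	DstPort uint16
}

// ReadProxyV1 consumes one PROXY v1 line from r byte by byte and refuses anything
// not terminated by CRLF within 107 bytes, so a peer that sends junk instead of a
// header cannot make the reader wait on an unbounded line.
func ReadProxyV1(r *bufio.Reader) (*ProxyHeader, error) {
	line := make([]byte, 0, maxV1Header)
	for len(line) < maxV1Header {
		b, err := r.ReadByte()
		if err != nil {
			return nil, fmt.Errorf("proxy v1: %w", err)
		}
		line = append(line, b)
		if b == '\n' {
			break
		}
	}
	if !bytes.HasSuffix(line, []byte("\r\n")) {
		return nil, errors.New("proxy v1: header not terminated by CRLF within 107 bytes")
	}
	return parseV1Line(string(line[:len(line)-2]))
}

// parseV1Line validates "PROXY <family> <src> <dst> <sport> <dport>" without the CRLF.
func parseV1Line(line string) (*ProxyHeader, error) {
	fields := strings.Split(line, " ")
	if len(fields) < 2 || fields[0] != "PROXY" {
		return nil, errors.New("proxy v1: missing PROXY signature")
	}
	h := &ProxyHeader{Family: fields[1]}
	switch h.Family {
	case "UNKNOWN":
		// The sender could not determine the original addresses; callers fall back to the socket peer.
		return h, nil
	case "TCP4", "TCP6":
	default:
		return nil, fmt.Errorf("proxy v1: unsupported family %q", h.Family)
	}
	if len(fields) != 6 {
		return nil, errors.New("proxy v1: expected PROXY <family> <src> <dst> <sport> <dport>")
	}
	var err error
	if h.SrcAddr, err = parseAddr(fields[2], h.Family); err != nil {
		return nil, err
	}
	if h.DstAddr, err = parseAddr(fields[3], h.Family); err != nil {
		return nil, err
	}
	if h.SrcPort, err = parsePort(fields[4]); err != nil {
		return nil, err
	}
	if h.DstPort, err = parsePort(fields[5]); err != nil {
		return nil, err
	}
	return h, nil
}

// parseAddr rejects zoned addresses and addresses whose version contradicts the family.
func parseAddr(s, family string) (netip.Addr, error) {
	a, err := netip.ParseAddr(s)
	if err != nil || a.Zone() != "" {
		return netip.Addr{}, fmt.Errorf("proxy v1: bad address %q", s)
	}
	if (family == "TCP4") != a.Is4() {
		return netip.Addr{}, fmt.Errorf("proxy v1: address %q does not match family %s", s, family)
	}
	return a, nil
}

func parsePort(s string) (uint16, error) {
	p, err := strconv.ParseUint(s, 10, 16) // no sign, no overflow past 65535
	if err != nil {
		return 0, fmt.Errorf("proxy v1: bad port %q", s)
	}
	return uint16(p), nil
}

// ClientAddr picks the address to log and authorise against. It mirrors the stream
// realip rule (set_real_ip_from): the header is honoured only when the socket peer is
// inside a trusted prefix. An untrusted peer can write any source address it likes
// into the header, so for it the socket peer address is kept and the header ignored.
func ClientAddr(peer netip.Addr, h *ProxyHeader, trusted []netip.Prefix) netip.Addr {
	if h == nil || h.Family == "UNKNOWN" {
		return peer
	}
	for _, p := range trusted {
		if p.Contains(peer) {
			return h.SrcAddr
		}
	}
	return peer
}

func main() {
	// Constructed sample: a v1 header as a load balancer would send it, followed by payload.
	const sample = "PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\nhello"
	trusted := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")} // assumed LB range
	h, err := ReadProxyV1(bufio.NewReader(strings.NewReader(sample)))
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	for _, peer := range []string{"10.1.2.3", "198.51.100.9"} {
		p := netip.MustParseAddr(peer)
		fmt.Printf("peer %s -> client address %s\n", p, ClientAddr(p, h, trusted))
	}
}
```

Run with `go run .`: the header is accepted, the trusted peer 10.1.2.3 yields the header's 203.0.113.7, and the untrusted peer 198.51.100.9 keeps its own socket address. The nginx equivalent is the same pair of controls: `listen ... proxy_protocol` on the TransportServer listener (what this PR generates) plus `set_real_ip_from` for the load-balancer range, and a PROXY listener should never be reachable by clients directly, since nginx will also reject connections that arrive without a header.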