Support downstream and upstream Proxy Protocol

[JuniorJPDJ]

Envoy Gateway should support Proxy Protocol on traffic coming from the world to support for example cases of Network Load Balancers from some cloud providers (AWS example from Emissary Ingress docs) and other cases when we have some sort of L4 LB in front of the K8S cluster.

It should also support Proxy Protocol on egress traffic to support cases where eg. pointing to ExternalService outside of the cluster or we just need raw L4 socket (TCP or UDP) and source IP preservation.

I actually need the second case, but I know there are lots of people needing first one due to cloud deployments with L4 LBs in front of the k8s.

Istio for example has 2 issues for upstream proxy proto (istio/istio#42257, istio/istio#44342) and some forum posts from people implementing it with EnvoyFilter mechanism and it also has example of configuration in docs for downstream proxy proto due to cloud usage.

Upstream proxy protocol would for example allow placing nginx ingress controler behind Envoy Gateway without losing the source IPs when someone needs legacy ingress resource support: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#use-proxy-protocol

[arkodg]

thanks for raising this issue @JuniorJPDJ, ive raised a issue in the upstream API repo

[JuniorJPDJ]

Can you please link this issue here?

[arkodg]

kubernetes-sigs/gateway-api#1955

[JuniorJPDJ]

Sure.
But IMO it should be extension, not part of main spec.
Lets see what upstream will say :D

[arkodg]

@JuniorJPDJ yes an extension (policyAttachment or Filter) might be the way to go if the feature is not supported by the native upstream API

[haq204]

Not sure if a policyAttachment or Filter would be necessary since you could also introduce it as extended protocol types in Gateway.listeners[].protocol (e.g. HTTPPROXY, HTTPSPROXY, etc.).

This is allowed under the existing spec:

Implementations can define their own protocols if a core ProtocolType does not exist. Such definitions must use prefixed name, such as mycompany.com/my-custom-protocol. Un-prefixed names are reserved for core protocols. Any protocol defined by implementations will fall under Implementation-specific conformance.

[arkodg]

hey @haq204 thats a really good idea
+1 to it
now the protocol name is being overloaded with 3 nouns - HTTP + S + PROXYPROTOCOL :)

[JuniorJPDJ]

But this is a solution for just a downstream proxy proto.

[haq204]

I think for upstream proxy it would probably would need to be a Filter/PolicyAttachment but not really keen on that idea. There is an effort upstream to expand backend properties kubernetes-sigs/gateway-api#1282 which would include protocol selection kubernetes-sigs/gateway-api#1911 so upstream proxy would seem to be a more natural fit here.

[haq204]

hey @haq204 thats a really good idea +1 to it now the protocol name is being overloaded with 3 nouns - HTTP + S + PROXYPROTOCOL :)

Maybe there should be a protocolStack option as well :)

protocolStack: []Protocol

or a useProxyProtocol flag

[arkodg]

for upstream, appProtocol within a service may be used https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol to infer upstream protocol type, but this makes things a little magical(mightt surprise the user) and are tied to Service kind, we are also now in the realm of custom protocol naming

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.