hgranillo opened a new pull request, #353: URL: https://github.com/apache/apisix-helm-chart/pull/353
Hello Dear APISIX Helm Chart maintainers!

This PR adds the option to enable Proxy Protocol in the apisix configuration file and allows adding the proxy protocol listeners to the gateway Kubernetes service.

I tested these changes with the following configuration. I'm using the [aws-load-balancer-controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/) to provision an NLB with SSL/TLS Offloading and Proxy Protocol enabled.

This allows me to send HTTP(80) -> ProxyProtocol HTTP(9181) and HTTPS 443 -> ProxyProtocol HTTP (9181)

It also allows for

values.yaml
```
gateway:
  type: LoadBalancer
  externalTrafficPolicy: Cluster
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: service_name=ingress-apisix
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: 3600
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: 10
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: proxy_protocol_v2.enabled=true
    # https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/service/nlb/#configuration
    # The AWS in-tree controller ignores those services resources that have the service.beta.kubernetes.io/aws-load-balancer-type annotation as external
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    #Env Specific Annotations
    service.beta.kubernetes.io/aws-load-balancer-name: "my-ingress-apisix"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:xx-xxxx-x:xxxxxxxxxxxxxx:certificate/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  http:
    enabled: true
    servicePort: 9080
    containerPort: 9080
  tls:
    enabled: true
    servicePort: 9443
    containerPort: 9443
    existingCASecret: ""
    certCAFilename: ""
    http2:
      enabled: true
    sslProtocols: "TLSv1.2 TLSv1.3"
  proxyProtocol:
    http:
      enabled: true
      servicePort: 80
      containerPort: 9181
    https:
      enabled: true
      servicePort: 443
      containerPort: 9181
```

I've also tested sending HTTPS traffic to the HTTPS Proxy Protocol port with a regular non SSL/TLS offloading NLB and it seemed to work fine.
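
What a load balancer with `proxy_protocol_v2.enabled=true` prepends to each connection on the Proxy Protocol port, shown as an added example that is not part of the PR or the chart: a minimal PROXY protocol v2 header parser. The function names, addresses and sample bytes are constructed for illustration; the listener takes the client address from this header, so the port is meant to be reachable only from the load balancer.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 preamble
ADDR_LEN = {1: 4, 2: 16}               # family nibble: 1 = IPv4, 2 = IPv6


def parse_proxy_v2(data: bytes):
    """Parse a PROXY protocol v2 header; return (info, offset of the payload)."""
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("no PROXY v2 signature (plain HTTP sent to a PROXY port?)")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    end = 16 + length                  # length covers addresses plus any TLVs
    if len(data) < end:
        raise ValueError("truncated header")
    command = ver_cmd & 0x0F
    if command == 0:                   # LOCAL: sent by the proxy itself, no client address
        return {"command": "LOCAL"}, end
    if command != 1:
        raise ValueError("unknown command")
    alen = ADDR_LEN.get(fam_proto >> 4)
    if alen is None or length < 2 * alen + 4:
        raise ValueError("unsupported family or short address block")
    body = data[16:end]
    sport, dport = struct.unpack("!HH", body[2 * alen:2 * alen + 4])
    info = {
        "command": "PROXY",
        "src": (str(ipaddress.ip_address(body[:alen])), sport),
        "dst": (str(ipaddress.ip_address(body[alen:2 * alen])), dport),
    }
    return info, end                   # application data (HTTP) starts at `end`


def build_sample() -> bytes:
    """Constructed sample: TCP/IPv4 client 203.0.113.7:51234 -> 10.0.1.20:9181."""
    addrs = (ipaddress.ip_address("203.0.113.7").packed
             + ipaddress.ip_address("10.0.1.20").packed
             + struct.pack("!HH", 51234, 9181))
    header = SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs)) + addrs
    return header + b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


if __name__ == "__main__":
    sample = build_sample()
    info, offset = parse_proxy_v2(sample)
    print(info, sample[offset:offset + 14])
```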
