Reverse proxy support? #1275

Open
neilmfrench opened this issue Sep 18, 2023 · 7 comments · May be fixed by #1710
@neilmfrench

Hi,
I'm prototyping this with our reverse proxy. However, I'm running into an issue where coredns (exposed) is returning the internal IP of the reverse proxy entrypoint, whereas I'd like it to return an external IP so we can have our main DNS delegate to it. Is this currently possible?

Thanks for your help!

@ytsarev
Member

ytsarev commented Sep 18, 2023

Hi @neilmfrench, can you elaborate more about the specifics of your setup? What kind of ingress controller do you use and how is it integrated with reverse proxy?

@neilmfrench
Author

> Hi @neilmfrench, can you elaborate more about the specifics of your setup? What kind of ingress controller do you use and how is it integrated with reverse proxy?

Sure, I am using Traefik (other cluster uses nginx, but testing on cluster with Traefik first). Life of a request flows like this:

request -> Cloudflare proxy -> external IP (189.XX.XX.XX) -> internal load balancer for Traefik (172.16.XX.XX) -> cluster nodes (not exposed)

I need coredns to respond with the external IP rather than the internal load balancer IP it currently responds with:

```
Status:
  Healthy Records:
    .....................
      172.16.20.30
```

I tried creating my own DNSEndpoint with the correct external IP as the target, but it didn't seem to get picked up.

@neilmfrench
Author

neilmfrench commented Nov 18, 2023

I think the simplest solution would be to allow the reading of the "real" external IP from an annotation on the ingress if it exists, rather than relying only on status.loadBalancer.ingress. Health checks would still use the internal IP, but for building out the local targets list it would use whatever IP the annotation has.

@ytsarev
Member

ytsarev commented Nov 19, 2023

@neilmfrench, thanks a lot for the suggestions! That sounds reasonable and should be relatively straightforward to add. We will put it into the roadmap 👍

@Aksine

Aksine commented Aug 3, 2024

Hello, is there any update on fixing this issue?

@ytsarev
Member

ytsarev commented Aug 3, 2024

Hi, we haven't implemented it yet. I will make sure we discuss it at the next community meeting. Thanks for bringing it up.

ytsarev added this to the 1.1 milestone Aug 3, 2024
ytsarev added the enhancement (New feature or request) label Aug 3, 2024
ytsarev added this to k8gb Aug 3, 2024
github-project-automation bot moved this to To do in k8gb Aug 3, 2024
@Aksine

Aksine commented Aug 4, 2024

Thank you for your prompt response, I'm looking forward to this feature being implemented!!

abaguas added a commit to abaguas/k8gb that referenced this issue Aug 25, 2024
Problem
K8GB reads IP addresses from `Ingress.Status.LoadBalancer.Ingress` or from `Service.Status.LoadBalancer.Ingress` for ingress configured with Kubernetes Ingress and Istio Virtual Service, respectively.
The IP addresses exposed by these resources are the IP addresses exposed by the Kubernetes Cluster. However, in some setups the clients do not route their traffic to these IP addresses because the cluster is behind a reverse proxy.

Solution
To support this setup, K8GB should expose DNS records with the IP address of the reverse proxy. Since the address is unknown to the cluster, the K8GB administrator must provide it via configuration. This PR adds to K8GB the capability to read IP addresses from an annotation `k8gb.io/external-ips` on Ingress and Service resources.

Examples
```
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  labels:
    app: ingress
  annotations:
    k8gb.io/external-ips: "185.199.110.153"
```

```
apiVersion: v1
kind: Service
metadata:
  name: istio-ingressgateway
  namespace: istio-ingress
  labels:
    app: istio-ingressgateway
  annotations:
    k8gb.io/external-ips: "185.199.110.153,185.199.109.153"
```

Fixes k8gb-io#1275

Signed-off-by: Andre Baptista Aguas <[email protected]>
@abaguas abaguas linked a pull request Aug 25, 2024 that will close this issue
abaguas added a commit to abaguas/k8gb that referenced this issue Sep 24, 2024
abaguas added a commit to abaguas/k8gb that referenced this issue Oct 13, 2024
Problem
K8GB reads IP addresses from `Ingress.Status.LoadBalancer.Ingress` or from `Service.Status.LoadBalancer.Ingress` for ingress configured with Kubernetes Ingress and Istio Virtual Service, respectively.
The IP addresses exposed by these resources are the IP addresses exposed by the Kubernetes Cluster. However, in some setups the clients do not route their traffic to these IP addresses because the cluster is behind a reverse proxy.

Solution
To support this setup, K8GB should expose DNS records with the IP address of the reverse proxy. Since the address is unknown to the cluster, the K8GB administrator must provide it via configuration. This PR adds to K8GB the capability to read IP addresses from an annotation `k8gb.io/external-ips` on the GSLB resource.

Examples
```
apiVersion: k8gb.absa.oss/v1beta1
kind: Gslb
metadata:
  labels:
    app: ingress
  annotations:
    k8gb.io/external-ips: "185.199.110.153"
```

Fixes k8gb-io#1275

Signed-off-by: Andre Baptista Aguas <[email protected]>
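
The target selection described in the commit message above, as an added Go example (not k8gb's own code): `resolveTargets` is a hypothetical name. Treating a malformed value as an error instead of falling back, and rejecting loopback, unspecified, multicast and link-local addresses, are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Annotation key taken from the commit message above.
const externalIPsAnnotation = "k8gb.io/external-ips"

// resolveTargets is a hypothetical helper (not k8gb's code). It returns the
// addresses to publish in DNS: the annotation's IPs when the annotation is
// set, otherwise the load balancer status IPs. A malformed annotation is an
// error, not a silent fallback, so a typo never republishes internal IPs.
func resolveTargets(annotations map[string]string, statusIPs []string) ([]string, error) {
	raw, ok := annotations[externalIPsAnnotation]
	if !ok {
		return statusIPs, nil
	}
	seen := map[netip.Addr]bool{}
	var targets []string
	for _, field := range strings.Split(raw, ",") {
		field = strings.TrimSpace(field)
		addr, err := netip.ParseAddr(field)
		if err != nil {
			return nil, fmt.Errorf("%s: invalid IP %q", externalIPsAnnotation, field)
		}
		// Assumption of this example: such addresses are never valid DNS targets.
		if addr.IsUnspecified() || addr.IsLoopback() || addr.IsMulticast() || addr.IsLinkLocalUnicast() {
			return nil, fmt.Errorf("%s: %s is not a routable unicast address", externalIPsAnnotation, addr)
		}
		if !seen[addr] { // drop duplicates, keep first-seen order
			seen[addr] = true
			targets = append(targets, addr.String())
		}
	}
	return targets, nil
}

func main() {
	// Constructed input: annotation value from the Service example, status IP from the issue.
	ann := map[string]string{externalIPsAnnotation: "185.199.110.153, 185.199.109.153"}
	fmt.Println(resolveTargets(ann, []string{"172.16.20.30"}))
	fmt.Println(resolveTargets(nil, []string{"172.16.20.30"}))
}
```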
abaguas added a commit to abaguas/k8gb that referenced this issue Nov 7, 2024