
Add upstream support for PROXYv2

Open rosskukulinski opened this issue 6 years ago • 9 comments

Describe the solution you'd like

As a platform operator, I would like to use Contour at the border/edge of all my regions (e.g. it has a public IP address). Contour will terminate HTTP1.1, HTTP2.0, GRPC, WebSocket, TCP, HTTPS, etc.

Then I would like it to proxy the connection to backend Ingress Controllers that run in each upstream Kubernetes cluster which may or may not be Contour. This proxying should be done with the PROXYv2 protocol so that connection metadata (client IP address, mTLS SAN, etc) are passed onto the upstream ingress controller.


Blocked

  • [x] Upgrade to Envoy 1.12 #1351
  • [x] envoyproxy/envoy#7503

rosskukulinski avatar Feb 19 '19 15:02 rosskukulinski
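The connection metadata the request above wants forwarded travels in a binary PROXY protocol v2 header at the start of the TCP stream. The following is an added example, not code from Contour or Envoy, showing how a receiving ingress could decode that header while refusing it from peers outside a trusted edge range. `ParseV2`, `SampleHeader`, the `10.1.0.0/16` prefix and all addresses are assumptions made for illustration, and only the PROXY command over TCP/IPv4 is handled.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net/netip"
)

var sig = []byte("\r\n\r\n\x00\r\nQUIT\n") // fixed 12-byte PROXY v2 signature

// ParseV2 decodes a v2 header only if the TCP peer that sent it is a trusted edge proxy.
func ParseV2(peer netip.Addr, trusted netip.Prefix, b []byte) (src, dst netip.AddrPort, tlvs map[byte][]byte, err error) {
	if !trusted.Contains(peer) {
		return src, dst, nil, errors.New("PROXY header from untrusted peer")
	}
	// Byte 12: version 2 + PROXY command (0x21). Byte 13: AF_INET + STREAM (0x11).
	if len(b) < 16 || !bytes.Equal(b[:12], sig) || b[12] != 0x21 || b[13] != 0x11 {
		return src, dst, nil, errors.New("not a v2 PROXY/TCP4 header")
	}
	n := int(binary.BigEndian.Uint16(b[14:16])) // bytes that follow the 16-byte prefix
	if n < 12 || len(b) < 16+n {
		return src, dst, nil, errors.New("declared length does not fit")
	}
	p := b[16 : 16+n]
	sa, _ := netip.AddrFromSlice(p[0:4])
	da, _ := netip.AddrFromSlice(p[4:8])
	src = netip.AddrPortFrom(sa, binary.BigEndian.Uint16(p[8:10]))
	dst = netip.AddrPortFrom(da, binary.BigEndian.Uint16(p[10:12]))
	tlvs = map[byte][]byte{}
	// Optional TLVs: 1-byte type, 2-byte big-endian length, then the value.
	for rest := p[12:]; len(rest) > 0; {
		if len(rest) < 3 || len(rest) < 3+int(binary.BigEndian.Uint16(rest[1:3])) {
			return src, dst, nil, errors.New("truncated TLV")
		}
		end := 3 + int(binary.BigEndian.Uint16(rest[1:3]))
		tlvs[rest[0]], rest = rest[3:end], rest[end:]
	}
	return src, dst, tlvs, nil
}

// SampleHeader is constructed: 203.0.113.7:51234 -> 10.0.0.5:443, one TLV 0x02 (PP2_TYPE_AUTHORITY).
func SampleHeader() []byte {
	body := append([]byte{203, 0, 113, 7, 10, 0, 0, 5, 0xC8, 0x22, 0x01, 0xBB, 0x02, 0, 12}, "example.test"...)
	return append(append(append([]byte{}, sig...), 0x21, 0x11, 0, byte(len(body))), body...)
}

func main() {
	fmt.Println(ParseV2(netip.MustParseAddr("10.1.0.9"), netip.MustParsePrefix("10.1.0.0/16"), SampleHeader()))
}
```

The peer check matters because the header is unauthenticated: any client that can reach the listener directly can claim an arbitrary source address.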

At the moment I don't believe Envoy offers the option to encapsulate an upstream, Envoy's word for Envoy to Pod traffic, TCP session in a PROXYv2 header. This is a blocker for adding this feature to Contour.

davecheney avatar Feb 19 '19 18:02 davecheney

Hello,

Without support for PROXYv2 in Envoy we cannot implement this feature. I would prefer not to leave this issue open indefinitely as there are no active plans to work on it. If/when upstream implements PROXYv2 support towards backends please reopen this issue.

davecheney avatar Apr 09 '19 05:04 davecheney

In the Envoy project on GitHub there is already some effort on implementing proxy protocol for upstreams, for example

https://github.com/envoyproxy/envoy/issues/4128
https://github.com/envoyproxy/envoy/issues/173

I will check later on and post again if Envoy has completed the implementation...

discostur avatar Jul 08 '19 08:07 discostur

Thank you for the reference to the Envoy issue. I'll reopen this and target it for beta1, hopefully Envoy 1.11 will be out by then.

davecheney avatar Jul 08 '19 08:07 davecheney

Moving to 0.15 as the Envoy 1.11.0 upgrade is complete #1242

Marking as help wanted because nobody is scheduled to work on this at the moment.

davecheney avatar Aug 01 '19 22:08 davecheney

It looks like this feature is in master, but not 1.11. I'm moving this issue to the unplanned milestone as it is blocked on #1351

davecheney avatar Aug 19 '19 01:08 davecheney

PROXY support for upstream sockets (envoyproxy/envoy#1031) has now landed in Envoy (envoyproxy/envoy#12762).

bgagnon avatar Oct 26 '20 17:10 bgagnon

I've put this one back into "needs triage" so that we can reevaluate where it's at and try to get it prioritized.

youngnick avatar Oct 27 '20 05:10 youngnick

xref #2529

jpeach avatar Nov 18 '20 00:11 jpeach