digitalocean-cloud-controller-manager icon indicating copy to clipboard operation
digitalocean-cloud-controller-manager copied to clipboard
verified publisher icon digitalocean

Implement support for "Load balancer IP address mode"

Open diesieben07 opened this issue 9 months ago • 3 comments

When enabling the proxy protocol in a DO load balancer it breaks requests to hosts that point at the load balancer that originate from with in the cluster. The reason for this is that Kubernetes routes these requests directly inside the cluster, bypassing the load balancer. When the proxy protocol is enabled, the requests then end up as raw HTTPS at the Ingress, but the Ingress is expecting the proxy protocol.

This issue is described in the readme as well: https://github.com/digitalocean/digitalocean-cloud-controller-manager/blob/master/docs/controllers/services/examples/README.md#accessing-pods-over-a-managed-load-balancer-from-inside-the-cluster

~~The existing workaround requires modifying the applications running within the cluster to talk to a different hostname. This is not always viable.~~

Since Kubernetes 1.32 controllers can set the "ipMode" for a load balancer, allowing configuration of this behavior. If it is set to "Proxy" then the load balancer is not bypassed for traffic from within the cluster. The relevant documentation is here: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-ip-mode

My understanding is that for this to be used on DO, a new annotation (akin to service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol, etc.) would need to be implemented in the DO Cloud Controller Manager to let users control this behavior.

For example:

apiVersion: v1
kind: Service
spec:
  type: LoadBalancer
metadata:
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "false"
    service.beta.kubernetes.io/do-loadbalancer-ip-mode: "Proxy" # <<- HERE

diesieben07 avatar Mar 13 '25 15:03 diesieben07

This would be a great option to have available. The linked workaround involves multiple setup steps and external configuration. https://github.com/compumike/hairpin-proxy is another common workaround that could be avoided if this option were available.

jtpereyda avatar Jul 21 '25 20:07 jtpereyda

The related KEP : https://github.com/kubernetes/enhancements/issues/1860

jfcoz avatar Sep 02 '25 13:09 jfcoz

DigitalOcean support says they prioritize via votes, I’ve added : https://ideas.digitalocean.com/kubernetes/p/loadbalancer-proxy-ipmode

jfcoz avatar Sep 10 '25 10:09 jfcoz