feat: svc enable proxy protocol on specified ports

arnaud-dezandee · arnaud-dezandee · commit 5537c4084ec0 · 2025-06-22T16:32:06.000+02:00
diff --git a/docs/guide/service/annotations.md b/docs/guide/service/annotations.md
@@ -27,7 +27,7 @@
 | [service.beta.kubernetes.io/aws-load-balancer-name](#load-balancer-name)                                             | string                  |                          |                                                                                                                                                                                                                                                                                                                                                                                                                      |
 | [service.beta.kubernetes.io/aws-load-balancer-internal](#lb-internal)                                                | boolean                 | false                    | deprecated, in favor of [aws-load-balancer-scheme](#lb-scheme)                                                                                                                                                                                                                                                                                                                                                       |
 | [service.beta.kubernetes.io/aws-load-balancer-scheme](#lb-scheme)                                                    | string                  | internal                 |                                                                                                                                                                                                                                                                                                                                                                                                                      |
-| [service.beta.kubernetes.io/aws-load-balancer-proxy-protocol](#proxy-protocol-v2)                                    | string                  |                          | Set to `"*"` to enable                                                                                                                                                                                                                                                                                                                                                                                               |
+| [service.beta.kubernetes.io/aws-load-balancer-proxy-protocol](#proxy-protocol-v2)                                    | string                  |                          | Set to `"*"` to enable for all service ports |
 | [service.beta.kubernetes.io/aws-load-balancer-proxy-protocol-per-target-group](#proxy-protocol-v2)                   | string                  |                          | If specified,configures proxy protocol for the target groups corresponding to the ports mentioned and disables for the rest. For example, if you have services deployed on ports `"80, 443 and 22"`, the annotation value `"80, 443"` will enable proxy protocol for ports 80 and 443 only, and disable for port 22. This annotation is overriden by `"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol"` |
 | [service.beta.kubernetes.io/aws-load-balancer-ip-address-type](#ip-address-type)                                     | string                  | ipv4                     | ipv4 \| dualstack                                                                                                                                                                                                                                                                                                                                                                                                    |
 | [service.beta.kubernetes.io/aws-load-balancer-access-log-enabled](#deprecated-attributes)                            | boolean                 | false                    | deprecated, in favor of [aws-load-balancer-attributes](#load-balancer-attributes)                                                                                                                                                                                                                                                                                                                                    |
@@ -256,11 +256,18 @@ You can configure dualstack NLB to support UDP-based services over IPv6 via the
 NLB resource attributes can be controlled via the following annotations:
 
 - <a name="proxy-protocol-v2">service.beta.kubernetes.io/aws-load-balancer-proxy-protocol</a> specifies whether to enable proxy protocol v2 on the target group.
-Set to '*' to enable proxy protocol v2. This annotation takes precedence over the annotation `service.beta.kubernetes.io/aws-load-balancer-target-group-attributes`
-for proxy protocol v2 configuration.
+This annotation takes precedence over the annotation `service.beta.kubernetes.io/aws-load-balancer-target-group-attributes` for proxy protocol v2 configuration.
+If you specify `*`, proxy protocol v2 is enabled for all ports. If you specify a list of one or more ports, proxy protocol v2 is enabled only for those ports.
 
-    !!!note ""
-        The only valid value for this annotation is `*`.
+    !!!example
+        - enable proxy protocol for all ports
+        ```
+        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: *
+        ```
+        - enable proxy protocol for ports 80 and 443
+        ```
+        service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: 80, 443
+        ```
 
 - <a name="target-group-attributes">`service.beta.kubernetes.io/aws-load-balancer-target-group-attributes`</a> specifies the
 [Target Group Attributes](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-group-attributes) to be configured.
diff --git a/pkg/service/model_build_target_group.go b/pkg/service/model_build_target_group.go
@@ -6,7 +6,6 @@ import (
 	"encoding/hex"
 	"fmt"
 	"regexp"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
 	"sort"
 	"strconv"
 	"strings"
@@ -23,6 +22,7 @@ import (
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
 )
 
 func (t *defaultModelBuildTask) buildTargetGroup(ctx context.Context, port corev1.ServicePort, tgProtocol elbv2model.Protocol, scheme elbv2model.LoadBalancerScheme) (*elbv2model.TargetGroup, error) {
@@ -233,12 +233,18 @@ func (t *defaultModelBuildTask) buildTargetGroupAttributes(_ context.Context, po
 		}
 	}
 
-	proxyV2Annotation := ""
-	if exists := t.annotationParser.ParseStringAnnotation(annotations.SvcLBSuffixProxyProtocol, &proxyV2Annotation, t.service.Annotations); exists {
-		if proxyV2Annotation != "*" {
-			return []elbv2model.TargetGroupAttribute{}, errors.Errorf("invalid value %v for Load Balancer proxy protocol v2 annotation, only value currently supported is *", proxyV2Annotation)
+	var proxyV2Annotations []string
+	if exists := t.annotationParser.ParseStringSliceAnnotation(annotations.SvcLBSuffixProxyProtocol, &proxyV2Annotations, t.service.Annotations); exists {
+		for _, proxySelector := range proxyV2Annotations {
+			if proxySelector == "*" {
+				rawAttributes[shared_constants.TGAttributeProxyProtocolV2Enabled] = "true"
+				break
+			}
+			if proxySelector == strconv.Itoa(int(port.Port)) {
+				rawAttributes[shared_constants.TGAttributeProxyProtocolV2Enabled] = "true"
+				break
+			}
 		}
-		rawAttributes[shared_constants.TGAttributeProxyProtocolV2Enabled] = "true"
 	}
 
 	if rawPreserveIPEnabled, ok := rawAttributes[shared_constants.TGAttributePreserveClientIPEnabled]; ok {
diff --git a/pkg/service/model_build_target_group_test.go b/pkg/service/model_build_target_group_test.go
@@ -3,25 +3,24 @@ package service
 import (
 	"context"
 	"errors"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
 	"sort"
 	"strconv"
 	"testing"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	"github.com/golang/mock/gomock"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
-	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
-
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	elbv2api "sigs.k8s.io/aws-load-balancer-controller/apis/elbv2/v1beta1"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/networking"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_constants"
 )
 
 func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
@@ -65,15 +64,67 @@ func Test_defaultModelBuilderTask_targetGroupAttrs(t *testing.T) {
 			},
 		},
 		{
-			testName: "Invalid value",
+			testName: "no matching value",
 			svc: &corev1.Service{
 				ObjectMeta: metav1.ObjectMeta{
 					Annotations: map[string]string{
 						"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "v2",
 					},
 				},
 			},
-			wantError: true,
+			wantValue: []elbv2.TargetGroupAttribute{
+				{
+					Key:   shared_constants.TGAttributeProxyProtocolV2Enabled,
+					Value: "false",
+				},
+			},
+			wantError: false,
+		},
+		{
+			testName: "matching value",
+			svc: &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "80",
+					},
+				},
+			},
+			port: corev1.ServicePort{
+				Name:       "http",
+				Port:       80,
+				TargetPort: intstr.FromInt(8080),
+				NodePort:   32768,
+			},
+			wantValue: []elbv2.TargetGroupAttribute{
+				{
+					Key:   shared_constants.TGAttributeProxyProtocolV2Enabled,
+					Value: "true",
+				},
+			},
+			wantError: false,
+		},
+		{
+			testName: "multiple values",
+			svc: &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						"service.beta.kubernetes.io/aws-load-balancer-proxy-protocol": "443, 80, 9090",
+					},
+				},
+			},
+			port: corev1.ServicePort{
+				Name:       "http",
+				Port:       80,
+				TargetPort: intstr.FromInt(8080),
+				NodePort:   32768,
+			},
+			wantValue: []elbv2.TargetGroupAttribute{
+				{
+					Key:   shared_constants.TGAttributeProxyProtocolV2Enabled,
+					Value: "true",
+				},
+			},
+			wantError: false,
 		},
 		{
 			testName: "target group attributes",
