Add annotation to preserve client IP

(cherry picked from commit 65dae83)

Author: chengxiangdong

docs/huawei-cloud-controller-manager-configuration.md

@@ -184,6 +184,27 @@ The following arguments are supported:
   * `timeout` Required. Specifies the health check timeout duration in the unit of second.
     The value ranges from `1` to `50`. Defaults to `3`.
 
+* `enable-transparent-client-ip` Specifies whether to pass source IP addresses of the clients to backend servers.
+  Valid values are `'true'` and `'false'`.
+
+  TCP or UDP listeners of shared load balancers:
+  The value can be **true** or **false**, and the default value is **false** if this annotation is not passed.
+
+  HTTP or HTTPS listeners of shared load balancers:
+  The value can only be **true**, and the default value is **true** if this annotation is not passed.
+
+  All listeners of dedicated load balancers:
+  The value can only be **true**, and the default value is **true** if this annotation is not passed.
+
+  > Note:
+  >
+  > If this function is enabled, the load balancer communicates with backend servers using their real IP addresses.
+  > Ensure that security group rules and access control policies are correctly configured.
+  >
+  > If this function is enabled, a server cannot serve as both a backend server and a client.
+  >
+  > If this function is enabled, backend server specifications cannot be changed.
+
 * `enable-cross-vpc` Optional. Specifies whether to enable cross-VPC backend.
   The value can be `true` (enable cross-VPC backend) or `false` (disable cross-VPC backend).
   The value can only be updated to `true`.

docs/usage-guide.md

@@ -141,6 +141,27 @@ will be used, otherwise use the set value.
   * `timeout` Required. Specifies the health check timeout duration in the unit of second.
     The value ranges from `1` to `50`. Defaults to `3`.
 
+* `kubernetes.io/elb.enable-transparent-client-ip` Optional. Specifies whether to pass source IP addresses of the clients to backend servers.
+  Valid values are `'true'` and `'false'`.
+
+  TCP or UDP listeners of shared load balancers: 
+  The value can be **true** or **false**, and the default value is **false** if this annotation is not passed.
+
+  HTTP or HTTPS listeners of shared load balancers: 
+  The value can only be **true**, and the default value is **true** if this annotation is not passed.
+
+  All listeners of dedicated load balancers: 
+  The value can only be **true**, and the default value is **true** if this annotation is not passed.
+
+  > Note:
+  > 
+  > If this function is enabled, the load balancer communicates with backend servers using their real IP addresses. 
+  > Ensure that security group rules and access control policies are correctly configured.
+  > 
+  > If this function is enabled, a server cannot serve as both a backend server and a client.
+  > 
+  > If this function is enabled, backend server specifications cannot be changed.
+
 * `kubernetes.io/elb.x-forwarded-host` Optional. Specifies whether to rewrite the `X-Forwarded-Host` header.
   If this function is enabled, `X-Forwarded-Host` is rewritten based on Host in the request and sent to backend servers.
   Valid values are `'true'` and `'false'`, defaults to `'false'`.
@@ -216,7 +237,7 @@ kind: Service
 metadata:
   annotations:
     kubernetes.io/elb.class: shared
-    kubernetes.io/elb.id: xxxx  # Please fill your ELB service ID.
+    kubernetes.io/elb.id: xx  # Please replace xx with your ELB instance ID.
     kubernetes.io/elb.lb-algorithm: ROUND_ROBIN
   labels:
     app: nginx
@@ -263,6 +284,7 @@ metadata:
   annotations:
     kubernetes.io/elb.class: shared
     kubernetes.io/elb.lb-algorithm: ROUND_ROBIN
+    kubernetes.io/elb.enable-transparent-client-ip: 'true'  # Preserve client IP to backend servers.
   labels:
     app: nginx
   name: loadbalancer-service-demo-02

pkg/cloudprovider/huaweicloud/sharedloadbalancer.go

@@ -676,6 +676,13 @@ func (l *SharedLoadBalancer) createListener(loadbalancerID string, service *v1.S
 		}
 	}
 
+	if protocol == ProtocolTCP || protocol == ProtocolUDP {
+		// TCP or UDP listeners transparent_client_ip_enable can be true or false.
+		transparentClientIPEnable := getBoolFromSvsAnnotation(service, ElbEnableTransparentClientIP,
+			l.loadbalancerOpts.EnableTransparentClientIP)
+		createOpt.TransparentClientIpEnable = &transparentClientIPEnable
+	}
+
 	listener, err := l.dedicatedELBClient.CreateListener(createOpt)
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "Failed to create listener for loadbalancer %s: %v",
@@ -708,6 +715,13 @@ func (l *SharedLoadBalancer) updateListener(listener *elbmodel.ListenerResp, ser
 		}
 	}
 
+	if listener.Protocol.Value() == ProtocolTCP || listener.Protocol.Value() == ProtocolUDP {
+		// TCP or UDP listeners transparent_client_ip_enable can be true or false.
+		transparentClientIPEnable := getBoolFromSvsAnnotation(service, ElbEnableTransparentClientIP,
+			l.loadbalancerOpts.EnableTransparentClientIP)
+		updateOpt.TransparentClientIpEnable = &transparentClientIPEnable
+	}
+
 	err := l.dedicatedELBClient.UpdateListener(listener.Id, updateOpt)
 	if err != nil {
 		return err

test/e2e/shared_loadbalancer_test.go

@@ -76,6 +76,8 @@ var _ = ginkgo.Describe("Shared loadbalancer(TCP) service testing", func() {
 		annotations[huaweicloud.ElbSessionAffinityOption] = `{"type":"SOURCE_IP", "persistence_timeout": 3}`
 		annotations[huaweicloud.ElbHealthCheckFlag] = "on"
 		annotations[huaweicloud.ElbHealthCheckOptions] = `{"delay": 4, "timeout": 16, "max_retries": 4}`
+		annotations[huaweicloud.ElbHealthCheckOptions] = `{"delay": 3, "timeout": 15, "max_retries": 3}`
+		annotations[huaweicloud.ElbEnableTransparentClientIP] = "true"
 
 		service = newLoadbalancerAutoService(testNamespace, serviceName, 80, annotations)
 		framework.CreateService(kubeClient, service)