OpenShift Request For Enhancement / RFE-3692

Ability to Update IngressController associated with primary NLB



      1. Proposed title of this feature request
      OSD/ROSA managed Ingress improvements: https://issues.redhat.com/browse/SDE-1768

      2. What is the nature and description of the request?

      User wants a supported way in which to route traffic into their cluster in a reliable and secure way. Preferably through an NLB. 


      ROSA to support the following:

      • OpenShift NLB Ingress should have the ability to enable the AWS NLB proxyProtocol V2
      • The HARouterProxy should support proxyProtocol V2


      The reason is that in the current architecture we lose the client's source IP when going through our primary NLB. The only way to preserve it would be using ProxyProtocol V2, due to the VPC link between our "spoke" AWS accounts and the "hub" (i.e. the account the cluster lives on) AWS accounts.

      Note the Proxy was something that was enabled as part of OpenShift 4.8: https://issues.redhat.com/browse/RFE-401

      Attaching an Architecture document showing what we have tried and explaining why those options did not work.

      3. Why does the customer need this? (List the business requirements here)

      We need to know the source IP address so that we can:

      • Audit traffic coming in to the cluster
      • Security (update the NLB’s target group security group to
        allow essentially access.)

      4. List any affected packages or components.

            ddharwar@redhat.com Deepthi Dharwar
            jland@redhat.com James Land
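
How a backend recovers the client source IP from a PROXY protocol v2 header, shown as an added example for the request above; it is not code from this issue, OpenShift or HAProxy. The sample bytes and addresses are constructed for illustration.

```python
import ipaddress
import struct

SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature
ADDR_LEN = {0x1: 4, 0x2: 16}            # AF_INET / AF_INET6 address sizes


def parse_proxy_v2(data: bytes) -> dict:
    """Parse a PROXY protocol v2 header at the start of a TCP stream."""
    if len(data) < 16 or data[:12] != SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 0x2 or ver_cmd & 0x0F not in (0x0, 0x1):
        raise ValueError("unsupported version or command")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    body = data[16:16 + length]
    info = {"command": "PROXY" if ver_cmd & 0x0F else "LOCAL",
            "src": None, "dst": None, "tlvs": {}, "header_len": 16 + length}
    alen = ADDR_LEN.get(fam_proto >> 4)
    # LOCAL (e.g. health checks) and non-IP families carry no client address.
    if info["command"] == "LOCAL" or alen is None:
        return info
    need = 2 * alen + 4
    if len(body) < need:
        raise ValueError("address block shorter than its family requires")
    sport, dport = struct.unpack("!HH", body[2 * alen:need])
    info["src"] = (str(ipaddress.ip_address(body[:alen])), sport)
    info["dst"] = (str(ipaddress.ip_address(body[alen:2 * alen])), dport)
    pos = need  # the rest of the header is TLVs: 1-byte type, 2-byte length, value
    while pos + 3 <= len(body):
        tlv_type, tlv_len = struct.unpack("!BH", body[pos:pos + 3])
        if pos + 3 + tlv_len > len(body):
            raise ValueError("TLV overruns header")
        info["tlvs"][tlv_type] = body[pos + 3:pos + 3 + tlv_len]
        pos += 3 + tlv_len
    return info


# Constructed sample: PROXY command, TCP over IPv4, documentation-range client IP,
# followed by the first bytes of the application payload.
SAMPLE = (SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
          + ipaddress.ip_address("203.0.113.7").packed
          + ipaddress.ip_address("10.0.1.25").packed
          + struct.pack("!HH", 51234, 443)
          + b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    hdr = parse_proxy_v2(SAMPLE)
    print("client", hdr["src"], "->", hdr["dst"], "payload:", SAMPLE[hdr["header_len"]:])
```

The recovered address is only suitable for auditing or access decisions when the listener accepts connections exclusively from the load balancer, since any other peer could send a header of its own.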