Epic Goal

• Implement the support of exposing the "Traffic Configuration", target group attributes, for a Service type-loadBalancer NLB when creating a Service on CCM-AWS (cloud-provider-aws)
• The "Traffic Configuration" attributes are composed by:
  • Preserve client IP addresses
  • Proxy protocol v2

Why is this important?

Client IP preservation causes that, if a pod opens a connection to the load balancer service and that connection is sent to the same node where the pod resides, the connection fails. This makes mandatory dedicating nodes to ingress controllers, which is not preferred for ROSA HCP.

The problem was recently exposed through an e2e[1] in the upstream project, an issue has been created[2]. More details in the research Epic SPLAT-2257.

As aligned with Network Edge team[3], CCM changes is a must to allow Cluster Ingress Controller control attributes when it requires to enable Proxy Protocol on NLB for default routers services on Internal Publish Strategy clusters (a.k.a private).

This is a bug on any OpenShift private deployments when using NLB. (OCPBUGS-58456 )

[1] https://github.com/kubernetes/cloud-provider-aws/pull/1161#issuecomment-3080713501 

[2] https://github.com/kubernetes/cloud-provider-aws/issues/1160 

[3] https://redhat-internal.slack.com/archives/CCH60A77E/p1749137394974759?thread_ts=1745435593.239899&cid=CCH60A77E 

Scenarios

As a user of an OpenShift Container Platform cluster installed in AWS, I want to be able to:

• Annotate a LoadBalancer service that uses NLBs Target Group attribute of "Client IP preservation" to disable when using target type instance so that client IP will be NATed by NLB addresses, and won't have more the SYN-ACK packet issues from the server (hairpin connection issue)
• Annotate a LoadBalancer service that uses NLB's Target Group attribute of "Proxy Protocol v2" to enable so that kubernetes features and routing won't be affected when need to know source ip addresses.
• provide a mechanism to ingress controller that uses NLB to configure service attributes so that default routers can be safety deployed in private environments, specially in ROSA HCP.
•  

Acceptance Criteria

• Implement the mechanism to change the target group attributes to CCM-AWS
• PRs in upstream must be merged
• Downstream project must be updated with the feature
• Next step work for CIO is clearly defined to completely resolve ROSA HCP scenario
•  

Dependencies (internal and external)

1. Which Epic will cover the cluster-ingress-operator changes to enable PROXY to haproxy, as well patching the router Service objects when private clusters with NLB?

Previous Work (Optional):

1. https://issues.redhat.com/browse/SPLAT-2257
2. https://github.com/kubernetes/cloud-provider-aws/pull/1161
3. https://github.com/kubernetes/cloud-provider-aws/issues/1160
4.  

Open questions::

1. …

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>

Additional References:

• Slack thread with managed service issue: https://redhat-internal.slack.com/archives/CCH60A77E/p1745435593239899
• Internal Discussion https://docs.google.com/document/d/18yuGkz-7msmBBBvfPMlALJDB0b5edt9sS5zO59_YWPw/edit?tab=t.0