- Story
- Resolution: Won't Do
- Minor
USER STORY:
As a SPLAT Engineer, I want to understand the behavior of a Golang app using TLS when ProxyV2 is enabled on a Network Load Balancer, and how the client IP can be extracted from the TCP payload, so that we can share the results with engineering teams.
DESCRIPTION:
The SDN Engineering team had doubts about how to interpret the client IP of connections arriving from the API's NLB, as discovered/parsed by this k8s function from machinery in this thread. That function does not seem to return the correct client IP when the application is behind an NLB; it only works behind an ALB (an application ELB, which sets the X-Forwarded-For header at L7/HTTP). With an NLB (which is L4) using IP targets and ProxyV2 disabled, req.RemoteAddr is the IP of the balancer's nodes, not the client IP.
The IPI creates the API's NLBs (public and private) with ProxyV2=Disabled. When ProxyV2 is enabled, the ProxyV2 header is prepended to the TCP data, so the client's IP can be parsed from it. We don't know the behavior when using TLS, whether it can be enabled without impact, nor the best way to parse those TCP data fields.
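Added example (not part of this ticket and not the go-proxyproto library's code) showing what "prepended to the TCP data" means in practice: a small standard-library-only parser for the PROXY v2 binary header (signature, version/command, family, address block) that returns the client tuple and the offset at which the TLS bytes start. The sample stream is constructed with documentation addresses; the parser assumes TCP over IPv4, which is what kube-apiserver's NLB uses, and rejects anything else rather than guessing.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// 12-byte PROXY protocol v2 signature that the NLB prepends to the TCP stream.
const v2Signature = "\r\n\r\n\x00\r\nQUIT\n"
type ProxyInfo struct { // client (source) and target (destination) tuple from the header
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
	HeaderLen        int // bytes to skip before the application (TLS) data begins
}

// ParseProxyV2 parses a PROXY v2 header (TCP over IPv4) at the start of buf; on error, buf carries no valid v2 header.
func ParseProxyV2(buf []byte) (*ProxyInfo, error) {
	if len(buf) < 16 || string(buf[:12]) != v2Signature {
		return nil, fmt.Errorf("no PROXY v2 signature")
	}
	verCmd, famProto := buf[12], buf[13]
	total := 16 + int(binary.BigEndian.Uint16(buf[14:16])) // header length incl. any TLVs
	if verCmd>>4 != 2 || len(buf) < total {
		return nil, fmt.Errorf("bad version %d or truncated header", verCmd>>4)
	}
	info := &ProxyInfo{HeaderLen: total}
	if verCmd&0x0F == 0x00 { // LOCAL command (e.g. health check): carries no client address
		return info, nil
	}
	if famProto != 0x11 || total < 28 { // 0x11 = TCP/IPv4: src(4) dst(4) sport(2) dport(2)
		return nil, fmt.Errorf("unsupported address family/protocol 0x%02x", famProto)
	}
	a := buf[16:28]
	info.SrcIP, info.DstIP = net.IPv4(a[0], a[1], a[2], a[3]), net.IPv4(a[4], a[5], a[6], a[7])
	info.SrcPort, info.DstPort = binary.BigEndian.Uint16(a[8:10]), binary.BigEndian.Uint16(a[10:12])
	return info, nil
}

// sampleStream is a constructed stream (documentation addresses, not a real capture): PROXY v2 header for 203.0.113.10:40000 -> 10.0.1.5:6443, then the bytes the app would read.
func sampleStream() []byte {
	h := append([]byte(v2Signature), 0x21, 0x11, 0x00, 0x0C) // v2 PROXY command, TCP/IPv4, 12 address bytes
	h = append(h, 203, 0, 113, 10, 10, 0, 1, 5, 0x9C, 0x40, 0x19, 0x2B)
	return append(h, "TLS ClientHello would follow here"...)
}

func main() {
	info, err := ParseProxyV2(sampleStream())
	fmt.Println(info, err) // on success: client 203.0.113.10:40000, app data at byte 28
}
```

In a real listener the same parse runs once per accepted net.Conn, before the connection is wrapped with tls.Server, and a missing signature must be treated as plain data rather than an error if ProxyV2 may be disabled on the NLB.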
Required:
- A sample app in Go listening on TCP to read the client's IP when using . There's a sample lib that can be used as a baseline: https://github.com/pires/go-proxyproto
- A short document explaining the tests used with the Proxy disabled and enabled
- Share the docs with the related engineering teams
Nice to have:
- Detailed steps to enable ProxyV2 on the kube-apiserver's NLB (AWS Console? from Installer manifests?)
ACCEPTANCE CRITERIA:
- a short document with the steps taken when enabling ProxyV2 in an app using TLS, and the related results
- share to aos-devel
ENGINEERING DETAILS:
- Slack thread that started these doubts
- Lib to read ProxyV2
- Steps to Enable Proxy on NLB
- is related to: SPLAT-299 [aws][nlb] create runbook to replace NLB's target group as target=Instance to track client IP (Closed)