New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
healthcheck: support TCP health check with ProxyProtocol #31691
Conversation
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
246c869
to
44e9615
Compare
/lgtm api @zuercher for owner review |
@zuercher friendly ping |
// When setting this value, it tries to attempt health check request with ProxyProtocol. | ||
// Payload is sent after preceding ProxyProtocol header. | ||
ProxyProtocolConfig proxy_protocol_config = 3; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the comment, would prefer: "Use the proxy protocol for health checks. The send payload is sent immediately after the proxy protocol header."
Furthermore, is it valid to have an empty send
payload when this flag is enabled? If so we should both document that and guard against configurations that leave send
empty.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. Empty send payload is allowed when this flag is enabled. Let me fix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry I forcefully pushed. The fixed commits are shown here. 495ba97#diff-4ccbbf045baa1ad3abd43bb7534d765e115e50be2ac9d9c3639588a4fd54e8a6R183-R185
bool should_write_data = false; | ||
|
||
if (parent_.proxy_protocol_config_ != nullptr) { | ||
Extensions::Common::ProxyProtocol::generateProxyProtoHeader(*parent_.proxy_protocol_config_, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There another proxy protocol command "local" which looks like it's meant for health checks (and that the remote server should use the connection endpoints and causes the endpoints in the protocol to be ignored). I think it's okay to use the command this function generates since we'll set the endpoints to be ourselves the server being health checked, but I thought I'd point it out.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually I think it's enough to use local
to check whether servers can accept ProxyProtocol or not. But the capability to fetch downstream info from ProxyProtocol header is the main focus of them. So some backend implementation may check the capability whether it can fetch downstream info or not (AFAIK I don't know the actual usecase. But it might be helpful).
So having generateProxyProtoHeader
may help users more than using local
directly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you elaborate more for the meaning of address setting in the Proxy Protocol header? The health check client's local address is the upstream local address, and the remote is the health check address of the remote host. I think this is different from the real upstream request which is using the downstream connection as the input of this generateProxyProtoHeader
util.
I'd incline to add some comments for this, and describe the LOCAL
as well as the address setting. Also could you add a test to see if the proxy protocol with address is actually sent/received?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@botengyao @zuercher Hi. Sorry for late response.
I revisited how to provide this feature and came up with that we should provide this feature with LOCAL command for V2, and present local/remote address for V1 because it doesn't support them. It is because I found that some users faced confusion with this behavior to provide PROXY command for healthcheck in HAProxy community. haproxy/haproxy#511
So, I noticed the previous implementation may make users confused by the difference between Envoy and HAProxy's one. Thus, I cleaned the entire code in this patch to support them.
1476e57
to
8aca444
Compare
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
8aca444
to
495ba97
Compare
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ilzan sorry, I asked for a comment change in the API and it needs to be re-approved.
Otherwise, lgtm.
/lgtm api |
@Shikugawa one last thing, can you add a release note for the new field? |
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
ping @Shikugawa |
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
@botengyao @zuercher i think this is waiting for final review |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@lizan this needs API re-approval because a comment was updated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm api
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/assign-from @envoyproxy/senior-maintainers
For a pass and merging.
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
@zuercher Fixed conflict. Could you please approve again? |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving the conflict-merge commit only, and assuming zuercher's review of everything before that still applies.
Commit Message: healthcheck: support TCP health check with ProxyProtocol
Additional Description: This PR aims to support TCP healthcheck with ProxyProtocol. This feature is useful to ensure Proxy Protocol is enabled or not from upstream servers. It works in addition to normal TCP based healthcheck. This feature is the equivalent with
check-send-proxy
provided by HAProxy. https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.2-check-send-proxyRisk Level: Low
Testing: Unit/Integration
Docs Changes: Required
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]