healthcheck: support TCP health check with ProxyProtocol #31691
Conversation
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
Shikugawa
force-pushed
the
proxy-proto-hc
branch
3 times, most recently
from
246c869
to
44e9615
Compare
|
/lgtm api @zuercher for owner review |
|
@zuercher friendly ping |
| // When setting this value, it tries to attempt health check request with ProxyProtocol. | ||
| // Payload is sent after preceding ProxyProtocol header. | ||
| ProxyProtocolConfig proxy_protocol_config = 3; |
There was a problem hiding this comment.
For the comment, would prefer: "Use the proxy protocol for health checks. The send payload is sent immediately after the proxy protocol header."
Furthermore, is it valid to have an empty send payload when this flag is enabled? If so we should both document that and guard against configurations that leave send empty.
There was a problem hiding this comment.
Yes. Empty send payload is allowed when this flag is enabled. Let me fix.
There was a problem hiding this comment.
Sorry I forcefully pushed. The fixed commits are shown here. 495ba97#diff-4ccbbf045baa1ad3abd43bb7534d765e115e50be2ac9d9c3639588a4fd54e8a6R183-R185
| bool should_write_data = false; | ||
|
|
||
| if (parent_.proxy_protocol_config_ != nullptr) { | ||
| Extensions::Common::ProxyProtocol::generateProxyProtoHeader(*parent_.proxy_protocol_config_, |
There was a problem hiding this comment.
There another proxy protocol command "local" which looks like it's meant for health checks (and that the remote server should use the connection endpoints and causes the endpoints in the protocol to be ignored). I think it's okay to use the command this function generates since we'll set the endpoints to be ourselves the server being health checked, but I thought I'd point it out.
There was a problem hiding this comment.
Actually I think it's enough to use local to check whether servers can accept ProxyProtocol or not. But the capability to fetch downstream info from ProxyProtocol header is the main focus of them. So some backend implementation may check the capability whether it can fetch downstream info or not (AFAIK I don't know the actual usecase. But it might be helpful).
So having generateProxyProtoHeader may help users more than using local directly.
There was a problem hiding this comment.
Could you elaborate more for the meaning of address setting in the Proxy Protocol header? The health check client's local address is the upstream local address, and the remote is the health check address of the remote host. I think this is different from the real upstream request which is using the downstream connection as the input of this generateProxyProtoHeader util.
I'd incline to add some comments for this, and describe the LOCAL as well as the address setting. Also could you add a test to see if the proxy protocol with address is actually sent/received?
There was a problem hiding this comment.
@botengyao @zuercher Hi. Sorry for late response.
I revisited how to provide this feature and came up with that we should provide this feature with LOCAL command for V2, and present local/remote address for V1 because it doesn't support them. It is because I found that some users faced confusion with this behavior to provide PROXY command for healthcheck in HAProxy community. haproxy/haproxy#511
So, I noticed the previous implementation may make users confused by the difference between Envoy and HAProxy's one. Thus, I cleaned the entire code in this patch to support them.
Shikugawa
force-pushed
the
proxy-proto-hc
branch
4 times, most recently
from
1476e57
to
8aca444
Compare
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
Shikugawa
force-pushed
the
proxy-proto-hc
branch
from
8aca444
to
495ba97
Compare
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
|
/lgtm api |
|
@Shikugawa one last thing, can you add a release note for the new field? |
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
|
ping @Shikugawa |
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
github-actions
bot
added
the
stale
|
This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
github-actions
bot
removed
the
stale
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
|
@botengyao @zuercher i think this is waiting for final review |
Signed-off-by: Rei Shimizu <shimizu.rei@linecorp.com>
|
@zuercher Fixed conflict. Could you please approve again? |
|
/retest |
Commit Message: healthcheck: support TCP health check with ProxyProtocol
Additional Description: This PR aims to support TCP healthcheck with ProxyProtocol. This feature is useful to ensure Proxy Protocol is enabled or not from upstream servers. It works in addition to normal TCP based healthcheck. This feature is the equivalent with
check-send-proxyprovided by HAProxy. https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.2-check-send-proxyRisk Level: Low
Testing: Unit/Integration
Docs Changes: Required
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]