Add proxy protocol support for tunnel servers

Add support for configuring proxy protocol on inlets tunnel servers
provisioned by the operator. When enabled, the tunnel server is started
with the --proxy-proto flag so that the original client IP address is
preserved and forwarded to upstream services.

The proxy protocol can be set globally using the --tunnel-proxy-proto
flag or per-service using the operator.inlets.dev/proxy-proto annotation.
The annotation takes precedence over the global flag. Accepted values
are 'v1', 'v2', or empty (disabled).

Configuration options:
- Flag: --tunnel-proxy-proto=v1|v2
- Helm value: tunnelProxyProto
- Annotation: operator.inlets.dev/proxy-proto (per-service override)

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

Author: welteki

README.md

@@ -63,6 +63,26 @@ Install the chart with `annotatedOnly: true`, then run:
 kubectl annotate service nginx-1 operator.inlets.dev/manage=1
 ```
 
+## Proxy Protocol support
+
+Proxy protocol can be enabled on tunnel exit servers so that the original client IP address is preserved and forwarded to your services.
+
+To enable proxy protocol globally for all tunnel servers, set the `tunnelProxyProto` value in the Helm chart:
+
+```yaml
+tunnelProxyProto: "v2"
+```
+
+Allowed values are `v1`, `v2`, or `""` (disabled).
+
+Alternatively, you can enable proxy protocol on a per-service basis by annotating individual services. This can be used instead of the global setting, or to override it for specific services:
+
+```bash
+kubectl annotate service nginx-1 operator.inlets.dev/proxy-proto=v2
+```
+
+The per-service annotation takes precedence over the global setting when both are configured.
+
 ## Using IPVS for your Kubernetes networking?
 
 For IPVS, you need to declare a Tunnel Custom Resource instead of using the LoadBalancer field.

chart/inlets-operator/templates/deployment.yaml

@@ -62,6 +62,9 @@ spec:
         {{- if .Values.maxClientMemory }}
         - "-max-client-memory={{.Values.maxClientMemory}}"
         {{- end }}
+        {{- if .Values.tunnelProxyProto }}
+        - "-tunnel-proxy-proto={{.Values.tunnelProxyProto}}"
+        {{- end }}
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
         env:

chart/inlets-operator/values.yaml

@@ -59,6 +59,10 @@ resources:
 # Set a maximum memory limit for the inlets client Deployments
 maxClientMemory: 128Mi
 
+# Enable proxy protocol on tunnel exit servers.
+# Allowed values: "v1", "v2", or "" (disabled)
+tunnelProxyProto: ""
+
 nodeSelector: {}
 tolerations: []
 affinity: {}

config.go

@@ -32,6 +32,7 @@ type InletsProConfig struct {
 	LicenseFile   string
 	ClientImage   string
 	InletsRelease string
+	ProxyProto    string
 }
 
 func (c InletsProConfig) GetLicenseKey() (string, error) {

controller.go

@@ -49,6 +49,7 @@ import (
 const controllerAgentName = "inlets-operator"
 const inletsPROControlPort = 8123
 const inletsPortsAnnotation = "inlets.dev/ports"
+const proxyProtoAnnotation = "operator.inlets.dev/proxy-proto"
 const licenseSecretName = "inlets-license"
 
 const (
@@ -593,6 +594,10 @@ func createTunnelResource(service *corev1.Service, c *Controller) error {
 			return nil
 		}
 
+		if v, ok := service.Annotations[proxyProtoAnnotation]; ok && v != "v1" && v != "v2" {
+			return fmt.Errorf("%s annotation must be 'v1' or 'v2', got: %s", proxyProtoAnnotation, v)
+		}
+
 		klog.Infof("Creating Tunnel: %s.%s\n", name, namespace)
 
 		tunnel := &inletsv1alpha1.Tunnel{
@@ -749,7 +754,12 @@ func getHostConfig(c *Controller, tunnel *inletsv1alpha1.Tunnel, service *corev1
 		return provision.BasicHost{}, err
 	}
 
-	userData := provision.MakeExitServerUserdata(tokenValue, inletsVersion)
+	proxyProto := c.infraConfig.ProConfig.ProxyProto
+	if v, ok := service.Annotations[proxyProtoAnnotation]; ok {
+		proxyProto = v
+	}
+
+	userData := provision.MakeExitServerUserdataWithProxyProto(tokenValue, inletsVersion, proxyProto)
 
 	var host provision.BasicHost
 

go.mod

@@ -2,6 +2,8 @@ module github.com/inlets/inlets-operator
 
 go 1.25.0
 
+replace github.com/inlets/cloud-provision => ../cloud-provision
+
 require (
 	github.com/google/go-cmp v0.7.0
 	github.com/inlets/cloud-provision v0.7.1

main.go

@@ -61,6 +61,7 @@ func main() {
 	flag.StringVar(&infra.ProConfig.LicenseFile, "license-file", "", "Supply a file to read for the inlets-pro license")
 	flag.StringVar(&infra.ProConfig.ClientImage, "client-image", "ghcr.io/inlets/inlets-pro:"+defaultRelease, "Container image for inlets tunnel clients run in the cluster")
 	flag.StringVar(&infra.ProConfig.InletsRelease, "inlets-release", defaultRelease, "Inlets version to use to create tunnel servers")
+	flag.StringVar(&infra.ProConfig.ProxyProto, "tunnel-proxy-proto", "", "Enable proxy protocol on tunnel servers, allowed values: v1 or v2")
 
 	flag.StringVar(&infra.MaxClientMemory, "max-client-memory", "128Mi", "Maximum memory limit for the tunnel clients")
 

validate.go

@@ -37,6 +37,12 @@ func validateFlags(c InfraConfig) error {
 			return fmt.Errorf("region required for provider: %s", c.Provider)
 		}
 	}
+	if len(c.ProConfig.ProxyProto) > 0 {
+		if c.ProConfig.ProxyProto != "v1" && c.ProConfig.ProxyProto != "v2" {
+			return fmt.Errorf("tunnel-proxy-proto must be 'v1' or 'v2', got: %s", c.ProConfig.ProxyProto)
+		}
+	}
+
 	if len(c.MaxClientMemory) > 0 {
 		if _, err := resource.ParseQuantity(c.MaxClientMemory); err != nil {
 			return fmt.Errorf("invalid memory value: %s", err.Error())

validate_test.go

@@ -163,6 +163,49 @@ func Test_validateFlags_EmptyMemoryValue(t *testing.T) {
 	}
 }
 
+func Test_validateFlags_ProxyProto_Valid(t *testing.T) {
+	tests := []struct {
+		name  string
+		value string
+	}{
+		{"v1", "v1"},
+		{"v2", "v2"},
+		{"empty", ""},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := InfraConfig{
+				Provider:      "digitalocean",
+				Region:        "lon1",
+				AccessKey:     "set",
+				ProConfig:     InletsProConfig{ProxyProto: tt.value},
+			}
+			err := validateFlags(c)
+			if err != nil {
+				t.Errorf("expected no error, got: %s", err.Error())
+			}
+		})
+	}
+}
+
+func Test_validateFlags_ProxyProto_Invalid(t *testing.T) {
+	c := InfraConfig{
+		Provider:      "digitalocean",
+		Region:        "lon1",
+		AccessKey:     "set",
+		ProConfig:     InletsProConfig{ProxyProto: "v3"},
+	}
+	err := validateFlags(c)
+	want := "tunnel-proxy-proto must be 'v1' or 'v2', got: v3"
+	if err == nil {
+		t.Fatalf("expected an error")
+	}
+	if err.Error() != want {
+		t.Errorf("expected error: %q, got: %q", want, err.Error())
+	}
+}
+
 func Test_validateFlags_Hetzner(t *testing.T) {
 	c := InfraConfig{
 		Provider:  "hetzner",