Add proxy protocol support for tunnel servers

Add support for configuring proxy protocol on inlets tunnel servers
provisioned by the operator. When enabled, the tunnel server is started
with the --proxy-proto flag so that the original client IP address is
preserved and forwarded to upstream services.

The proxy protocol can be set globally using the --tunnel-proxy-proto
flag or per-service using the operator.inlets.dev/proxy-proto annotation.
The annotation takes precedence over the global flag. Accepted values
are 'v1', 'v2', or empty (disabled).

Configuration options:
- Flag: --tunnel-proxy-proto=v1|v2
- Helm value: tunnelProxyProto
- Annotation: operator.inlets.dev/proxy-proto (per-service override)

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

Author: welteki

Dockerfile

@@ -30,6 +30,8 @@ COPY validate.go validate.go
 COPY validate_test.go validate_test.go
 COPY config.go  config.go
 COPY config_test.go  config_test.go
+COPY userdata.go userdata.go
+COPY userdata_test.go userdata_test.go
 
 RUN gofmt -l -d $(find . -type f -name '*.go' -not -path "./vendor/*")
 

README.md

@@ -63,6 +63,28 @@ Install the chart with `annotatedOnly: true`, then run:
 kubectl annotate service nginx-1 operator.inlets.dev/manage=1
 ```
 
+## Proxy Protocol support
+
+Proxy protocol can be enabled on tunnel exit servers so that the original client IP address is preserved and forwarded to your services.
+
+To enable proxy protocol globally for all tunnel servers, set the `tunnelProxyProto` value in the Helm chart:
+
+```yaml
+tunnelProxyProto: "v2"
+```
+
+Allowed values are `v1`, `v2`, or `""` (disabled).
+
+Alternatively, you can enable proxy protocol on a per-service basis by annotating individual services. This can be used instead of the global setting, or to override it for specific services:
+
+```bash
+kubectl annotate service nginx-1 operator.inlets.dev/proxy-proto=v2
+```
+
+The per-service annotation takes precedence over the global setting when both are configured.
+
+> **Important**: The proxy protocol configuration is applied when the tunnel exit server VM is provisioned and **cannot be changed afterwards**. If you need to change the proxy protocol setting for an existing service, you must delete the service (which will delete the tunnel and VM), then recreate it with the new annotation.
+
 ## Using IPVS for your Kubernetes networking?
 
 For IPVS, you need to declare a Tunnel Custom Resource instead of using the LoadBalancer field.

chart/inlets-operator/templates/deployment.yaml

@@ -62,6 +62,9 @@ spec:
         {{- if .Values.maxClientMemory }}
         - "-max-client-memory={{.Values.maxClientMemory}}"
         {{- end }}
+        {{- if .Values.tunnelProxyProto }}
+        - "-tunnel-proxy-proto={{.Values.tunnelProxyProto}}"
+        {{- end }}
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
         env:

chart/inlets-operator/values.yaml

@@ -59,6 +59,10 @@ resources:
 # Set a maximum memory limit for the inlets client Deployments
 maxClientMemory: 128Mi
 
+# Enable proxy protocol on tunnel exit servers.
+# Allowed values: "v1", "v2", or "" (disabled)
+tunnelProxyProto: ""
+
 nodeSelector: {}
 tolerations: []
 affinity: {}

config.go

@@ -32,6 +32,7 @@ type InletsProConfig struct {
 	LicenseFile   string
 	ClientImage   string
 	InletsRelease string
+	ProxyProto    string
 }
 
 func (c InletsProConfig) GetLicenseKey() (string, error) {

controller.go

@@ -49,6 +49,7 @@ import (
 const controllerAgentName = "inlets-operator"
 const inletsPROControlPort = 8123
 const inletsPortsAnnotation = "inlets.dev/ports"
+const proxyProtoAnnotation = "operator.inlets.dev/proxy-proto"
 const licenseSecretName = "inlets-license"
 
 const (
@@ -593,6 +594,10 @@ func createTunnelResource(service *corev1.Service, c *Controller) error {
 			return nil
 		}
 
+		if v, ok := service.Annotations[proxyProtoAnnotation]; ok && v != "v1" && v != "v2" {
+			return fmt.Errorf("%s annotation must be 'v1' or 'v2', got: %s", proxyProtoAnnotation, v)
+		}
+
 		klog.Infof("Creating Tunnel: %s.%s\n", name, namespace)
 
 		tunnel := &inletsv1alpha1.Tunnel{
@@ -749,7 +754,12 @@ func getHostConfig(c *Controller, tunnel *inletsv1alpha1.Tunnel, service *corev1
 		return provision.BasicHost{}, err
 	}
 
-	userData := provision.MakeExitServerUserdata(tokenValue, inletsVersion)
+	proxyProto := c.infraConfig.ProConfig.ProxyProto
+	if v, ok := service.Annotations[proxyProtoAnnotation]; ok {
+		proxyProto = v
+	}
+
+	userData := MakeExitServerUserdata(tokenValue, inletsVersion, proxyProto)
 
 	var host provision.BasicHost
 

main.go

@@ -61,6 +61,7 @@ func main() {
 	flag.StringVar(&infra.ProConfig.LicenseFile, "license-file", "", "Supply a file to read for the inlets-pro license")
 	flag.StringVar(&infra.ProConfig.ClientImage, "client-image", "ghcr.io/inlets/inlets-pro:"+defaultRelease, "Container image for inlets tunnel clients run in the cluster")
 	flag.StringVar(&infra.ProConfig.InletsRelease, "inlets-release", defaultRelease, "Inlets version to use to create tunnel servers")
+	flag.StringVar(&infra.ProConfig.ProxyProto, "tunnel-proxy-proto", "", "Enable proxy protocol on tunnel servers, allowed values: v1 or v2")
 
 	flag.StringVar(&infra.MaxClientMemory, "max-client-memory", "128Mi", "Maximum memory limit for the tunnel clients")
 

userdata.go

@@ -0,0 +1,43 @@
+// Copyright (c) inlets Author(s) 2019. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+package main
+
+// MakeExitServerUserdata makes a user-data script in bash to setup inlets
+// PRO with a systemd service and the given version. If proxyProto is non-empty,
+// the PROXY_PROTO environment variable is set in the service configuration.
+func MakeExitServerUserdata(authToken, version, proxyProto string) string {
+	return `#!/bin/bash
+export AUTHTOKEN="` + authToken + `"
+export IP=$(curl -sfSL https://checkip.amazonaws.com)
+export PROXY_PROTO="` + proxyProto + `"
+
+curl -SLsf https://github.com/inlets/inlets-pro/releases/download/` + version + `/inlets-pro -o /tmp/inlets-pro && \
+  chmod +x /tmp/inlets-pro  && \
+  mv /tmp/inlets-pro /usr/local/bin/inlets-pro
+
+cat > /etc/systemd/system/inlets-pro.service <<EOF
+[Unit]
+Description=inlets TCP server
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=2
+StartLimitInterval=0
+EnvironmentFile=/etc/default/inlets-pro
+ExecStart=/usr/local/bin/inlets-pro tcp server --auto-tls --auto-tls-san="\${IP}" --token="\${AUTHTOKEN}" --proxy-protocol="\${PROXY_PROTO}"
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+echo "AUTHTOKEN=$AUTHTOKEN" >> /etc/default/inlets-pro && \
+  echo "IP=$IP" >> /etc/default/inlets-pro && \
+  echo "PROXY_PROTO=$PROXY_PROTO" >> /etc/default/inlets-pro && \
+  systemctl daemon-reload && \
+  systemctl start inlets-pro && \
+  systemctl enable inlets-pro
+`
+}

userdata_test.go

@@ -0,0 +1,92 @@
+// Copyright (c) inlets Author(s) 2019. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+package main
+
+import (
+	"testing"
+)
+
+func Test_MakeUserdata_InletsPro(t *testing.T) {
+	userData := MakeExitServerUserdata("auth", "0.7.0", "")
+
+	wantUserdata := `#!/bin/bash
+export AUTHTOKEN="auth"
+export IP=$(curl -sfSL https://checkip.amazonaws.com)
+export PROXY_PROTO=""
+
+curl -SLsf https://github.com/inlets/inlets-pro/releases/download/0.7.0/inlets-pro -o /tmp/inlets-pro && \
+  chmod +x /tmp/inlets-pro  && \
+  mv /tmp/inlets-pro /usr/local/bin/inlets-pro
+
+cat > /etc/systemd/system/inlets-pro.service <<EOF
+[Unit]
+Description=inlets TCP server
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=2
+StartLimitInterval=0
+EnvironmentFile=/etc/default/inlets-pro
+ExecStart=/usr/local/bin/inlets-pro tcp server --auto-tls --auto-tls-san="\${IP}" --token="\${AUTHTOKEN}" --proxy-protocol="\${PROXY_PROTO}"
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+echo "AUTHTOKEN=$AUTHTOKEN" >> /etc/default/inlets-pro && \
+  echo "IP=$IP" >> /etc/default/inlets-pro && \
+  echo "PROXY_PROTO=$PROXY_PROTO" >> /etc/default/inlets-pro && \
+  systemctl daemon-reload && \
+  systemctl start inlets-pro && \
+  systemctl enable inlets-pro
+`
+
+	if userData != wantUserdata {
+		t.Errorf("want: %s, but got: %s", wantUserdata, userData)
+	}
+}
+
+func Test_MakeUserdata_InletsPro_WithProxyProto(t *testing.T) {
+	userData := MakeExitServerUserdata("auth", "0.7.0", "v1")
+
+	wantUserdata := `#!/bin/bash
+export AUTHTOKEN="auth"
+export IP=$(curl -sfSL https://checkip.amazonaws.com)
+export PROXY_PROTO="v1"
+
+curl -SLsf https://github.com/inlets/inlets-pro/releases/download/0.7.0/inlets-pro -o /tmp/inlets-pro && \
+  chmod +x /tmp/inlets-pro  && \
+  mv /tmp/inlets-pro /usr/local/bin/inlets-pro
+
+cat > /etc/systemd/system/inlets-pro.service <<EOF
+[Unit]
+Description=inlets TCP server
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+RestartSec=2
+StartLimitInterval=0
+EnvironmentFile=/etc/default/inlets-pro
+ExecStart=/usr/local/bin/inlets-pro tcp server --auto-tls --auto-tls-san="\${IP}" --token="\${AUTHTOKEN}" --proxy-protocol="\${PROXY_PROTO}"
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+echo "AUTHTOKEN=$AUTHTOKEN" >> /etc/default/inlets-pro && \
+  echo "IP=$IP" >> /etc/default/inlets-pro && \
+  echo "PROXY_PROTO=$PROXY_PROTO" >> /etc/default/inlets-pro && \
+  systemctl daemon-reload && \
+  systemctl start inlets-pro && \
+  systemctl enable inlets-pro
+`
+
+	if userData != wantUserdata {
+		t.Errorf("want: %s, but got: %s", wantUserdata, userData)
+	}
+}

validate.go

@@ -37,6 +37,12 @@ func validateFlags(c InfraConfig) error {
 			return fmt.Errorf("region required for provider: %s", c.Provider)
 		}
 	}
+	if len(c.ProConfig.ProxyProto) > 0 {
+		if c.ProConfig.ProxyProto != "v1" && c.ProConfig.ProxyProto != "v2" {
+			return fmt.Errorf("tunnel-proxy-proto must be 'v1' or 'v2', got: %s", c.ProConfig.ProxyProto)
+		}
+	}
+
 	if len(c.MaxClientMemory) > 0 {
 		if _, err := resource.ParseQuantity(c.MaxClientMemory); err != nil {
 			return fmt.Errorf("invalid memory value: %s", err.Error())