When using PROXY protocol for source address preservation, all proxies that terminate TCP connections in the chain must be configured to send and receive PROXY protocol headers after initiating L4 connections. In the case of Red Hat OpenShift on IBM Cloud clusters running on VPC infrastructure, we have two proxies: the VPC Application Load Balancer (ALB) and the Ingress Controller.

On OpenShift clusters, the Ingress Operator is responsible for managing the Ingress Controller instances and the load balancers used to expose the Ingress Controllers. The operator watches IngressController resources on the cluster and makes adjustments to match the desired state.

Thanks to the Ingress Operator, we can enable PROXY protocol for both of our proxies at once. All we need to do is to change the endpointPublishingStrategy configuration on our IngressController resource:

endpointPublishingStrategy:

type: LoadBalancerService

loadBalancer:

scope: External

providerParameters:

type: IBM

ibm:

protocol: PROXY

When you apply the previous configuration, the operat,or switches the Ingress Controller into PROXY protocol mode and adds the

service.kubernetes.io/ibm-load-balancer-cloud-provider-enable- features: "proxy-protocol"