Make original client-ip visible inside Solace when running in Kubernetes

Options
jfg1306
jfg1306 Member Posts: 12
in General Discussions #1

Hello everyone,

we are running Solace in a Kubernetes Cluster. We have the issue that all connected clients are only shown with a IP address from the internal K8S Cluster subnet (e.g. 10.240.0.0/24).

Our setup is as follows:

  • We are using Traefik as IngressController
  • Traefiks service is set to be of type LoadBalancer (getting assigned a public IP)
  • The L4 LoadBalancer is provided by Yawol https://github.com/stackitcloud/yawol
  • The service of the Solace instance is set to ClusterIP
  • We define a (set of) IngressRouteTCP to route TCP traffic towards Solace through Traefik.

On the Yawol-LoadBalancer and Traefik I have the option to enable the "Proxy Protocol" which provides a convenient way to safely transport connection information such as a client's address across multiple layers of NAT or TCP proxies (see https://www.haproxy.org/download/2.0/doc/proxy-protocol.txt )

This works up until Traefik, once the packages get routed towards the Solace Broker the information seems to get lost (or Solace does not handle the Proxy Protocol ?) and the clients are only shown with the kubernetes cluster internal IP.

My questions would be:

  • Does someone know if Solace has envoy support for proxy protocol ?
  • Do I have other options to get the client ip without changing my setup ?
  • Maybe someone knows if this would work if I skip the IngressController in the middle and assign directly to the Solace Service a public IP ?

I tried to draw my setup - maybe this helps to showcase what I am trying to achieve

solace-community-question.drawio.png

Greetings,

Jan-Filip.

—-

Additional links:

Best Answer

  • uherbst
    uherbst Member, Employee Posts: 121 Solace Employee
    #2 Answer ✓
    Options

    Hi Jan-Filip,

    I suggest to open a support ticket with the question "Does Solace support the proxy protocol".

    (I'm afraid, the answer is "no"… but we'll see).
    If the answer is "no", feel free to open a feature request from your ticket.

    (I would like to be in your CC while opening that ticket)

    Uli

Answers

  • uherbst
    uherbst Member, Employee Posts: 121 Solace Employee
    #3 Answer ✓
    Options

    Hi Jan-Filip,

    I suggest to open a support ticket with the question "Does Solace support the proxy protocol".

    (I'm afraid, the answer is "no"… but we'll see).
    If the answer is "no", feel free to open a feature request from your ticket.

    (I would like to be in your CC while opening that ticket)

    Uli

Categories

This Month's Leaders

This Week's Leaders