Tangible Bytes

Digital Ocean provide this document https://docs.digitalocean.com/products/kubernetes/how-to/configure-load-balancers/#proxy-protocol

While it tells you what changes to make - it doesn’t tell you anything about where to make them.

While it might be possible to extract a YAML file with kubectl, edit it and apply the change - this would be a hard thing to document and retain in the events that the nginx-ingress helm chart need to be updated (eg for a security patch)

It also turns out that this one change isn’t enough - you need to configure both the load balancer service and the nginx controller

values-proxy.yaml

controller:
  config:
    use-proxy-protocol: "true"  # Tells NGINX to parse PROXY headers
    real-ip-header: "proxy_protocol"
    set-real-ip-from: "0.0.0.0/0"

  service:
    annotations:
      service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
      service.beta.kubernetes.io/do-loadbalancer-name: staging-loadbalancer

Docs on the configMap are here https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/

and real IP here https://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from

(I also added a change to the load-balancer name because DO had set it as a UUID and I took this opportunity to make it meaningful)

Apply with

helm upgrade ingress-nginx ingress-nginx/ingress-nginx  \
 --namespace ingress-nginx   \
 --values values-proxy.yaml \
 --description "enable proxy protocol and set loadbalancer name"

Now my IP addresses are preserved, my load balancer has a meaningful name.

If I need to build a new cluster or update nginx I can just re-run this command