New routing strategy: proxyProtocolAuthorityIdentifiesNode#101
Open
hrishabhg wants to merge 2 commits intokroxylicious:mainfrom
Open
New routing strategy: proxyProtocolAuthorityIdentifiesNode#101hrishabhg wants to merge 2 commits intokroxylicious:mainfrom
hrishabhg wants to merge 2 commits intokroxylicious:mainfrom
Conversation
tombentley
approved these changes
Apr 21, 2026
Member
tombentley
left a comment
tombentley
left a comment
There was a problem hiding this comment.
@hrishabhg thanks for this. The use case makes sense, and I think we should do this.
I would like to see some words calling out that when terminating TLS in NLB/HAProxy and using plain TCP for the connection to the Kroxylicious proxy instance(s) there is an assumption that the intermediate network is trusted. It's obvious, but should not be overlooked by people deploying the proxy, so we'll need to ensure that we have similar words in the docs too.
robobario
reviewed
Apr 22, 2026
| gateways: | ||
| - name: via-nlb | ||
| proxyProtocolAuthorityIdentifiesNode: | ||
| bootstrapAddress: 0.0.0.0:9192 |
Member
There was a problem hiding this comment.
For the other strategies we support a convenience bootstrapAddress like:
sniHostIdentifiesNode:
bootstrapAddress: bootstrap.mycluster.example.com:9192
advertisedBrokerAddressPattern: mybroker-$(nodeId).mycluster.example.com:443
Kafka does not require this, but it can make client configuration more convenient.
Do we also want to support a convenience bootstrapAddress in this strategy? So that users might connect to the NLB with bootstrap.kafka.example.com and the Proxy can identify which gateway the incoming connection is associated with?
Member
There was a problem hiding this comment.
ah, yes in your POC example you have:
Kafka clients connecting via TLS to HAProxy with bootstrap server `bootstrap.kafka.example.com:49192` produced the following in Kroxylicious logs:
so I think the proxy will need to be aware of that host so it can route it to the right place. Maybe something like:
- name: via-nlb
proxyProtocolAuthorityIdentifiesNode:
bindAddress: 0.0.0.0:9192
bootstrapHostname: bootstrap.kafka.example.com
advertisedBrokerAddressPattern: broker-$(nodeId).kafka.example.com
| gateways: | ||
| - name: via-nlb | ||
| proxyProtocolAuthorityIdentifiesNode: | ||
| bootstrapAddress: 0.0.0.0:9192 |
Member
There was a problem hiding this comment.
Can multiple proxyProtocolAuthorityIdentifiesNode gateways share a port the same way we do for SNI? I imagine that they can.
| | Project | Affected | Notes | | ||
| |---------|----------|-------| | ||
| | kroxylicious-proxy | Yes | New routing strategy implementation, extends `HaProxyContext` to expose authority TLV to routing layer | | ||
| | kroxylicious-operator | Yes | CRD update to support the new gateway type | |
Member
There was a problem hiding this comment.
Maybe we should set this to not affected and cover the operator in a separate proposal, going into detail here will add complexity to this design.
Member
|
Discussed at Community Call 23rd April. General feeling is that this is good idea. |
hrishabhg
added a commit
to hrishabhg/design
that referenced
this pull request
Apr 24, 2026
- Add trust boundary subsection calling out the plaintext LB->proxy assumption (tombentley). - Require proxyProtocol.mode: required to be explicit; no implicit coercion (tombentley). - Rename bootstrapAddress to bindAddress and add bootstrapHostname so the proxy can identify the gateway for a bootstrap connection (robobario). - Document optional :port suffix on advertisedBrokerAddressPattern (robobario). - Document that multiple gateways can share a bindAddress, same as sniIdentifiesNode (robobario). - Mark kroxylicious-operator as not affected; defer CRD work to a follow-up proposal (robobario). Assisted-by: Claude claude-opus-4-7 <noreply@anthropic.com> Signed-off-by: Hrishabh Gupta <hgupta@confluent.io> Signed-off-by: Hrishabh Gupta <hgupta@confluent.io>
k-wall
added a commit
to k-wall/design
that referenced
this pull request
Apr 28, 2026
Add PRs kroxylicious#96, kroxylicious#98, kroxylicious#99, kroxylicious#100, kroxylicious#101, and kroxylicious#103 which were opened after the initial script was created. Note: PR kroxylicious#100 is already correctly named (100-sidecar-injection-webhook.md). Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
k-wall
added a commit
to k-wall/design
that referenced
this pull request
Apr 28, 2026
This change simplifies the proposal numbering system by using PR numbers as proposal identifiers, eliminating number collisions and removing the need for a separate allocation process. Changes: - Simplified proposals/README.md to focus on author workflow - Removed index tables (directory listing serves as the index) - Streamlined instructions for creating and renaming proposals - Updated proposal template with workflow instructions - Require PR number in title format: # <PR#> - <Title> - Moved workflow instructions into comment block - Added GitHub workflow to automatically check proposal numbering - Validates both filename and title format - Updates PR description when proposal files don't match PR number - Provides exact commands to fix naming issues - Removes warning once corrected - Handles both added and renamed files - Runs on all PRs (ready for mandatory status check) - Added notification script for existing open PRs - After merge, run notify-open-prs.sh to ask authors to rebase - Workflow will automatically guide them through renaming - Updated with all current open proposal PRs (kroxylicious#70, kroxylicious#82, kroxylicious#83, kroxylicious#85, kroxylicious#88, kroxylicious#93, kroxylicious#94, kroxylicious#96, kroxylicious#98, kroxylicious#99, kroxylicious#100, kroxylicious#101, kroxylicious#103) Proposals 001-019 retain their original numbers. Assisted-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Keith Wall <kwall@apache.org>
k-wall
added a commit
that referenced
this pull request
Apr 28, 2026
This change simplifies the proposal numbering system by using PR numbers as proposal identifiers, eliminating number collisions and removing the need for a separate allocation process. Changes: - Simplified proposals/README.md to focus on author workflow - Removed index tables (directory listing serves as the index) - Streamlined instructions for creating and renaming proposals - Updated proposal template with workflow instructions - Require PR number in title format: # <PR#> - <Title> - Moved workflow instructions into comment block - Added GitHub workflow to automatically check proposal numbering - Validates both filename and title format - Updates PR description when proposal files don't match PR number - Provides exact commands to fix naming issues - Removes warning once corrected - Handles both added and renamed files - Runs on all PRs (ready for mandatory status check) - Added notification script for existing open PRs - After merge, run notify-open-prs.sh to ask authors to rebase - Workflow will automatically guide them through renaming - Updated with all current open proposal PRs (#70, #82, #83, #85, #88, #93, #94, #96, #98, #99, #100, #101, #103) Proposals 001-019 retain their original numbers. Assisted-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Keith Wall <kwall@apache.org>
Member
|
Hi! We've updated the proposal numbering system to use PR numbers as proposal identifiers. Action required: Please rebase your PR on Once you rebase, you'll need to rename your proposal file and update the title: git mv proposals/017-proxy-protocol-authority-routing.md proposals/101-protocol-authority-routing.md
# Update title: remove any old number prefix and add PR number
sed -i.bak '0,/^# /{s/^# \([0-9]\{3\}\|xxx\|nnn\|000\) - /# 101 - /; t; s/^# /# 101 - /}' proposals/101-protocol-authority-routing.md && rm proposals/101-protocol-authority-routing.md.bak
git add proposals/101-protocol-authority-routing.md
git commit -m "Rename proposal to use PR number"
git pushThe GitHub workflow will automatically check your proposal file naming after you push and update this PR description if any corrections are still needed. See proposals/README.md for the updated workflow. |
Member
|
Correction: The previous notification had an incorrect filename. Here are the correct commands: git mv proposals/017-proxy-protocol-authority-routing.md proposals/101-proxy-protocol-authority-routing.md
# Update title: remove any old number prefix and add PR number
sed -i.bak '0,/^# /{s/^# \([0-9]\{3\}\|xxx\|nnn\|000\) - /# 101 - /; t; s/^# /# 101 - /}' proposals/101-proxy-protocol-authority-routing.md && rm proposals/101-proxy-protocol-authority-routing.md.bak
git add proposals/101-proxy-protocol-authority-routing.md
git commit -m "Rename proposal to use PR number"
git pushSorry for the confusion! |
Signed-off-by: Hrishabh Gupta <hrishabhg@gmail.com>
- Add trust boundary subsection calling out the plaintext LB->proxy assumption (tombentley). - Require proxyProtocol.mode: required to be explicit; no implicit coercion (tombentley). - Rename bootstrapAddress to bindAddress and add bootstrapHostname so the proxy can identify the gateway for a bootstrap connection (robobario). - Document optional :port suffix on advertisedBrokerAddressPattern (robobario). - Document that multiple gateways can share a bindAddress, same as sniIdentifiesNode (robobario). - Mark kroxylicious-operator as not affected; defer CRD work to a follow-up proposal (robobario). Assisted-by: Claude claude-opus-4-7 <noreply@anthropic.com> Signed-off-by: Hrishabh Gupta <hgupta@confluent.io> Signed-off-by: Hrishabh Gupta <hgupta@confluent.io>
hrishabhg
force-pushed
the
ppv2-authority-based-identification-strategy
branch
from
48b7c46 to
42225f4
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains proposal files that don't follow the expected format:
Issues found:
proposals/017-proxy-protocol-authority-routing.mdFix for
proposals/017-proxy-protocol-authority-routing.md:Note: The commands above can be copied and pasted directly into your terminal. The sed command will automatically preserve your title text.
See proposals/README.md for the complete workflow.