From 06abedb06314b02a3b2605ea86bde25b2bac11a8 Mon Sep 17 00:00:00 2001 From: Jefftree Date: Thu, 5 Mar 2020 15:49:35 -0800 Subject: [PATCH 1/2] Allow both GRPC and http-connect mode to be toggled --- cluster/gce/config-default.sh | 1 + cluster/gce/gci/configure-helper.sh | 33 +++++++++++++++++++++++++++-- cluster/gce/util.sh | 5 +++++ 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh index 29cc0523846..01912818576 100755 --- a/cluster/gce/config-default.sh +++ b/cluster/gce/config-default.sh @@ -496,3 +496,4 @@ GCE_PRIVATE_CLUSTER_PORTS_PER_VM="${KUBE_GCE_PRIVATE_CLUSTER_PORTS_PER_VM:-}" # Optional: Create apiserver konnectivity server and agent. ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE="${KUBE_ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" +KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE="${KUBE_KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh index 86f5111e929..cb04ab9a547 100644 --- a/cluster/gce/gci/configure-helper.sh +++ b/cluster/gce/gci/configure-helper.sh @@ -806,7 +806,8 @@ contexts: EOF fi if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then - cat </etc/srv/kubernetes/egress_selector_configuration.yaml + if [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'grpc' ]]; then + cat </etc/srv/kubernetes/egress_selector_configuration.yaml apiVersion: apiserver.k8s.io/v1alpha1 kind: EgressSelectorConfiguration egressSelections: 
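Review bot: The new `KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE` default in config-default.sh accepts whatever `KUBE_KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE` holds, and the only validation visible in this series is in configure-helper.sh, which presumably runs later on the control-plane instance. A mistyped value would then surface as an `exit 1` during instance configuration rather than when the cluster is brought up. Consider rejecting it where it is read, e.g. `case "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE}" in grpc|http-connect) ;; *) echo "KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE must be grpc or http-connect" >&2; exit 1 ;; esac`. A comment above the variable such as `# Accepted values: grpc (default), http-connect.` would also help.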
@@ -823,6 +824,28 @@ egressSelections: connection: proxyProtocol: Direct EOF + elif [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'http-connect' ]]; then + cat </etc/srv/kubernetes/egress_selector_configuration.yaml +apiVersion: apiserver.k8s.io/v1alpha1 +kind: EgressSelectorConfiguration +egressSelections: +- name: cluster + connection: + proxyProtocol: HTTPConnect + transport: + uds: + udsName: /etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket +- name: master + connection: + proxyProtocol: Direct +- name: etcd + connection: + proxyProtocol: Direct +EOF + else + echo "KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE must be set to either grpc or http-connect" + exit 1 + fi fi if [[ -n "${WEBHOOK_GKE_EXEC_AUTH:-}" ]]; then @@ -1660,7 +1683,13 @@ function prepare-konnectivity-server-manifest { params+=("--uds-name=/etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket") params+=("--cluster-cert=/etc/srv/kubernetes/pki/apiserver.crt") params+=("--cluster-key=/etc/srv/kubernetes/pki/apiserver.key") - params+=("--mode=grpc") + if [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'http-connect' ]]; then + params+=("--mode=http-connect") + else + # We can assume the mode is GRPC because we check for a valid protocol beforehand + params+=("--mode=grpc") + fi + params+=("--server-port=0") params+=("--agent-port=$1") params+=("--admin-port=$2") diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh index 382cc653db1..082f6265dc2 100755 --- a/cluster/gce/util.sh +++ b/cluster/gce/util.sh @@ -1522,6 +1522,11 @@ EOF if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then cat >>$file <>$file < Date: Thu, 5 Mar 2020 16:43:16 -0800 Subject: [PATCH 2/2] exit if KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE is set incorrectly --- cluster/gce/gci/configure-helper.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
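Review bot: The `else` branch added after the http-connect heredoc reports the invalid mode with a plain `echo`, so the message goes to stdout, where it is easy to lose in startup logs. `echo "KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE must be set to either grpc or http-connect" >&2` keeps it on stderr; the same applies to the `else` branch the second patch adds in `prepare-konnectivity-server-manifest`. Separately, the new HTTPConnect selection reaches the proxy over the UDS at `/etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket` with no TLS settings in the visible config, so access to the cluster egress path rests on the permissions of that directory and socket. Their creation is not visible in this hunk, so it is worth confirming they are restricted to the processes that need them. The enclosing function starts and ends outside the hunk.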
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh index cb04ab9a547..2ac0d176071 100644 --- a/cluster/gce/gci/configure-helper.sh +++ b/cluster/gce/gci/configure-helper.sh @@ -1683,11 +1683,13 @@ function prepare-konnectivity-server-manifest { params+=("--uds-name=/etc/srv/kubernetes/konnectivity-server/konnectivity-server.socket") params+=("--cluster-cert=/etc/srv/kubernetes/pki/apiserver.crt") params+=("--cluster-key=/etc/srv/kubernetes/pki/apiserver.key") - if [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'http-connect' ]]; then + if [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'grpc' ]]; then + params+=("--mode=grpc") + elif [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'http-connect' ]]; then params+=("--mode=http-connect") else - # We can assume the mode is GRPC because we check for a valid protocol beforehand - params+=("--mode=grpc") + echo "KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE must be set to either grpc or http-connect" + exit 1 fi params+=("--server-port=0")
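Review bot: The accepted-mode check added in `prepare-konnectivity-server-manifest` duplicates the one added where egress_selector_configuration.yaml is written, with the same two literals and the same error string. A future third mode would have to be added in both places, or the API server config and the `--mode` flag could drift apart. A small helper that validates once and prints the mode would reduce this site to a lookup and keep the error on stderr. The function body starts and ends outside the hunk, so the use of `exit` rather than `return` at the call site is taken from the added lines only.

```shell
# Prints the validated konnectivity proxy mode; fails on any other value.
function konnectivity-proxy-mode {
  local -r mode="${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}"
  case "${mode}" in
    grpc|http-connect)
      echo "${mode}"
      ;;
    *)
      echo "KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE must be set to either grpc or http-connect" >&2
      return 1
      ;;
  esac
}

# … unchanged: --uds-name, --cluster-cert, --cluster-key params …
  local mode
  mode="$(konnectivity-proxy-mode)" || exit 1
  params+=("--mode=${mode}")
```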