Real client IP on Bare Metal?

[ShakataGaNai]

The default setup for the emqx operator uses listenersServiceTemplate of LoadBalancer, which I understand to not support the real client IP. The only suggestions I see here are related to cloud LB services, but I'm running on bare metal. I tried switching to NodePort, which "works" (random port assignment, of course, and I can deal with that).... However the client IP's are still reported to be in Kube local.

Any thoughts/suggestions on how to get real client IP's reported? Or an intermediary service setup that's been seen to work well? Do I need to goto an ingress controller?

[Rory-Z]

You can set proxy protocol in EMQX: https://docs.emqx.com/en/enterprise/v5.7.1/hocon/#V-listeners-S-listeners-tcp-S-mqtt_tcp_listener-proxy_protocol

Of course, you need make sure your LB / ingress controller support this and have correct config, most of LB / ingress controller supported proxy protocol

[ShakataGaNai]

The answer for Kubernetes is fairly trivial, if you're willing to make a sacrifice.

Use:

  listenersServiceTemplate:
    spec:
      type: LoadBalancer
      externalTrafficPolicy: Local

Per "Preserving the client source IP":

There are two available options: Cluster (default) and Local. Cluster obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading. Local preserves the client source IP and avoids a second hop for LoadBalancer and NodePort type Services, but risks potentially imbalanced traffic spreading.

So if you're like me and running on bare metal with nothing in front, for a smaller cluster, you can use externalTrafficPolicy: Local (with no other changes) and you'll see real IP's. In my case since it's Kubernetes with multiple public hosts, I'm using multiple A records. DNS based load balancing should be sufficient.