feat(lb): implement ConnectionRateLimit, EnableAccessLogs and EnableHTTP3

nox-404 · nox-404 · commit 203c5e08ee4a · 2025-08-14T17:19:46.000+02:00
diff --git a/scaleway/loadbalancers.go b/scaleway/loadbalancers.go
@@ -963,11 +963,32 @@ func servicePortToFrontend(service *v1.Service, loadbalancer *scwlb.LB, port v1.
 		return nil, fmt.Errorf("error getting certificate IDs for loadbalancer %s: %v", loadbalancer.ID, err)
 	}
 
+	connectionRateLimit, err := getConnectionRateLimit(service)
+	if err != nil {
+		return nil, fmt.Errorf("error getting %s annotation for loadbalancer %s: %v",
+			serviceAnnotationLoadBalancerConnectionRateLimit, loadbalancer.ID, err)
+	}
+
+	enableAccessLogs, err := getEnableAccessLogs(service)
+	if err != nil {
+		return nil, fmt.Errorf("error getting %s annotation for loadbalancer %s: %v",
+			serviceAnnotationLoadBalancerEnableAccessLogs, loadbalancer.ID, err)
+	}
+
+	enableHTTP3, err := getEnableHTTP3(service)
+	if err != nil {
+		return nil, fmt.Errorf("error getting %s annotation for loadbalancer %s: %v",
+			serviceAnnotationLoadBalancerEnableHTTP3, loadbalancer.ID, err)
+	}
+
 	return &scwlb.Frontend{
-		Name:           fmt.Sprintf("%s_tcp_%d", string(service.UID), port.Port),
-		InboundPort:    port.Port,
-		TimeoutClient:  &timeoutClient,
-		CertificateIDs: certificateIDs,
+		Name:                fmt.Sprintf("%s_tcp_%d", string(service.UID), port.Port),
+		InboundPort:         port.Port,
+		TimeoutClient:       &timeoutClient,
+		ConnectionRateLimit: connectionRateLimit,
+		CertificateIDs:      certificateIDs,
+		EnableAccessLogs:    enableAccessLogs,
+		EnableHTTP3:         enableHTTP3,
 	}, nil
 }
 
@@ -1547,14 +1568,16 @@ func (l *loadbalancers) updateBackend(service *v1.Service, loadbalancer *scwlb.L
 // createFrontend creates a frontend on the load balancer
 func (l *loadbalancers) createFrontend(service *v1.Service, loadbalancer *scwlb.LB, frontend *scwlb.Frontend, backend *scwlb.Backend) (*scwlb.Frontend, error) {
 	f, err := l.api.CreateFrontend(&scwlb.ZonedAPICreateFrontendRequest{
-		Zone:           loadbalancer.Zone,
-		LBID:           loadbalancer.ID,
-		Name:           frontend.Name,
-		InboundPort:    frontend.InboundPort,
-		BackendID:      backend.ID,
-		TimeoutClient:  frontend.TimeoutClient,
-		CertificateIDs: &frontend.CertificateIDs,
-		EnableHTTP3:    frontend.EnableHTTP3,
+		Zone:                loadbalancer.Zone,
+		LBID:                loadbalancer.ID,
+		Name:                frontend.Name,
+		InboundPort:         frontend.InboundPort,
+		BackendID:           backend.ID,
+		TimeoutClient:       frontend.TimeoutClient,
+		CertificateIDs:      &frontend.CertificateIDs,
+		ConnectionRateLimit: frontend.ConnectionRateLimit,
+		EnableAccessLogs:    frontend.EnableAccessLogs,
+		EnableHTTP3:         frontend.EnableHTTP3,
 	})
 
 	return f, err
@@ -1563,14 +1586,16 @@ func (l *loadbalancers) createFrontend(service *v1.Service, loadbalancer *scwlb.
 // updateFrontend updates a frontend on the load balancer
 func (l *loadbalancers) updateFrontend(service *v1.Service, loadbalancer *scwlb.LB, frontend *scwlb.Frontend, backend *scwlb.Backend) (*scwlb.Frontend, error) {
 	f, err := l.api.UpdateFrontend(&scwlb.ZonedAPIUpdateFrontendRequest{
-		Zone:           loadbalancer.Zone,
-		FrontendID:     frontend.ID,
-		Name:           frontend.Name,
-		InboundPort:    frontend.InboundPort,
-		BackendID:      backend.ID,
-		TimeoutClient:  frontend.TimeoutClient,
-		CertificateIDs: &frontend.CertificateIDs,
-		EnableHTTP3:    frontend.EnableHTTP3,
+		Zone:                loadbalancer.Zone,
+		FrontendID:          frontend.ID,
+		Name:                frontend.Name,
+		InboundPort:         frontend.InboundPort,
+		BackendID:           backend.ID,
+		TimeoutClient:       frontend.TimeoutClient,
+		CertificateIDs:      &frontend.CertificateIDs,
+		ConnectionRateLimit: frontend.ConnectionRateLimit,
+		EnableAccessLogs:    &frontend.EnableAccessLogs,
+		EnableHTTP3:         frontend.EnableHTTP3,
 	})
 
 	return f, err
diff --git a/scaleway/loadbalancers_annotations.go b/scaleway/loadbalancers_annotations.go
@@ -107,6 +107,18 @@ const (
 	// serviceAnnotationLoadBalancerZone is the zone to create the load balancer
 	serviceAnnotationLoadBalancerZone = "service.beta.kubernetes.io/scw-loadbalancer-zone"
 
+	// serviceAnnotationLoadBalancerConnectionRateLimit is the annotation to set the incoming connection rate limit per second.
+	// Set to 0 to disable the rate limit
+	serviceAnnotationLoadBalancerConnectionRateLimit = "service.beta.kubernetes.io/scw-loadbalancer-connection-rate-limit"
+
+	// serviceAnnotationLoadBalancerEnableAccessLogs is the annotation to enable access logs for the load balancer.
+	// The default value is "false". The possible values are "false" or "true".
+	serviceAnnotationLoadBalancerEnableAccessLogs = "service.beta.kubernetes.io/scw-loadbalancer-enable-access-logs"
+
+	// serviceAnnotationLoadBalancerEnableHTTP3 is the annotation to enable HTTP/3 protocol for the load balancer.
+	// The default value is "false". The possible values are "false" or "true".
+	serviceAnnotationLoadBalancerEnableHTTP3 = "service.beta.kubernetes.io/scw-loadbalancer-enable-http3"
+
 	// serviceAnnotationLoadBalancerTimeoutClient is the maximum client connection inactivity time
 	// The default value is "10m". The duration are go's time.Duration (ex: "1s", "2m", "4h", ...)
 	serviceAnnotationLoadBalancerTimeoutClient = "service.beta.kubernetes.io/scw-loadbalancer-timeout-client"
@@ -957,3 +969,33 @@ func getKeyValueFromAnnotation(annotation string) map[string]string {
 
 	return additionalTags
 }
+
+func getConnectionRateLimit(service *v1.Service) (*uint32, error) {
+	connectionRateLimit, ok := service.Annotations[serviceAnnotationLoadBalancerConnectionRateLimit]
+	if !ok {
+		return nil, nil
+	}
+	connectionRateLimitInt, err := strconv.Atoi(connectionRateLimit)
+	if err != nil {
+		klog.Errorf("invalid value for annotation %s", serviceAnnotationLoadBalancerConnectionRateLimit)
+		return nil, errLoadBalancerInvalidAnnotation
+	}
+	connectionRateLimitUint32 := uint32(connectionRateLimitInt)
+	return &connectionRateLimitUint32, nil
+}
+
+func getEnableAccessLogs(service *v1.Service) (bool, error) {
+	enableAccessLogs, ok := service.Annotations[serviceAnnotationLoadBalancerEnableAccessLogs]
+	if !ok {
+		return false, nil
+	}
+	return strconv.ParseBool(enableAccessLogs)
+}
+
+func getEnableHTTP3(service *v1.Service) (bool, error) {
+	enableHTTP3, ok := service.Annotations[serviceAnnotationLoadBalancerEnableHTTP3]
+	if !ok {
+		return false, nil
+	}
+	return strconv.ParseBool(enableHTTP3)
+}
