Merge branch 'main' into httproute-unsupported-filters

envoyproxy · Feb 16, 2024 · fae5f06 · fae5f06
2 parents e635f07 + 1775624
commit fae5f06
Show file tree

Hide file tree

Showing 23 changed files with 763 additions and 30 deletions.
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
@@ -70,7 +70,7 @@ jobs:
       run: make build-multiarch PLATFORMS="linux_amd64 linux_arm64"
 
     - name: Upload EG Binaries
-      uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8  # v4.3.0
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3  # v4.3.1
       with:
         name: envoy-gateway
         path: bin/

diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -59,7 +59,7 @@ jobs:
 
     # Upload docs for GitHub Pages
     - name: Upload GitHub Pages artifact
-      uses: actions/upload-pages-artifact@0252fc4ba7626f0298f0cf00902a25c6afc77fa8  # v3.0.0
+      uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa  # v3.0.1
       with:
         # Path of the directory containing the static assets.
         path: site/public
@@ -86,4 +86,4 @@ jobs:
     steps:
     - name: Deploy to GitHub Pages
       id: deployment
-      uses: actions/deploy-pages@87c3283f01cd6fe19a0ab93a23b2f6fcba5a8e42  # v4.0.3
+      uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4  # v4.0.4
diff --git a/.github/workflows/experimental_conformance.yaml b/.github/workflows/experimental_conformance.yaml
@@ -32,7 +32,7 @@ jobs:
       run: make experimental-conformance
 
     - name: Upload Conformance Report
-      uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8  # v4.3.0
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3  # v4.3.1
       with:
         name: conformance-report-k8s-${{ matrix.version }}
         path: ./test/conformance/conformance-report-k8s-${{ matrix.version }}.yaml
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -33,7 +33,7 @@ jobs:
         publish_results: true
 
     - name: "Upload artifact"
-      uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8  # v4.3.0
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3  # v4.3.1
       with:
         name: SARIF file
         path: results.sarif

diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go
@@ -95,11 +95,20 @@ type HeaderSettings struct {
 }
 
 // ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
+//
+// +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction with xForwardedFor"
 type ClientIPDetectionSettings struct {
 	// XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
 	//
 	// +optional
 	XForwardedFor *XForwardedForSettings `json:"xForwardedFor,omitempty"`
+	// CustomHeader provides configuration for determining the client IP address for a request based on
+	// a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
+	// Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+	// for more details.
+	//
+	// +optional
+	CustomHeader *CustomHeaderExtensionSettings `json:"customHeader,omitempty"`
 }
 
 // XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
@@ -113,6 +122,26 @@ type XForwardedForSettings struct {
 	NumTrustedHops *uint32 `json:"numTrustedHops,omitempty"`
 }
 
+// CustomHeader provides configuration for determining the client IP address for a request based on
+// a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
+// Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+// for more details.
+type CustomHeaderExtensionSettings struct {
+	// Name of the header containing the original downstream remote address, if present.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +kubebuilder:validation:Pattern="^[A-Za-z0-9-]+$"
+	//
+	Name string `json:"name"`
+	// FailClosed is a switch used to control the flow of traffic when client IP detection
+	// fails. If set to true, the listener will respond with 403 Forbidden when the client
+	// IP address cannot be determined.
+	//
+	// +optional
+	FailClosed *bool `json:"failClosed,omitempty"`
+}
+
 // HTTP3Settings provides HTTP/3 configuration on the listener.
 type HTTP3Settings struct {
 }

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -48,6 +48,29 @@ spec:
                 description: ClientIPDetectionSettings provides configuration for
                   determining the original client IP address for requests.
                 properties:
+                  customHeader:
+                    description: CustomHeader provides configuration for determining
+                      the client IP address for a request based on a trusted custom
+                      HTTP header. This uses the the custom_header original IP detection
+                      extension. Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+                      for more details.
+                    properties:
+                      failClosed:
+                        description: FailClosed is a switch used to control the flow
+                          of traffic when client IP detection fails. If set to true,
+                          the listener will respond with 403 Forbidden when the client
+                          IP address cannot be determined.
+                        type: boolean
+                      name:
+                        description: Name of the header containing the original downstream
+                          remote address, if present.
+                        maxLength: 255
+                        minLength: 1
+                        pattern: ^[A-Za-z0-9-]+$
+                        type: string
+                    required:
+                    - name
+                    type: object
                   xForwardedFor:
                     description: XForwardedForSettings provides configuration for
                       using X-Forwarded-For headers for determining the client IP
@@ -63,6 +86,9 @@ spec:
                         type: integer
                     type: object
                 type: object
+                x-kubernetes-validations:
+                - message: customHeader cannot be used in conjunction with xForwardedFor
+                  rule: '!(has(self.xForwardedFor) && has(self.customHeader))'
               enableProxyProtocol:
                 description: EnableProxyProtocol interprets the ProxyProtocol header
                   and adds the Client Address into the X-Forwarded-For header. Note

diff --git a/internal/gatewayapi/testdata/clienttrafficpolicy-client-ip-detection.in.yaml b/internal/gatewayapi/testdata/clienttrafficpolicy-client-ip-detection.in.yaml
@@ -3,7 +3,7 @@ clientTrafficPolicies:
   kind: ClientTrafficPolicy
   metadata:
     namespace: envoy-gateway
-    name: target-gateway-1
+    name: target-gateway-1-http-1
   spec:
     clientIPDetection:
       xForwardedFor:
@@ -13,6 +13,39 @@ clientTrafficPolicies:
       kind: Gateway
       name: gateway-1
       namespace: envoy-gateway
+      sectionName: http-1
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: ClientTrafficPolicy
+  metadata:
+    namespace: envoy-gateway
+    name: target-gateway-1-http-2
+  spec:
+    clientIPDetection:
+      customHeader:
+        name: "x-client-ip-address"
+        failClosed: false
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+      namespace: envoy-gateway
+      sectionName: http-2
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: ClientTrafficPolicy
+  metadata:
+    namespace: envoy-gateway
+    name: target-gateway-1-http-3
+  spec:
+    clientIPDetection:
+      customHeader:
+        name: "x-client-ip-address"
+        failClosed: true
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+      namespace: envoy-gateway
+      sectionName: http-3
 gateways:
 - apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
@@ -28,3 +61,22 @@ gateways:
       allowedRoutes:
         namespaces:
           from: Same
+    - name: http-2
+      protocol: HTTP
+      port: 8082
+      allowedRoutes:
+        namespaces:
+          from: Same
+    - name: http-3
+      protocol: HTTP
+      port: 8083
+      allowedRoutes:
+        namespaces:
+          from: Same
+    - name: http-4
+      protocol: HTTP
+      port: 8084
+      allowedRoutes:
+        namespaces:
+          from: Same
+