envoyproxy · arkodg · Feb 16, 2024 · Feb 2, 2024 · Feb 7, 2024 · Feb 7, 2024
@@ -89,11 +89,20 @@ type ClientTrafficPolicySpec struct {
 }
 
 // ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
+//
+// +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction xForwardedFor"
 type ClientIPDetectionSettings struct {
 	// XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
 	//
 	// +optional
 	XForwardedFor *XForwardedForSettings `json:"xForwardedFor,omitempty"`
+	// CustomHeader provides configuration for determining the client IP address for a request based on
+	// a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
+	// Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+	// for more details.
+	//
+	// +optional
+	CustomHeader *CustomHeaderExtensionSettings `json:"customHeader,omitempty"`
 }
 
 // XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
@@ -107,6 +116,28 @@ type XForwardedForSettings struct {
 	NumTrustedHops *uint32 `json:"numTrustedHops,omitempty"`
 }
 
+// CustomHeader provides configuration for determining the client IP address for a request based on
+// a trusted custom HTTP header. This uses the the custom_header original IP detection extension.
+// Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+// for more details.
+type CustomHeaderExtensionSettings struct {
+	// HeaderName of the of the header containing the original downstream remote address, if present.
+	//
+	// +kubebuilder:validation:MinLength=1
+	// +kubebuilder:validation:MaxLength=255
+	// +kubebuilder:validation:Pattern="^[A-Za-z0-9-]+$"
+	//
+	HeaderName string `json:"headerName"`
+	// RejectWithStatus is the HTTP response status to use when detection fails, if present. May be
+	// any valid HTTP response status code within the range 400-511 (inclusive).
+	//
+	// +kubebuilder:validation:Minimum=400
+	// +kubebuilder:validation:Maximum=511
+	//
+	// +optional
+	RejectWithStatus *uint32 `json:"rejectWithStatus,omitempty"`
+}
+
 // HTTP3Settings provides HTTP/3 configuration on the listener.
 type HTTP3Settings struct {
 }

@@ -48,6 +48,31 @@ spec:
                 description: ClientIPDetectionSettings provides configuration for
                   determining the original client IP address for requests.
                 properties:
+                  customHeader:
+                    description: CustomHeader provides configuration for determining
+                      the client IP address for a request based on a trusted custom
+                      HTTP header. This uses the the custom_header original IP detection
+                      extension. Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto
+                      for more details.
+                    properties:
+                      headerName:
+                        description: HeaderName of the of the header containing the
+                          original downstream remote address, if present.
+                        maxLength: 255
+                        minLength: 1
+                        pattern: ^[A-Za-z0-9-]+$
+                        type: string
+                      rejectWithStatus:
+                        description: RejectWithStatus is the HTTP response status
+                          to use when detection fails, if present. May be any valid
+                          HTTP response status code within the range 400-511 (inclusive).
+                        format: int32
+                        maximum: 511
+                        minimum: 400
+                        type: integer
+                    required:
+                    - headerName
+                    type: object
                   xForwardedFor:
                     description: XForwardedForSettings provides configuration for
                       using X-Forwarded-For headers for determining the client IP
@@ -63,6 +88,9 @@ spec:
                         type: integer
                     type: object
                 type: object
+                x-kubernetes-validations:
+                - message: customHeader cannot be used in conjunction xForwardedFor
+                  rule: '!(has(self.xForwardedFor) && has(self.customHeader))'
               enableProxyProtocol:
                 description: EnableProxyProtocol interprets the ProxyProtocol header
                   and adds the Client Address into the X-Forwarded-For header. Note

@@ -3,7 +3,7 @@ clientTrafficPolicies:
   kind: ClientTrafficPolicy
   metadata:
     namespace: envoy-gateway
-    name: target-gateway-1
+    name: target-gateway-1-http-1
   spec:
     clientIPDetection:
       xForwardedFor:
@@ -13,6 +13,23 @@ clientTrafficPolicies:
       kind: Gateway
       name: gateway-1
       namespace: envoy-gateway
+      sectionName: http-1
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: ClientTrafficPolicy
+  metadata:
+    namespace: envoy-gateway
+    name: target-gateway-1-http-2
+  spec:
+    clientIPDetection:
+      customHeader:
+        headerName: "x-client-ip-address"
+        rejectWithStatus: 403
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+      namespace: envoy-gateway
+      sectionName: http-2
 gateways:
 - apiVersion: gateway.networking.k8s.io/v1
   kind: Gateway
@@ -28,3 +45,16 @@ gateways:
       allowedRoutes:
         namespaces:
           from: Same
+    - name: http-2
+      protocol: HTTP
+      port: 8082
+      allowedRoutes:
+        namespaces:
+          from: Same
+    - name: http-3
+      protocol: HTTP
+      port: 8083
+      allowedRoutes:
+        namespaces:
+          from: Same
+
@@ -3,7 +3,7 @@ clientTrafficPolicies:
   kind: ClientTrafficPolicy
   metadata:
     creationTimestamp: null
-    name: target-gateway-1
+    name: target-gateway-1-http-1
     namespace: envoy-gateway
   spec:
     clientIPDetection:
@@ -14,6 +14,31 @@ clientTrafficPolicies:
       kind: Gateway
       name: gateway-1
       namespace: envoy-gateway
+      sectionName: http-1
+  status:
+    conditions:
+    - lastTransitionTime: null
+      message: ClientTrafficPolicy has been accepted.
+      reason: Accepted
+      status: "True"
+      type: Accepted
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: ClientTrafficPolicy
+  metadata:
+    creationTimestamp: null
+    name: target-gateway-1-http-2
+    namespace: envoy-gateway
+  spec:
+    clientIPDetection:
+      customHeader:
+        headerName: x-client-ip-address
+        rejectWithStatus: 403
+    targetRef:
+      group: gateway.networking.k8s.io
+      kind: Gateway
+      name: gateway-1
+      namespace: envoy-gateway
+      sectionName: http-2
   status:
     conditions:
     - lastTransitionTime: null
@@ -37,6 +62,18 @@ gateways:
       name: http-1
       port: 8081
       protocol: HTTP
+    - allowedRoutes:
+        namespaces:
+          from: Same
+      name: http-2
+      port: 8082
+      protocol: HTTP
+    - allowedRoutes:
+        namespaces:
+          from: Same
+      name: http-3
+      port: 8083
+      protocol: HTTP
   status:
     listeners:
     - attachedRoutes: 0
@@ -62,6 +99,52 @@ gateways:
         kind: HTTPRoute
       - group: gateway.networking.k8s.io
         kind: GRPCRoute
+    - attachedRoutes: 0
+      conditions:
+      - lastTransitionTime: null
+        message: Sending translated listener configuration to the data plane
+        reason: Programmed
+        status: "True"
+        type: Programmed
+      - lastTransitionTime: null
+        message: Listener has been successfully translated
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      - lastTransitionTime: null
+        message: Listener references have been resolved
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
+      name: http-2
+      supportedKinds:
+      - group: gateway.networking.k8s.io
+        kind: HTTPRoute
+      - group: gateway.networking.k8s.io
+        kind: GRPCRoute
+    - attachedRoutes: 0
+      conditions:
+      - lastTransitionTime: null
+        message: Sending translated listener configuration to the data plane
+        reason: Programmed
+        status: "True"
+        type: Programmed
+      - lastTransitionTime: null
+        message: Listener has been successfully translated
+        reason: Accepted
+        status: "True"
+        type: Accepted
+      - lastTransitionTime: null
+        message: Listener references have been resolved
+        reason: ResolvedRefs
+        status: "True"
+        type: ResolvedRefs
+      name: http-3
+      supportedKinds:
+      - group: gateway.networking.k8s.io
+        kind: HTTPRoute
+      - group: gateway.networking.k8s.io
+        kind: GRPCRoute
 infraIR:
   envoy-gateway/gateway-1:
     proxy:
@@ -73,6 +156,20 @@ infraIR:
           name: http-1
           protocol: HTTP
           servicePort: 8081
+      - address: null
+        name: envoy-gateway/gateway-1/http-2
+        ports:
+        - containerPort: 8082
+          name: http-2
+          protocol: HTTP
+          servicePort: 8082
+      - address: null
+        name: envoy-gateway/gateway-1/http-3
+        ports:
+        - containerPort: 8083
+          name: http-3
+          protocol: HTTP
+          servicePort: 8083
       metadata:
         labels:
           gateway.envoyproxy.io/owning-gateway-name: gateway-1
@@ -96,3 +193,25 @@ xdsIR:
         escapedSlashesAction: UnescapeAndRedirect
         mergeSlashes: true
       port: 8081
+    - address: 0.0.0.0
+      clientIPDetection:
+        customHeader:
+          headerName: x-client-ip-address
+          rejectWithStatus: 403
+      hostnames:
+      - '*'
+      isHTTP2: false
+      name: envoy-gateway/gateway-1/http-2
+      path:
+        escapedSlashesAction: UnescapeAndRedirect
+        mergeSlashes: true
+      port: 8082
+    - address: 0.0.0.0
+      hostnames:
+      - '*'
+      isHTTP2: false
+      name: envoy-gateway/gateway-1/http-3
+      path:
+        escapedSlashesAction: UnescapeAndRedirect
+        mergeSlashes: true
+      port: 8083