From 52831e6f897a50a45f826cd13ebd3c06c304eec3 Mon Sep 17 00:00:00 2001 From: Rudrakh Panigrahi Date: Mon, 11 Nov 2024 14:37:37 +0530 Subject: [PATCH] feat:support configuring xff trusted cidrs Signed-off-by: Rudrakh Panigrahi --- internal/ir/xds.go | 93 +++++++++++-------- internal/xds/translator/listener.go | 23 +++++ .../in/xds-ir/client-ip-detection.yaml | 20 ++++ .../xds-ir/client-ip-detection.clusters.yaml | 18 ++++ .../xds-ir/client-ip-detection.endpoints.yaml | 12 +++ .../xds-ir/client-ip-detection.listeners.yaml | 45 +++++++++ .../xds-ir/client-ip-detection.routes.yaml | 14 +++ 7 files changed, 184 insertions(+), 41 deletions(-) diff --git a/internal/ir/xds.go b/internal/ir/xds.go index 5103d3ea81a3..986407947b07 100644 --- a/internal/ir/xds.go +++ b/internal/ir/xds.go @@ -33,47 +33,49 @@ const ( ) var ( - ErrListenerNameEmpty = errors.New("field Name must be specified") - ErrListenerAddressInvalid = errors.New("field Address must be a valid IP address") - ErrListenerPortInvalid = errors.New("field Port specified is invalid") - ErrHTTPListenerHostnamesEmpty = errors.New("field Hostnames must be specified with at least a single hostname entry") - ErrTCPRouteSNIsEmpty = errors.New("field SNIs must be specified with at least a single server name entry") - ErrTLSServerCertEmpty = errors.New("field ServerCertificate must be specified") - ErrTLSPrivateKey = errors.New("field PrivateKey must be specified") - ErrRouteNameEmpty = errors.New("field Name must be specified") - ErrHTTPRouteHostnameEmpty = errors.New("field Hostname must be specified") - ErrDestinationNameEmpty = errors.New("field Name must be specified") - ErrDestEndpointHostInvalid = errors.New("field Address must be a valid IP or FQDN address") - ErrDestEndpointPortInvalid = errors.New("field Port specified is invalid") - ErrDestEndpointUDSPortInvalid = errors.New("field Port must not be specified for Unix Domain Socket address") - ErrDestEndpointUDSHostInvalid = errors.New("field Host must not be specified for Unix Domain Socket address") - ErrStringMatchConditionInvalid = errors.New("only one of the Exact, Prefix, SafeRegex or Distinct fields must be set") - ErrStringMatchInvertDistinctInvalid = errors.New("only one of the Invert or Distinct fields can be set") - ErrStringMatchNameIsEmpty = errors.New("field Name must be specified") - ErrDirectResponseStatusInvalid = errors.New("only HTTP status codes 100 - 599 are supported for DirectResponse") - ErrRedirectUnsupportedStatus = errors.New("only HTTP status codes 301 and 302 are supported for redirect filters") - ErrRedirectUnsupportedScheme = errors.New("only http and https are supported for the scheme in redirect filters") - ErrHTTPPathModifierDoubleReplace = errors.New("redirect filter cannot have a path modifier that supplies more than one of fullPathReplace, prefixMatchReplace and regexMatchReplace") - ErrHTTPPathModifierNoReplace = errors.New("redirect filter cannot have a path modifier that does not supply either fullPathReplace, prefixMatchReplace or regexMatchReplace") - ErrHTTPPathRegexModifierNoSetting = errors.New("redirect filter cannot have a path modifier that does not supply either fullPathReplace, prefixMatchReplace or regexMatchReplace") - ErrHTTPHostModifierDoubleReplace = errors.New("redirect filter cannot have a host modifier that supplies more than one of Hostname, Header and Backend") - ErrAddHeaderEmptyName = errors.New("header modifier filter cannot configure a header without a name to be added") - ErrAddHeaderDuplicate = errors.New("header modifier filter attempts to add the same header more than once (case insensitive)") - ErrRemoveHeaderDuplicate = errors.New("header modifier filter attempts to remove the same header more than once (case insensitive)") - ErrLoadBalancerInvalid = errors.New("loadBalancer setting is invalid, only one setting can be set") - ErrHealthCheckTimeoutInvalid = errors.New("field HealthCheck.Timeout must be specified") - ErrHealthCheckIntervalInvalid = errors.New("field HealthCheck.Interval must be specified") - ErrHealthCheckUnhealthyThresholdInvalid = errors.New("field HealthCheck.UnhealthyThreshold should be greater than 0") - ErrHealthCheckHealthyThresholdInvalid = errors.New("field HealthCheck.HealthyThreshold should be greater than 0") - ErrHealthCheckerInvalid = errors.New("health checker setting is invalid, only one health checker can be set") - ErrHCHTTPHostInvalid = errors.New("field HTTPHealthChecker.Host should be specified") - ErrHCHTTPPathInvalid = errors.New("field HTTPHealthChecker.Path should be specified") - ErrHCHTTPMethodInvalid = errors.New("only one of the GET, HEAD, POST, DELETE, OPTIONS, TRACE, PATCH of HTTPHealthChecker.Method could be set") - ErrHCHTTPExpectedStatusesInvalid = errors.New("field HTTPHealthChecker.ExpectedStatuses should be specified") - ErrHealthCheckPayloadInvalid = errors.New("one of Text, Binary fields must be set in payload") - ErrHTTPStatusInvalid = errors.New("HTTPStatus should be in [200,600)") - ErrOutlierDetectionBaseEjectionTimeInvalid = errors.New("field OutlierDetection.BaseEjectionTime must be specified") - ErrOutlierDetectionIntervalInvalid = errors.New("field OutlierDetection.Interval must be specified") + ErrListenerNameEmpty = errors.New("field Name must be specified") + ErrListenerAddressInvalid = errors.New("field Address must be a valid IP address") + ErrListenerPortInvalid = errors.New("field Port specified is invalid") + ErrHTTPListenerHostnamesEmpty = errors.New("field Hostnames must be specified with at least a single hostname entry") + ErrTCPRouteSNIsEmpty = errors.New("field SNIs must be specified with at least a single server name entry") + ErrTLSServerCertEmpty = errors.New("field ServerCertificate must be specified") + ErrTLSPrivateKey = errors.New("field PrivateKey must be specified") + ErrRouteNameEmpty = errors.New("field Name must be specified") + ErrHTTPRouteHostnameEmpty = errors.New("field Hostname must be specified") + ErrDestinationNameEmpty = errors.New("field Name must be specified") + ErrDestEndpointHostInvalid = errors.New("field Address must be a valid IP or FQDN address") + ErrDestEndpointPortInvalid = errors.New("field Port specified is invalid") + ErrDestEndpointUDSPortInvalid = errors.New("field Port must not be specified for Unix Domain Socket address") + ErrDestEndpointUDSHostInvalid = errors.New("field Host must not be specified for Unix Domain Socket address") + ErrStringMatchConditionInvalid = errors.New("only one of the Exact, Prefix, SafeRegex or Distinct fields must be set") + ErrStringMatchInvertDistinctInvalid = errors.New("only one of the Invert or Distinct fields can be set") + ErrStringMatchNameIsEmpty = errors.New("field Name must be specified") + ErrDirectResponseStatusInvalid = errors.New("only HTTP status codes 100 - 599 are supported for DirectResponse") + ErrRedirectUnsupportedStatus = errors.New("only HTTP status codes 301 and 302 are supported for redirect filters") + ErrRedirectUnsupportedScheme = errors.New("only http and https are supported for the scheme in redirect filters") + ErrHTTPPathModifierDoubleReplace = errors.New("redirect filter cannot have a path modifier that supplies more than one of fullPathReplace, prefixMatchReplace and regexMatchReplace") + ErrHTTPPathModifierNoReplace = errors.New("redirect filter cannot have a path modifier that does not supply either fullPathReplace, prefixMatchReplace or regexMatchReplace") + ErrHTTPPathRegexModifierNoSetting = errors.New("redirect filter cannot have a path modifier that does not supply either fullPathReplace, prefixMatchReplace or regexMatchReplace") + ErrHTTPHostModifierDoubleReplace = errors.New("redirect filter cannot have a host modifier that supplies more than one of Hostname, Header and Backend") + ErrAddHeaderEmptyName = errors.New("header modifier filter cannot configure a header without a name to be added") + ErrAddHeaderDuplicate = errors.New("header modifier filter attempts to add the same header more than once (case insensitive)") + ErrRemoveHeaderDuplicate = errors.New("header modifier filter attempts to remove the same header more than once (case insensitive)") + ErrLoadBalancerInvalid = errors.New("loadBalancer setting is invalid, only one setting can be set") + ErrHealthCheckTimeoutInvalid = errors.New("field HealthCheck.Timeout must be specified") + ErrHealthCheckIntervalInvalid = errors.New("field HealthCheck.Interval must be specified") + ErrHealthCheckUnhealthyThresholdInvalid = errors.New("field HealthCheck.UnhealthyThreshold should be greater than 0") + ErrHealthCheckHealthyThresholdInvalid = errors.New("field HealthCheck.HealthyThreshold should be greater than 0") + ErrHealthCheckerInvalid = errors.New("health checker setting is invalid, only one health checker can be set") + ErrHCHTTPHostInvalid = errors.New("field HTTPHealthChecker.Host should be specified") + ErrHCHTTPPathInvalid = errors.New("field HTTPHealthChecker.Path should be specified") + ErrHCHTTPMethodInvalid = errors.New("only one of the GET, HEAD, POST, DELETE, OPTIONS, TRACE, PATCH of HTTPHealthChecker.Method could be set") + ErrHCHTTPExpectedStatusesInvalid = errors.New("field HTTPHealthChecker.ExpectedStatuses should be specified") + ErrHealthCheckPayloadInvalid = errors.New("one of Text, Binary fields must be set in payload") + ErrHTTPStatusInvalid = errors.New("HTTPStatus should be in [200,600)") + ErrOutlierDetectionBaseEjectionTimeInvalid = errors.New("field OutlierDetection.BaseEjectionTime must be specified") + ErrOutlierDetectionIntervalInvalid = errors.New("field OutlierDetection.Interval must be specified") + ErrBothXForwardedForAndCustomHeaderInvalid = errors.New("only one of ClientIPDetection.XForwardedFor and ClientIPDetection.CustomHeader must be set") + ErrBothNumTrustedHopsAndTrustedCIDRsInvalid = errors.New("only one of ClientIPDetection.XForwardedFor.NumTrustedHops and ClientIPDetection.XForwardedFor.TrustedCIDRs must be set") redacted = []byte("[redacted]") ) @@ -348,6 +350,15 @@ func (h HTTPListener) Validate() error { errs = errors.Join(errs, err) } } + if h.ClientIPDetection != nil { + if h.ClientIPDetection.XForwardedFor != nil && h.ClientIPDetection.CustomHeader != nil { + errs = errors.Join(errs, ErrBothXForwardedForAndCustomHeaderInvalid) + } else if h.ClientIPDetection.XForwardedFor != nil { + if h.ClientIPDetection.XForwardedFor.NumTrustedHops != nil && h.ClientIPDetection.XForwardedFor.TrustedCIDRs != nil { + errs = errors.Join(errs, ErrBothNumTrustedHopsAndTrustedCIDRsInvalid) + } + } + } return errs } diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go index 9a68c5f3c1f4..b7c833bb7673 100644 --- a/internal/xds/translator/listener.go +++ b/internal/xds/translator/listener.go @@ -23,6 +23,7 @@ import ( early_header_mutationv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/http/early_header_mutation/header_mutation/v3" preservecasev3 "github.com/envoyproxy/go-control-plane/envoy/extensions/http/header_formatters/preserve_case/v3" customheaderv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/http/original_ip_detection/custom_header/v3" + xffv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/http/original_ip_detection/xff/v3" quicv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/quic/v3" tlsv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" typev3 "github.com/envoyproxy/go-control-plane/envoy/type/v3" @@ -141,6 +142,28 @@ func originalIPDetectionExtensions(clientIPDetection *ir.ClientIPDetectionSettin Name: "envoy.extensions.http.original_ip_detection.custom_header", TypedConfig: customHeaderConfigAny, }) + } else if clientIPDetection.XForwardedFor != nil && clientIPDetection.XForwardedFor.TrustedCIDRs != nil { + trustedCidrs := make([]*corev3.CidrRange, 0) + for _, cidr := range clientIPDetection.XForwardedFor.TrustedCIDRs { + parsedCidr := strings.Split(string(cidr), "/") + addressPrefix := parsedCidr[0] + prefixLen, _ := strconv.ParseUint(parsedCidr[1], 10, 32) + trustedCidrs = append(trustedCidrs, &corev3.CidrRange{ + AddressPrefix: addressPrefix, + PrefixLen: wrapperspb.UInt32(uint32(prefixLen)), + }) + } + xffHeaderConfigAny, _ := protocov.ToAnyWithValidation(&xffv3.XffConfig{ + XffTrustedCidrs: &xffv3.XffTrustedCidrs{ + Cidrs: trustedCidrs, + }, + SkipXffAppend: wrapperspb.Bool(false), + }) + + extensionConfig = append(extensionConfig, &corev3.TypedExtensionConfig{ + Name: "envoy.extensions.http.original_ip_detection.xff", + TypedConfig: xffHeaderConfigAny, + }) } return extensionConfig diff --git a/internal/xds/translator/testdata/in/xds-ir/client-ip-detection.yaml b/internal/xds/translator/testdata/in/xds-ir/client-ip-detection.yaml index de3236a8622f..28305ee39fe2 100644 --- a/internal/xds/translator/testdata/in/xds-ir/client-ip-detection.yaml +++ b/internal/xds/translator/testdata/in/xds-ir/client-ip-detection.yaml @@ -52,3 +52,23 @@ http: customHeader: name: "x-my-custom-header" failClosed: true +- name: "fourth-listener" + address: "0.0.0.0" + port: 8084 + hostnames: + - "*" + routes: + - name: "fourth-route" + hostname: "*" + destination: + name: "fourth-route-dest" + settings: + - endpoints: + - host: "4.4.4.4" + port: 8084 + clientIPDetection: + xForwardedFor: + trustedCidrs: + - "192.168.1.0/24" + - "10.0.0.0/16" + - "172.16.0.0/12" diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml index b7a2badfead6..0a3d6ba340ec 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.clusters.yaml @@ -52,3 +52,21 @@ outlierDetection: {} perConnectionBufferLimitBytes: 32768 type: EDS +- circuitBreakers: + thresholds: + - maxRetries: 1024 + commonLbConfig: + localityWeightedLbConfig: {} + connectTimeout: 10s + dnsLookupFamily: V4_ONLY + edsClusterConfig: + edsConfig: + ads: {} + resourceApiVersion: V3 + serviceName: fourth-route-dest + ignoreHealthOnHostRemoval: true + lbPolicy: LEAST_REQUEST + name: fourth-route-dest + outlierDetection: {} + perConnectionBufferLimitBytes: 32768 + type: EDS diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.endpoints.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.endpoints.yaml index 59545ddec3ad..ad653a1de596 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.endpoints.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.endpoints.yaml @@ -34,3 +34,15 @@ loadBalancingWeight: 1 locality: region: third-route-dest/backend/0 +- clusterName: fourth-route-dest + endpoints: + - lbEndpoints: + - endpoint: + address: + socketAddress: + address: 4.4.4.4 + portValue: 8084 + loadBalancingWeight: 1 + loadBalancingWeight: 1 + locality: + region: fourth-route-dest/backend/0 diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml index 885e958a3e63..abf346cd9317 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.listeners.yaml @@ -109,3 +109,48 @@ name: third-listener name: third-listener perConnectionBufferLimitBytes: 32768 +- address: + socketAddress: + address: 0.0.0.0 + portValue: 8084 + defaultFilterChain: + filters: + - name: envoy.filters.network.http_connection_manager + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + commonHttpProtocolOptions: + headersWithUnderscoresAction: REJECT_REQUEST + http2ProtocolOptions: + initialConnectionWindowSize: 1048576 + initialStreamWindowSize: 65536 + maxConcurrentStreams: 100 + httpFilters: + - name: envoy.filters.http.router + typedConfig: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + suppressEnvoyHeaders: true + normalizePath: true + originalIpDetectionExtensions: + - name: envoy.extensions.http.original_ip_detection.xff + typedConfig: + '@type': type.googleapis.com/envoy.extensions.http.original_ip_detection.xff.v3.XffConfig + skipXffAppend: false + xffTrustedCidrs: + cidrs: + - addressPrefix: 192.168.1.0 + prefixLen: 24 + - addressPrefix: 10.0.0.0 + prefixLen: 16 + - addressPrefix: 172.16.0.0 + prefixLen: 12 + rds: + configSource: + ads: {} + resourceApiVersion: V3 + routeConfigName: fourth-listener + serverHeaderTransformation: PASS_THROUGH + statPrefix: http-8084 + useRemoteAddress: false + name: fourth-listener + name: fourth-listener + perConnectionBufferLimitBytes: 32768 diff --git a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.routes.yaml index 12a38a14ef88..a0e9171307d9 100644 --- a/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.routes.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/client-ip-detection.routes.yaml @@ -40,3 +40,17 @@ cluster: third-route-dest upgradeConfigs: - upgradeType: websocket +- ignorePortInHostMatching: true + name: fourth-listener + virtualHosts: + - domains: + - '*' + name: fourth-listener/* + routes: + - match: + prefix: / + name: fourth-route + route: + cluster: fourth-route-dest + upgradeConfigs: + - upgradeType: websocket