diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go
index 63b2c91fb2ec..15a4588d932c 100644
--- a/api/v1alpha1/clienttrafficpolicy_types.go
+++ b/api/v1alpha1/clienttrafficpolicy_types.go
@@ -237,14 +237,26 @@ type ClientIPDetectionSettings struct {
}
// XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
+// Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
+// for more details.
+// +kubebuilder:validation:XValidation:rule="(has(self.numTrustedHops) && !has(self.trustedCIDRs)) || (!has(self.numTrustedHops) && has(self.trustedCIDRs))", message="only one of numTrustedHops or trustedCIDRs must be set"
type XForwardedForSettings struct {
// NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
// headers to trust when determining the origin client's IP address.
- // Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
- // for more details.
+ // Only one of NumTrustedHops and TrustedCIDRs must be set.
//
// +optional
NumTrustedHops *uint32 `json:"numTrustedHops,omitempty"`
+
+ // TrustedCIDRs is a list of trusted CIDRs to trust when
+ // evaluating the remote IP address to determine the original client's IP address.
+ // Only one of NumTrustedHops and TrustedCIDRs must be set.
+ //
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:ItemsFormat=cidr
+ // +notImplementedHide
+ TrustedCIDRs []string `json:"trustedCIDRs,omitempty"`
}
// CustomHeaderExtensionSettings provides configuration for determining the client IP address for a request based on
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index f2cf9072fa62..d800e7ccfcb0 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -5574,6 +5574,11 @@ func (in *XForwardedForSettings) DeepCopyInto(out *XForwardedForSettings) {
*out = new(uint32)
**out = **in
}
+ if in.TrustedCIDRs != nil {
+ in, out := &in.TrustedCIDRs, &out.TrustedCIDRs
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XForwardedForSettings.
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
index 3e626f3f88ad..36249c9c7c41 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -85,11 +85,24 @@ spec:
description: |-
NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
- Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
- for more details.
+ Only one of NumTrustedHops and TrustedCIDRs must be set.
format: int32
type: integer
+ trustedCIDRs:
+ description: |-
+ TrustedCIDRs is a list of trusted CIDRs to trust when
+ evaluating the remote IP address to determine the original client's IP address.
+ Only one of NumTrustedHops and TrustedCIDRs must be set.
+ items:
+ type: string
+ minItems: 1
+ type: array
type: object
+ x-kubernetes-validations:
+ - message: only one of numTrustedHops or trustedCIDRs must be
+ set
+ rule: (has(self.numTrustedHops) && !has(self.trustedCIDRs))
+ || (!has(self.numTrustedHops) && has(self.trustedCIDRs))
type: object
x-kubernetes-validations:
- message: customHeader cannot be used in conjunction with xForwardedFor
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
index 524802636e68..53137fccad38 100644
--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
@@ -1,4 +1,4 @@
-date: Pending
+date: October 24, 2024
# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs.
breaking changes: |
@@ -10,7 +10,7 @@ security updates: |
# New features or capabilities added in this release.
new features: |
- - Add a new feature here
+ - api: support setting trusted CIDRs
# Fixes for bugs identified in previous versions.
bug fixes: |
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index f90ee0702ad9..56e49458ba0f 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -4250,13 +4250,15 @@ _Appears in:_
XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
+Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
+for more details.
_Appears in:_
- [ClientIPDetectionSettings](#clientipdetectionsettings)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. |
+| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. |
#### ZipkinTracingProvider
diff --git a/site/content/en/news/releases/notes/current.md b/site/content/en/news/releases/notes/current.md
new file mode 100644
index 000000000000..df62060a0ce8
--- /dev/null
+++ b/site/content/en/news/releases/notes/current.md
@@ -0,0 +1,7 @@
+---
+title: "current"
+publishdate: 2024-10-24
+---
+
+Date: October 24, 2024
+
diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md
index f90ee0702ad9..56e49458ba0f 100644
--- a/site/content/zh/latest/api/extension_types.md
+++ b/site/content/zh/latest/api/extension_types.md
@@ -4250,13 +4250,15 @@ _Appears in:_
XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
+Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
+for more details.
_Appears in:_
- [ClientIPDetectionSettings](#clientipdetectionsettings)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. |
+| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. |
#### ZipkinTracingProvider