diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go
index 63b2c91fb2e..3314db7f7c8 100644
--- a/api/v1alpha1/clienttrafficpolicy_types.go
+++ b/api/v1alpha1/clienttrafficpolicy_types.go
@@ -237,14 +237,26 @@ type ClientIPDetectionSettings struct {
}
// XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
+// Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
+// for more details.
+// +kubebuilder:validation:XValidation:rule="(has(self.numTrustedHops) && !has(self.trustedCIDRs)) || (!has(self.numTrustedHops) && has(self.trustedCIDRs))", message="either numTrustedHops or trustedCIDRs must be set"
type XForwardedForSettings struct {
// NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
// headers to trust when determining the origin client's IP address.
- // Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
- // for more details.
+ // Only one of NumTrustedHops and TrustedCIDRs must be set.
//
// +optional
NumTrustedHops *uint32 `json:"numTrustedHops,omitempty"`
+
+ // TrustedCIDRs is a list of trusted CIDRs to trust when
+ // evaluating the remote IP address to determine the original client's IP address.
+ // Only one of NumTrustedHops and TrustedCIDRs must be set.
+ //
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:ItemsFormat=cidr
+ // +notImplementedHide
+ TrustedCIDRs []string `json:"trustedCIDRs,omitempty"`
}
// CustomHeaderExtensionSettings provides configuration for determining the client IP address for a request based on
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index f2cf9072fa6..d800e7ccfcb 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -5574,6 +5574,11 @@ func (in *XForwardedForSettings) DeepCopyInto(out *XForwardedForSettings) {
*out = new(uint32)
**out = **in
}
+ if in.TrustedCIDRs != nil {
+ in, out := &in.TrustedCIDRs, &out.TrustedCIDRs
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XForwardedForSettings.
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
index 3e626f3f88a..255ea1b28de 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml
@@ -85,11 +85,23 @@ spec:
description: |-
NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
- Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
- for more details.
+ Only one of NumTrustedHops and TrustedCIDRs must be set.
format: int32
type: integer
+ trustedCIDRs:
+ description: |-
+ TrustedCIDRs is a list of trusted CIDRs to trust when
+ evaluating the remote IP address to determine the original client's IP address.
+ Only one of NumTrustedHops and TrustedCIDRs must be set.
+ items:
+ type: string
+ minItems: 1
+ type: array
type: object
+ x-kubernetes-validations:
+ - message: either numTrustedHops or trustedCIDRs must be set
+ rule: (has(self.numTrustedHops) && !has(self.trustedCIDRs))
+ || (!has(self.numTrustedHops) && has(self.trustedCIDRs))
type: object
x-kubernetes-validations:
- message: customHeader cannot be used in conjunction with xForwardedFor
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
index 524802636e6..efa76d5a9cf 100644
--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
@@ -1,29 +1,5 @@
-date: Pending
-
-# Changes that are expected to cause an incompatibility with previous versions, such as deletions or modifications to existing APIs.
-breaking changes: |
- - Add a breaking change here
-
-# Updates addressing vulnerabilities, security flaws, or compliance requirements.
-security updates: |
- - Add a security update here
-
-# New features or capabilities added in this release.
-new features: |
- - Add a new feature here
-
-# Fixes for bugs identified in previous versions.
-bug fixes: |
- - Add a bug fix here
-
-# Enhancements that improve performance.
-performance improvements: |
- - Add a performance improvement here
-
-# Deprecated features or APIs.
-deprecations: |
- - Add a deprecation here
-
-# Other notable changes not covered by the above sections.
-Other changes: |
- - Add other changes here
+date: Oct 23, 2022
+changes:
+ - area: api
+ change: |
+ Support setting trusted CIDRs
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index f90ee0702ad..56e49458ba0 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -4250,13 +4250,15 @@ _Appears in:_
XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
+Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
+for more details.
_Appears in:_
- [ClientIPDetectionSettings](#clientipdetectionsettings)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. |
+| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. |
#### ZipkinTracingProvider
diff --git a/site/content/en/news/releases/notes/current.md b/site/content/en/news/releases/notes/current.md
new file mode 100644
index 00000000000..63d3fa0b656
--- /dev/null
+++ b/site/content/en/news/releases/notes/current.md
@@ -0,0 +1,10 @@
+---
+title: "current"
+publishdate: 2022-10-23
+---
+
+Date: Oct 23, 2022
+
+## API
+- Support setting trusted CIDRs
+
diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md
index f90ee0702ad..56e49458ba0 100644
--- a/site/content/zh/latest/api/extension_types.md
+++ b/site/content/zh/latest/api/extension_types.md
@@ -4250,13 +4250,15 @@ _Appears in:_
XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
+Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
+for more details.
_Appears in:_
- [ClientIPDetectionSettings](#clientipdetectionsettings)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. |
+| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs must be set. |
#### ZipkinTracingProvider