From 99672071f4028c48423a3d0a5865312aa5b700a3 Mon Sep 17 00:00:00 2001
From: Rudrakh Panigrahi
Date: Wed, 23 Oct 2024 12:28:55 +0530
Subject: [PATCH] support setting trusted CIDRs

Signed-off-by: Rudrakh Panigrahi
---
 api/v1alpha1/clienttrafficpolicy_types.go | 15 +++++++++++++--
 api/v1alpha1/zz_generated.deepcopy.go | 5 +++++
 ...teway.envoyproxy.io_clienttrafficpolicies.yaml | 12 ++++++++++--
 site/content/en/latest/api/extension_types.md | 4 +++-
 site/content/en/news/releases/notes/current.md | 2 ++
 site/content/zh/latest/api/extension_types.md | 4 +++-
 6 files changed, 36 insertions(+), 6 deletions(-)
 create mode 100644 site/content/en/news/releases/notes/current.md

diff --git a/api/v1alpha1/clienttrafficpolicy_types.go b/api/v1alpha1/clienttrafficpolicy_types.go
index 63b2c91fb2e..eb96d358327 100644
--- a/api/v1alpha1/clienttrafficpolicy_types.go
+++ b/api/v1alpha1/clienttrafficpolicy_types.go
@@ -237,14 +237,25 @@ type ClientIPDetectionSettings struct {
 }
 
 // XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address.
+// Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
+// for more details.
 type XForwardedForSettings struct {
 	// NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
 	// headers to trust when determining the origin client's IP address.
-	// Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
-	// for more details.
+	// Only one of NumTrustedHops and TrustedCIDRs can be set.
 	//
 	// +optional
 	NumTrustedHops *uint32 `json:"numTrustedHops,omitempty"`
+
+	// TrustedCIDRs is a list of trusted CIDRs to trust when
+	// evaluating the remote IP address to determine the original client's IP address.
+	// Only one of NumTrustedHops and TrustedCIDRs can be set.
+	//
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	// +kubebuilder:validation:ItemsFormat=cidr
+	// +notImplementedHide
+	TrustedCIDRs []string `json:"trustedCIDRs,omitempty"`
 }
 
 // CustomHeaderExtensionSettings provides configuration for determining the client IP address for a request based on
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index f2cf9072fa6..d800e7ccfcb 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -5574,6 +5574,11 @@ func (in *XForwardedForSettings) DeepCopyInto(out *XForwardedForSettings) {
 		*out = new(uint32)
 		**out = **in
 	}
+	if in.TrustedCIDRs != nil {
+		in, out := &in.TrustedCIDRs, &out.TrustedCIDRs
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XForwardedForSettings.
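Review bot: The generated CRD in this same patch carries `minItems: 1` but no `format: cidr` under the `trustedCIDRs` items schema, which suggests the `+kubebuilder:validation:ItemsFormat=cidr` marker on the new field is not a recognized controller-gen marker and the entries are accepted as arbitrary strings; the per-item form is the `items:`-prefixed marker, `// +kubebuilder:validation:items:Format=cidr`, so regenerating after that change should be checked to confirm the format appears in the CRD. The mutual exclusion with NumTrustedHops is stated only in the field comments and nothing enforces it at admission; a CEL rule on the struct would, e.g. `// +kubebuilder:validation:XValidation:rule="!(has(self.numTrustedHops) && has(self.trustedCIDRs))",message="only one of numTrustedHops or trustedCIDRs can be set"`. Since every address inside a listed CIDR becomes a hop whose X-Forwarded-For contribution is trusted when the origin client IP is derived, the TrustedCIDRs comment should also say that the ranges must cover only the operator's own upstream proxies, because an over-broad range lets any peer in it present an arbitrary client IP to policies that key on it.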
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 3e626f3f88a..b1a06dd6384 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -85,10 +85,18 @@ spec: description: |- NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP headers to trust when determining the origin client's IP address. - Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for - for more details. + Only one of NumTrustedHops and TrustedCIDRs can be set. format: int32 type: integer + trustedCIDRs: + description: |- + TrustedCIDRs is a list of trusted CIDRs to trust when + evaluating the remote IP address to determine the original client's IP address. + Only one of NumTrustedHops and TrustedCIDRs can be set. + items: + type: string + minItems: 1 + type: array type: object type: object x-kubernetes-validations: diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index f90ee0702ad..cf8109e37e1 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -4250,13 +4250,15 @@ _Appears in:_ XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | +| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs can be set. | #### ZipkinTracingProvider diff --git a/site/content/en/news/releases/notes/current.md b/site/content/en/news/releases/notes/current.md new file mode 100644 index 00000000000..6e30cda48cf --- /dev/null +++ b/site/content/en/news/releases/notes/current.md @@ -0,0 +1,2 @@ +--- +title: "current" diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index f90ee0702ad..cf8109e37e1 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -4250,13 +4250,15 @@ _Appears in:_ XForwardedForSettings provides configuration for using X-Forwarded-For headers for determining the client IP address. +Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for +for more details. _Appears in:_ - [ClientIPDetectionSettings](#clientipdetectionsettings) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Refer to https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
for more details. | +| `numTrustedHops` | _integer_ | false | NumTrustedHops controls the number of additional ingress proxy hops from the right side of XFF HTTP
headers to trust when determining the origin client's IP address.
Only one of NumTrustedHops and TrustedCIDRs can be set. | #### ZipkinTracingProvider