feat:support configuring xff trusted cidrs

[rudrakhp]

What type of PR is this?

feat:support configuring xff trusted cidrs

What this PR does / why we need it:

Implement API introduced in #4500

Which issue(s) this PR fixes:

Refer #4489

Release Notes: No

[codecov]

Codecov Report

Attention: Patch coverage is 81.57895% with 7 lines in your changes missing coverage. Please review.

Project coverage is 66.71%. Comparing base (3ec3d43) to head (d0301e0).
Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/ir/xds.go	0.00%	6 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4702      +/-   ##
==========================================
- Coverage   66.71%   66.71%   -0.01%     
==========================================
  Files         211      211              
  Lines       32811    32846      +35     
==========================================
+ Hits        21891    21913      +22     
- Misses       9591     9600       +9     
- Partials     1329     1333       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[arkodg]

hey @rudrakhp can we add an e2e for this in this PR, or can you confirm this works by testing manually (and e2e can be added in a follow up)

[rudrakhp]

@arkodg I tried to use original IP detection extension's xff_num_trusted_hops instead of the same param in the parent HCM filter (which is on deprecation path according to envoy community). But looks like it's breaking RBAC somehow (this e2e was failing). Started a thread envoyproxy/envoy#37140 to understand this further.
Meanwhile only using xff_trusted_cidrs in the new extension to ensure no change in NumTrustedHops behaviour. Just an FYI in case we might decide to use the extension for NumTrustedHops as well in the future which will require us to fix this.
I will add E2E for trusted CIDRs in this PR to ensure functionality.

[zhaohuabing]

@arkodg I tried to use original IP detection extension's xff_num_trusted_hops instead of the same param in the parent HCM filter (which is on deprecation path according to envoy community). But looks like it's breaking RBAC somehow (this e2e was failing). Started a thread envoyproxy/envoy#37140 to understand this further. Meanwhile only using xff_trusted_cidrs in the new extension to ensure no change in NumTrustedHops behaviour. Just an FYI in case we might decide to use the extension for NumTrustedHops as well in the future which will require us to fix this. I will add E2E for trusted CIDRs in this PR to ensure functionality.

@rudrakhp This is probably related to envoyproxy/envoy#34241

[zhaohuabing]

@rudrakhp

But due to known issues mentioned earlier, not able to move legacy num trusted hops to the new extension. Moving PR to draft till the envoy issue is resolved.

To move this PR ahead, We probably could modify the existing RBAC e2e.

numTrustedHops: 2

gateway/test/e2e/testdata/authorization-client-ip.yaml

Line 94 in 2a10d47

numTrustedHops: 1

But I'm not sure which behavior is correct, the HCM xff_num_trusted_hops or the xff extension.

[zhaohuabing]

Raised a PR envoyproxy/envoy#37780 to seek help from the Enovy maintainers.

[rudrakhp]

To move this PR ahead, We probably could modify the existing RBAC e2e.

Not sure if that's the right thing to do, isn't it essentially changing behaviour for EGW users, probably breaking?

[arkodg]

can we use net.ParseCIDR here to derive prefix and mask ?

[arkodg]

since skipXffAppend: false exists, we will maintain backwards compatibility where the gateway ip will be appended to the off ?

[rudrakhp]

Yes, when use_remote_address: true was used earlier, HCM's skip_xff_append was used, which defaults to false (see this).
When moving to to the extension and setting use_remote_address: false, we will have to set the extension's skip_xff_append to false explicitly since it defaults to true (see this).

[zhaohuabing]

LGTM. Thank you for your patience and for adding this valuable feature!

[arkodg]

LGTM thanks !