knative-extensions · knative-prow · Sep 23, 2024 · Sep 20, 2024 · Sep 20, 2024 · skonto
diff --git a/config/200-config.yaml b/config/200-config.yaml
@@ -72,6 +72,10 @@ data:
     # right side of the x-forwarded-for HTTP header to trust.
     trusted-hops-count: "0"
 
+    # Configures the connection manager to use the real remote address
+    # of the client connection when determining internal versus external origin and manipulating various headers.
+    use-remote-address: "false"
+
     # Specifies the cipher suites for TLS external listener.
     # Use ',' separated values like "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-CHACHA20-POLY1305"
     # The default uses the default cipher suites of the envoy version.

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -69,6 +69,10 @@ const (
 	// right side of the x-forwarded-for HTTP header to trust.
 	trustedHopsCount = "trusted-hops-count"
 
+	// useRemoteAddress Configure the connection manager to use the real remote address
+	// of the client connection when determining internal versus external origin and manipulating various headers.
+	useRemoteAddress = "use-remote-address"
+
 	// CipherSuites is the cipher suites for TLS external listener.
 	cipherSuites = "cipher-suites"
 )

diff --git a/pkg/config/configmap.go b/pkg/config/configmap.go
@@ -63,6 +63,7 @@ func DefaultConfig() *Kourier {
 		TrustedHopsCount:           0,
 		CipherSuites:               nil,
 		EnableCryptoMB:             false,
+		UseRemoteAddress:           false,
 	}
 }
 
@@ -76,6 +77,7 @@ func NewConfigFromMap(configMap map[string]string) (*Kourier, error) {
 		cm.AsString(clusterCert, &nc.ClusterCertSecret),
 		cm.AsDuration(IdleTimeoutKey, &nc.IdleTimeout),
 		cm.AsUint32(trustedHopsCount, &nc.TrustedHopsCount),
+		cm.AsBool(useRemoteAddress, &nc.UseRemoteAddress),
 		cm.AsStringSet(cipherSuites, &nc.CipherSuites),
 		cm.AsBool(enableCryptoMB, &nc.EnableCryptoMB),
 		asTracing(TracingCollectorFullEndpoint, &nc.Tracing),
@@ -149,6 +151,9 @@ type Kourier struct {
 	// TrustedHopsCount configures the number of additional ingress proxy hops from the
 	// right side of the x-forwarded-for HTTP header to trust.
 	TrustedHopsCount uint32
+	// UseRemoteAddress configures the connection manager to use the real remote address
+	// of the client connection when determining internal versus external origin and manipulating various headers.
+	UseRemoteAddress bool
 	// EnableCryptoMB specifies whether Kourier enable CryptoMB private provider to accelerate
 	// TLS handshake. The default value is "false".
 	EnableCryptoMB bool

diff --git a/pkg/config/configmap_test.go b/pkg/config/configmap_test.go
@@ -144,6 +144,15 @@ func TestKourierConfig(t *testing.T) {
 		data: map[string]string{
 			TracingCollectorFullEndpoint: "",
 		},
+	}, {
+		name: "Enable use remote address",
+		want: &Kourier{
+			EnableServiceAccessLogging: true,
+			UseRemoteAddress:           true,
+		},
+		data: map[string]string{
+			useRemoteAddress: "true",
+		},
 	}}
 
 	for _, tt := range configTests {

diff --git a/pkg/envoy/api/http_connection_manager.go b/pkg/envoy/api/http_connection_manager.go
@@ -72,6 +72,7 @@ func NewHTTPConnectionManager(routeConfigName string, kourierConfig *config.Kour
 		},
 		StreamIdleTimeout: durationpb.New(idleTimeout),
 		XffNumTrustedHops: kourierConfig.TrustedHopsCount,
+		UseRemoteAddress:  &wrapperspb.BoolValue{Value: kourierConfig.UseRemoteAddress},
 	}
 
 	if enableProxyProtocol {

diff --git a/pkg/envoy/api/http_connection_manager_test.go b/pkg/envoy/api/http_connection_manager_test.go
@@ -40,7 +40,7 @@ func TestNewHTTPConnectionManagerWithoutAccessLogWithoutProxyProtocol(t *testing
 	}
 	connManager := NewHTTPConnectionManager("test", &kourierConfig)
 	assert.Check(t, len(connManager.AccessLog) == 0)
-	assert.Check(t, connManager.UseRemoteAddress == nil)
+	assert.Check(t, connManager.UseRemoteAddress.Value == false)
 }
 
 func TestNewHTTPConnectionManagerWithAccessLogWithoutProxyProtocol(t *testing.T) {
@@ -50,7 +50,7 @@ func TestNewHTTPConnectionManagerWithAccessLogWithoutProxyProtocol(t *testing.T)
 		IdleTimeout:                0 * time.Second,
 	}
 	connManager := NewHTTPConnectionManager("test", &kourierConfig)
-	assert.Check(t, connManager.UseRemoteAddress == nil)
+	assert.Check(t, connManager.UseRemoteAddress.Value == false)
 	accessLog := connManager.AccessLog[0]
 	accessLogPathAny := accessLog.ConfigType.(*envoy_config_filter_accesslog_v3.AccessLog_TypedConfig).TypedConfig
 	fileAccesLog := &fileaccesslog.FileAccessLog{}
@@ -148,3 +148,13 @@ func TestNewHTTPConnectionManagerWithTrustedHops(t *testing.T) {
 		})
 	}
 }
+
+func TestNewHTTPConnectionManagerWithUseRemoteAddress(t *testing.T) {
+	kourierConfig := config.Kourier{
+		EnableServiceAccessLogging: false,
+		UseRemoteAddress:           true,
+		IdleTimeout:                0 * time.Second,
+	}
+	connManager := NewHTTPConnectionManager("test", &kourierConfig)
+	assert.Check(t, connManager.UseRemoteAddress.Value == true)
+}