envoy: add support for bind_config bootstrap options (#2772)

* envoy: add support for bind_config bootstrap options * only add upstream bind config options to individual policy clusters * update docs for new Envoy keys Co-authored-by: alexfornuto <alex@fornuto.com>
2025-08-03 08:50:42 +02:00 · 2021-12-01 13:02:49 -07:00 · 2021-12-01 13:02:49 -07:00 · bd0a5389bf
commit bd0a5389bf
parent 1bfdae4e12
9 changed files with 115 additions and 15 deletions
--- a/config/envoyconfig/clusters_test.go
+++ b/config/envoyconfig/clusters_test.go
@ -6,10 +6,12 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
+	"time"

 	envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/volatiletech/null/v9"
 	"google.golang.org/protobuf/types/known/wrapperspb"

 	"github.com/pomerium/pomerium/config"
@ -828,6 +830,56 @@ func Test_validateClusters(t *testing.T) {
 	}
 }

+func Test_bindConfig(t *testing.T) {
+	ctx, clearTimeout := context.WithTimeout(context.Background(), time.Second*10)
+	defer clearTimeout()
+
+	b := New("local-grpc", "local-http", filemgr.NewManager(), nil)
+	t.Run("no bind config", func(t *testing.T) {
+		cluster, err := b.buildPolicyCluster(ctx, &config.Options{}, &config.Policy{
+			From: "https://from.example.com",
+			To:   mustParseWeightedURLs(t, "https://to.example.com"),
+		})
+		assert.NoError(t, err)
+		assert.Nil(t, cluster.UpstreamBindConfig)
+	})
+	t.Run("freebind", func(t *testing.T) {
+		cluster, err := b.buildPolicyCluster(ctx, &config.Options{
+			EnvoyBindConfigFreebind: null.BoolFrom(true),
+		}, &config.Policy{
+			From: "https://from.example.com",
+			To:   mustParseWeightedURLs(t, "https://to.example.com"),
+		})
+		assert.NoError(t, err)
+		testutil.AssertProtoJSONEqual(t, `
+			{
+				"freebind": true,
+				"sourceAddress": {
+					"address": "0.0.0.0",
+					"portValue": 0
+				}
+			}
+		`, cluster.UpstreamBindConfig)
+	})
+	t.Run("source address", func(t *testing.T) {
+		cluster, err := b.buildPolicyCluster(ctx, &config.Options{
+			EnvoyBindConfigSourceAddress: "192.168.0.1",
+		}, &config.Policy{
+			From: "https://from.example.com",
+			To:   mustParseWeightedURLs(t, "https://to.example.com"),
+		})
+		assert.NoError(t, err)
+		testutil.AssertProtoJSONEqual(t, `
+			{
+				"sourceAddress": {
+					"address": "192.168.0.1",
+					"portValue": 0
+				}
+			}
+		`, cluster.UpstreamBindConfig)
+	})
+}
+
 func mustParseWeightedURLs(t *testing.T, urls ...string) []config.WeightedURL {
 	wu, err := config.ParseWeightedUrls(urls...)
 	require.NoError(t, err)