envoy: add internal_address_config to address deprecation warning (#5425)

2025-04-28 18:06:34 +02:00 · 2025-01-14 16:51:04 -05:00 · 2025-01-14 16:51:04 -05:00 · dfd2457bb6
commit dfd2457bb6
parent 5ff53ef2b1
5 changed files with 82 additions and 10 deletions
--- a/config/envoyconfig/filters.go
+++ b/config/envoyconfig/filters.go
@ -47,6 +47,7 @@ func ExtAuthzFilter(grpcClientTimeout *durationpb.Duration) *envoy_extensions_fi
 func HTTPConnectionManagerFilter(
 	httpConnectionManager *envoy_extensions_filters_network_http_connection_manager.HttpConnectionManager,
 ) *envoy_config_listener_v3.Filter {
+	applyGlobalHTTPConnectionManagerOptions(httpConnectionManager)
 	return &envoy_config_listener_v3.Filter{
 		Name: "envoy.filters.network.http_connection_manager",
 		ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{
--- a/config/envoyconfig/http_connection_manager.go
+++ b/config/envoyconfig/http_connection_manager.go
@ -8,6 +8,7 @@ import (
 	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 	envoy_http_connection_manager "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+	"google.golang.org/protobuf/types/known/wrapperspb"

 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/httputil"
@ -120,3 +121,24 @@ func (b *Builder) buildLocalReplyConfig(
 		}},
 	}, nil
 }
+
+func applyGlobalHTTPConnectionManagerOptions(hcm *envoy_http_connection_manager.HttpConnectionManager) {
+	if hcm.InternalAddressConfig == nil {
+		// see doc comment on InternalAddressConfig for details
+		hcm.InternalAddressConfig = &envoy_http_connection_manager.HttpConnectionManager_InternalAddressConfig{
+			CidrRanges: []*envoy_config_core_v3.CidrRange{
+				// localhost
+				{AddressPrefix: "127.0.0.1", PrefixLen: wrapperspb.UInt32(32)},
+				{AddressPrefix: "::1", PrefixLen: wrapperspb.UInt32(128)},
+
+				// RFC1918
+				{AddressPrefix: "10.0.0.0", PrefixLen: wrapperspb.UInt32(8)},
+				{AddressPrefix: "192.168.0.0", PrefixLen: wrapperspb.UInt32(16)},
+				{AddressPrefix: "172.16.0.0", PrefixLen: wrapperspb.UInt32(12)},
+
+				// RFC4193
+				{AddressPrefix: "fd00::", PrefixLen: wrapperspb.UInt32(8)},
+			},
+		}
+	}
+}
--- a/config/envoyconfig/outbound.go
+++ b/config/envoyconfig/outbound.go
@ -42,7 +42,7 @@ func (b *Builder) buildOutboundListener(cfg *config.Config) (*envoy_config_liste
 func (b *Builder) buildOutboundHTTPConnectionManager() *envoy_config_listener_v3.Filter {
 	rc := b.buildOutboundRouteConfiguration()

-	tc := marshalAny(&envoy_http_connection_manager.HttpConnectionManager{
+	return HTTPConnectionManagerFilter(&envoy_http_connection_manager.HttpConnectionManager{
 		CodecType:  envoy_http_connection_manager.HttpConnectionManager_AUTO,
 		StatPrefix: "grpc_egress",
 		// limit request first byte to last byte time
@ -56,13 +56,6 @@ func (b *Builder) buildOutboundHTTPConnectionManager() *envoy_config_listener_v3
 			HTTPRouterFilter(),
 		},
 	})
-
-	return &envoy_config_listener_v3.Filter{
-		Name: "envoy.filters.network.http_connection_manager",
-		ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{
-			TypedConfig: tc,
-		},
-	}
 }

 func (b *Builder) buildOutboundRouteConfiguration() *envoy_config_route_v3.RouteConfiguration {
--- a/config/envoyconfig/testdata/main_http_connection_manager_filter.json
+++ b/config/envoyconfig/testdata/main_http_connection_manager_filter.json
@ -186,6 +186,34 @@
      }
    },
    "useRemoteAddress": true,
-    "xffNumTrustedHops": 1
+    "xffNumTrustedHops": 1,
+    "internalAddressConfig": {
+      "cidrRanges": [
+        {
+          "addressPrefix": "127.0.0.1",
+          "prefixLen": 32
+        },
+        {
+          "addressPrefix": "::1",
+          "prefixLen": 128
+        },
+        {
+          "addressPrefix": "10.0.0.0",
+          "prefixLen": 8
+        },
+        {
+          "addressPrefix": "192.168.0.0",
+          "prefixLen": 16
+        },
+        {
+          "addressPrefix": "172.16.0.0",
+          "prefixLen": 12
+        },
+        {
+          "addressPrefix": "fd00::",
+          "prefixLen": 8
+        }
+      ]
+    }
  }
 }
--- a/config/envoyconfig/testdata/metrics_http_connection_manager.json
+++ b/config/envoyconfig/testdata/metrics_http_connection_manager.json
@ -54,7 +54,35 @@
                }
              ]
            },
-            "statPrefix": "metrics"
+            "statPrefix": "metrics",
+            "internalAddressConfig": {
+              "cidrRanges": [
+                {
+                  "addressPrefix": "127.0.0.1",
+                  "prefixLen": 32
+                },
+                {
+                  "addressPrefix": "::1",
+                  "prefixLen": 128
+                },
+                {
+                  "addressPrefix": "10.0.0.0",
+                  "prefixLen": 8
+                },
+                {
+                  "addressPrefix": "192.168.0.0",
+                  "prefixLen": 16
+                },
+                {
+                  "addressPrefix": "172.16.0.0",
+                  "prefixLen": 12
+                },
+                {
+                  "addressPrefix": "fd00::",
+                  "prefixLen": 8
+                }
+              ]
+            }
          }
        }
      ],