From dfd2457bb648be771ab96ab7d4b463dcb8bbde29 Mon Sep 17 00:00:00 2001
From: Joe Kralicky
Date: Tue, 14 Jan 2025 16:51:04 -0500
Subject: [PATCH] envoy: add internal_address_config to address deprecation warning (#5425)

---
 config/envoyconfig/filters.go | 1 +
 config/envoyconfig/http_connection_manager.go | 22 ++++++++++++++
 config/envoyconfig/outbound.go | 9 +-----
 .../main_http_connection_manager_filter.json | 30 ++++++++++++++++++-
 .../metrics_http_connection_manager.json | 30 ++++++++++++++++++-
 5 files changed, 82 insertions(+), 10 deletions(-)

diff --git a/config/envoyconfig/filters.go b/config/envoyconfig/filters.go
index 2292f73e4..e4c593b5e 100644
--- a/config/envoyconfig/filters.go
+++ b/config/envoyconfig/filters.go
@@ -47,6 +47,7 @@ func ExtAuthzFilter(grpcClientTimeout *durationpb.Duration) *envoy_extensions_fi
 func HTTPConnectionManagerFilter(
 httpConnectionManager *envoy_extensions_filters_network_http_connection_manager.HttpConnectionManager,
 ) *envoy_config_listener_v3.Filter {
+ applyGlobalHTTPConnectionManagerOptions(httpConnectionManager)
 return &envoy_config_listener_v3.Filter{
 Name: "envoy.filters.network.http_connection_manager",
 ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{
diff --git a/config/envoyconfig/http_connection_manager.go b/config/envoyconfig/http_connection_manager.go
index 5d956b373..f2fc51961 100644
--- a/config/envoyconfig/http_connection_manager.go
+++ b/config/envoyconfig/http_connection_manager.go
@@ -8,6 +8,7 @@ import (
 envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 envoy_http_connection_manager "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
+ "google.golang.org/protobuf/types/known/wrapperspb"
 
 "github.com/pomerium/pomerium/config"
 "github.com/pomerium/pomerium/internal/httputil"
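Review bot: In config/envoyconfig/filters.go, HTTPConnectionManagerFilter now writes to the message its caller passed in, and the new defaults reach a listener only if it is built through this helper; neither is stated anywhere. A doc comment on the function would make both explicit, for example `// HTTPConnectionManagerFilter wraps hcm in a listener filter; it mutates hcm to apply global defaults, so build every HttpConnectionManager filter through it.` The function body continues past the end of the hunk.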
@@ -120,3 +121,24 @@ func (b *Builder) buildLocalReplyConfig(
 }},
 }, nil
 }
+
+func applyGlobalHTTPConnectionManagerOptions(hcm *envoy_http_connection_manager.HttpConnectionManager) {
+ if hcm.InternalAddressConfig == nil {
+ // see doc comment on InternalAddressConfig for details
+ hcm.InternalAddressConfig = &envoy_http_connection_manager.HttpConnectionManager_InternalAddressConfig{
+ CidrRanges: []*envoy_config_core_v3.CidrRange{
+ // localhost
+ {AddressPrefix: "127.0.0.1", PrefixLen: wrapperspb.UInt32(32)},
+ {AddressPrefix: "::1", PrefixLen: wrapperspb.UInt32(128)},
+
+ // RFC1918
+ {AddressPrefix: "10.0.0.0", PrefixLen: wrapperspb.UInt32(8)},
+ {AddressPrefix: "192.168.0.0", PrefixLen: wrapperspb.UInt32(16)},
+ {AddressPrefix: "172.16.0.0", PrefixLen: wrapperspb.UInt32(12)},
+
+ // RFC4193
+ {AddressPrefix: "fd00::", PrefixLen: wrapperspb.UInt32(8)},
+ },
+ }
+ }
+}
diff --git a/config/envoyconfig/outbound.go b/config/envoyconfig/outbound.go
index bcf0b93f7..541987746 100644
--- a/config/envoyconfig/outbound.go
+++ b/config/envoyconfig/outbound.go
@@ -42,7 +42,7 @@ func (b *Builder) buildOutboundListener(cfg *config.Config) (*envoy_config_liste
 func (b *Builder) buildOutboundHTTPConnectionManager() *envoy_config_listener_v3.Filter {
 rc := b.buildOutboundRouteConfiguration()
 
- tc := marshalAny(&envoy_http_connection_manager.HttpConnectionManager{
+ return HTTPConnectionManagerFilter(&envoy_http_connection_manager.HttpConnectionManager{
 CodecType: envoy_http_connection_manager.HttpConnectionManager_AUTO,
 StatPrefix: "grpc_egress",
 // limit request first byte to last byte time
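Review bot: applyGlobalHTTPConnectionManagerOptions in http_connection_manager.go hard-codes loopback, all of RFC1918 and fd00::/8 as internal for every listener, and the only explanation is `// see doc comment on InternalAddressConfig for details`. As far as Envoy's documentation describes, this list decides which peers are treated as internal for header sanitation and stats, so on a shared private network every neighbour in 10.0.0.0/8 keeps that status; the function should carry a doc comment saying so, e.g. `// applyGlobalHTTPConnectionManagerOptions pins Envoy's previous implicit internal-address list when the caller set none; addresses in these ranges are trusted as internal.` The `== nil` guard lets a caller supply a narrower list, but nothing visible in this commit does, so it is worth confirming that keeping the broad default is intended rather than just silencing the warning. The `// RFC4193` label is also loose: that RFC covers fc00::/7, and fd00::/8 is its locally assigned half.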
@@ -56,13 +56,6 @@ func (b *Builder) buildOutboundHTTPConnectionManager() *envoy_config_listener_v3
 HTTPRouterFilter(),
 },
 })
-
- return &envoy_config_listener_v3.Filter{
- Name: "envoy.filters.network.http_connection_manager",
- ConfigType: &envoy_config_listener_v3.Filter_TypedConfig{
- TypedConfig: tc,
- },
- }
 }
 
 func (b *Builder) buildOutboundRouteConfiguration() *envoy_config_route_v3.RouteConfiguration {
diff --git a/config/envoyconfig/testdata/main_http_connection_manager_filter.json b/config/envoyconfig/testdata/main_http_connection_manager_filter.json
index ca5d62958..859453cd4 100644
--- a/config/envoyconfig/testdata/main_http_connection_manager_filter.json
+++ b/config/envoyconfig/testdata/main_http_connection_manager_filter.json
@@ -186,6 +186,34 @@
 }
 },
 "useRemoteAddress": true,
- "xffNumTrustedHops": 1
+ "xffNumTrustedHops": 1,
+ "internalAddressConfig": {
+ "cidrRanges": [
+ {
+ "addressPrefix": "127.0.0.1",
+ "prefixLen": 32
+ },
+ {
+ "addressPrefix": "::1",
+ "prefixLen": 128
+ },
+ {
+ "addressPrefix": "10.0.0.0",
+ "prefixLen": 8
+ },
+ {
+ "addressPrefix": "192.168.0.0",
+ "prefixLen": 16
+ },
+ {
+ "addressPrefix": "172.16.0.0",
+ "prefixLen": 12
+ },
+ {
+ "addressPrefix": "fd00::",
+ "prefixLen": 8
+ }
+ ]
+ }
 }
 }
diff --git a/config/envoyconfig/testdata/metrics_http_connection_manager.json b/config/envoyconfig/testdata/metrics_http_connection_manager.json
index ed3156fa6..f0d19ce45 100644
--- a/config/envoyconfig/testdata/metrics_http_connection_manager.json
+++ b/config/envoyconfig/testdata/metrics_http_connection_manager.json
@@ -54,7 +54,35 @@
 }
 ]
 },
- "statPrefix": "metrics"
+ "statPrefix": "metrics",
+ "internalAddressConfig": {
+ "cidrRanges": [
+ {
+ "addressPrefix": "127.0.0.1",
+ "prefixLen": 32
+ },
+ {
+ "addressPrefix": "::1",
+ "prefixLen": 128
+ },
+ {
+ "addressPrefix": "10.0.0.0",
+ "prefixLen": 8
+ },
+ {
+ "addressPrefix": "192.168.0.0",
+ "prefixLen": 16
+ },
+ {
+ "addressPrefix": "172.16.0.0",
+ "prefixLen": 12
+ },
+ {
+ "addressPrefix": "fd00::",
+ "prefixLen": 8
+ }
+ ]
+ }
 }
 }
 ],