
Commit b6bcc0c

mhofstettersayboras
authored andcommitted
ciliumenvoyconfig: use explicit label use-original-src-address
Currently, the presence of an OwnerReference referencing an Ingress or Gateway (Gateway API) resource is the indicator whether Cilium's BPF metadata listener filter in Envoy should be configured to use the original source address or not. Referencing an Ingress or Gateway: don't use the original source address. Not referencing an Ingress or Gateway: use the original source address. With the removal of the OwnerReferences on the shared CiliumEnvoyConfig in case of a shared Cilium Ingress, this check no longer works as expected. Therefore, this commit introduces an explicit internal annotation `cilium.io/use-original-source-address` on the CiliumEnvoyConfig. Usages like the Cilium Ingress controller can set this annotation accordingly. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
1 parent 40ce49e commit b6bcc0c

7 files changed

+121
-40
lines changed


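--- a/operator/pkg/model/translation/gateway-api/translator_fixture_test.go
+++ b/operator/pkg/model/translation/gateway-api/translator_fixture_test.go
@@ -106,6 +106,9 @@ var basicHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-my-gateway",
 Namespace: "default",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -194,6 +197,9 @@ var basicTLSListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-my-gateway",
 Namespace: "default",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -304,6 +310,9 @@ var simpleSameNamespaceHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyCon
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -388,6 +397,9 @@ var crossNamespaceHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-backend-namespaces",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -485,6 +497,9 @@ var exactPathMatchingHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfi
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -694,6 +709,9 @@ var headerMatchingHTTPCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -994,6 +1012,9 @@ var hostnameIntersectionHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyCo
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-httproute-hostname-intersection",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -1230,6 +1251,9 @@ var listenerHostNameMatchingCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-httproute-listener-hostname-matching",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -1389,6 +1413,9 @@ var matchingAcrossHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -1562,6 +1589,9 @@ var matchingHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -1745,6 +1775,9 @@ var queryParamMatchingHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConf
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -1936,6 +1969,9 @@ var methodMatchingHTTPListenersHTTPListenersCiliumEnvoyConfig = &ciliumv2.Cilium
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -2172,6 +2208,9 @@ var requestHeaderModifierHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyC
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -2392,6 +2431,9 @@ var requestRedirectHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -2636,6 +2678,9 @@ var responseHeaderModifierHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoy
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -2874,6 +2919,9 @@ var rewriteHostHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -3085,6 +3133,9 @@ var rewritePathHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",
@@ -3291,6 +3342,9 @@ var mirrorHTTPListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-gateway-same-namespace",
 Namespace: "gateway-conformance-infra",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 OwnerReferences: []metav1.OwnerReference{
 {
 APIVersion: "gateway.networking.k8s.io/v1",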

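--- a/operator/pkg/model/translation/ingress/dedicated_ingress_fixture_test.go
+++ b/operator/pkg/model/translation/ingress/dedicated_ingress_fixture_test.go
@@ -285,6 +285,9 @@ var defaultBackendListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-ingress-random-namespace-load-balancing",
 Namespace: "random-namespace",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 },
 Spec: ciliumv2.CiliumEnvoyConfigSpec{
 Services: []*ciliumv2.ServiceListener{
@@ -429,6 +432,9 @@ var hostRulesListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-ingress-random-namespace-host-rules",
 Namespace: "random-namespace",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 },
 Spec: ciliumv2.CiliumEnvoyConfigSpec{
 Services: []*ciliumv2.ServiceListener{
@@ -708,6 +714,9 @@ var pathRulesListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-ingress-random-namespace-path-rules",
 Namespace: "random-namespace",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 },
 Spec: ciliumv2.CiliumEnvoyConfigSpec{
 Services: []*ciliumv2.ServiceListener{
@@ -888,6 +897,9 @@ var proxyProtoListenersCiliumEnvoyConfig = &ciliumv2.CiliumEnvoyConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cilium-ingress-random-namespace-load-balancing",
 Namespace: "random-namespace",
+Labels: map[string]string{
+"cilium.io/use-original-source-address": "false",
+},
 },
 Spec: ciliumv2.CiliumEnvoyConfigSpec{
 Services: []*ciliumv2.ServiceListener{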

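--- a/operator/pkg/model/translation/translator.go
+++ b/operator/pkg/model/translation/translator.go
@@ -13,6 +13,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 "github.com/cilium/cilium/operator/pkg/model"
+"github.com/cilium/cilium/pkg/k8s"
 ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
 "github.com/cilium/cilium/pkg/slices"
 )
@@ -65,6 +66,9 @@ func (i *defaultTranslator) Translate(model *model.Model) (*ciliumv2.CiliumEnvoy
 ObjectMeta: metav1.ObjectMeta{
 Name: i.name,
 Namespace: i.namespace,
+Labels: map[string]string{
+k8s.UseOriginalSourceAddressLabel: "false",
+},
 },
 }
 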
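Review bot: The literal `"false"` assigned to `k8s.UseOriginalSourceAddressLabel` in `Translate` carries no explanation of why the translator always disables the original source address, and the constant's own doc comment in pkg/k8s/labels.go only describes the enabling case. A one-line why-comment above the `Labels:` entry would make the intent self-contained, e.g. `// CECs generated for Ingress/Gateway API must not use the original source address (see k8s.UseOriginalSourceAddressLabel).`. Note that the test fixtures pin the raw string `"cilium.io/use-original-source-address"` rather than the constant, which is appropriate since they verify the on-wire value. The enclosing `Translate` method starts before and continues after this hunk.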
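--- a/pkg/k8s/labels.go
+++ b/pkg/k8s/labels.go
@@ -16,6 +16,11 @@ import (
 "github.com/cilium/cilium/pkg/option"
 )
 
+// UseOriginalSourceAddressLabel is the k8s label that can be added to a
+// `CiliumEnvoyConfig`. This way the Cilium BPF Metadata listener filter is configured
+// to use the original source address when extracting the metadata for a request.
+const UseOriginalSourceAddressLabel = "cilium.io/use-original-source-address"
+
 const (
 // AnnotationIstioSidecarStatus is the annotation added by Istio into a pod
 // when it is injected with a sidecar proxy.
@@ -36,12 +41,10 @@ const (
 DefaultSidecarIstioProxyImageRegexp = "cilium/istio_proxy"
 )
 
-var (
-// SidecarIstioProxyImageRegexp is the regular expression matching
-// compatible Istio sidecar istio-proxy container image names.
-// This is set by the "sidecar-istio-proxy-image" configuration flag.
-SidecarIstioProxyImageRegexp = regexp.MustCompile(DefaultSidecarIstioProxyImageRegexp)
-)
+// SidecarIstioProxyImageRegexp is the regular expression matching
+// compatible Istio sidecar istio-proxy container image names.
+// This is set by the "sidecar-istio-proxy-image" configuration flag.
+var SidecarIstioProxyImageRegexp = regexp.MustCompile(DefaultSidecarIstioProxyImageRegexp)
 
 // isInjectedWithIstioSidecarProxy returns whether the given pod has been
 // injected by Istio with a sidecar proxy that is compatible with Cilium.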
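Review bot: The doc comment on `UseOriginalSourceAddressLabel` describes only the enabling case ("configured to use the original source address"), yet the sole writer in this commit, `Translate` in operator/pkg/model/translation/translator.go, sets the label to `"false"` to disable that behaviour, and the comment says nothing about which values are accepted or what applies when the label is absent. Since the label is an opt-out switch on a user-editable CRD that feeds a listener-filter setting, the comment should name the recognised values (at least `"true"`/`"false"`), state that an absent label keeps the previous default, and point to the helper that evaluates it; that helper, `useOriginalSourceAddress`, is called in pkg/k8s/watchers/cilium_clusterwide_envoy_config.go but its definition is not on this page, so the exact semantics should be confirmed against it. The commit description refers to this as an "annotation" while the code defines a label; aligning the wording would avoid confusion for operators searching for it. The backticks around `CiliumEnvoyConfig` in the first comment line are also unusual for a Go doc comment and would render oddly in godoc.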

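--- a/pkg/k8s/watchers/cilium_clusterwide_envoy_config.go
+++ b/pkg/k8s/watchers/cilium_clusterwide_envoy_config.go
@@ -6,6 +6,10 @@ package watchers
 import (
 "context"
 
+"github.com/sirupsen/logrus"
+"k8s.io/apimachinery/pkg/util/wait"
+"k8s.io/client-go/tools/cache"
+
 "github.com/cilium/cilium/pkg/envoy"
 "github.com/cilium/cilium/pkg/k8s"
 cilium_v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
@@ -16,10 +20,6 @@ import (
 "github.com/cilium/cilium/pkg/loadbalancer"
 "github.com/cilium/cilium/pkg/logging/logfields"
 "github.com/cilium/cilium/pkg/option"
-
-"github.com/sirupsen/logrus"
-"k8s.io/apimachinery/pkg/util/wait"
-"k8s.io/client-go/tools/cache"
 )
 
 func (k *K8sWatcher) ciliumClusterwideEnvoyConfigInit(ctx context.Context, clientset client.Clientset) {
@@ -94,7 +94,7 @@ func (k *K8sWatcher) addCiliumClusterwideEnvoyConfig(ccec *cilium_v2.CiliumClust
 true,
 k.envoyConfigManager,
 len(ccec.Spec.Services) > 0,
-!isCiliumIngress(&ccec.ObjectMeta),
+useOriginalSourceAddress(&ccec.ObjectMeta),
 )
 if err != nil {
 scopedLog.WithError(err).Warn("Failed to add CiliumClusterwideEnvoyConfig: malformed Envoy config")
@@ -140,7 +140,7 @@ func (k *K8sWatcher) updateCiliumClusterwideEnvoyConfig(oldCCEC *cilium_v2.Ciliu
 false,
 k.envoyConfigManager,
 len(oldCCEC.Spec.Services) > 0,
-!isCiliumIngress(&oldCCEC.ObjectMeta),
+useOriginalSourceAddress(&oldCCEC.ObjectMeta),
 )
 if err != nil {
 scopedLog.WithError(err).Warn("Failed to update CiliumClusterwideEnvoyConfig: malformed old Envoy config")
@@ -153,7 +153,7 @@ func (k *K8sWatcher) updateCiliumClusterwideEnvoyConfig(oldCCEC *cilium_v2.Ciliu
 true,
 k.envoyConfigManager,
 len(newCCEC.Spec.Services) > 0,
-!isCiliumIngress(&newCCEC.ObjectMeta),
+useOriginalSourceAddress(&newCCEC.ObjectMeta),
 )
 if err != nil {
 scopedLog.WithError(err).Warn("Failed to update CiliumClusterwideEnvoyConfig: malformed new Envoy config")
@@ -199,7 +199,7 @@ func (k *K8sWatcher) deleteCiliumClusterwideEnvoyConfig(ccec *cilium_v2.CiliumCl
 false,
 k.envoyConfigManager,
 len(ccec.Spec.Services) > 0,
-!isCiliumIngress(&ccec.ObjectMeta),
+useOriginalSourceAddress(&ccec.ObjectMeta),
 )
 if err != nil {
 scopedLog.WithError(err).Warn("Failed to delete CiliumClusterwideEnvoyConfig: parsing rersource names failed")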
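Review bot: The four call sites in `addCiliumClusterwideEnvoyConfig`, `updateCiliumClusterwideEnvoyConfig` (old and new object) and `deleteCiliumClusterwideEnvoyConfig` now delegate the decision to `useOriginalSourceAddress(&ccec.ObjectMeta)`, but that helper's definition is not part of any hunk on this page, so how it treats an absent label, values other than `"true"`/`"false"`, and case or whitespace variants cannot be reviewed here. Because the label is ordinary user-editable metadata on a cluster-wide CRD that now selects a listener-filter behaviour, the helper should parse the value strictly (for example with `strconv.ParseBool`) and fall back to the pre-commit default when the label is missing or malformed, with a unit test covering those three cases; if it is defined in one of the two files not shown in this view, the note applies there. It is also not visible whether `isCiliumIngress` still has callers after this substitution; if it does not, it should be removed rather than left as dead code. The watcher for the namespaced `CiliumEnvoyConfig` is presumably updated the same way in one of the unshown files, which is worth confirming so the two watchers do not diverge. Each enclosing function starts before and continues after its hunk.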
