GatewayAPI supports to setting the number of trusted loadbalancer hops

Signed-off-by: chaunceyjiang <chaunceyjiang@gmail.com>
cilium · Mar 5, 2024 · 7c7ae03 · 7c7ae03
1 parent bebb6be
commit 7c7ae03
Show file tree

Hide file tree

Showing 31 changed files with 265 additions and 68 deletions.
diff --git a/Documentation/cmdref/cilium-operator-alibabacloud.md b/Documentation/cmdref/cilium-operator-alibabacloud.md
diff --git a/Documentation/cmdref/cilium-operator-alibabacloud_hive.md b/Documentation/cmdref/cilium-operator-alibabacloud_hive.md
diff --git a/Documentation/cmdref/cilium-operator-alibabacloud_hive_dot-graph.md b/Documentation/cmdref/cilium-operator-alibabacloud_hive_dot-graph.md
diff --git a/Documentation/cmdref/cilium-operator-aws.md b/Documentation/cmdref/cilium-operator-aws.md
diff --git a/Documentation/cmdref/cilium-operator-aws_hive.md b/Documentation/cmdref/cilium-operator-aws_hive.md
diff --git a/Documentation/cmdref/cilium-operator-aws_hive_dot-graph.md b/Documentation/cmdref/cilium-operator-aws_hive_dot-graph.md
diff --git a/Documentation/cmdref/cilium-operator-azure.md b/Documentation/cmdref/cilium-operator-azure.md
diff --git a/Documentation/cmdref/cilium-operator-azure_hive.md b/Documentation/cmdref/cilium-operator-azure_hive.md
diff --git a/Documentation/cmdref/cilium-operator-azure_hive_dot-graph.md b/Documentation/cmdref/cilium-operator-azure_hive_dot-graph.md
diff --git a/Documentation/cmdref/cilium-operator-generic.md b/Documentation/cmdref/cilium-operator-generic.md
diff --git a/Documentation/cmdref/cilium-operator-generic_hive.md b/Documentation/cmdref/cilium-operator-generic_hive.md
diff --git a/Documentation/cmdref/cilium-operator-generic_hive_dot-graph.md b/Documentation/cmdref/cilium-operator-generic_hive_dot-graph.md
diff --git a/Documentation/cmdref/cilium-operator.md b/Documentation/cmdref/cilium-operator.md
diff --git a/Documentation/cmdref/cilium-operator_hive.md b/Documentation/cmdref/cilium-operator_hive.md
diff --git a/Documentation/cmdref/cilium-operator_hive_dot-graph.md b/Documentation/cmdref/cilium-operator_hive_dot-graph.md
diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
diff --git a/install/kubernetes/cilium/templates/cilium-configmap.yaml b/install/kubernetes/cilium/templates/cilium-configmap.yaml
@@ -274,6 +274,7 @@ data:
   enable-gateway-api: "true"
   enable-gateway-api-secrets-sync: {{ .Values.gatewayAPI.secretsNamespace.sync | quote }}
   enable-gateway-api-proxy-protocol: {{ .Values.gatewayAPI.enableProxyProtocol | quote }}
+  gateway-api-xff-num-trusted-hops: {{ .Values.gatewayAPI.xffNumTrustedHops | quote }}
   gateway-api-secrets-namespace: {{ .Values.gatewayAPI.secretsNamespace.name | quote }}
   gateway-api-hostnetwork-enabled: {{ .Values.gatewayAPI.hostNetwork.enabled | quote }}
   gateway-api-hostnetwork-nodelabelselector: {{ include "mapToString" .Values.gatewayAPI.hostNetwork.nodes.matchLabels | quote }}

diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
@@ -692,6 +692,8 @@ gatewayAPI:
   enabled: false
   # -- Enable proxy protocol for all GatewayAPI listeners. Note that _only_ Proxy protocol traffic will be accepted once this is enabled.
   enableProxyProtocol: false
+  # -- The number of additional GatewayAPI proxy hops from the right side of the HTTP header to trust when determining the origin client's IP address.
+  xffNumTrustedHops: 0
   # -- SecretsNamespace is the namespace in which envoy SDS will retrieve TLS secrets from.
   secretsNamespace:
     # -- Create secrets namespace for Gateway API.