CFP: cilium ingress should have an option to set the number of trusted loadbalancer hops

[chaunceyjiang]

1. Add a new global config item that sets the number of trusted hops for external load balancers for Ingress (or Gateway API) config. Default to 0, which produces the current behavior.
2. Plumb that value to the relevant Envoy configs so that it takes effect for all ingress listeners. (As opposed to Layer 7 policy enforcement listeners)

Fixes: #24292

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Are you a user of Cilium? Please add yourself to the Users doc
• Thanks for contributing!

Fixes: #issue-number

cilium ingress should have an option to set the number of trusted loadbalancer hops

[chaunceyjiang]

/cc @christarazi @meyskens @joamaki Please take a look. Thanks~

[youngnick]

Thanks for this PR @chaunceyjiang, the changes look good, but could you add some tests in envoy_http_connection_manager_test.go and envoy_listener_test.go? Just basic ones that ensure that the default is set correctly, and setting a separate value is also correct?

[chaunceyjiang]

could you add some tests in envoy_http_connection_manager_test.go and envoy_listener_test.go? Just basic ones that ensure that the default is set correctly, and setting a separate value is also correct?

Hi @youngnick Done. PATL. Thanks~

[meyskens]

Assigned @youngnick here for sig-servicemesh as my work cycles on this area are currently limited

[chaunceyjiang]

@meyskens Thanks~

[chaunceyjiang]

Hi @youngnick, could you help me with triggering E2E testing?

[chaunceyjiang]

Hi, @joamaki Ready for review , Please take a look. Thanks~

[youngnick]

/test

[chaunceyjiang]

📋 Test Report
❌ 2/45 tests failed (2/288 actions), 10 tests skipped, 1 scenarios skipped:
Test [no-policies]:
  ❌ no-policies/pod-to-service/curl-2: cilium-test/client2-646b88fb9b-fms7m (10.0.1.220) -> cilium-test/echo-other-node (echo-other-node:8080)
Test [allow-all-except-world]:
  ❌ allow-all-except-world/pod-to-service/curl-2: cilium-test/client2-646b88fb9b-fms7m (10.0.1.220) -> cilium-test/echo-other-node (echo-other-node:8080)
Error: Process completed with exit code 1.

It seems GitHub is having troubles.

[youngnick]

/test ci-ipsec-upgrade

[chaunceyjiang]

/test ci-ipsec-upgrade

Thanks~ @youngnick It seems like this action has no effect. （The time does not match.）

[chaunceyjiang]

Friendly ping @youngnick , Can you help me re-trigger the GitHub action again?

[lmb]

I've triggered a run for you. Since the check is not marked as required we can merge without it being green. What's still missing is review from @joamaki