Add source.nat.ip

[stuartnelson3]

Motivation/summary

as per the ECS team's recommendation, store the address provided in proxy headers forwarded, x-real-ip, x-forwarded-for under source.{ip,port} and client.{ip,port}; store the source ip addr in source.nat.ip

Checklist

• Update CHANGELOG.asciidoc
• Update package changelog.yml (only if changes to apmpackage have been made)
• Documentation has been updated

How to test these changes

1. start apm-server
2. ingest events with an X-Forwarded-For header
3. confirm the document has source.nat.ip fields

Related issues

closes #7029

[apmmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-03-18T11:36:54.737+0000

• Duration: 26 min 19 sec

Test stats 🧪

Test	Results
Failed	0
Passed	3926
Skipped	13
Total	3939

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /hey-apm : Run the hey-apm benchmark.

• /package : Generate and publish the docker images.

• /test windows : Build & tests on Windows.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[stuartnelson3]

Are there other places where I need to apply the request's metadata to the APMEvent, besides beater/otlp/clientmetadata.go and beater/api/mux.go?

[simitt]

Looking at https://github.com/elastic/ecs/blob/main/schemas/source.yml#L148 and #7029 (comment):

The ECS team recommend that we store the originating client's IP in source.ip and client.ip, and the network peer (proxy) IP in source.nat.ip. If there are no forwarded headers, then source.ip and client.ip will be the network peer IP, and there will be no source.nat.ip address. The naming is a bit odd, but it sounds like the best option we have at the moment.

My understanding from that is

• request with Headers (forwarded, x-real-ip, x-forwarded-for), set the source.ip and client.ip to the IP address of these headers (in the defined order) and set source.nat.ip to the requests IP address, potentially expected to be pointing to a proxy.
• request without Headers: source.ip and client.ip are set to the request's IP address, and the assumption is that no proxy was used in between, so leave the source.nat.ip empty.

I believe you summarized (and implemented) this the other way around. Please take another look at Andrew's comment and let me know if my understanding makes sense to you.

[stuartnelson3]

@simitt thank you for the clarification!

[stuartnelson3]

how do i run make check-approvals for systemtests/?

[simitt]

how do i run make check-approvals for systemtests/?

First run the systemtests and then run make check-approvals from root; if there are differences they should get picked up.

[simitt]

Looks good! (apart from the failing system tests)

[axw]

Please update doc comments & PR description (for commit message) before merging. Otherwise, also with the caveat of failing system test, LGTM. Thanks :)

[axw]

doc comments are still reversed

[stuartnelson3]

@stuartnelson3 because systemtest has its own module, ./... in the repo root won't list it. You have to be in the systemtest directory.

@axw I'm running them from within the systemtest folder, but keep getting the error about not finding the apm package

~/w/a/systemtest (source-nat-ip %^)
# go test ./...
go: downloading github.com/docker/distribution v2.8.1+incompatible
2022/03/17 08:06:13 INFO: starting stack containers...
Pulling elasticsearch (docker.elastic.co/elasticsearch/elasticsearch:8.2.0-9bac538c-SNAPSHOT)...
8.2.0-9bac538c-SNAPSHOT: Pulling from elasticsearch/elasticsearch
Digest: sha256:096d3c0178276a9e4964a096efd6875dabd93391832474c90b864bddb21f39b5
Status: Downloaded newer image for docker.elastic.co/elasticsearch/elasticsearch:8.2.0-9bac538c-SNAPSHOT
Pulling kibana (docker.elastic.co/kibana/kibana:8.2.0-9bac538c-SNAPSHOT)...
8.2.0-9bac538c-SNAPSHOT: Pulling from kibana/kibana
Digest: sha256:2a94e73c164e4660e55ebeac348364f51403b277a3b92123fa136f5981ec7a8c
Status: Downloaded newer image for docker.elastic.co/kibana/kibana:8.2.0-9bac538c-SNAPSHOT
Pulling fleet-server (docker.elastic.co/beats/elastic-agent:8.2.0-9bac538c-SNAPSHOT)...
8.2.0-9bac538c-SNAPSHOT: Pulling from beats/elastic-agent
Digest: sha256:f019e4370810332ae13b3293572165a5826bb3b5efddbecdc76909e7aa59eefb
Status: Downloaded newer image for docker.elastic.co/beats/elastic-agent:8.2.0-9bac538c-SNAPSHOT
Recreating apm-server_elasticsearch_1 ... 
apm-server_package-registry_1 is up-to-date
Recreating apm-server_elasticsearch_1 ... done
Recreating apm-server_kibana_1        ... 
Recreating apm-server_kibana_1        ... done
Recreating apm-server_fleet-server_1  ... 
Recreating apm-server_fleet-server_1  ... done
2022/03/17 08:11:31 Waiting for fleet-server container (1da90ee5a622d28c4e7726ef67b2bd77a21a9d7c80b03e6060d0b083f943fcba) to become healthy
2022/03/17 08:11:51 INFO: cleaning up Elasticsearch...
2022/03/17 08:11:51 INFO: setting up fleet...
2022/03/17 08:11:54 could not find package 'apm'
FAIL	github.com/elastic/apm-server/systemtest	341.083s
ok  	github.com/elastic/apm-server/systemtest/apmservertest	84.052s
?   	github.com/elastic/apm-server/systemtest/benchtest	[no test files]
?   	github.com/elastic/apm-server/systemtest/cmd/apmbench	[no test files]
?   	github.com/elastic/apm-server/systemtest/cmd/runapm	[no test files]
?   	github.com/elastic/apm-server/systemtest/estest	[no test files]
?   	github.com/elastic/apm-server/systemtest/fleettest	[no test files]
FAIL

any ideas what I should check?

[axw]

@stuartnelson3 sorry, I just totally misread your error message before. I think you might need to run make build-package, and docker-compose restart package-registry.

[stuartnelson3]

the systemtests are getting killed after 11min on my machine, i'll take another look into this tomorrow (or try running it on an aws vm)

[cla-checker-service]

💚 CLA has been signed

[mergify]

This pull request is now in conflicts. Could you fix it @stuartnelson3? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b source-nat-ip upstream/source-nat-ip
git merge upstream/main
git push upstream source-nat-ip

[apmmachine]

💔 Build Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-03-18T11:36:53.595+0000

• Duration: 0 min 11 sec

Pipeline error

This error is likely related to the pipeline itself. Please go to the traditional console output here" You will see the error (either a wrong syntax or configuration)

[axw]

Verified with 8.2.0-BC1:

• sent some RUM events with no special headers, confirmed the peer IP address was stored in source.ip and client.ip as-is, and no source.nat.ip address was recorded
• sent some RUM events with X-Real-IP, confirmed the X-Real-IP address was stored in source.ip and client.ip, and the peer address was stored in source.nat.ip

[mergify]

This pull request does not have a backport label. Could you fix it @stuartnelson3? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-7.x is the label to automatically backport to the 7.x branch.
• backport-7./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.