feat: GeoIP #8453

Merged
zhaohuabing merged 13 commits into envoyproxy:main from zhaohuabing:geoip-impl
Mar 24, 2026

Conversation

Member

@zhaohuabing zhaohuabing commented Mar 9, 2026

Implements: #4412 #8002

@zhaohuabing zhaohuabing requested a review from a team as a code owner March 9, 2026 06:44
@zhaohuabing zhaohuabing marked this pull request as draft March 9, 2026 06:44
netlify Bot commented Mar 9, 2026

Deploy Preview for cerulean-figolla-1f9435 canceled.

| Name | Link |
|---|---|
| 🔨 Latest commit | 85668e6 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69c21fe3df9fd500085793f6 |

codecov Bot commented Mar 9, 2026

Codecov Report

❌ Patch coverage is 72.49284% with 96 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.30%. Comparing base (a049df2) to head (85668e6).
⚠️ Report is 2 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/xds/translator/geoip.go | 69.28% | 25 Missing and 22 partials ⚠️ |
| internal/xds/translator/authorization.go | 52.70% | 23 Missing and 12 partials ⚠️ |
| internal/gatewayapi/securitypolicy.go | 89.58% | 6 Missing and 4 partials ⚠️ |
| internal/ir/xds.go | 80.95% | 2 Missing and 2 partials ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8453      +/-   ##
==========================================
- Coverage   74.35%   74.30%   -0.05%     
==========================================
  Files         242      243       +1     
  Lines       37811    38143     +332     
==========================================
+ Hits        28113    28344     +231     
- Misses       7748     7809      +61     
- Partials     1950     1990      +40     

@zhaohuabing zhaohuabing force-pushed the geoip-impl branch 10 times, most recently from 7ca9aa7 to 7c55f37 Compare March 12, 2026 06:43
@zhaohuabing zhaohuabing marked this pull request as ready for review March 12, 2026 06:46
@zhaohuabing zhaohuabing force-pushed the geoip-impl branch 4 times, most recently from eda5889 to 3b5d9d0 Compare March 13, 2026 08:03
@zhaohuabing zhaohuabing added this to the v1.8.0-rc.1 Release milestone Mar 17, 2026
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>

GeoIP implementation

Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Member

@rudrakhp rudrakhp left a comment

Some questions and minor comments

Comment thread .github/workflows/build_and_test.yaml Outdated
Comment thread internal/gatewayapi/securitypolicy.go
Comment thread internal/gatewayapi/securitypolicy.go
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing requested a review from a team March 18, 2026 14:42
Comment thread internal/gatewayapi/securitypolicy.go Outdated
Comment thread internal/gatewayapi/securitypolicy.go Outdated
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing requested review from arkodg and rudrakhp March 23, 2026 07:08
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing requested a review from a team March 23, 2026 15:56
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
Signed-off-by: Huabing (Robin) Zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing requested a review from a team March 24, 2026 05:30
@zhaohuabing zhaohuabing merged commit 3c2fc03 into envoyproxy:main Mar 24, 2026
59 of 62 checks passed
@zhaohuabing zhaohuabing deleted the geoip-impl branch March 24, 2026 08:43
@zhaohuabing zhaohuabing mentioned this pull request Mar 24, 2026
sjoukedv commented Apr 4, 2026

Hello @zhaohuabing, quick question regarding logging here before I file it as an issue. I was trying this out ahead of the 1.8.0 release, like this:

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: default-gateway-proxy-config
  namespace: envoy-gateway-system
spec:
  ...
  telemetry:
    accessLog:
      settings:
        - format:
            type: JSON
            json:
              ...
              geo_country_code: "%REQ(X-EG-INTERNAL-GEOIP-COUNTRY)%"

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: geo-ip-protection
  namespace: envoy-gateway-system
spec:
  targetRefs: [
    ...
  ]

  authorization:
    defaultAction: Allow
    rules:
      - action: Deny
        principal:
          clientIPGeoLocations:
            - country: US
```

The rejection works fine, but I only see the geo_country_code populated in the access log when it actually is denied, not for requests that are allowed (but still had the country code looked up). Is this intended behaviour? Can we make it always output the country code so we can store it for auditing purposes?

Side question: is there a reason why we would add -eg-internal- in the name of the header instead of just x-geoip-country?

It would be great if we also add region which is supported from the envoy filter?
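
Added example, not part of the PR or of the comment above: a small Go program that measures the audit gap the comment describes by counting JSON access-log entries that lack `geo_country_code`, split into denied and allowed requests. The `response_code` key, the rule that a 403 marks a deny, the treatment of absent, null, empty or `-` values as missing, and the sample lines are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample lines (not from the PR). "response_code" is an assumed key
// mapped to %RESPONSE_CODE%; "geo_country_code" is the key from the config above.
const sampleLog = `{"response_code":403,"geo_country_code":"US"}
{"response_code":200,"geo_country_code":"-"}
{"response_code":200,"geo_country_code":null}
{"response_code":200,"geo_country_code":"NL"}
{"response_code":404}
not-json`

type entry struct {
	ResponseCode int     `json:"response_code"`
	Country      *string `json:"geo_country_code"`
}

// GeoGap counts entries per outcome and how many of them lack a country code.
type GeoGap struct{ Denied, DeniedMissing, Allowed, AllowedMissing, Malformed int }

// AuditGeoCoverage scans newline-delimited JSON access-log entries.
func AuditGeoCoverage(data string) GeoGap {
	var g GeoGap
	for _, line := range strings.Split(strings.TrimSpace(data), "\n") {
		var e entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			g.Malformed++ // unparseable line, blank ones included
			continue
		}
		total, missing := &g.Allowed, &g.AllowedMissing
		if e.ResponseCode == 403 { // assumption: 403 marks an authorization deny
			total, missing = &g.Denied, &g.DeniedMissing
		}
		*total++
		// Assumption: absent key, null, "" or "-" all mean no country was logged.
		if e.Country == nil || *e.Country == "" || *e.Country == "-" {
			*missing++
		}
	}
	return g
}

func main() {
	fmt.Printf("%+v\n", AuditGeoCoverage(sampleLog))
}
```

A non-zero `AllowedMissing` alongside a zero `DeniedMissing` matches the behaviour reported in the comment.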
