Support for disabling xff header append

[luvk1412]

EG by default sets use-remote-address to true currently at

gateway/internal/xds/translator/listener.go

Line 242 in 14f687f

useRemoteAddress := true

while in envoy this is false by default. My understanding is that as eg is supposed to be the first L7 layer for downstream traffic, hence this has been set to true.

However in our use case eg is not the first L7 layer, rather its aws ALB due to which ALB private ip gets appended to xff header which we don't want. Hence we want this to be false or an option to set skip_xff_append to true. So it would be nice to have an api to set above two fields.

For anyone else facing the same issue for now you can use below jsonPatch in EnvoyPatchPolicy:

  jsonPatches:
    - type: "type.googleapis.com/envoy.config.listener.v3.Listener"
      # The listener name is of the form <GatewayNamespace>/<GatewayName>/<GatewayListenerName>
      name: staging/eg-staging/http
      operation:
        op: add
        path: "/default_filter_chain/filters/0/typed_config/skip_xff_append"
        value: true

[arkodg]

is this because the upstream is expecting a single value in XFF or unable to parse the XFF ?

[luvk1412]

upstream doesn't want trusted values in XFF, basically the values which are of our infra, @arkodg. Upstreams can parse, but the logic that right most has to be ignored has to be added in all upstreams.

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.