support use-remote-address

config/200-config.yaml

@@ -72,6 +72,10 @@ data:
     # right side of the x-forwarded-for HTTP header to trust.
     trusted-hops-count: "0"
 
+    # Configures the connection manager to use the real remote address
+    # of the client connection when determining internal versus external origin and manipulating various headers.
+    use-remote-address: "false"
+
     # Specifies the cipher suites for TLS external listener.
     # Use ',' separated values like "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-CHACHA20-POLY1305"
     # The default uses the default cipher suites of the envoy version.

pkg/config/config.go

@@ -69,6 +69,10 @@ const (
 	// right side of the x-forwarded-for HTTP header to trust.
 	trustedHopsCount = "trusted-hops-count"
 
+	// useRemoteAddress Configure the connection manager to use the real remote address
+	// of the client connection when determining internal versus external origin and manipulating various headers.
+	useRemoteAddress = "use-remote-address"
+
 	// CipherSuites is the cipher suites for TLS external listener.
 	cipherSuites = "cipher-suites"
 )

pkg/config/configmap.go

@@ -63,6 +63,7 @@ func DefaultConfig() *Kourier {
 		TrustedHopsCount:           0,
 		CipherSuites:               nil,
 		EnableCryptoMB:             false,
+		UseRemoteAddress:           false,
 	}
 }
 
@@ -76,6 +77,7 @@ func NewConfigFromMap(configMap map[string]string) (*Kourier, error) {
 		cm.AsString(clusterCert, &nc.ClusterCertSecret),
 		cm.AsDuration(IdleTimeoutKey, &nc.IdleTimeout),
 		cm.AsUint32(trustedHopsCount, &nc.TrustedHopsCount),
+		cm.AsBool(useRemoteAddress, &nc.UseRemoteAddress),
 		cm.AsStringSet(cipherSuites, &nc.CipherSuites),
 		cm.AsBool(enableCryptoMB, &nc.EnableCryptoMB),
 		asTracing(TracingCollectorFullEndpoint, &nc.Tracing),
@@ -149,6 +151,9 @@ type Kourier struct {
 	// TrustedHopsCount configures the number of additional ingress proxy hops from the
 	// right side of the x-forwarded-for HTTP header to trust.
 	TrustedHopsCount uint32
+	// UseRemoteAddress configures the connection manager to use the real remote address
+	// of the client connection when determining internal versus external origin and manipulating various headers.
+	UseRemoteAddress bool
 	// EnableCryptoMB specifies whether Kourier enable CryptoMB private provider to accelerate
 	// TLS handshake. The default value is "false".
 	EnableCryptoMB bool

pkg/config/configmap_test.go

@@ -144,6 +144,15 @@ func TestKourierConfig(t *testing.T) {
 		data: map[string]string{
 			TracingCollectorFullEndpoint: "",
 		},
+	}, {
+		name: "Enable use remote address",
+		want: &Kourier{
+			EnableServiceAccessLogging: true,
+			UseRemoteAddress:           true,
+		},
+		data: map[string]string{
+			useRemoteAddress: "true",
+		},
 	}}
 
 	for _, tt := range configTests {

pkg/envoy/api/http_connection_manager.go

@@ -72,6 +72,7 @@ func NewHTTPConnectionManager(routeConfigName string, kourierConfig *config.Kour
 		},
 		StreamIdleTimeout: durationpb.New(idleTimeout),
 		XffNumTrustedHops: kourierConfig.TrustedHopsCount,
+		UseRemoteAddress:  &wrapperspb.BoolValue{Value: kourierConfig.UseRemoteAddress},
 	}
 
 	if enableProxyProtocol {

pkg/envoy/api/http_connection_manager_test.go

@@ -148,3 +148,13 @@ func TestNewHTTPConnectionManagerWithTrustedHops(t *testing.T) {
 		})
 	}
 }
+
+func TestNewHTTPConnectionManagerWithUseRemoteAddress(t *testing.T) {
+	kourierConfig := config.Kourier{
+		EnableServiceAccessLogging: false,
+		UseRemoteAddress:           true,
+		IdleTimeout:                0 * time.Second,
+	}
+	connManager := NewHTTPConnectionManager("test", &kourierConfig)
+	assert.Check(t, connManager.UseRemoteAddress.Value == true)
+}