add support for preserving clientIP

Author: salonichf5

apis/v1alpha1/nginxproxy_types.go

@@ -53,6 +53,12 @@ type NginxProxySpec struct {
 	//
 	// +optional
 	Telemetry *Telemetry `json:"telemetry,omitempty"`
+	// RewriteClientIP defines configuration for rewriting the client IP to the original client's IP.
+	// +kubebuilder:validation:XValidation:message="if mode is set, trustedAddresses is a required field",rule="!(has(self.mode) && !has(self.trustedAddresses))"
+	//
+	// +optional
+	//nolint:lll
+	RewriteClientIP *RewriteClientIP `json:"rewriteClientIP,omitempty"`
 	// DisableHTTP2 defines if http2 should be disabled for all servers.
 	// Default is false, meaning http2 will be enabled for all servers.
 	//
@@ -114,3 +120,56 @@ type TelemetryExporter struct {
 	// +kubebuilder:validation:Pattern=`^(?:http?:\/\/)?[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*(?::\d{1,5})?$`
 	Endpoint string `json:"endpoint"`
 }
+
+// RewriteClientIP specifies the configuration for rewriting the client's IP address.
+type RewriteClientIP struct {
+	// Mode defines how NGINX will rewrite the client's IP address.
+	// Possible modes: ProxyProtocol, XForwardedFor.
+	//
+	// +optional
+	Mode *RewriteClientIPModeType `json:"mode,omitempty"`
+
+	// SetIPRecursively configures whether recursive search is used for selecting client's
+	// address from the X-Forwarded-For header and used in conjunction with TrustedAddresses.
+	// If enabled, NGINX will recurse on the values in X-Forwarded-Header from the end of
+	// array to start of array and select the first untrusted IP.
+	//
+	// +optional
+	SetIPRecursively *bool `json:"setIPRecursively,omitempty"`
+
+	// TrustedAddresses specifies the addresses that are trusted to send correct client IP information.
+	// If a request comes from a trusted address, NGINX will rewrite the client IP information,
+	// and forward it to the backend in the X-Forwarded-For* and X-Real-IP headers.
+	// This field is required if mode is set.
+	// +kubebuilder:validation:MaxItems=16
+	// +listType=atomic
+	//
+	//
+	// +optional
+	TrustedAddresses []TrustedAddress `json:"trustedAddresses,omitempty"`
+}
+
+// RewriteClientIPModeType defines how NGINX Gateway Fabric will determine the client's original IP address.
+// +kubebuilder:validation:Enum=ProxyProtocol;XForwardedFor
+type RewriteClientIPModeType string
+
+const (
+	// RewriteClientIPModeProxyProtocol configures NGINX to accept PROXY protocol and,
+	// set the client's IP address to the IP address in the PROXY protocol header.
+	// Sets the proxy_protocol parameter to the listen directive on all servers, and sets real_ip_header
+	// to proxy_protocol: https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header.
+	RewriteClientIPModeProxyProtocol RewriteClientIPModeType = "ProxyProtocol"
+
+	// RewriteClientIPModeXForwardedFor configures NGINX to set the client's IP address to the
+	// IP address in the X-Forwarded-For HTTP header.
+	// https://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header.
+	RewriteClientIPModeXForwardedFor RewriteClientIPModeType = "XForwardedFor"
+)
+
+// TrustedAddress is a string value representing a CIDR block.
+// Examples: 0.0.0.0/0
+//
+// +kubebuilder:validation:Pattern=`^(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?:\/(?:[0-9]|[12][0-9]|3[0-2]))?|(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}(?:\/(?:[0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?)$`
+//
+//nolint:lll
+type TrustedAddress string

apis/v1alpha1/zz_generated.deepcopy.go

@@ -263,8 +263,8 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginx.config` | The configuration for the data plane that is contained in the NginxProxy resource. | object | `{}` |
 | `nginx.extraVolumeMounts` | extraVolumeMounts are the additional volume mounts for the nginx container. | list | `[]` |
 | `nginx.image.pullPolicy` |  | string | `"Always"` |
-| `nginx.image.repository` | The NGINX image to use. | string | `"ghcr.io/nginxinc/nginx-gateway-fabric/nginx"` |
-| `nginx.image.tag` |  | string | `"edge"` |
+| `nginx.image.repository` | The NGINX image to use. | string | `"gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx"` |
+| `nginx.image.tag` |  | string | `"sa.choudhary"` |
 | `nginx.lifecycle` | The lifecycle of the nginx container. | object | `{}` |
 | `nginx.plus` | Is NGINX Plus image being used | bool | `false` |
 | `nginx.usage.clusterName` | The display name of the Kubernetes cluster in the NGINX Plus usage reporting server. | string | `""` |
@@ -279,8 +279,8 @@ The following table lists the configurable parameters of the NGINX Gateway Fabri
 | `nginxGateway.gatewayControllerName` | The name of the Gateway controller. The controller name must be of the form: DOMAIN/PATH. The controller's domain is gateway.nginx.org. | string | `"gateway.nginx.org/nginx-gateway-controller"` |
 | `nginxGateway.gwAPIExperimentalFeatures.enable` | Enable the experimental features of Gateway API which are supported by NGINX Gateway Fabric. Requires the Gateway APIs installed from the experimental channel. | bool | `false` |
 | `nginxGateway.image.pullPolicy` |  | string | `"Always"` |
-| `nginxGateway.image.repository` | The NGINX Gateway Fabric image to use | string | `"ghcr.io/nginxinc/nginx-gateway-fabric"` |
-| `nginxGateway.image.tag` |  | string | `"edge"` |
+| `nginxGateway.image.repository` | The NGINX Gateway Fabric image to use | string | `"gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric"` |
+| `nginxGateway.image.tag` |  | string | `"sa.choudhary"` |
 | `nginxGateway.kind` | The kind of the NGINX Gateway Fabric installation - currently, only deployment is supported. | string | `"deployment"` |
 | `nginxGateway.leaderElection.enable` | Enable leader election. Leader election is used to avoid multiple replicas of the NGINX Gateway Fabric reporting the status of the Gateway API resources. If not enabled, all replicas of NGINX Gateway Fabric will update the statuses of the Gateway API resources. | bool | `true` |
 | `nginxGateway.leaderElection.lockName` | The name of the leader election lock. A Lease object with this name will be created in the same Namespace as the controller. | string | Autogenerated if not set or set to "". |

charts/nginx-gateway-fabric/README.md

@@ -52,8 +52,8 @@ nginxGateway:
 
   image:
     # -- The NGINX Gateway Fabric image to use
-    repository: ghcr.io/nginxinc/nginx-gateway-fabric
-    tag: edge
+    repository: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric
+    tag: sa.choudhary
     pullPolicy: Always
 
   securityContext:
@@ -81,8 +81,8 @@ nginxGateway:
 nginx:
   image:
     # -- The NGINX image to use.
-    repository: ghcr.io/nginxinc/nginx-gateway-fabric/nginx
-    tag: edge
+    repository: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx
+    tag: sa.choudhary
     pullPolicy: Always
 
   # -- Is NGINX Plus image being used
@@ -93,6 +93,10 @@ nginx:
     {}
     # disableHTTP2: false
     # ipFamily: dual
+    # rewriteClientIP:
+    #   mode: "ProxyProtocol"
+    #   trustedAddresses: ["0.0.0.0/0"]
+    #   setIPRecursively: true
     # telemetry:
     #   exporter:
     #     endpoint: otel-collector.default.svc:4317

charts/nginx-gateway-fabric/values.yaml

@@ -62,6 +62,44 @@ spec:
                 - ipv4
                 - ipv6
                 type: string
+              rewriteClientIP:
+                description: RewriteClientIP defines configuration for rewriting the
+                  client IP to the original client's IP.
+                properties:
+                  mode:
+                    description: |-
+                      Mode defines how NGINX will rewrite the client's IP address.
+                      Possible modes: ProxyProtocol, XForwardedFor.
+                    enum:
+                    - ProxyProtocol
+                    - XForwardedFor
+                    type: string
+                  setIPRecursively:
+                    description: |-
+                      SetIPRecursively configures whether recursive search is used for selecting client's
+                      address from the X-Forwarded-For header and used in conjunction with TrustedAddresses.
+                      If enabled, NGINX will recurse on the values in X-Forwarded-Header from the end of
+                      array to start of array and select the first untrusted IP.
+                    type: boolean
+                  trustedAddresses:
+                    description: |-
+                      TrustedAddresses specifies the addresses that are trusted to send correct client IP information.
+                      If a request comes from a trusted address, NGINX will rewrite the client IP information,
+                      and forward it to the backend in the X-Forwarded-For* and X-Real-IP headers.
+                      This field is required if mode is set.
+                    items:
+                      description: |-
+                        TrustedAddress is a string value representing a CIDR block.
+                        Examples: 0.0.0.0/0
+                      pattern: ^(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?:\/(?:[0-9]|[12][0-9]|3[0-2]))?|(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}(?:\/(?:[0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?)$
+                      type: string
+                    maxItems: 16
+                    type: array
+                    x-kubernetes-list-type: atomic
+                type: object
+                x-kubernetes-validations:
+                - message: if mode is set, trustedAddresses is a required field
+                  rule: '!(has(self.mode) && !has(self.trustedAddresses))'
               telemetry:
                 description: Telemetry specifies the OpenTelemetry configuration.
                 properties:

config/crd/bases/gateway.nginx.org_nginxproxies.yaml

@@ -45,7 +45,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
+        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -82,7 +82,7 @@ spec:
           mountPath: /var/run/nginx
         - name: nginx-includes
           mountPath: /etc/nginx/includes
-      - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
+      - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx:sa.choudhary
         imagePullPolicy: Always
         name: nginx
         ports:

config/tests/static-deployment.yaml

@@ -217,7 +217,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
+        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -256,7 +256,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
+      - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx:sa.choudhary
         imagePullPolicy: Always
         name: nginx
         ports:

deploy/aws-nlb/deploy.yaml

@@ -214,7 +214,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
+        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -253,7 +253,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
+      - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx:sa.choudhary
         imagePullPolicy: Always
         name: nginx
         ports:

deploy/azure/deploy.yaml

@@ -647,6 +647,44 @@ spec:
                 - ipv4
                 - ipv6
                 type: string
+              rewriteClientIP:
+                description: RewriteClientIP defines configuration for rewriting the
+                  client IP to the original client's IP.
+                properties:
+                  mode:
+                    description: |-
+                      Mode defines how NGINX will rewrite the client's IP address.
+                      Possible modes: ProxyProtocol, XForwardedFor.
+                    enum:
+                    - ProxyProtocol
+                    - XForwardedFor
+                    type: string
+                  setIPRecursively:
+                    description: |-
+                      SetIPRecursively configures whether recursive search is used for selecting client's
+                      address from the X-Forwarded-For header and used in conjunction with TrustedAddresses.
+                      If enabled, NGINX will recurse on the values in X-Forwarded-Header from the end of
+                      array to start of array and select the first untrusted IP.
+                    type: boolean
+                  trustedAddresses:
+                    description: |-
+                      TrustedAddresses specifies the addresses that are trusted to send correct client IP information.
+                      If a request comes from a trusted address, NGINX will rewrite the client IP information,
+                      and forward it to the backend in the X-Forwarded-For* and X-Real-IP headers.
+                      This field is required if mode is set.
+                    items:
+                      description: |-
+                        TrustedAddress is a string value representing a CIDR block.
+                        Examples: 0.0.0.0/0
+                      pattern: ^(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?:\/(?:[0-9]|[12][0-9]|3[0-2]))?|(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}(?:\/(?:[0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?)$
+                      type: string
+                    maxItems: 16
+                    type: array
+                    x-kubernetes-list-type: atomic
+                type: object
+                x-kubernetes-validations:
+                - message: if mode is set, trustedAddresses is a required field
+                  rule: '!(has(self.mode) && !has(self.trustedAddresses))'
               telemetry:
                 description: Telemetry specifies the OpenTelemetry configuration.
                 properties:

deploy/crds.yaml

@@ -214,7 +214,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
+        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -253,7 +253,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
+      - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx:sa.choudhary
         imagePullPolicy: Always
         name: nginx
         ports:

deploy/default/deploy.yaml

@@ -229,7 +229,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
+        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -268,7 +268,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:edge
+      - image: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:sa.choudhary
         imagePullPolicy: Always
         name: nginx
         ports:

deploy/experimental-nginx-plus/deploy.yaml

@@ -220,7 +220,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
+        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -259,7 +259,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: ghcr.io/nginxinc/nginx-gateway-fabric/nginx:edge
+      - image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric/nginx:sa.choudhary
         imagePullPolicy: Always
         name: nginx
         ports:

deploy/experimental/deploy.yaml

@@ -225,7 +225,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        image: ghcr.io/nginxinc/nginx-gateway-fabric:edge
+        image: gcr.io/f5-gcs-7899-ptg-ingrss-ctlr/nginx-gateway-fabric:sa.choudhary
         imagePullPolicy: Always
         name: nginx-gateway
         ports:
@@ -264,7 +264,7 @@ spec:
           name: nginx-run
         - mountPath: /etc/nginx/includes
           name: nginx-includes
-      - image: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:edge
+      - image: private-registry.nginx.com/nginx-gateway-fabric/nginx-plus:sa.choudhary
         imagePullPolicy: Always
         name: nginx
         ports: