Add integration test for gateway topology using X-Forwarded-For (isti…

…o#30509)

Co-authored-by: Jacob Delgado <[email protected]>

pkg/test/framework/features/features.yaml

@@ -43,6 +43,7 @@ features:
  mirroring:
  ingress:
  loadbalancing:
+ topology:
  ratelimit:
  envoy:
  original-source-ip:

tests/integration/pilot/common/routing.go

@@ -627,6 +627,61 @@ spec:
  return cases
 }
 
+func XFFGatewayCase(apps *EchoDeployments) []TrafficTestCase {
+ cases := []TrafficTestCase{}
+
+ destinationSets := []echo.Instances{
+ apps.PodA,
+ }
+
+ for _, d := range destinationSets {
+ d := d
+ if len(d) == 0 {
+ continue
+ }
+ fqdn := d[0].Config().FQDN()
+ cases = append(cases, TrafficTestCase{
+ name: d[0].Config().Service,
+ config: httpGateway("*") + httpVirtualService("gateway", fqdn, d[0].Config().PortByName("http").ServicePort),
+ skip: false,
+ call: apps.Ingress.CallEchoWithRetryOrFail,
+ opts: echo.CallOptions{
+ Port: &echo.Port{
+ Protocol: protocol.HTTP,
+ },
+ Headers: map[string][]string{
+ "X-Forwarded-For": {"56.5.6.7, 72.9.5.6, 98.1.2.3"},
+ "Host": {fqdn},
+ },
+ Validator: echo.ValidatorFunc(
+ func(response echoclient.ParsedResponses, _ error) error {
+ return response.Check(func(_ int, response *echoclient.ParsedResponse) error {
+ externalAddress, ok := response.RawResponse["X-Envoy-External-Address"]
+ if !ok {
+ return fmt.Errorf("missing X-Envoy-External-Address Header")
+ }
+ if err := ExpectString(externalAddress, "72.9.5.6", "envoy-external-address header"); err != nil {
+ return err
+ }
+ xffHeader, ok := response.RawResponse["X-Forwarded-For"]
+ if !ok {
+ return fmt.Errorf("missing X-Forwarded-For Header")
+ }
+
+ xffIPs := strings.Split(xffHeader, ",")
+ if len(xffIPs) != 4 {
+ return fmt.Errorf("did not receive expected 4 hosts in X-Forwarded-For header")
+ }
+
+ return ExpectString(strings.TrimSpace(xffIPs[1]), "72.9.5.6", "ip in xff header")
+ })
+ }),
+ },
+ })
+ }
+ return cases
+}
+
 // serviceCases tests overlapping Services. There are a few cases.
 // Consider we have our base service B, with service port P and target port T
 // 1) Another service, B', with P -> T. In this case, both the listener and the cluster will conflict.

tests/integration/pilot/gateway_topology/gw_topology_test.go

@@ -0,0 +1,69 @@
+// +build integ
+// Copyright Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gwtopology
+
+import (
+ "testing"
+
+ "istio.io/istio/pkg/test/framework"
+ "istio.io/istio/pkg/test/framework/components/istio"
+ "istio.io/istio/pkg/test/framework/resource"
+ "istio.io/istio/tests/integration/pilot/common"
+)
+
+var (
+ i istio.Instance
+ apps = &common.EchoDeployments{}
+)
+
+func TestMain(m *testing.M) {
+ framework.
+ NewSuite(m).
+ Setup(istio.Setup(&i, func(ctx resource.Context, cfg *istio.Config) {
+ cfg.ControlPlaneValues = `
+meshConfig:
+ defaultConfig:
+ gatewayTopology:
+ numTrustedProxies: 2`
+ })).
+ Setup(func(ctx resource.Context) error {
+ return common.SetupApps(ctx, i, apps)
+ }).
+ Run()
+}
+
+func TestTraffic(t *testing.T) {
+ framework.
+ NewTest(t).
+ Features("traffic.ingress.topology").
+ Run(func(ctx framework.TestContext) {
+ runXFFTrafficTests(ctx, apps)
+ })
+}
+
+func runXFFTrafficTests(ctx framework.TestContext, apps *common.EchoDeployments) {
+ cases := map[string][]common.TrafficTestCase{
+ "xff": common.XFFGatewayCase(apps),
+ }
+
+ for name, tts := range cases {
+ ctx.NewSubTest(name).Run(func(ctx framework.TestContext) {
+ for _, tt := range tts {
+ tt.Run(ctx, apps.Namespace.Name())
+ }
+ })
+ }
+}