Open zetaab opened 1 month ago
cc @nezdolik
GeoIP databases are pretty large, so I think Envoy Gateway should download the database from a normal HTTP URL and then somehow upload that to envoyproxy? Wasm uses HTTP, but envoyproxy handles the download: https://github.com/envoyproxy/gateway/blob/main/api/v1alpha1/wasm_types.go#L74
Perhaps that geoip plugin in envoyproxy could handle the download from http_uri, but it needs envoyproxy changes.
Currently Envoyproxy expects the databases to be present at the configured location on startup, so Envoy Gateway (infra module?) could download the databases prior to spinning up Envoyproxies.
What could be the correct place for this configuration? I am thinking could it fit under securitypolicy?
Logically it does not belong to SecurityPolicy (API allowing system administrators to configure authentication and authorization policies to the traffic entering the gateway).
@zetaab feel free to raise a feature request in the envoyproxy repo.
IMO, it does belong to the securitypolicy API. If we have, say, 2 APIs: https://foobar.com and https://huuh.com. We want https://huh.com to allow all traffic from everywhere, and we want to limit https://foobar.com to, for instance, only allow Sweden. What could be a better place for that? In the securitypolicy API we can already configure whether we allow or deny IP addresses; this is kind of similar stuff but with countries in it?
@zetaab from that perspective yes, if you bundle the geolocation feature with RBAC. But the geolocation filter on its own just appends geolocation information to the request.
@nezdolik right. So basically the geoip filter should be before RBAC (securitypolicy authorization), and then in authorization we should have the possibility to deny/allow by header, for instance. If authorization is not used, then the geoip headers are just applied to the request and forwarded.
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
Description: we would like to use GeoIP support with Envoy Gateway. It seems that envoyproxy itself supports that already: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/geoip_filter
What could be the correct place for this configuration? I am thinking could it fit under securitypolicy? Basically this is similar to what "authorization" has, but I have no idea whether it should be under authorization or just under the securitypolicy spec.
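
The ordering discussed in the thread (geoip filter ahead of authorization, which then allows or denies by header), written as a raw Envoy `http_filters` fragment. This is an added example, not Envoy Gateway API and not configuration from any participant; the `x-geo-country` header name, the single trusted hop and the database path are assumptions.

```yaml
# Added example: raw Envoy HTTP connection manager fragment, not Envoy Gateway API.
http_filters:
# 1. GeoIP filter runs first and writes the lookup result into a request header.
- name: envoy.filters.http.geoip
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.geoip.v3.Geoip
    xff_config:
      # Assumption: exactly one trusted proxy sits in front of Envoy. The country
      # is looked up for the address this setting selects from x-forwarded-for.
      xff_num_trusted_hops: 1
    provider:
      name: envoy.geoip_providers.maxmind
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.geoip_providers.maxmind.v3.MaxMindConfig
        common_provider_config:
          geo_headers_to_add:
            country: x-geo-country   # assumed header name
        # Placeholder path; the database must already be on disk when Envoy starts.
        city_db_path: /path/to/GeoLite2-City.mmdb
# 2. RBAC filter authorizes on the header set by the filter above.
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    rules:
      action: ALLOW
      policies:
        # foobar.com is reachable only when the lookup returned Sweden.
        foobar-sweden-only:
          permissions:
          - header:
              name: ":authority"
              string_match: {exact: foobar.com}
          principals:
          - header:
              name: x-geo-country
              string_match: {exact: SE}
        # Every other host stays open to all sources.
        other-hosts-open:
          permissions:
          - not_rule:
              header:
                name: ":authority"
                string_match: {exact: foobar.com}
          principals:
          - any: true
# 3. Router stays last; without the RBAC filter the geo header is simply forwarded.
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```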