Closed jakobmoellerdev closed 1 year ago
Related to #13492
This issue has been automatically marked as stale due to the lack of recent activity. It will soon be closed if no further activity occurs. Thank you for your contributions.
This issue or PR has been automatically marked as stale due to the lack of recent activity. Thank you for your contributions.
This bot triages issues and PRs according to the following rules:
lifecycle/stale is applied
lifecycle/stale was applied, the issue is closed
You can:
/remove-lifecycle stale
/close
If you think that I work incorrectly, kindly raise an issue with the problem.
/lifecycle stale
This can be closed as it is available in Kyma version 2.10; see https://github.com/kyma-project/kyma/issues/15865
Description
During investigation of https://github.com/kyma-incubator/reconciler/issues/959 we noticed that our Audit Logs stopped working correctly due to us not being able to read out X-Forwarded-For headers anymore. This is apparently a regression, as we previously used X-Envoy-External-Address to fetch our IP. I aligned with @veichtj and it seems that we currently do not have support for this from the Istio managed by Kyma. Nevertheless, XFF is a common feature for all applications requiring direct access to Client IP Addresses and Certificates and should be supported.
Expected result
I expect XFF Headers to be supported by propagating them to the application through https://istio.io/latest/docs/ops/configuration/traffic-management/network-topologies/#configuring-x-forwarded-for-headers or something similar.
Actual result
No XFF Headers are set and can be read inside a Kyma Cluster.
Steps to reproduce
A detailed deployment for reproduction is available in the linked issue. You will need to have access to an audit log instance or an application that is able to read out XFF headers. This can be replicated, e.g., by sending requests via KCP CLI or any other external application calling the control-plane.
Troubleshooting
I have discussed with the Istio team on the solution and debugged the issue to verify that the IP headers are missing. The missing IP causes Bad Request (400) responses on the SAP Audit Log Service, so it is easy to spot for us.
The troubleshooting was tried on the KCP, where I opened an issue for supporting XFF independent of the Kyma project development (closely related): https://github.com/kyma-project/control-plane/issues/1490
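An added example, not code from this issue or from the Kyma or reconciler projects: one way an audit-logging service can take the client IP from X-Forwarded-For, fall back to X-Envoy-External-Address, and fail closed when neither carries a valid address. The `trustedHops` parameter, the function name and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ErrNoClientIP signals that no usable client address reached the application.
var ErrNoClientIP = errors.New("no trustworthy client IP in request headers")

// ClientIP returns the caller address to put into an audit record.
// trustedHops (assumption) is the number of right-most X-Forwarded-For entries
// appended by proxies we operate. The entry just left of them is the client;
// anything further left is client-supplied and ignored.
func ClientIP(h http.Header, trustedHops int) (net.IP, error) {
	var hops []string
	for _, line := range h.Values("X-Forwarded-For") {
		for _, p := range strings.Split(line, ",") {
			if p = strings.TrimSpace(p); p != "" {
				hops = append(hops, p)
			}
		}
	}
	if i := len(hops) - 1 - trustedHops; trustedHops >= 0 && i >= 0 {
		if ip := net.ParseIP(hops[i]); ip != nil {
			return ip, nil
		}
		return nil, ErrNoClientIP // the slot we rely on holds garbage
	}
	// Fallback: the header the service read before the regression.
	// Assumption: the edge proxy sets it and strips client-sent copies.
	if ip := net.ParseIP(h.Get("X-Envoy-External-Address")); ip != nil {
		return ip, nil
	}
	return nil, ErrNoClientIP
}

func main() {
	// Constructed request: first entry forged by the client, last added by one proxy.
	h := http.Header{}
	h.Add("X-Forwarded-For", "198.51.100.9, 203.0.113.7, 10.0.0.5")
	fmt.Println(ClientIP(h, 1))
}
```

Returning an error instead of an empty address lets the caller reject or flag the request locally rather than forward an audit event without an IP.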