Option to disable automatic X-Forwarded-For append/add

[lextiz]

What type of PR is this?

api: add ClientTrafficPolicy option to disable automatic X-Forwarded-For append

What this PR does / why we need it:

This PR adds a new ClientTrafficPolicy option to disable Envoy Gateway’s automatic appending of the downstream address to the X-Forwarded-For header.

Today, EG appends to X-Forwarded-For in both the default HTTP connection manager path and the XFF original IP detection path, without a user-facing way to turn that off. This change exposes a policy-level switch and wires it through to the relevant Envoy settings while preserving existing behavior by default.

The motivation is similar to #8527, which made x-forwarded-host behavior configurable.

Which issue(s) this PR fixes:

No issue exists

Release Notes: Yes

[netlify]

✅ Deploy Preview for cerulean-figolla-1f9435 canceled.

Name	Link
🔨 Latest commit	7dac72a
🔍 Latest deploy log	https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69c92c9c596cbc00080c81d8

[rudrakhp]

When use_remote_address is true, XFF is already skipped.

[rudrakhp]

And if you are setting it to false for using client ip detection then it should be set in the extension not in HCM

[rudrakhp]

gateway/internal/xds/translator/listener.go

Lines 182 to 187 in 3c2fc03

	xffHeaderConfigAny, _ = proto.ToAnyWithValidation(&xffv3.XffConfig{
	XffTrustedCidrs: &xffv3.XffTrustedCidrs{
	Cidrs: trustedCidrs,
	},
	SkipXffAppend: wrapperspb.Bool(false),
	})

[lextiz]

Thanks for the review! I have removed the HCM-level setting entirely and keep SkipXffAppend only in the XFF original IP detection extension config.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.35%. Comparing base (b1d7302) to head (7dac72a).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8576      +/-   ##
==========================================
+ Coverage   74.29%   74.35%   +0.05%     
==========================================
  Files         243      243              
  Lines       38155    38156       +1     
==========================================
+ Hits        28347    28369      +22     
+ Misses       7815     7799      -16     
+ Partials     1993     1988       -5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[lextiz]

@rudrakhp Is there a chance that this change would make it to v1.8?

[rudrakhp]

Suggested change

	DisableXForwardedFor bool `json:"disableXForwardedFor,omitempty" yaml:"disableXForwardedFor,omitempty"`
	DisableXForwardedForAppend bool `json:"disableXForwardedForAppend,omitempty" yaml:"disableXForwardedFor,omitempty"`

[lextiz]

Done

[rudrakhp]

Check if this logic in xffNumTrustedHops() is affected by change in appending behavior. For this we can write a E2E test with XFF append disabled and using num trusted hops.

[lextiz]

Done

[lextiz]

@rudrakhp Could you please approve running the ci-checks?

[rudrakhp]

Wondering about the value proposition here. XFF is appended only if XFF settings in client IP detection is set in CTP. You do this only if downstream is trusted and XFF is reliable. If downstream is NOT trusted (assuming that is why you want to skip appending it's IP to the XFF) then why would you trust the XFF header sent by the downstream? There is no point in configuring XFF based client IP detection.
cc: @envoyproxy/gateway-maintainers

[lextiz]

@rudrakhp @Ido-Itz One of the use cases could be using Envoy as egress: outbound traffic to external destinations in some cases should be free of information like internal pod IPs.

@rudrakhp The conformance and e2e failures seem to be flaky issues, seen in main and other PRs.