update api

Signed-off-by: Huabing (Robin) Zhao <[email protected]>

Author: zhaohuabing

api/v1alpha1/authorization_types.go

@@ -72,7 +72,7 @@ type Operation struct {
 // or any other identity that can be extracted from a custom header.
 // If there are multiple principal types, all principals must match for the rule to match.
 //
-// +kubebuilder:validation:XValidation:rule="(has(self.clientCIDRs) || has(self.jwt) || has(self.headers))",message="at least one of clientCIDRs, jwt, or headers must be specified"
+// +kubebuilder:validation:XValidation:rule="(has(self.clientCIDRs) || has(self.jwt) || has(self.headers) || has(self.geoLocation))",message="at least one of clientCIDRs, jwt, headers, or geoLocation must be specified"
 type Principal struct {
 	// ClientCIDRs are the IP CIDR ranges of the client.
 	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
@@ -110,6 +110,46 @@ type Principal struct {
 	// +kubebuilder:validation:MinItems=1
 	// +kubebuilder:validation:MaxItems=256
 	Headers []AuthorizationHeaderMatch `json:"headers,omitempty"`
+
+	// GeoLocation authorizes the request based on geolocation metadata derived from the client IP.
+	//
+	// +optional
+	// +notImplementedHide
+	GeoLocation *GeoLocationPrincipal `json:"geoLocation,omitempty"`
+}
+
+// GeoLocationPrincipal specifies geolocation-based match criteria for authorization.
+//
+// +kubebuilder:validation:XValidation:rule="(has(self.countries) || has(self.regions) || has(self.cities) || has(self.asns) || has(self.anonymous))",message="at least one of countries, regions, cities, asns, or anonymous must be specified"
+type GeoLocationPrincipal struct {
+	// Countries is a list of ISO 3166-1 alpha-2 country codes.
+	//
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	Countries []string `json:"countries,omitempty"`
+
+	// Regions refines matching to ISO 3166-2 subdivisions.
+	//
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	Regions []GeoIPRegion `json:"regions,omitempty"`
+
+	// Cities refines matching to specific city names.
+	//
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	Cities []GeoIPCity `json:"cities,omitempty"`
+
+	// ASNs matches the autonomous system numbers associated with the client IP.
+	//
+	// +optional
+	// +kubebuilder:validation:MinItems=1
+	ASNs []uint32 `json:"asns,omitempty"`
+
+	// Anonymous matches anonymous network detection signals.
+	//
+	// +optional
+	Anonymous *GeoIPAnonymousMatch `json:"anonymous,omitempty"`
 }
 
 // AuthorizationHeaderMatch specifies how to match against the value of an HTTP header within a authorization rule.

api/v1alpha1/envoyproxy_types.go

@@ -77,6 +77,11 @@ type EnvoyProxySpec struct {
 	// +optional
 	RoutingType *RoutingType `json:"routingType,omitempty"`
 
+	// GeoIP defines shared GeoIP provider configuration for this EnvoyProxy fleet.
+	//
+	// +optional
+	GeoIP *EnvoyProxyGeoIP `json:"geoIP,omitempty"`
+
 	// ExtraArgs defines additional command line options that are provided to Envoy.
 	// More info: https://www.envoyproxy.io/docs/envoy/latest/operations/cli#command-line-options
 	// Note: some command line options are used internally(e.g. --log-level) so they cannot be provided here.
@@ -182,6 +187,12 @@ type EnvoyProxySpec struct {
 	LuaValidation *LuaValidation `json:"luaValidation,omitempty"`
 }
 
+// EnvoyProxyGeoIP defines shared GeoIP provider settings for EnvoyProxy.
+type EnvoyProxyGeoIP struct {
+	// Provider defines the GeoIP provider configuration used by GeoIP filter instances.
+	Provider GeoIPProvider `json:"provider"`
+}
+
 // +kubebuilder:validation:Enum=Strict;InsecureSyntax;Disabled
 type LuaValidation string
 
@@ -246,7 +257,7 @@ type FilterPosition struct {
 }
 
 // EnvoyFilter defines the type of Envoy HTTP filter.
-// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.api_key_auth;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.buffer;envoy.filters.http.lua;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.grpc_web;envoy.filters.http.grpc_stats;envoy.filters.http.custom_response;envoy.filters.http.credential_injector;envoy.filters.http.compressor;envoy.filters.http.dynamic_forward_proxy
+// +kubebuilder:validation:Enum=envoy.filters.http.health_check;envoy.filters.http.fault;envoy.filters.http.cors;envoy.filters.http.ext_authz;envoy.filters.http.api_key_auth;envoy.filters.http.basic_auth;envoy.filters.http.oauth2;envoy.filters.http.jwt_authn;envoy.filters.http.stateful_session;envoy.filters.http.buffer;envoy.filters.http.lua;envoy.filters.http.ext_proc;envoy.filters.http.wasm;envoy.filters.http.geoip;envoy.filters.http.rbac;envoy.filters.http.local_ratelimit;envoy.filters.http.ratelimit;envoy.filters.http.grpc_web;envoy.filters.http.grpc_stats;envoy.filters.http.custom_response;envoy.filters.http.credential_injector;envoy.filters.http.compressor;envoy.filters.http.dynamic_forward_proxy
 type EnvoyFilter string
 
 const (
@@ -284,6 +295,9 @@ const (
 	// EnvoyFilterWasm defines the Envoy HTTP WebAssembly filter.
 	EnvoyFilterWasm EnvoyFilter = "envoy.filters.http.wasm"
 
+	// EnvoyFilterGeoIP defines the Envoy HTTP GeoIP filter.
+	EnvoyFilterGeoIP EnvoyFilter = "envoy.filters.http.geoip"
+
 	// EnvoyFilterLua defines the Envoy HTTP Lua filter.
 	EnvoyFilterLua EnvoyFilter = "envoy.filters.http.lua"
 

api/v1alpha1/geoip_types.go

@@ -5,68 +5,6 @@
 
 package v1alpha1
 
-// GeoIP defines GeoIP enrichment and access control configuration.
-type GeoIP struct {
-	// Source configures how the client IP is extracted before being passed to the provider.
-	// If unset, Envoy falls back to using the immediate downstream connection address.
-	//
-	// +optional
-	Source *GeoIPSource `json:"source,omitempty"`
-
-	// Provider defines the GeoIP provider configuration.
-	Provider GeoIPProvider `json:"provider"`
-
-	// Access defines the GeoIP based access control configuration.
-	//
-	// +optional
-	Access *GeoIPAccessControl `json:"access,omitempty"`
-}
-
-// GeoIPSource configures how Envoy determines the client IP address that is passed to the provider.
-// +kubebuilder:validation:XValidation:rule="self.type == 'XFF' ? has(self.xff) && !has(self.header) : self.type == 'Header' ? has(self.header) && !has(self.xff) : true",message="When type is XFF, xff must be set (and header unset). When type is Header, header must be set (and xff unset)."
-type GeoIPSource struct {
-	// +kubebuilder:validation:Enum=XFF;Header
-	// +kubebuilder:validation:Required
-	Type GeoIPSourceType `json:"type"`
-
-	// XFF configures extraction based on the X-Forwarded-For header chain.
-	//
-	// +optional
-	XFF *GeoIPXFFSource `json:"xff,omitempty"`
-
-	// Header configures extraction from a custom header.
-	//
-	// +optional
-	Header *GeoIPHeaderSource `json:"header,omitempty"`
-}
-
-// GeoIPSourceType enumerates supported client IP sources.
-type GeoIPSourceType string
-
-const (
-	// GeoIPSourceTypeXFF instructs Envoy to honor the X-Forwarded-For header count.
-	GeoIPSourceTypeXFF GeoIPSourceType = "XFF"
-	// GeoIPSourceTypeHeader instructs Envoy to read a custom request header.
-	GeoIPSourceTypeHeader GeoIPSourceType = "Header"
-)
-
-// GeoIPXFFSource configures trusted hop count for XFF parsing.
-type GeoIPXFFSource struct {
-	// TrustedHops defines the number of trusted hops from the right side of XFF.
-	// Defaults to 0 when unset.
-	//
-	// +optional
-	TrustedHops *uint32 `json:"trustedHops,omitempty"`
-}
-
-// GeoIPHeaderSource configures extraction from a custom header.
-type GeoIPHeaderSource struct {
-	// HeaderName is the HTTP header that carries the client IP.
-	//
-	// +kubebuilder:validation:MinLength=1
-	HeaderName string `json:"headerName"`
-}
-
 // GeoIPProvider defines provider-specific settings.
 // +kubebuilder:validation:XValidation:rule="self.type == 'MaxMind' ? has(self.MaxMind) : true",message="MaxMind must be set when type is MaxMind"
 type GeoIPProvider struct {
@@ -123,42 +61,6 @@ type GeoIPMaxMind struct {
 	AnonymousIPDBPath *string `json:"anonymousIpDbPath,omitempty"`
 }
 
-// GeoIPAccessControl defines GeoIP-based allow/deny lists.
-type GeoIPAccessControl struct {
-	// DefaultAction defines how to handle requests that do not match any rule or lack GeoIP data.
-	// Defaults to Allow when unset.
-	//
-	// +optional
-	DefaultAction *AuthorizationAction `json:"defaultAction,omitempty"`
-
-	// Rules evaluated in order. The first matching rule's action applies.
-	//
-	// +optional
-	Rules []GeoIPRule `json:"rules,omitempty"`
-}
-
-// GeoIPRule defines a single GeoIP allow/deny rule.
-// +kubebuilder:validation:XValidation:rule="has(self.countries) || has(self.regions) || has(self.cities)",message="At least one of countries, regions, or cities must be specified"
-type GeoIPRule struct {
-	// Action is reused from Authorization rules (Allow or Deny).
-	Action AuthorizationAction `json:"action"`
-
-	// Countries is a list of ISO 3166-1 alpha-2 country codes.
-	//
-	// +optional
-	Countries []string `json:"countries,omitempty"`
-
-	// Regions refines matching to ISO 3166-2 subdivisions.
-	//
-	// +optional
-	Regions []GeoIPRegion `json:"regions,omitempty"`
-
-	// Cities refines matching to specific city names.
-	//
-	// +optional
-	Cities []GeoIPCity `json:"cities,omitempty"`
-}
-
 // GeoIPRegion selects a region within a country.
 // +kubebuilder:validation:XValidation:rule="has(self.countryCode) && has(self.regionCode)",message="countryCode and regionCode must both be set"
 type GeoIPRegion struct {
@@ -193,3 +95,31 @@ type GeoIPCity struct {
 	// +kubebuilder:validation:MinLength=1
 	CityName string `json:"cityName"`
 }
+
+// GeoIPAnonymousMatch matches anonymous network signals emitted by the GeoIP provider.
+type GeoIPAnonymousMatch struct {
+	// IsAnonymous matches whether the client IP is considered anonymous.
+	//
+	// +optional
+	IsAnonymous *bool `json:"isAnonymous,omitempty"`
+
+	// IsVPN matches whether the client IP is detected as VPN.
+	//
+	// +optional
+	IsVPN *bool `json:"isVPN,omitempty"`
+
+	// IsHosting matches whether the client IP belongs to a hosting provider.
+	//
+	// +optional
+	IsHosting *bool `json:"isHosting,omitempty"`
+
+	// IsTor matches whether the client IP belongs to a Tor exit node.
+	//
+	// +optional
+	IsTor *bool `json:"isTor,omitempty"`
+
+	// IsProxy matches whether the client IP belongs to a public proxy.
+	//
+	// +optional
+	IsProxy *bool `json:"isProxy,omitempty"`
+}

api/v1alpha1/securitypolicy_types.go

@@ -82,12 +82,6 @@ type SecurityPolicySpec struct {
 	// +optional
 	ExtAuth *ExtAuth `json:"extAuth,omitempty"`
 
-	// GeoIP defines the configuration for GeoIP based request enrichment and access control.
-	//
-	// +optional
-	// +notImplementedHide
-	GeoIP *GeoIP `json:"geoip,omitempty"`
-
 	// Authorization defines the authorization configuration.
 	//
 	// +optional