Feat: Support for loadBalancerSourceRanges on the envoy service

[jaynis]

This PR adds support for loadBalancerSourceRanges on the envoy service. loadBalancerSourceRanges are used to specify firewall rules on the underlying load balancer of the kubernetes platform provider, if the provider supports this.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.52%. Comparing base (29946b0) to head (146f5d8).
Report is 54 commits behind head on main.

❗ Current head 146f5d8 differs from pull request most recent head f26c300. Consider uploading reports for the commit f26c300 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2878      +/-   ##
==========================================
- Coverage   66.51%   64.52%   -1.99%     
==========================================
  Files         161      121      -40     
  Lines       22673    21405    -1268     
==========================================
- Hits        15080    13811    -1269     
- Misses       6720     6723       +3     
+ Partials      873      871       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jaynis]

Failing tests seem to be related to #2269. Any idea how to overcome this?

[arkodg]

@jaynis this API may make sense since the knob is specific to LB
to immediately unblock yourself, suggest using the new patch field

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: custom-proxy-config
  namespace: envoy-gateway-system
spec:
  logging:
    level:
      default: warn
  provider:
    kubernetes:
      envoyService:
        patch:
          value:
            spec:
              loadBalancerSourceRanges: 1.0.0.0/8
    type: Kubernetes

[arkodg]

/retest

[arkodg]

can we add a IP Address check in here

[zirain]

/retest

[arkodg]

hey @jaynis still working on this one ?

[jaynis]

Sorry totally forgot about this one. What kind of IP address check do you have in mind there?

[arkodg]

Sorry totally forgot about this one. What kind of IP address check do you have in mind there?

something like

gateway/api/v1alpha1/validation/envoyproxy_validate.go

Line 123 in d383ba5

if ip, err := netip.ParseAddr(*serviceLoadBalancerIP); err != nil || !ip.Unmap().Is4() {

[jaynis]

I have added a CEL validation rule to check whether all loadBalancerSourceRanges have a valid CIDR notation. But now I am hitting some kind of schema validation rule cost budget. Limiting the maximum number of items, as suggested in the error message, does not help either.

Any suggestions how to proceed here @arkodg? Should I simply remove the CEL validation again?

[arkodg]

schema validation rule cost budget

yah should be fine to rm CEL you've already added logic inside the validate method

[arkodg]

LGTM thanks !