
Request.ClientIPAddresses does not contain expected IP addresses #3133

@dadrus

Description


Preflight checklist

  • I agree to follow this project's Code of Conduct.
  • I have read and am following this repository's Contribution Guidelines.
  • I could not find a solution in the existing issues, docs, nor discussions.

Describe the bug

There appears to be a regression in heimdall 0.17.11 affecting CEL expressions that rely on Request.ClientIPAddresses. At least, the following CEL expression used to work with 0.17.1: Request.ClientIPAddresses[0] in networks(...)

How can the bug be reproduced

  1. Checkout the tag v0.17.1
  2. Update the configuration of heimdall in kubernetes based examples by adding a cel authorizer config as shown below
  3. Update the ruleset used by the echo-service in kubernetes based examples by adding a rule which uses the new configuration as also shown in the configuration section below.
  4. Start, e.g., the traefik based example: just install-traefik-gw-demo
  5. Send a request: curl -vk --resolve echo-app.local:443:${SERVICE_IP} https://echo-app.local/cel
  6. Observe that authorization works as expected
  7. Checkout the tag v0.17.11
  8. Apply the same configuration and repeat the same request
  9. Observe that authorization now fails

Relevant log output

{"_level_name":"INFO","version":"1.1","host":"heimdall-694d466457-tm5xj","_error":"authorization error: Not authorized","timestamp":1774170212,"level":6,"short_message":"Pipeline step execution failed"}

Relevant configuration

# in modules/heimdall/config/heimdall.yaml
# add the following to the configured authorizers
- id: cel
  type: cel
  config:
    expressions:
      - expression: "false == true"

# in modules/echo-app/manifests/rules.yaml
# add the following to the end of the ruleset
- id: test:cel
  match:
    routes:
      - path: /cel
    methods: [ GET, POST ]
  # execute is a sibling of match at the rule level, not nested under it
  execute:
    - authorizer: cel
      config:
        expressions:
          # note that 172.18.0.0/24 is my host network
          # it may differ in your case
          # (kept as YAML comments: CEL does not treat '#' as a comment,
          # so they must not end up inside the expression string)
          - expression: |
              Request.ClientIPAddresses[0] in networks("172.18.0.0/24")
            message: "Not authorized"
    - finalizer: create_jwt

Version

0.17.11

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response

Labels: bug