
feat: support enabling proxy protocol v2 for istio gateways#2660

Merged
joelmccoy merged 5 commits into main from joel/core-526 on May 8, 2026

Conversation

@joelmccoy joelmccoy commented May 7, 2026

Description

Istio's built-in PROXY protocol v2 setting (meshConfig.defaultConfig.gatewayTopology.proxyProtocol) only supports strict mode, which rejects any connection that doesn't carry a PP2 header. In-cluster mesh traffic to the gateway never includes a PP2 header, as mesh routing bypasses the upstream NLB. As a result, strict mode disrupts SSO flows, such as Grafana to Keycloak.

This PR introduces an opt-in proxyProtocol.enabled value in the per-gateway uds-istio-config chart. When enabled, it creates an EnvoyFilter that parses PROXY protocol v2 in permissive mode—allowing external NLB traffic with a PP2 header to be parsed while permitting in-cluster traffic without one.

Also adds a new how-to guide that explains when to enable PP2, the per-gateway scoping, and why it should not be combined with the istiod global setting.

Related Issue

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Steps to Validate

  • set proxyProtocol.enabled: true and uds run to ensure this doesn't break local deployments (confirms permissive mode, since local k3d setup does not use PP2)

Checklist before merging

Copilot AI review requested due to automatic review settings May 7, 2026 16:14
@joelmccoy joelmccoy requested a review from a team as a code owner May 7, 2026 16:14
greptile-apps Bot commented May 7, 2026

Greptile Summary

This PR adds opt-in PROXY protocol v2 (PP2) support for UDS Core Istio gateways by deploying an EnvoyFilter in permissive mode (allow_requests_without_proxy_protocol: true), solving the incompatibility between Istio's global strict-mode PP2 setting and in-cluster mesh traffic. It is scoped per-gateway via a new proxyProtocol.enabled value in the uds-istio-config Helm chart.

  • Adds proxy-protocol-envoyfilter.yaml template that creates an EnvoyFilter with INSERT_FIRST on the LISTENER_FILTER chain when proxyProtocol.enabled: true, with explicit warnings in values.yaml about the source-IP spoofing trust boundary.
  • Adds helm-unittest coverage for enabled/disabled states across tenant and admin gateways.
  • Adds a comprehensive how-to guide with caution callouts, troubleshooting steps, and verification commands.

Confidence Score: 5/5

Safe to merge — the EnvoyFilter is opt-in (disabled by default), uses permissive mode to protect in-cluster traffic, and is properly scoped to individual gateway workloads.

The implementation is correct: INSERT_FIRST on LISTENER_FILTER ensures PP2 is parsed before TLS inspection, permissive mode keeps in-cluster mesh traffic working, and the EnvoyFilter workloadSelector scopes it tightly to the specific gateway pod. Tests cover all key render/no-render paths. Default is false, so existing deployments are unaffected.

No files require special attention.

Important Files Changed

src/istio/charts/uds-istio-config/templates/proxy-protocol-envoyfilter.yaml
    New EnvoyFilter template correctly uses LISTENER_FILTER/INSERT_FIRST/permissive mode; workloadSelector and namespace are properly derived from chart values.

src/istio/charts/uds-istio-config/tests/proxy_protocol_envoyfilter_test.yaml
    Helm unit tests cover disabled (no render), tenant, and admin gateway cases with thorough path assertions on all key EnvoyFilter fields.

src/istio/charts/uds-istio-config/values.yaml
    Adds proxyProtocol.enabled defaulting to false with well-documented trust-boundary warnings; copyright year updated correctly to 2024-2026 per CLAUDE.md.

docs/how-to-guides/networking/configure-nlb-proxy-protocol.mdx
    New how-to guide follows all style-rules conventions (GFM callout syntax, sentence-case headings, symptom/solution troubleshooting pattern, correct sidebar order 2.011).

Sequence Diagram

sequenceDiagram
    participant NLB as Upstream NLB
    participant EF as Envoy (proxy_protocol filter INSERT_FIRST, permissive)
    participant GW as Istio Gateway Listener
    participant Mesh as In-cluster Mesh Traffic

    NLB->>EF: TCP connection + PP2 header (real client IP)
    Note over EF: Parses PP2 header, extracts source IP
    EF->>GW: Forwards with source IP metadata
    GW-->>NLB: Response

    Mesh->>EF: TCP connection (no PP2 header)
    Note over EF: allow_requests_without_proxy_protocol=true, passes through
    EF->>GW: Forwards (mesh source IP unchanged)
    GW-->>Mesh: Response (SSO flows intact)

Reviews (3): Last reviewed commit: "chore: address feedback and callout admi..."
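The strict-versus-permissive decision that the PR description and the Greptile summary describe, modelled in Python as an added example (this is neither the PR's EnvoyFilter nor Envoy's own code): a PROXY protocol v2 header parser that extracts the client address when an NLB prepends a header, passes header-less in-cluster connections through when allow_requests_without_proxy_protocol is true, and rejects them in strict mode. The function names, the ConnInfo tuple and the sample addresses are constructed for this illustration.

```python
import ipaddress
import struct
from collections import namedtuple

# PROXY protocol v2 constants from the haproxy PROXY protocol specification.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_FIXED_LEN = 16  # signature(12) + ver/cmd(1) + family/proto(1) + addr_len(2)
FAMILIES = {0x1: (ipaddress.IPv4Address, 4), 0x2: (ipaddress.IPv6Address, 16)}  # nibble -> (class, addr size)

class ProxyProtocolError(Exception):
    """Connection must be rejected (Envoy closes the socket)."""

# source_ip/port: what the gateway treats as the client; payload: bytes passed to the next listener filter
ConnInfo = namedtuple("ConnInfo", "source_ip source_port pp2_present payload")

def parse_pp2_header(data: bytes):
    """(source_ip, source_port, bytes_consumed), or None if no PP2 signature; source_ip is None for LOCAL."""
    if len(data) < PP2_FIXED_LEN or data[:12] != PP2_SIGNATURE:
        return None
    ver_cmd, fam_proto, addr_len = struct.unpack("!BBH", data[12:16])
    total = PP2_FIXED_LEN + addr_len
    if ver_cmd >> 4 != 2 or len(data) < total:
        raise ProxyProtocolError("bad version or truncated PROXY protocol header")
    if ver_cmd & 0x0F == 0x0:  # LOCAL (e.g. NLB health check): keep the TCP peer address
        return None, 0, total
    cls, n = FAMILIES.get(fam_proto >> 4, (None, 0))
    if cls is None or addr_len < 2 * n + 4:
        raise ProxyProtocolError("unsupported address family or short address block")
    src_ip = str(cls(data[16:16 + n]))
    src_port = struct.unpack("!H", data[16 + 2 * n:18 + 2 * n])[0]
    return src_ip, src_port, total  # any TLVs after the addresses are skipped

def accept_connection(data: bytes, peer_ip: str, peer_port: int,
                      allow_requests_without_proxy_protocol: bool) -> ConnInfo:
    """Model Envoy's proxy_protocol listener filter deciding on one new connection."""
    parsed = parse_pp2_header(data)
    if parsed is None:  # no header: what in-cluster mesh traffic to the gateway looks like
        if not allow_requests_without_proxy_protocol:
            raise ProxyProtocolError("strict mode: no PROXY protocol header")
        return ConnInfo(peer_ip, peer_port, False, data)
    src_ip, src_port, consumed = parsed
    if src_ip is None:
        src_ip, src_port = peer_ip, peer_port
    # Trust boundary: a parsed address is only as trustworthy as the peers able to reach the listener.
    return ConnInfo(src_ip, src_port, True, data[consumed:])

def build_pp2_ipv4(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Constructed sample header as an NLB would prepend it: PROXY cmd, AF_INET, STREAM."""
    addrs = ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, 12) + addrs + struct.pack("!HH", src_port, dst_port)
```

Feeding the same header-less bytes through with the flag set to False reproduces the strict-mode rejection that breaks in-cluster SSO flows, while the flag set to True leaves the mesh peer address in place.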

Copilot AI left a comment


Pull request overview

This PR adds an opt-in, per-gateway mechanism to parse PROXY protocol v2 in permissive mode for Istio ingress gateways, avoiding the breakage caused by Istio’s global strict-mode setting when in-cluster mesh traffic hits the gateway. It also adds chart-level unit tests and a new how-to guide documenting when and how to enable this safely.

Changes:

  • Add proxyProtocol.enabled to uds-istio-config values and render a gated EnvoyFilter that installs Envoy’s proxy_protocol listener filter with allow_requests_without_proxy_protocol: true.
  • Add helm-unittest coverage to ensure the EnvoyFilter is conditionally rendered and correctly scoped per gateway.
  • Add a networking how-to guide explaining PP2 enablement, per-gateway scoping, and why it must not be combined with Istio’s global proxy protocol setting.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

src/istio/charts/uds-istio-config/values.yaml
    Adds the proxyProtocol.enabled value and updates the copyright year range.

src/istio/charts/uds-istio-config/templates/proxy-protocol-envoyfilter.yaml
    New EnvoyFilter template to enable permissive PP2 parsing per gateway.

src/istio/charts/uds-istio-config/tests/proxy_protocol_envoyfilter_test.yaml
    New helm-unittest suite validating conditional rendering and selector scoping.

docs/how-to-guides/networking/configure-nlb-proxy-protocol.mdx
    New guide documenting PP2 use cases, configuration, and verification steps.

@joelmccoy joelmccoy marked this pull request as draft May 7, 2026 16:31
@joelmccoy joelmccoy requested a review from Copilot May 7, 2026 16:49
@joelmccoy joelmccoy marked this pull request as ready for review May 7, 2026 16:51
@joelmccoy joelmccoy (Contributor, Author) commented:

@greptileai review

Copilot AI left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

chance-coleman previously approved these changes May 7, 2026

@chance-coleman chance-coleman left a comment

LGTM. Non-blocking style nit: Prerequisites should have a lead-in sentence per style guide.

@joelmccoy joelmccoy merged commit 5b95740 into main May 8, 2026
47 of 53 checks passed
@joelmccoy joelmccoy deleted the joel/core-526 branch May 8, 2026 15:12