Description
Describe the feature request
Envoy has just merged support for configuring trusted CIDRs for X-Forwarded-For.
envoyproxy/envoy#31831
This feature will be a better alternative to numTrustedProxies which is available today. Only one of numTrustedProxies or xff_trusted_cidrs can be used.
The original client IP address can be determined from the x-forwarded-for header either by a fixed number of trusted hops, or by evaluating the client IP address against a list of trusted addresses.
This adds support for configuring a list of CIDRs in the xff original IP detection extension. The remote IP address is evaluated against these, and optionally recurses through XFF to find the last non-trusted address.
Additional Description:
This feature is generally used by people with a CDN in front of their edge proxy to ensure that XFF is only parsed when the remote connection comes from a CDN server.
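To make the trusted-CIDR detection mode concrete, here is an added Go model of the algorithm as the issue describes it (this is illustrative code, not Envoy's extension or Istio's implementation): the peer address is checked against the configured CIDRs; if the peer is not trusted the x-forwarded-for header is ignored entirely, otherwise the header is walked from right to left, and with recursion enabled every trusted address is skipped until the first non-trusted one. Two details are assumptions of this example rather than statements about Envoy: when every XFF entry is trusted the leftmost entry is returned, and a malformed XFF entry stops the walk and falls back to the peer address. The CIDRs and addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Detection is the outcome of original-client-IP detection for one request.
type Detection struct {
	ClientIP netip.Addr
	FromXFF  bool // true when taken from x-forwarded-for, false when the peer address was used
}

// ParseTrustedCIDRs parses the configured trusted ranges (e.g. a CDN's egress
// ranges) into prefixes. Any bad entry is treated as a configuration error.
func ParseTrustedCIDRs(cidrs []string) ([]netip.Prefix, error) {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(strings.TrimSpace(c))
		if err != nil {
			return nil, fmt.Errorf("trusted CIDR %q: %w", c, err)
		}
		out = append(out, p.Masked())
	}
	return out, nil
}

// isTrusted reports whether a falls inside any trusted prefix.
func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	a = a.Unmap() // ::ffff:1.2.3.4 should match an IPv4 prefix
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// splitXFF turns "a, b ,c" into ["a","b","c"], dropping empty entries.
func splitXFF(xff string) []string {
	var hops []string
	for _, h := range strings.Split(xff, ",") {
		if h = strings.TrimSpace(h); h != "" {
			hops = append(hops, h)
		}
	}
	return hops
}

// ClientIPByTrustedCIDRs models the xff_trusted_cidrs mode: XFF is only
// consulted when the peer is trusted; with recurse=true the walk skips
// trusted hops and stops at the last non-trusted address.
func ClientIPByTrustedCIDRs(remote netip.Addr, xff string, trusted []netip.Prefix, recurse bool) Detection {
	if !isTrusted(remote, trusted) {
		// Untrusted peer: the header is attacker-controlled, so ignore it.
		return Detection{ClientIP: remote}
	}
	hops := splitXFF(xff)
	if len(hops) == 0 {
		return Detection{ClientIP: remote}
	}
	for i := len(hops) - 1; i >= 0; i-- {
		addr, err := netip.ParseAddr(hops[i])
		if err != nil {
			// Assumption of this example: a malformed entry ends the walk.
			return Detection{ClientIP: remote}
		}
		if !recurse || !isTrusted(addr, trusted) {
			return Detection{ClientIP: addr, FromXFF: true}
		}
	}
	// Assumption of this example: every entry was trusted, use the leftmost.
	addr, _ := netip.ParseAddr(hops[0])
	return Detection{ClientIP: addr, FromXFF: true}
}

func main() {
	// Constructed sample config: a "CDN" range and an internal range.
	trusted, err := ParseTrustedCIDRs([]string{"203.0.113.0/24", "10.0.0.0/8"})
	if err != nil {
		panic(err)
	}
	cases := []struct {
		remote, xff string
		recurse     bool
	}{
		{"198.51.100.7", "192.0.2.1", true},          // untrusted peer, forged XFF
		{"203.0.113.10", "192.0.2.50, 10.1.2.3", true}, // trusted peer, recurse past internal hop
		{"203.0.113.10", "192.0.2.50, 10.1.2.3", false},
	}
	for _, c := range cases {
		d := ClientIPByTrustedCIDRs(netip.MustParseAddr(c.remote), c.xff, trusted, c.recurse)
		fmt.Printf("remote=%s xff=%q recurse=%v -> client=%s fromXFF=%v\n",
			c.remote, c.xff, c.recurse, d.ClientIP, d.FromXFF)
	}
}
```

The first case is the point of the feature: a peer outside the trusted ranges cannot influence the detected client address by sending its own x-forwarded-for, which a fixed hop count cannot guarantee when the same listener is reachable both through the CDN and directly.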
Describe alternatives you've considered
Affected product area (please put an X in all that apply)
[ ] Ambient
[ ] Docs
[ ] Dual Stack
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[x] Extensions and Telemetry
[x] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Affected features (please put an X in all that apply)
[ ] Multi Cluster
[ ] Virtual Machine
[ ] Multi Control Plane
Additional context