egressgw: Stop CEGP parsing in case of non-empty invalid EgressIP

EgressIP field of CiliumEgressGatewayPolicy spec is optional, but if specified, it is used to SNAT egress traffic. Being an optional parameter, no error is logged in case the conversion to netip.Addr fails, and the field is silently ignored. To inform the user of the failure in setting the requested egress IP, fail the CEGP parsing in case of an invalid non-empty egress IP. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
aanm · Jun 7, 2024 · 037623d · 037623d
1 parent ec8e73a
commit 037623d
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/pkg/egressgateway/policy.go b/pkg/egressgateway/policy.go
@@ -230,12 +230,17 @@ func ParseCEGP(cegp *v2.CiliumEgressGatewayPolicy) (*PolicyConfig, error) {
 		return nil, fmt.Errorf("gateway configuration can't specify both an interface and an egress IP")
 	}
 
-	// EgressIP is not a required field, ignore the error if unable to parse.
-	addr, _ := netip.ParseAddr(egressGateway.EgressIP)
 	policyGwc := &policyGatewayConfig{
 		nodeSelector: api.NewESFromK8sLabelSelector("", egressGateway.NodeSelector),
 		iface:        egressGateway.Interface,
-		egressIP:     addr,
+	}
+	// EgressIP is not a required field, validate and parse it only if non-empty
+	if egressGateway.EgressIP != "" {
+		addr, err := netip.ParseAddr(egressGateway.EgressIP)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse egress IP %s: %w", egressGateway.EgressIP, err)
+		}
+		policyGwc.egressIP = addr
 	}
 
 	for _, cidrString := range destinationCIDRs {