Forward the client IP to Vault Pods instead of ingress pod ip

Hello,
I have deployed a vault cluster on k8s.
When I try to authenticate with bound_cidrs using approle, it refuses the access because the vault pod is seeing that the request is coming from the ingress pod.

  • source address “192.168.X.X” unauthorized by CIDR restrictions on the role: %!w()

Can you please help me with setting up a way to transfer the IP address of the client to the pods?
I have seen that x forwarded ip is a good option but didn't find a way to implement it.

You’ll need to configure this behavior in the listeners block within your Vault server configuration.

Vault supports the proxy_protocol or x_forwarded_for.

I believe proxy_protocol is recommended over x_forwarded_for if your environment supports it.

Sorry, but do you have an example of the configuration of listeners to use the proxy_protocol or x_forwarded_for in the case of kubernetes ingress?

listener "tcp" {
  # <-- SNIP -->
  x_forwarded_for_authorized_addrs = "10.1.1.0/24,10.1.2.0/24"
}

The x_forwarded_for_authorized_addrs string should be a comma separated list of CIDRs that you’re seeing in your Vault logs that are masking your true source IPs (i.e., gateway/load balancer IPs). Proxy protocol configuration is similar.

In either case it may be necessary to look at the other available options to configure for your environment. I’ve not used Kubernetes much so I can’t comment on what you should typically expect to see from a networking standpoint there. In my case, when I set these options up, it took a little experimentation and outside reading to get it working as desired.
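A fuller listener block for the Kubernetes ingress case discussed above, added here as an example rather than taken from the thread. The pod CIDR, TLS paths and the exec-based readiness probe are assumptions; substitute the proxy addresses you actually see in the Vault logs.

```hcl
# Example Vault listener behind a Kubernetes ingress (added example, not from
# the thread). Assumes the ingress controller pods sit in 10.244.0.0/16
# (placeholder pod CIDR) and terminate TLS, so they can write the real client
# address into X-Forwarded-For before proxying to Vault.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/tls.crt"   # placeholder path
  tls_key_file  = "/vault/tls/tls.key"   # placeholder path

  # X-Forwarded-For is only honoured when the TCP peer is one of these
  # proxies; the header from any other peer is never used as the client IP,
  # so a client cannot forge it to satisfy bound_cidrs.
  x_forwarded_for_authorized_addrs = "10.244.0.0/16"

  # Vault uses the right-most address in the header minus this many hops.
  # With a single ingress layer nothing is skipped; raise it only if another
  # proxy behind the ingress also appends to the header.
  x_forwarded_for_hop_skips = 0

  # Fail closed when an unlisted peer sends the header at all.
  x_forwarded_for_reject_not_authorized = true

  # Assumption: the pods run an exec-based "vault status" readiness probe that
  # connects over 127.0.0.1 without the header. Leaving this true would reject
  # those probes; false means a header-less request keeps its own peer address,
  # which for ingress traffic is exactly the symptom from the original post.
  x_forwarded_for_reject_not_present = false

  # Alternative for a TLS-passthrough ingress that speaks PROXY protocol
  # instead of adding HTTP headers (same trust boundary, same CIDR list):
  # proxy_protocol_behavior         = "allow_authorized"
  # proxy_protocol_authorized_addrs = "10.244.0.0/16"
}
```

The ingress must actually set the header for this to work: a controller that terminates TLS (ingress-nginx, for instance) writes X-Forwarded-For on its own, while a TLS-passthrough ingress cannot inject HTTP headers and needs the PROXY protocol route instead.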