ROX-29399: Directional external-IPs

[ovalenti]

Description

Add an attribute to the runtime-configuration to set in which direction the external-IPs are enabled.

The possible options for the new direction attribute are INGRESS, EGRESS and BOTH.

By default (when the attribute is missing) the behavior is to enable in both directions.

Example:

networking:
  externalIps:
    enabled: DISABLED
    direction: INGRESS

The related proto changes are in stackrox/stackrox#15373

Checklist

• Investigated and inspected CI test results
• Updated documentation accordingly

Automated testing

• Added unit tests
• Added integration tests
• Added regression tests

Testing

Preliminary tests in #2140 tend to show that the behavior is as expected.

I did some manual testing and could show that setting direction: INGRESS normalized the outgoing connections.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 55.88235% with 30 lines in your changes missing coverage. Please review.

Project coverage is 28.82%. Comparing base (bdf2090) to head (75384fb).
Report is 12 commits behind head on master.

✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
collector/lib/ExternalIPsConfig.cpp	48.64%	19 Missing ⚠️
collector/lib/ConnTracker.cpp	73.68%	0 Missing and 5 partials ⚠️
collector/lib/NetworkStatusNotifier.cpp	20.00%	2 Missing and 2 partials ⚠️
collector/lib/CollectorConfig.cpp	0.00%	1 Missing ⚠️
collector/lib/CollectorConfig.h	50.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2130      +/-   ##
==========================================
+ Coverage   28.52%   28.82%   +0.30%     
==========================================
  Files          94       96       +2     
  Lines        5757     5797      +40     
  Branches     2547     2550       +3     
==========================================
+ Hits         1642     1671      +29     
- Misses       3393     3408      +15     
+ Partials      722      718       -4     

Flag	Coverage Δ
collector-unit-tests	28.82% <55.88%> (+0.30%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Molter73]

Only a partial review, mostly refactorings that would be nice to see

[Molter73]

Finished going through the PR, changes look good apart from the pending comment in my previous review.

[sourcery-ai]

Hey @ovalenti - I've reviewed your changes - here's some feedback:

• Refactor the large manual test loop in TestExternalIPsConfigChangeEnableEgress into a parameterized TEST_P for clarity and maintainability.
• Extract common logic from the ingress/egress branches in CloseConnectionsOnExternalIPsConfigChange to reduce duplication and simplify predicate construction.
• Simplify ExternalIPsConfig constructor by mapping the proto direction directly to the enum (e.g., with a small helper) to reduce the switch verbosity.

Here's what I looked at during the review

• 🟡 General issues: 1 issue found
• 🟢 Security: all looks good
• 🟡 Testing: 1 issue found
• 🟡 Complexity: 1 issue found
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[Molter73]

Overall looks good, just a couple more comments on readability, but we should be able to merge soon

[Molter73]

LGTM!

[Molter73]

Still LGTM, just a minor comment on ordering in an example.

[JoukoVirtanen]

Please explain what manual testing you did in the PR description.

[JoukoVirtanen]

LGTM!