Add externalTrafficPolicy to CaddyConfig for client IP preservation

When set to 'Local', the L4 LoadBalancer skips SNAT and preserves the
real client source IP. Without this, X-Forwarded-For only contains
internal GKE node IPs regardless of trustedProxies configuration.

Required for correct client IP detection in applications behind Caddy
on GKE Autopilot with L4 LoadBalancer (which is the default service type).

Usage in server.yaml:
  caddy:
    enable: true
    externalTrafficPolicy: Local
    trustedProxies:
      - 10.0.0.0/8
      - 173.245.48.0/20

Author: Cre-eD

pkg/clouds/k8s/types.go

@@ -47,6 +47,9 @@ type CaddyConfig struct {
 	UseSSL           *bool      `json:"useSSL,omitempty" yaml:"useSSL,omitempty"`                     // whether to use ssl by default (default: true)
 	// Deployment name override for existing Caddy deployments (used when adopting clusters)
 	DeploymentName *string `json:"deploymentName,omitempty" yaml:"deploymentName,omitempty"` // override deployment name when adopting existing Caddy
+	// ExternalTrafficPolicy for LoadBalancer service. "Local" preserves client source IP
+	// (required for correct X-Forwarded-For when behind L4 LB). Default: "Cluster".
+	ExternalTrafficPolicy *string `json:"externalTrafficPolicy,omitempty" yaml:"externalTrafficPolicy,omitempty"`
 }
 
 type DisruptionBudget struct {

pkg/clouds/pulumi/kubernetes/caddy.go

@@ -250,7 +250,8 @@ func DeployCaddyService(ctx *sdk.Context, caddy CaddyDeployment, input api.Resou
 		SecretVolumes:       caddy.SecretVolumes,       // Cloud credentials volumes (e.g., GCP service account)
 		SecretVolumeOutputs: caddy.SecretVolumeOutputs, // Pulumi outputs for secret volumes
 		SecretEnvs:          secretEnvs,                // Secret environment variables
-		VPA:                 caddy.VPA,                 // Vertical Pod Autoscaler configuration for Caddy
+		VPA:                   caddy.VPA,                 // Vertical Pod Autoscaler configuration for Caddy
+		ExternalTrafficPolicy: lo.FromPtr(caddy.CaddyConfig).ExternalTrafficPolicy,
 		Images: []*ContainerImage{
 			{
 				Container: caddyContainer,

pkg/clouds/pulumi/kubernetes/deployment.go

@@ -45,6 +45,7 @@ type Args struct {
 	VPA                    *k8s.VPAConfig     // Vertical Pod Autoscaler configuration
 	ReadinessProbe         *k8s.CloudRunProbe // Global readiness probe configuration
 	LivenessProbe          *k8s.CloudRunProbe // Global liveness probe configuration
+	ExternalTrafficPolicy  *string            // "Local" preserves client IP on LoadBalancer services
 }
 
 func DeploySimpleContainer(ctx *sdk.Context, args Args, opts ...sdk.ResourceOption) (*SimpleContainer, error) {
@@ -236,8 +237,9 @@ func DeploySimpleContainer(ctx *sdk.Context, args Args, opts ...sdk.ResourceOpti
 		NodeSelector:           args.NodeSelector,
 		Affinity:               args.Affinity,
 		Sidecars:               args.Sidecars,
-		VPA:                    args.VPA,              // Pass VPA configuration to SimpleContainer
-		Scale:                  args.Deployment.Scale, // Pass Scale configuration to SimpleContainer
+		VPA:                      args.VPA,                      // Pass VPA configuration to SimpleContainer
+		Scale:                    args.Deployment.Scale,         // Pass Scale configuration to SimpleContainer
+		ExternalTrafficPolicy:    args.ExternalTrafficPolicy,
 		PodDisruption: lo.If(args.Deployment.DisruptionBudget != nil, args.Deployment.DisruptionBudget).Else(&k8s.DisruptionBudget{
 			MinAvailable: lo.ToPtr(1),
 		}),

pkg/clouds/pulumi/kubernetes/simple_container.go

@@ -112,7 +112,8 @@ type SimpleContainerArgs struct {
 	NodeSelector      map[string]string            `json:"nodeSelector" yaml:"nodeSelector"`
 	Affinity          *k8s.AffinityRules           `json:"affinity" yaml:"affinity"`
 	IngressContainer  *k8s.CloudRunContainer       `json:"ingressContainer" yaml:"ingressContainer"`
-	ServiceType       *string                      `json:"serviceType" yaml:"serviceType"`
+	ServiceType              *string                      `json:"serviceType" yaml:"serviceType"`
+	ExternalTrafficPolicy    *string                      `json:"externalTrafficPolicy" yaml:"externalTrafficPolicy"`
 	ProvisionIngress  bool                         `json:"provisionIngress" yaml:"provisionIngress"`
 	Headers           *k8s.Headers                 `json:"headers" yaml:"headers"`
 	Volumes           []k8s.SimpleTextVolume       `json:"volumes" yaml:"volumes"`
@@ -589,11 +590,7 @@ ${proto}://${domain} {
 				Labels:      sdk.ToStringMap(appLabels),
 				Annotations: sdk.ToStringMap(serviceAnnotations),
 			},
-			Spec: &corev1.ServiceSpecArgs{
-				Selector: sdk.ToStringMap(appLabels),
-				Ports:    servicePorts,
-				Type:     serviceType,
-			},
+			Spec: serviceSpec(appLabels, servicePorts, serviceType, args.ExternalTrafficPolicy),
 		}, opts...)
 		if err != nil {
 			return nil, err
@@ -850,6 +847,21 @@ func createVPA(ctx *sdk.Context, args *SimpleContainerArgs, deploymentName, name
 	return nil
 }
 
+// serviceSpec builds a ServiceSpecArgs, optionally setting ExternalTrafficPolicy
+// when the service type is LoadBalancer. "Local" preserves the client source IP
+// by skipping SNAT — required for correct X-Forwarded-For behind an L4 LB.
+func serviceSpec(appLabels map[string]string, ports corev1.ServicePortArray, serviceType sdk.StringInput, externalTrafficPolicy *string) *corev1.ServiceSpecArgs {
+	spec := &corev1.ServiceSpecArgs{
+		Selector: sdk.ToStringMap(appLabels),
+		Ports:    ports,
+		Type:     serviceType,
+	}
+	if externalTrafficPolicy != nil {
+		spec.ExternalTrafficPolicy = sdk.StringPtr(*externalTrafficPolicy)
+	}
+	return spec
+}
+
 func ToImagePullSecretName(deploymentName string) string {
 	return fmt.Sprintf("%s-docker-config", deploymentName)
 }

pkg/clouds/pulumi/kubernetes/simple_container_advanced_test.go

@@ -660,3 +660,91 @@ func TestSimpleContainer_ServiceTypeVariations(t *testing.T) {
 		})
 	}
 }
+
+func TestServiceSpec_ExternalTrafficPolicy(t *testing.T) {
+	RegisterTestingT(t)
+
+	t.Run("nil policy uses default", func(t *testing.T) {
+		spec := serviceSpec(
+			map[string]string{"app": "test"},
+			corev1.ServicePortArray{},
+			sdk.String("LoadBalancer"),
+			nil,
+		)
+		Expect(spec).ToNot(BeNil())
+		Expect(spec.ExternalTrafficPolicy).To(BeNil())
+	})
+
+	t.Run("Local policy is set", func(t *testing.T) {
+		policy := "Local"
+		spec := serviceSpec(
+			map[string]string{"app": "test"},
+			corev1.ServicePortArray{},
+			sdk.String("LoadBalancer"),
+			&policy,
+		)
+		Expect(spec).ToNot(BeNil())
+		Expect(spec.ExternalTrafficPolicy).ToNot(BeNil())
+	})
+
+	t.Run("Cluster policy is set", func(t *testing.T) {
+		policy := "Cluster"
+		spec := serviceSpec(
+			map[string]string{"app": "test"},
+			corev1.ServicePortArray{},
+			sdk.String("ClusterIP"),
+			&policy,
+		)
+		Expect(spec).ToNot(BeNil())
+		Expect(spec.ExternalTrafficPolicy).ToNot(BeNil())
+	})
+}
+
+func TestSimpleContainer_ExternalTrafficPolicy(t *testing.T) {
+	RegisterTestingT(t)
+
+	t.Run("LoadBalancer with Local traffic policy", func(t *testing.T) {
+		mocks := NewSimpleContainerMocks()
+
+		err := pulumi.RunErr(func(ctx *pulumi.Context) error {
+			policy := "Local"
+			args := &SimpleContainerArgs{
+				Namespace:  "traffic-test",
+				Service:    "traffic-test",
+				ScEnv:      "test",
+				Deployment: "traffic-deployment",
+				Replicas:   1,
+				Log:        logger.New(),
+
+				IngressContainer: &k8s.CloudRunContainer{
+					Name:     "traffic-container",
+					Ports:    []int{8080},
+					MainPort: lo.ToPtr(8080),
+				},
+				ServiceType:           lo.ToPtr("LoadBalancer"),
+				ExternalTrafficPolicy: &policy,
+
+				Containers: []corev1.ContainerArgs{
+					{
+						Name:  sdk.String("traffic-container"),
+						Image: sdk.String("nginx:latest"),
+						Ports: corev1.ContainerPortArray{
+							&corev1.ContainerPortArgs{
+								ContainerPort: sdk.Int(8080),
+							},
+						},
+					},
+				},
+			}
+
+			sc, err := NewSimpleContainer(ctx, args)
+			Expect(err).ToNot(HaveOccurred())
+			Expect(sc).ToNot(BeNil())
+			Expect(sc.Service).ToNot(BeNil())
+
+			return nil
+		}, pulumi.WithMocks("project", "stack", mocks))
+
+		Expect(err).ToNot(HaveOccurred())
+	})
+}