Skip to content

Commit

Permalink
feat: Suppress 'X-Envoy' headers and pass-through the upstream 'Serve…
Browse files Browse the repository at this point in the history 
…r' header by default (envoyproxy#2585)

* Implement and update tests for the default header transformations.

Signed-off-by: Lior Okman <[email protected]>

* Make 'gen-check' happy

Signed-off-by: Lior Okman <[email protected]>

---------

Signed-off-by: Lior Okman <[email protected]>
  • Loading branch information
@liorokman
liorokman authored Feb 13, 2024
1 parent 6884f8d commit 988d4ed
Show file tree
Hide file tree
Showing 82 changed files with 387 additions and 14 deletions.
4 changes: 4 additions & 0 deletions internal/cmd/egctl/testdata/translate/out/default-resources.all.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -803,6 +803,7 @@ xds:
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
suppressEnvoyHeaders: true
mergeSlashes: true
normalizePath: true
pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
Expand All @@ -811,6 +812,7 @@ xds:
ads: {}
resourceApiVersion: V3
routeConfigName: default/eg/http
serverHeaderTransformation: PASS_THROUGH
statPrefix: http
upgradeConfigs:
- upgradeType: websocket
Expand Down Expand Up @@ -869,6 +871,7 @@ xds:
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
suppressEnvoyHeaders: true
mergeSlashes: true
normalizePath: true
pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
Expand All @@ -877,6 +880,7 @@ xds:
ads: {}
resourceApiVersion: V3
routeConfigName: default/eg/grpc
serverHeaderTransformation: PASS_THROUGH
statPrefix: http
useRemoteAddress: true
name: default/eg/grpc
Expand Down
2 changes: 2 additions & 0 deletions internal/cmd/egctl/testdata/translate/out/envoy-patch-policy.all.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -199,6 +199,7 @@ xds:
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
suppressEnvoyHeaders: true
mergeSlashes: true
normalizePath: true
pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
Expand All @@ -207,6 +208,7 @@ xds:
ads: {}
resourceApiVersion: V3
routeConfigName: default/eg/http
serverHeaderTransformation: PASS_THROUGH
statPrefix: http
upgradeConfigs:
- upgradeType: websocket
Expand Down
8 changes: 6 additions & 2 deletions internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -553,7 +553,8 @@
{
"name": "envoy.filters.http.router",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router",
"suppressEnvoyHeaders": true
}
}
],
Expand All @@ -567,6 +568,7 @@
},
"routeConfigName": "default/eg/http"
},
"serverHeaderTransformation": "PASS_THROUGH",
"statPrefix": "http",
"upgradeConfigs": [
{
Expand Down Expand Up @@ -660,7 +662,8 @@
{
"name": "envoy.filters.http.router",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router",
"suppressEnvoyHeaders": true
}
}
],
Expand All @@ -674,6 +677,7 @@
},
"routeConfigName": "default/eg/grpc"
},
"serverHeaderTransformation": "PASS_THROUGH",
"statPrefix": "http",
"useRemoteAddress": true
}
Expand Down
4 changes: 4 additions & 0 deletions internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.all.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -329,6 +329,7 @@ xds:
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
suppressEnvoyHeaders: true
mergeSlashes: true
normalizePath: true
pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
Expand All @@ -337,6 +338,7 @@ xds:
ads: {}
resourceApiVersion: V3
routeConfigName: default/eg/http
serverHeaderTransformation: PASS_THROUGH
statPrefix: http
upgradeConfigs:
- upgradeType: websocket
Expand Down Expand Up @@ -395,6 +397,7 @@ xds:
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
suppressEnvoyHeaders: true
mergeSlashes: true
normalizePath: true
pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
Expand All @@ -403,6 +406,7 @@ xds:
ads: {}
resourceApiVersion: V3
routeConfigName: default/eg/grpc
serverHeaderTransformation: PASS_THROUGH
statPrefix: http
useRemoteAddress: true
name: default/eg/grpc
Expand Down
4 changes: 4 additions & 0 deletions internal/cmd/egctl/testdata/translate/out/from-gateway-api-to-xds.listener.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,7 @@ xds:
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
suppressEnvoyHeaders: true
mergeSlashes: true
normalizePath: true
pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
Expand All @@ -54,6 +55,7 @@ xds:
ads: {}
resourceApiVersion: V3
routeConfigName: default/eg/http
serverHeaderTransformation: PASS_THROUGH
statPrefix: http
upgradeConfigs:
- upgradeType: websocket
Expand Down Expand Up @@ -112,6 +114,7 @@ xds:
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
suppressEnvoyHeaders: true
mergeSlashes: true
normalizePath: true
pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
Expand All @@ -120,6 +123,7 @@ xds:
ads: {}
resourceApiVersion: V3
routeConfigName: default/eg/grpc
serverHeaderTransformation: PASS_THROUGH
statPrefix: http
useRemoteAddress: true
name: default/eg/grpc
Expand Down
4 changes: 3 additions & 1 deletion internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -430,7 +430,8 @@
{
"name": "envoy.filters.http.router",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
"@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router",
"suppressEnvoyHeaders": true
}
}
],
Expand All @@ -444,6 +445,7 @@
},
"routeConfigName": "envoy-gateway-system/eg/http"
},
"serverHeaderTransformation": "PASS_THROUGH",
"statPrefix": "http",
"upgradeConfigs": [
{
Expand Down
2 changes: 2 additions & 0 deletions internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.all.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -256,6 +256,7 @@ xds:
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
suppressEnvoyHeaders: true
mergeSlashes: true
normalizePath: true
pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
Expand All @@ -264,6 +265,7 @@ xds:
ads: {}
resourceApiVersion: V3
routeConfigName: envoy-gateway-system/eg/http
serverHeaderTransformation: PASS_THROUGH
statPrefix: http
upgradeConfigs:
- upgradeType: websocket
Expand Down
2 changes: 2 additions & 0 deletions internal/cmd/egctl/testdata/translate/out/jwt-single-route-single-match-to-xds.listener.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,7 @@ xds:
- name: envoy.filters.http.router
typedConfig:
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
suppressEnvoyHeaders: true
mergeSlashes: true
normalizePath: true
pathWithEscapedSlashesAction: UNESCAPE_AND_REDIRECT
Expand All @@ -71,6 +72,7 @@ xds:
ads: {}
resourceApiVersion: V3
routeConfigName: envoy-gateway-system/eg/http
serverHeaderTransformation: PASS_THROUGH
statPrefix: http
upgradeConfigs:
- upgradeType: websocket
Expand Down
4 changes: 3 additions & 1 deletion internal/gatewayapi/clienttrafficpolicy.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -415,7 +415,9 @@ func translateListenerHeaderSettings(headerSettings *egv1a1.HeaderSettings, http
if headerSettings == nil {
return
}
httpIR.SuppressEnvoyHeaders = true
httpIR.Headers = &ir.HeaderSettings{
EnableEnvoyHeaders: ptr.Deref(headerSettings.EnableEnvoyHeaders, false),
}
}

func translateHTTP1Settings(http1Settings *egv1a1.HTTP1Settings, httpIR *ir.HTTPListener) error {
Expand Down
35 changes: 35 additions & 0 deletions internal/gatewayapi/testdata/clienttrafficpolicy-headers.in.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
clientTrafficPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
namespace: envoy-gateway
name: target-gateway-1
spec:
headers:
enableEnvoyHeaders: true
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: gateway-1
namespace: envoy-gateway
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: envoy-gateway
name: gateway-1
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: http-1
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: Same
- name: http-2
protocol: HTTP
port: 8080
allowedRoutes:
namespaces:
from: Same
143 changes: 143 additions & 0 deletions internal/gatewayapi/testdata/clienttrafficpolicy-headers.out.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,143 @@
clientTrafficPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
creationTimestamp: null
name: target-gateway-1
namespace: envoy-gateway
spec:
headers:
enableEnvoyHeaders: true
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: gateway-1
namespace: envoy-gateway
status:
conditions:
- lastTransitionTime: null
message: ClientTrafficPolicy has been accepted.
reason: Accepted
status: "True"
type: Accepted
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
creationTimestamp: null
name: gateway-1
namespace: envoy-gateway
spec:
gatewayClassName: envoy-gateway-class
listeners:
- allowedRoutes:
namespaces:
from: Same
name: http-1
port: 80
protocol: HTTP
- allowedRoutes:
namespaces:
from: Same
name: http-2
port: 8080
protocol: HTTP
status:
listeners:
- attachedRoutes: 0
conditions:
- lastTransitionTime: null
message: Sending translated listener configuration to the data plane
reason: Programmed
status: "True"
type: Programmed
- lastTransitionTime: null
message: Listener has been successfully translated
reason: Accepted
status: "True"
type: Accepted
- lastTransitionTime: null
message: Listener references have been resolved
reason: ResolvedRefs
status: "True"
type: ResolvedRefs
name: http-1
supportedKinds:
- group: gateway.networking.k8s.io
kind: HTTPRoute
- group: gateway.networking.k8s.io
kind: GRPCRoute
- attachedRoutes: 0
conditions:
- lastTransitionTime: null
message: Sending translated listener configuration to the data plane
reason: Programmed
status: "True"
type: Programmed
- lastTransitionTime: null
message: Listener has been successfully translated
reason: Accepted
status: "True"
type: Accepted
- lastTransitionTime: null
message: Listener references have been resolved
reason: ResolvedRefs
status: "True"
type: ResolvedRefs
name: http-2
supportedKinds:
- group: gateway.networking.k8s.io
kind: HTTPRoute
- group: gateway.networking.k8s.io
kind: GRPCRoute
infraIR:
envoy-gateway/gateway-1:
proxy:
listeners:
- address: null
name: envoy-gateway/gateway-1/http-1
ports:
- containerPort: 10080
name: http-1
protocol: HTTP
servicePort: 80
- address: null
name: envoy-gateway/gateway-1/http-2
ports:
- containerPort: 8080
name: http-2
protocol: HTTP
servicePort: 8080
metadata:
labels:
gateway.envoyproxy.io/owning-gateway-name: gateway-1
gateway.envoyproxy.io/owning-gateway-namespace: envoy-gateway
name: envoy-gateway/gateway-1
xdsIR:
envoy-gateway/gateway-1:
accessLog:
text:
- path: /dev/stdout
http:
- address: 0.0.0.0
headers:
enableEnvoyHeaders: true
hostnames:
- '*'
isHTTP2: false
name: envoy-gateway/gateway-1/http-1
path:
escapedSlashesAction: UnescapeAndRedirect
mergeSlashes: true
port: 10080
- address: 0.0.0.0
headers:
enableEnvoyHeaders: true
hostnames:
- '*'
isHTTP2: false
name: envoy-gateway/gateway-1/http-2
path:
escapedSlashesAction: UnescapeAndRedirect
mergeSlashes: true
port: 8080
Loading

0 comments on commit 988d4ed

Please sign in to comment.