5579 extended http methods (#9633) (#9686)

* 5579 extended http methods (#9633) * Check-in before codegen * Initial commit Includes an e2e test and an attempt at implementing the fix. However, the test fails, so clearly the fix doesn't actually work * Get the implementation working Currently it's a bit of a hack as I just stuffed the functionality into the hcm plugin. I would like to move it elsewhere * Add plugin README * Move configuration to a new plugin * Codegen/formatting updates * Add makefile documentation on building docker images * Update projects/gloo/api/v1/options/header_validation/header_validation.proto Co-authored-by: Bernie Birnbaum <[email protected]> * Address some review comments Namely, remove the new plugin and stuff the functionality into the existing HCM plugin. Also, add a little more documentation on expected breaking changes when UHV is enabled. * Only allow header validation on gateway * Update documentation * Update protobuf API to use a oneof * Add unit test * Add changelog * Fix a compilation error * Add http/2 test * Revert "Add http/2 test" This reverts commit 28f0fe5. * Re-run codegen * Move changelog * Update e2e test documentation * Update API and documentation * Rename API to disable_method_validation * Rename custom_methods `oneof` to header_method_validation * Change disableMethodValidation to disableHttp1MethodValidation * Update a renamed proto variable * Update e2e test to use new framework * Fix some ginkgo methods * Remove duplicated test * Update projects/gloo/api/v1/options/header_validation/header_validation.proto Co-authored-by: Seth Heidkamp <[email protected]> * Add negative test to plugin unit test * Add an additional test * Re-run codegen --------- Co-authored-by: Bernie Birnbaum <[email protected]> Co-authored-by: Seth Heidkamp <[email protected]> Co-authored-by: Nathan Fudenberg <[email protected]> * Adding changelog file to new location * Deleting changelog file from old location --------- Co-authored-by: Bernie Birnbaum <[email protected]> Co-authored-by: Seth Heidkamp <[email protected]> Co-authored-by: Nathan Fudenberg <[email protected]> Co-authored-by: soloio-bulldozer[bot] <48420018+soloio-bulldozer[bot]@users.noreply.github.com> Co-authored-by: changelog-bot <changelog-bot>
kgateway-dev · Jun 26, 2024 · cc4f943 · cc4f943
1 parent 7d4fa08
commit cc4f943
Show file tree

Hide file tree

Showing 20 changed files with 721 additions and 195 deletions.
diff --git a/Makefile b/Makefile
@@ -48,6 +48,12 @@ VERSION ?= 1.0.1-dev
 
 SOURCES := $(shell find . -name "*.go" | grep -v test.go)
 
+# ATTENTION: when updating to a new major version of Envoy, check if
+# universal header validation has been enabled and if so, we expect
+# failures in `test/e2e/header_validation_test.go`
+# for more information, see https://github.com/solo-io/gloo/pull/9633
+# and
+# https://soloio.slab.com/posts/extended-http-methods-design-doc-40j7pjeu
 ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.30.2-patch2
 LDFLAGS := "-X github.com/solo-io/gloo/pkg/version.Version=$(VERSION)"
 GCFLAGS ?=
@@ -932,7 +938,7 @@ docker-push-%:
 	docker push $(IMAGE_REGISTRY)/$*:$(VERSION)
 
 .PHONY: docker-standard
-docker-standard: check-go-version
+docker-standard: check-go-version ## Build docker images (standard only)
 docker-standard: gloo-docker
 docker-standard: discovery-docker
 docker-standard: gloo-envoy-wrapper-docker
@@ -943,7 +949,7 @@ docker-standard: access-logger-docker
 docker-standard: kubectl-docker
 
 .PHONY: docker-distroless
-docker-distroless: check-go-version
+docker-distroless: check-go-version ## Build docker images (distroless only)
 docker-distroless: gloo-distroless-docker
 docker-distroless: discovery-distroless-docker
 docker-distroless: gloo-envoy-wrapper-distroless-docker
@@ -956,7 +962,7 @@ docker-distroless: kubectl-distroless-docker
 IMAGE_VARIANT ?= all
 # Build docker images using the defined IMAGE_REGISTRY, VERSION
 .PHONY: docker
-docker: check-go-version
+docker: check-go-version ## Build all docker images (standard and distroless)
 docker: # Standard images
 ifeq ($(IMAGE_VARIANT),$(filter $(IMAGE_VARIANT),all standard))
 docker: docker-standard

diff --git a/changelog/v1.17.0-rc8/5579-support-extended-http-methods.yaml b/changelog/v1.17.0-rc8/5579-support-extended-http-methods.yaml
@@ -0,0 +1,8 @@
+changelog:
+- type: NEW_FEATURE
+  issueLink: https://github.com/solo-io/gloo/issues/5579
+  resolvesIssue: true
+  description: >-
+    Enable Envoy to accept requests with extended HTTP methods (such as `LABEL`
+    or `UPDATE`). Previously, requests with these methods would return an HTTP
+    400 response. Currently, this functionality is supported for HTTP/1 only.
diff --git a/.../reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options.proto.sk.md b/.../reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options.proto.sk.md
diff --git a/...oo/projects/gloo/api/v1/options/header_validation/header_validation.proto.sk.md b/...oo/projects/gloo/api/v1/options/header_validation/header_validation.proto.sk.md
diff --git a/docs/data/ProtoMap.yaml b/docs/data/ProtoMap.yaml
@@ -1208,6 +1208,9 @@ apis:
   hcm.options.gloo.solo.io.HttpConnectionManagerSettings:
     relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto.sk/#HttpConnectionManagerSettings
     package: hcm.options.gloo.solo.io
+  header_validation.options.gloo.solo.io.HeaderValidationSettings:
+    relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/header_validation/header_validation.proto.sk/#HeaderValidationSettings
+    package: header_validation.options.gloo.solo.io
   headers.options.gloo.solo.io.HeaderManipulation:
     relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/headers/headers.proto.sk/#HeaderManipulation
     package: headers.options.gloo.solo.io

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_Gateway.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_Gateway.yaml
@@ -818,6 +818,12 @@ spec:
                             nullable: true
                             type: integer
                         type: object
+                      headerValidationSettings:
+                        properties:
+                          disableHttp1MethodValidation:
+                            maxProperties: 0
+                            type: object
+                        type: object
                       healthCheck:
                         properties:
                           path:
@@ -2737,6 +2743,12 @@ spec:
                                       nullable: true
                                       type: integer
                                   type: object
+                                headerValidationSettings:
+                                  properties:
+                                    disableHttp1MethodValidation:
+                                      maxProperties: 0
+                                      type: object
+                                  type: object
                                 healthCheck:
                                   properties:
                                     path:

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_HttpListenerOption.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_HttpListenerOption.yaml
@@ -809,6 +809,12 @@ spec:
                         nullable: true
                         type: integer
                     type: object
+                  headerValidationSettings:
+                    properties:
+                      disableHttp1MethodValidation:
+                        maxProperties: 0
+                        type: object
+                    type: object
                   healthCheck:
                     properties:
                       path:

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_MatchableHttpGateway.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_MatchableHttpGateway.yaml
@@ -812,6 +812,12 @@ spec:
                             nullable: true
                             type: integer
                         type: object
+                      headerValidationSettings:
+                        properties:
+                          disableHttp1MethodValidation:
+                            maxProperties: 0
+                            type: object
+                        type: object
                       healthCheck:
                         properties:
                           path:

diff --git a/projects/gloo/api/v1/options.proto b/projects/gloo/api/v1/options.proto
@@ -18,6 +18,7 @@ import "github.com/solo-io/gloo/projects/gloo/api/v1/options/proxy_protocol/prox
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_web/grpc_web.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_json/grpc_json.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto";
+import "github.com/solo-io/gloo/projects/gloo/api/v1/options/header_validation/header_validation.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/lbhash/lbhash.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/shadowing/shadowing.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/tcp/tcp.proto";
@@ -231,6 +232,11 @@ message HttpListenerOptions {
 
     // Enterprise only: Listener-level stateful session settings
     stateful_session.options.gloo.solo.io.StatefulSession stateful_session = 35;
+
+    // Header validation settings - fields in this message can be used to
+    // determine whether requests should be rejected based on the contents of
+    // the header.
+    header_validation.options.gloo.solo.io.HeaderValidationSettings header_validation_settings = 36;
 }
 
 // Optional, feature-specific configuration that lives on tcp listeners
@@ -578,6 +584,7 @@ message RouteOptions {
     // override certain HttpListenerOptions or VirtualHostOptions settings.
     extproc.options.gloo.solo.io.RouteSettings ext_proc = 30;
 }
+
 // Configuration for Destinations that are tied to the UpstreamSpec or ServiceSpec on that destination
 message DestinationSpec {
     // Note to developers: new DestinationSpecs must be added to this oneof field

diff --git a/projects/gloo/api/v1/options/header_validation/header_validation.proto b/projects/gloo/api/v1/options/header_validation/header_validation.proto
@@ -0,0 +1,24 @@
+syntax = "proto3";
+package header_validation.options.gloo.solo.io;
+
+import "google/protobuf/empty.proto";
+
+option go_package = "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/options/header_validation";
+
+message HeaderValidationSettings {
+  // How header methods will be validated. By default, Envoy will
+  // validate HTTP methods for HTTP/1 connections against the default set of allowed methods.
+  // The default allowed methods can be found here:
+  // https://github.com/envoyproxy/envoy/blob/2970ddbd4ade787dd51dfbe605ae2e8c5d8ffcf7/source/common/http/http1/balsa_parser.cc#L54
+  // or here, if Universal Header Validation is enabled:
+  // https://github.com/envoyproxy/envoy/blob/0b9f67e7f71bcba3ff49575dc61676478cb68614/source/extensions/http/header_validators/envoy_default/header_validator.cc#L53
+  // Invalid methods on HTTP/1 requests will be rejected with a HTTP 400
+  // response.
+  // For HTTP/2, Envoy does not validate header methods by default.
+	oneof header_method_validation {
+		// Disable method validation. Envoy will not perform any validation on
+		// the method provided in the HTTP header.
+		google.protobuf.Empty disable_http1_method_validation = 1;
+	}
+}
+
diff --git a/projects/gloo/pkg/api/v1/options.pb.clone.go b/projects/gloo/pkg/api/v1/options.pb.clone.go
diff --git a/projects/gloo/pkg/api/v1/options.pb.equal.go b/projects/gloo/pkg/api/v1/options.pb.equal.go