feat(translator): make append_x_forwarded_host configurable in HTTPRouteFilter (#8527)

* feat(translator): make appendXForwardedHost configurable in HTTPRouteFilter

Add appendXForwardedHost field to HTTPURLRewriteFilter to allow users to
control whether the original Host header is appended to X-Forwarded-Host
when hostname rewriting is configured. Defaults to true for backward
compatibility.

Fixes #8386

Signed-off-by: rborale5 <rborale5@gmail.com>

Author: rborale5

api/v1alpha1/httproutefilter_types.go

@@ -65,6 +65,12 @@ type HTTPURLRewriteFilter struct {
 	//
 	// +optional
 	Path *HTTPPathModifier `json:"path,omitempty"`
+	// AppendXForwardedHost controls whether the original Host header value is
+	// appended to the X-Forwarded-Host header when hostname rewriting is configured.
+	// Defaults to true for backward compatibility.
+	//
+	// +optional
+	AppendXForwardedHost *bool `json:"appendXForwardedHost,omitempty"`
 }
 
 // HTTPDirectResponseFilter defines the configuration to return a fixed response.

api/v1alpha1/zz_generated.deepcopy.go

@@ -400,6 +400,12 @@ spec:
                 description: HTTPURLRewriteFilter define rewrites of HTTP URL components
                   such as path and host
                 properties:
+                  appendXForwardedHost:
+                    description: |-
+                      AppendXForwardedHost controls whether the original Host header value is
+                      appended to the X-Forwarded-Host header when hostname rewriting is configured.
+                      Defaults to true for backward compatibility.
+                    type: boolean
                   hostname:
                     description: |-
                       Hostname is the value to be used to replace the Host header value during

charts/gateway-crds-helm/templates/generated/gateway.envoyproxy.io_httproutefilters.yaml

@@ -399,6 +399,12 @@ spec:
                 description: HTTPURLRewriteFilter define rewrites of HTTP URL components
                   such as path and host
                 properties:
+                  appendXForwardedHost:
+                    description: |-
+                      AppendXForwardedHost controls whether the original Host header value is
+                      appended to the X-Forwarded-Host header when hostname rewriting is configured.
+                      Defaults to true for backward compatibility.
+                    type: boolean
                   hostname:
                     description: |-
                       Hostname is the value to be used to replace the Host header value during

charts/gateway-helm/charts/crds/crds/generated/gateway.envoyproxy.io_httproutefilters.yaml

@@ -899,6 +899,13 @@ func (t *Translator) processExtensionRefHTTPFilter(extFilter *gwapiv1.LocalObjec
 						}
 					}
 
+					if hrf.Spec.URLRewrite.AppendXForwardedHost != nil {
+						if filterContext.URLRewrite == nil {
+							filterContext.URLRewrite = &ir.URLRewrite{}
+						}
+						filterContext.URLRewrite.AppendXForwardedHost = hrf.Spec.URLRewrite.AppendXForwardedHost
+					}
+
 				}
 
 				if hrf.Spec.DirectResponse != nil {

internal/gatewayapi/filters.go

@@ -0,0 +1,123 @@
+gateways:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: Gateway
+  metadata:
+    namespace: envoy-gateway
+    name: gateway-1
+  spec:
+    gatewayClassName: envoy-gateway-class
+    listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      hostname: "*.envoyproxy.io"
+      allowedRoutes:
+        namespaces:
+          from: All
+httpRoutes:
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-disable-append
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/disable-append"
+      backendRefs:
+      - name: service-1
+        port: 8080
+      filters:
+      - type: ExtensionRef
+        extensionRef:
+          group: gateway.envoyproxy.io
+          kind: HTTPRouteFilter
+          name: header-host-no-append
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-enable-append
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/enable-append"
+      backendRefs:
+      - name: service-1
+        port: 8080
+      filters:
+      - type: ExtensionRef
+        extensionRef:
+          group: gateway.envoyproxy.io
+          kind: HTTPRouteFilter
+          name: header-host-with-append
+- apiVersion: gateway.networking.k8s.io/v1
+  kind: HTTPRoute
+  metadata:
+    namespace: default
+    name: httproute-only-append-flag
+  spec:
+    hostnames:
+    - gateway.envoyproxy.io
+    parentRefs:
+    - namespace: envoy-gateway
+      name: gateway-1
+      sectionName: http
+    rules:
+    - matches:
+      - path:
+          value: "/only-append-flag"
+      backendRefs:
+      - name: service-1
+        port: 8080
+      filters:
+      - type: ExtensionRef
+        extensionRef:
+          group: gateway.envoyproxy.io
+          kind: HTTPRouteFilter
+          name: only-append-flag
+httpFilters:
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: HTTPRouteFilter
+  metadata:
+    name: header-host-no-append
+    namespace: default
+  spec:
+    urlRewrite:
+      hostname:
+        type: Header
+        header: my-host
+      appendXForwardedHost: false
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: HTTPRouteFilter
+  metadata:
+    name: header-host-with-append
+    namespace: default
+  spec:
+    urlRewrite:
+      hostname:
+        type: Header
+        header: my-host
+      appendXForwardedHost: true
+- apiVersion: gateway.envoyproxy.io/v1alpha1
+  kind: HTTPRouteFilter
+  metadata:
+    name: only-append-flag
+    namespace: default
+  spec:
+    urlRewrite:
+      appendXForwardedHost: false