api: Support Server header transformations

[liorokman]

What this PR does / why we need it:

This PR adds support for defining what should be done with the Server header.

The relevant Envoy configuration is here.

This PR additionally moves the SuppressEnvoyHeaders attribute into a headers container in the client traffic policy document.

[codecov]

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (f21f9ff) 63.94% compared to head (b771af6) 63.94%.
Report is 1 commits behind head on main.

Files	Patch %	Lines
...frastructure/kubernetes/proxy/resource_provider.go	50.00%	0 Missing and 4 partials ⚠️
internal/gatewayapi/clienttrafficpolicy.go	83.33%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2500   +/-   ##
=======================================
  Coverage   63.94%   63.94%           
=======================================
  Files         117      117           
  Lines       18057    18062    +5     
=======================================
+ Hits        11546    11550    +4     
- Misses       5758     5761    +3     
+ Partials      753      751    -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[arkodg]

we discussed this in the community meeting today, here are some follow up questions

• can this use case we solved with the ResponseHeaderFilter ?
  https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPHeaderFilter
• can the suppressEnvoyHeaders be represented with another name closer to the goal of the field such as passThrough etc ?

[liorokman]

we discussed this in the community meeting today, here are some follow up questions

• can this use case we solved with the ResponseHeaderFilter ?
  https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPHeaderFilter

No. The ResponseHeaderFilter unconditionally adds/overwrites a header whose value is given in the filter. This feature's passThrough option will keep the value of the Server header provided by the upstream, and there's no way to express the appendIfAbsent option with ResponseHeaderFilter.

• can the suppressEnvoyHeaders be represented with another name closer to the goal of the field such as passThrough etc ?

You meant serverHeaderTransformation, not suppressEnvoyHeaders, right? suppressEnvoyHeaders has nothing to do with passing anything through and isn't the topic of this PR.

I used the name of the underlying feature in Envoy Proxy for the serverHeaderTransformation field. I think passThrough isn't a good name - it's only one of three options, and is exactly the opposite of the overwrite option.

I'm open to any other name you have that you think fits better.

[arkodg]

from a user perspective, (correct me if im wrong), what you're really trying to solve here is - hey envoy, dont add any new response headers like x-envoy-* or server
we should come up with a name for this knob to define this opt in behavior

[arkodg]

how about a knob called addEnvoyResponseHeaders, making adding envoy headers along with server as opt in, so we supress by default

[zirain]

maybe istio/api#2240 will give a little help.

[arkodg]

thanks for sharing this @zirain, this is super useful
how about removing this API and disabling

• x-envoy-*
• server (passthrough)
  by default

and we can introduce APIs in the future to opt into this

[zirain]

fine to me

[liorokman]

So, to summarise the above:

1. The HeaderSettings structure is removed, and the default behaviour becomes that the X-Envoy- headers are removed and the Server header is defined as passthrough. This is done to try to effectively hide the presence of an Envoy Proxy between the client and the upstream target.
2. There is no support at this time for allowing the X-Envoy headers. This makes it harder for developers to perform certain tasks, for example when trying to measure latency with the x-envoy-upstream-service-time, or debugging various rewrite rules with the x-envoy-original-path header.

How to proceed? Should I close this PR and create a new PR removing the suppressEnvoyHeaders option and implementing the behavioural changes listed here?

[arkodg]

hey @liorokman, agree with 1.
for 2. we can make a opt in API e.g.

headers:
  enableEnvoyHeaders: true
``

[liorokman]

Updated to reflect this thread.

This PR changes the API and keeps the project building, a different PR will actually implement the feature.

[arkodg]

this is not needed

[liorokman]

Missed that. Removed.

[arkodg]

LGTM thanks !

[shawnh2]

/retest