StripTrailingHostDot: Expose new configuration option to enable Envoy…

… removal of trailing dot on hostnames (#6792) * Add strip trailing host dot option from Envoy Signed-off-by: David Sale <[email protected]> * Rebase from main and apply code review suggestions Signed-off-by: David Sale <[email protected]> * Add missing changelog file for the PR 6792 Signed-off-by: David Sale <[email protected]> --------- Signed-off-by: David Sale <[email protected]>
projectcontour · Feb 13, 2025 · 38346c5 · 38346c5
1 parent 39c7cb9
commit 38346c5
Show file tree

Hide file tree

Showing 22 changed files with 355 additions and 16 deletions.
diff --git a/apis/projectcontour/v1alpha1/contourconfig.go b/apis/projectcontour/v1alpha1/contourconfig.go
@@ -736,6 +736,19 @@ type NetworkParameters struct {
 	// Contour's default is 9001.
 	// +optional
 	EnvoyAdminPort *int `json:"adminPort,omitempty"`
+
+	// EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+	// before any processing of request by HTTP filters or routing. This
+	// affects the upstream host header. Without setting this option to true, incoming
+	// requests with host example.com. will not match against route with domains
+	// match set to example.com.
+	//
+	// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+	// for more information.
+	//
+	// Contour's default is false.
+	// +optional
+	EnvoyStripTrailingHostDot *bool `json:"stripTrailingHostDot,omitempty"`
 }
 
 // RateLimitServiceConfig defines properties of a global Rate Limit Service.

diff --git a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go
diff --git a/changelogs/unreleased/6792-saley89-small.md b/changelogs/unreleased/6792-saley89-small.md
@@ -0,0 +1 @@
+Adds a new configuration option `strip-trailing-host-dot` which defines if trailing dot of the host should be removed from host/authority header before any processing of request by HTTP filters or routing.
diff --git a/cmd/contour/serve.go b/cmd/contour/serve.go
@@ -464,6 +464,7 @@ func (s *Server) doServe() error {
 		MergeSlashes:                  !*contourConfiguration.Envoy.Listener.DisableMergeSlashes,
 		ServerHeaderTransformation:    contourConfiguration.Envoy.Listener.ServerHeaderTransformation,
 		XffNumTrustedHops:             *contourConfiguration.Envoy.Network.XffNumTrustedHops,
+		StripTrailingHostDot:          *contourConfiguration.Envoy.Network.EnvoyStripTrailingHostDot,
 		ConnectionBalancer:            contourConfiguration.Envoy.Listener.ConnectionBalancer,
 		MaxRequestsPerConnection:      contourConfiguration.Envoy.Listener.MaxRequestsPerConnection,
 		HTTP2MaxConcurrentStreams:     contourConfiguration.Envoy.Listener.HTTP2MaxConcurrentStreams,

diff --git a/cmd/contour/servecontext.go b/cmd/contour/servecontext.go
@@ -580,8 +580,9 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co
 				},
 			},
 			Network: &contour_v1alpha1.NetworkParameters{
-				XffNumTrustedHops: &ctx.Config.Network.XffNumTrustedHops,
-				EnvoyAdminPort:    &ctx.Config.Network.EnvoyAdminPort,
+				XffNumTrustedHops:         &ctx.Config.Network.XffNumTrustedHops,
+				EnvoyAdminPort:            &ctx.Config.Network.EnvoyAdminPort,
+				EnvoyStripTrailingHostDot: &ctx.Config.Network.EnvoyStripTrailingHostDot,
 			},
 		},
 		Gateway: gatewayConfig,

diff --git a/cmd/contour/servecontext_test.go b/cmd/contour/servecontext_test.go
@@ -483,8 +483,9 @@ func TestConvertServeContext(t *testing.T) {
 					},
 				},
 				Network: &contour_v1alpha1.NetworkParameters{
-					EnvoyAdminPort:    ptr.To(9001),
-					XffNumTrustedHops: ptr.To(uint32(0)),
+					EnvoyAdminPort:            ptr.To(9001),
+					XffNumTrustedHops:         ptr.To(uint32(0)),
+					EnvoyStripTrailingHostDot: ptr.To(false),
 				},
 			},
 			Gateway: nil,

diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml
@@ -521,6 +521,17 @@ spec:
                           Contour's default is 0.
                         format: int32
                         type: integer
+                      stripTrailingHostDot:
+                        description: |-
+                          EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                          before any processing of request by HTTP filters or routing. This
+                          affects the upstream host header. Without setting this option to true, incoming
+                          requests with host example.com. will not match against route with domains
+                          match set to example.com.
+                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                          for more information.
+                          Contour's default is false.
+                        type: boolean
                     type: object
                   service:
                     description: |-
@@ -4337,6 +4348,17 @@ spec:
                               Contour's default is 0.
                             format: int32
                             type: integer
+                          stripTrailingHostDot:
+                            description: |-
+                              EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                              before any processing of request by HTTP filters or routing. This
+                              affects the upstream host header. Without setting this option to true, incoming
+                              requests with host example.com. will not match against route with domains
+                              match set to example.com.
+                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                              for more information.
+                              Contour's default is false.
+                            type: boolean
                         type: object
                       service:
                         description: |-

diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml
@@ -736,6 +736,17 @@ spec:
                           Contour's default is 0.
                         format: int32
                         type: integer
+                      stripTrailingHostDot:
+                        description: |-
+                          EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                          before any processing of request by HTTP filters or routing. This
+                          affects the upstream host header. Without setting this option to true, incoming
+                          requests with host example.com. will not match against route with domains
+                          match set to example.com.
+                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                          for more information.
+                          Contour's default is false.
+                        type: boolean
                     type: object
                   service:
                     description: |-
@@ -4552,6 +4563,17 @@ spec:
                               Contour's default is 0.
                             format: int32
                             type: integer
+                          stripTrailingHostDot:
+                            description: |-
+                              EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                              before any processing of request by HTTP filters or routing. This
+                              affects the upstream host header. Without setting this option to true, incoming
+                              requests with host example.com. will not match against route with domains
+                              match set to example.com.
+                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                              for more information.
+                              Contour's default is false.
+                            type: boolean
                         type: object
                       service:
                         description: |-

diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml
@@ -532,6 +532,17 @@ spec:
                           Contour's default is 0.
                         format: int32
                         type: integer
+                      stripTrailingHostDot:
+                        description: |-
+                          EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                          before any processing of request by HTTP filters or routing. This
+                          affects the upstream host header. Without setting this option to true, incoming
+                          requests with host example.com. will not match against route with domains
+                          match set to example.com.
+                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                          for more information.
+                          Contour's default is false.
+                        type: boolean
                     type: object
                   service:
                     description: |-
@@ -4348,6 +4359,17 @@ spec:
                               Contour's default is 0.
                             format: int32
                             type: integer
+                          stripTrailingHostDot:
+                            description: |-
+                              EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                              before any processing of request by HTTP filters or routing. This
+                              affects the upstream host header. Without setting this option to true, incoming
+                              requests with host example.com. will not match against route with domains
+                              match set to example.com.
+                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                              for more information.
+                              Contour's default is false.
+                            type: boolean
                         type: object
                       service:
                         description: |-

diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml
@@ -557,6 +557,17 @@ spec:
                           Contour's default is 0.
                         format: int32
                         type: integer
+                      stripTrailingHostDot:
+                        description: |-
+                          EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                          before any processing of request by HTTP filters or routing. This
+                          affects the upstream host header. Without setting this option to true, incoming
+                          requests with host example.com. will not match against route with domains
+                          match set to example.com.
+                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                          for more information.
+                          Contour's default is false.
+                        type: boolean
                     type: object
                   service:
                     description: |-
@@ -4373,6 +4384,17 @@ spec:
                               Contour's default is 0.
                             format: int32
                             type: integer
+                          stripTrailingHostDot:
+                            description: |-
+                              EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                              before any processing of request by HTTP filters or routing. This
+                              affects the upstream host header. Without setting this option to true, incoming
+                              requests with host example.com. will not match against route with domains
+                              match set to example.com.
+                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                              for more information.
+                              Contour's default is false.
+                            type: boolean
                         type: object
                       service:
                         description: |-

diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml
@@ -736,6 +736,17 @@ spec:
                           Contour's default is 0.
                         format: int32
                         type: integer
+                      stripTrailingHostDot:
+                        description: |-
+                          EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                          before any processing of request by HTTP filters or routing. This
+                          affects the upstream host header. Without setting this option to true, incoming
+                          requests with host example.com. will not match against route with domains
+                          match set to example.com.
+                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                          for more information.
+                          Contour's default is false.
+                        type: boolean
                     type: object
                   service:
                     description: |-
@@ -4552,6 +4563,17 @@ spec:
                               Contour's default is 0.
                             format: int32
                             type: integer
+                          stripTrailingHostDot:
+                            description: |-
+                              EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                              before any processing of request by HTTP filters or routing. This
+                              affects the upstream host header. Without setting this option to true, incoming
+                              requests with host example.com. will not match against route with domains
+                              match set to example.com.
+                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                              for more information.
+                              Contour's default is false.
+                            type: boolean
                         type: object
                       service:
                         description: |-

diff --git a/internal/contourconfig/contourconfiguration.go b/internal/contourconfig/contourconfiguration.go
@@ -127,8 +127,9 @@ func Defaults() contour_v1alpha1.ContourConfigurationSpec {
 				},
 			},
 			Network: &contour_v1alpha1.NetworkParameters{
-				XffNumTrustedHops: ptr.To(uint32(0)),
-				EnvoyAdminPort:    ptr.To(9001),
+				XffNumTrustedHops:         ptr.To(uint32(0)),
+				EnvoyAdminPort:            ptr.To(9001),
+				EnvoyStripTrailingHostDot: ptr.To(false),
 			},
 		},
 		Gateway: nil,

diff --git a/internal/contourconfig/contourconfiguration_test.go b/internal/contourconfig/contourconfiguration_test.go
@@ -130,8 +130,9 @@ func TestOverlayOnDefaults(t *testing.T) {
 				},
 			},
 			Network: &contour_v1alpha1.NetworkParameters{
-				XffNumTrustedHops: ptr.To(uint32(77)),
-				EnvoyAdminPort:    ptr.To(9997),
+				XffNumTrustedHops:         ptr.To(uint32(77)),
+				EnvoyAdminPort:            ptr.To(9997),
+				EnvoyStripTrailingHostDot: ptr.To(true),
 			},
 		},
 		Gateway: &contour_v1alpha1.GatewayConfig{

diff --git a/internal/envoy/v3/listener.go b/internal/envoy/v3/listener.go
@@ -185,6 +185,7 @@ type httpConnectionManagerBuilder struct {
 	serverHeaderTransformation    envoy_filter_network_http_connection_manager_v3.HttpConnectionManager_ServerHeaderTransformation
 	forwardClientCertificate      *dag.ClientCertificateDetails
 	numTrustedHops                uint32
+	stripTrailingHostDot          bool
 	tracingConfig                 *envoy_filter_network_http_connection_manager_v3.HttpConnectionManager_Tracing
 	maxRequestsPerConnection      *uint32
 	http2MaxConcurrentStreams     *uint32
@@ -294,6 +295,11 @@ func (b *httpConnectionManagerBuilder) NumTrustedHops(num uint32) *httpConnectio
 	return b
 }
 
+func (b *httpConnectionManagerBuilder) StripTrailingHostDot(strip bool) *httpConnectionManagerBuilder {
+	b.stripTrailingHostDot = strip
+	return b
+}
+
 // MaxRequestsPerConnection sets max requests per connection for the downstream.
 func (b *httpConnectionManagerBuilder) MaxRequestsPerConnection(maxRequestsPerConnection *uint32) *httpConnectionManagerBuilder {
 	b.maxRequestsPerConnection = maxRequestsPerConnection
@@ -506,8 +512,9 @@ func (b *httpConnectionManagerBuilder) Get() *envoy_config_listener_v3.Filter {
 			AllowChunkedLength: b.allowChunkedLength,
 		},
 
-		UseRemoteAddress:  wrapperspb.Bool(true),
-		XffNumTrustedHops: b.numTrustedHops,
+		UseRemoteAddress:     wrapperspb.Bool(true),
+		XffNumTrustedHops:    b.numTrustedHops,
+		StripTrailingHostDot: b.stripTrailingHostDot,
 
 		NormalizePath: wrapperspb.Bool(true),
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Adds a new configuration option `strip-trailing-host-dot` which defines if trailing dot of the host should be removed from host/authority header before any processing of request by HTTP filters or routing.