5579 extended http methods

Makefile

@@ -48,6 +48,12 @@ VERSION ?= 1.0.1-dev
 
 SOURCES := $(shell find . -name "*.go" | grep -v test.go)
 
+# ATTENTION: when updating to a new major version of Envoy, check if
+# universal header validation has been enabled and if so, we expect
+# failures in `test/e2e/header_validation_test.go`
+# for more information, see https://github.com/solo-io/gloo/pull/9633
+# and
+# https://soloio.slab.com/posts/extended-http-methods-design-doc-40j7pjeu
 ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.30.2-patch2
 LDFLAGS := "-X github.com/solo-io/gloo/pkg/version.Version=$(VERSION)"
 GCFLAGS ?=
@@ -932,7 +938,7 @@ docker-push-%:
 	docker push $(IMAGE_REGISTRY)/$*:$(VERSION)
 
 .PHONY: docker-standard
-docker-standard: check-go-version
+docker-standard: check-go-version ## Build docker images (standard only)
 docker-standard: gloo-docker
 docker-standard: discovery-docker
 docker-standard: gloo-envoy-wrapper-docker
@@ -943,7 +949,7 @@ docker-standard: access-logger-docker
 docker-standard: kubectl-docker
 
 .PHONY: docker-distroless
-docker-distroless: check-go-version
+docker-distroless: check-go-version ## Build docker images (distroless only)
 docker-distroless: gloo-distroless-docker
 docker-distroless: discovery-distroless-docker
 docker-distroless: gloo-envoy-wrapper-distroless-docker
@@ -956,7 +962,7 @@ docker-distroless: kubectl-distroless-docker
 IMAGE_VARIANT ?= all
 # Build docker images using the defined IMAGE_REGISTRY, VERSION
 .PHONY: docker
-docker: check-go-version
+docker: check-go-version ## Build all docker images (standard and distroless)
 docker: # Standard images
 ifeq ($(IMAGE_VARIANT),$(filter $(IMAGE_VARIANT),all standard))
 docker: docker-standard

changelog/v1.18.0-beta2/5579-support-extended-http-methods.yaml

@@ -0,0 +1,8 @@
+changelog:
+- type: NEW_FEATURE
+  issueLink: https://github.com/solo-io/gloo/issues/5579
+  resolvesIssue: true
+  description: >-
+    Enable Envoy to accept requests with extended HTTP methods (such as `LABEL`
+    or `UPDATE`). Previously, requests with these methods would return an HTTP
+    400 response. Currently, this functionality is supported for HTTP/1 only.

docs/data/ProtoMap.yaml

@@ -1208,6 +1208,9 @@ apis:
   hcm.options.gloo.solo.io.HttpConnectionManagerSettings:
     relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto.sk/#HttpConnectionManagerSettings
     package: hcm.options.gloo.solo.io
+  header_validation.options.gloo.solo.io.HeaderValidationSettings:
+    relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/header_validation/header_validation.proto.sk/#HeaderValidationSettings
+    package: header_validation.options.gloo.solo.io
   headers.options.gloo.solo.io.HeaderManipulation:
     relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/headers/headers.proto.sk/#HeaderManipulation
     package: headers.options.gloo.solo.io

install/helm/gloo/crds/gateway.solo.io_v1_Gateway.yaml

@@ -818,6 +818,12 @@ spec:
                             nullable: true
                             type: integer
                         type: object
+                      headerValidationSettings:
+                        properties:
+                          disableHttp1MethodValidation:
+                            maxProperties: 0
+                            type: object
+                        type: object
                       healthCheck:
                         properties:
                           path:
@@ -2737,6 +2743,12 @@ spec:
                                       nullable: true
                                       type: integer
                                   type: object
+                                headerValidationSettings:
+                                  properties:
+                                    disableHttp1MethodValidation:
+                                      maxProperties: 0
+                                      type: object
+                                  type: object
                                 healthCheck:
                                   properties:
                                     path:

install/helm/gloo/crds/gateway.solo.io_v1_HttpListenerOption.yaml

@@ -809,6 +809,12 @@ spec:
                         nullable: true
                         type: integer
                     type: object
+                  headerValidationSettings:
+                    properties:
+                      disableHttp1MethodValidation:
+                        maxProperties: 0
+                        type: object
+                    type: object
                   healthCheck:
                     properties:
                       path:

install/helm/gloo/crds/gateway.solo.io_v1_MatchableHttpGateway.yaml

@@ -812,6 +812,12 @@ spec:
                             nullable: true
                             type: integer
                         type: object
+                      headerValidationSettings:
+                        properties:
+                          disableHttp1MethodValidation:
+                            maxProperties: 0
+                            type: object
+                        type: object
                       healthCheck:
                         properties:
                           path:

projects/gloo/api/v1/options.proto

@@ -18,6 +18,7 @@ import "github.com/solo-io/gloo/projects/gloo/api/v1/options/proxy_protocol/prox
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_web/grpc_web.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_json/grpc_json.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto";
+import "github.com/solo-io/gloo/projects/gloo/api/v1/options/header_validation/header_validation.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/lbhash/lbhash.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/shadowing/shadowing.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/tcp/tcp.proto";
@@ -231,6 +232,11 @@ message HttpListenerOptions {
 
     // Enterprise only: Listener-level stateful session settings
     stateful_session.options.gloo.solo.io.StatefulSession stateful_session = 35;
+
+    // Header validation settings - fields in this message can be used to
+    // determine whether requests should be rejected based on the contents of
+    // the header.
+    header_validation.options.gloo.solo.io.HeaderValidationSettings header_validation_settings = 36;
 }
 
 // Optional, feature-specific configuration that lives on tcp listeners
@@ -578,6 +584,7 @@ message RouteOptions {
     // override certain HttpListenerOptions or VirtualHostOptions settings.
     extproc.options.gloo.solo.io.RouteSettings ext_proc = 30;
 }
+
 // Configuration for Destinations that are tied to the UpstreamSpec or ServiceSpec on that destination
 message DestinationSpec {
     // Note to developers: new DestinationSpecs must be added to this oneof field

projects/gloo/api/v1/options/header_validation/header_validation.proto

@@ -0,0 +1,24 @@
+syntax = "proto3";
+package header_validation.options.gloo.solo.io;
+
+import "google/protobuf/empty.proto";
+
+option go_package = "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/options/header_validation";
+
+message HeaderValidationSettings {
+  // How header methods will be validated. By default, Envoy will
+  // validate HTTP methods for HTTP/1 connections against the default set of allowed methods.
+  // The default allowed methods can be found here:
+  // https://github.com/envoyproxy/envoy/blob/2970ddbd4ade787dd51dfbe605ae2e8c5d8ffcf7/source/common/http/http1/balsa_parser.cc#L54
+  // or here, if Universal Header Validation is enabled:
+  // https://github.com/envoyproxy/envoy/blob/0b9f67e7f71bcba3ff49575dc61676478cb68614/source/extensions/http/header_validators/envoy_default/header_validator.cc#L53
+  // Invalid methods on HTTP/1 requests will be rejected with a HTTP 400
+  // response.
+  // For HTTP/2, Envoy does not validate header methods by default.
+	oneof header_method_validation {
+		// Disable method validation. Envoy will not perform any validation on
+		// the method provided in the HTTP header.
+		google.protobuf.Empty disable_http1_method_validation = 1;
+	}
+}
+