solo-io · ashishb-solo · Jun 25, 2024 · Jun 4, 2024 · Jun 5, 2024 · Jun 6, 2024
@@ -1208,6 +1208,9 @@ apis:
   hcm.options.gloo.solo.io.HttpConnectionManagerSettings:
     relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto.sk/#HttpConnectionManagerSettings
     package: hcm.options.gloo.solo.io
+  header_validation.options.gloo.solo.io.HeaderValidationSettings:
+    relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/header_validation/header_validation.proto.sk/#HeaderValidationSettings
+    package: header_validation.options.gloo.solo.io
   headers.options.gloo.solo.io.HeaderManipulation:
     relativepath: reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/options/headers/headers.proto.sk/#HeaderManipulation
     package: headers.options.gloo.solo.io

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_Gateway.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_Gateway.yaml
@@ -818,6 +818,11 @@ spec:
                             nullable: true
                             type: integer
                         type: object
+                      headerValidationSettings:
+                        properties:
+                          allowCustomHeaderMethods:
+                            type: boolean
+                        type: object
                       healthCheck:
                         properties:
                           path:
@@ -2737,6 +2742,11 @@ spec:
                                       nullable: true
                                       type: integer
                                   type: object
+                                headerValidationSettings:
+                                  properties:
+                                    allowCustomHeaderMethods:
+                                      type: boolean
+                                  type: object
                                 healthCheck:
                                   properties:
                                     path:

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_HttpListenerOption.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_HttpListenerOption.yaml
@@ -809,6 +809,11 @@ spec:
                         nullable: true
                         type: integer
                     type: object
+                  headerValidationSettings:
+                    properties:
+                      allowCustomHeaderMethods:
+                        type: boolean
+                    type: object
                   healthCheck:
                     properties:
                       path:

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_MatchableHttpGateway.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_MatchableHttpGateway.yaml
@@ -812,6 +812,11 @@ spec:
                             nullable: true
                             type: integer
                         type: object
+                      headerValidationSettings:
+                        properties:
+                          allowCustomHeaderMethods:
+                            type: boolean
+                        type: object
                       healthCheck:
                         properties:
                           path:

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_RouteOption.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_RouteOption.yaml
@@ -386,6 +386,11 @@ spec:
                           type: string
                         type: array
                     type: object
+                  headerValidationSettings:
+                    properties:
+                      allowCustomHeaderMethods:
+                        type: boolean
+                    type: object
                   hostRewrite:
                     type: string
                   hostRewriteHeader:

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_RouteTable.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_RouteTable.yaml
@@ -496,6 +496,11 @@ spec:
                                 type: string
                               type: array
                           type: object
+                        headerValidationSettings:
+                          properties:
+                            allowCustomHeaderMethods:
+                              type: boolean
+                          type: object
                         hostRewrite:
                           type: string
                         hostRewriteHeader:

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_VirtualHostOption.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_VirtualHostOption.yaml
@@ -356,6 +356,11 @@ spec:
                           type: string
                         type: array
                     type: object
+                  headerValidationSettings:
+                    properties:
+                      allowCustomHeaderMethods:
+                        type: boolean
+                    type: object
                   includeAttemptCountInResponse:
                     nullable: true
                     type: boolean

diff --git a/install/helm/gloo/crds/gateway.solo.io_v1_VirtualService.yaml b/install/helm/gloo/crds/gateway.solo.io_v1_VirtualService.yaml
@@ -446,6 +446,11 @@ spec:
                               type: string
                             type: array
                         type: object
+                      headerValidationSettings:
+                        properties:
+                          allowCustomHeaderMethods:
+                            type: boolean
+                        type: object
                       includeAttemptCountInResponse:
                         nullable: true
                         type: boolean
@@ -3329,6 +3334,11 @@ spec:
                                     type: string
                                   type: array
                               type: object
+                            headerValidationSettings:
+                              properties:
+                                allowCustomHeaderMethods:
+                                  type: boolean
+                              type: object
                             hostRewrite:
                               type: string
                             hostRewriteHeader:

diff --git a/projects/gloo/api/v1/options.proto b/projects/gloo/api/v1/options.proto
@@ -18,6 +18,7 @@ import "github.com/solo-io/gloo/projects/gloo/api/v1/options/proxy_protocol/prox
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_web/grpc_web.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/grpc_json/grpc_json.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/hcm/hcm.proto";
+import "github.com/solo-io/gloo/projects/gloo/api/v1/options/header_validation/header_validation.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/lbhash/lbhash.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/shadowing/shadowing.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/options/tcp/tcp.proto";
@@ -231,6 +232,12 @@ message HttpListenerOptions {
 
     // Enterprise only: Listener-level stateful session settings
     stateful_session.options.gloo.solo.io.StatefulSession stateful_session = 35;
+
+    // Whether custom HTTP methods should be allowed. Defaults to false (custom
+    // HTTP methods are not allowed). The list of default-allowed HTTP methods
+    // can be found here:
+    // https://github.com/envoyproxy/envoy/blob/2970ddbd4ade787dd51dfbe605ae2e8c5d8ffcf7/source/common/http/http1/balsa_parser.cc#L54
+    header_validation.options.gloo.solo.io.HeaderValidationSettings header_validation_settings = 36;
 }
 
 // Optional, feature-specific configuration that lives on tcp listeners
@@ -373,6 +380,12 @@ message VirtualHostOptions {
     // Enterprise-only: External Processing filter settings for the virtual host. This can be used to
     // override certain HttpListenerOptions settings, and can be overridden by RouteOptions settings.
     extproc.options.gloo.solo.io.RouteSettings ext_proc = 30;
+
+    // Whether custom HTTP methods should be allowed. Defaults to false (custom
+    // HTTP methods are not allowed). The list of default-allowed HTTP methods
+    // can be found here:
+    // https://github.com/envoyproxy/envoy/blob/2970ddbd4ade787dd51dfbe605ae2e8c5d8ffcf7/source/common/http/http1/balsa_parser.cc#L54
+    header_validation.options.gloo.solo.io.HeaderValidationSettings header_validation_settings = 31;
 }
 
 // Optional, feature-specific configuration that lives on routes.
@@ -577,7 +590,15 @@ message RouteOptions {
     // Enterprise-only: External Processing filter settings for the route. This can be used to
     // override certain HttpListenerOptions or VirtualHostOptions settings.
     extproc.options.gloo.solo.io.RouteSettings ext_proc = 30;
+
+    // Header Validation Settings. These can be used to configure Gloo with
+    // rules to customize whether requests should be accepted or rejected,
+    // based on the contents of the HTTP header.
+    // TODO: include some kind of warning that the behavior of these fields may
+    // change when we update Envoy to a new version.
+    header_validation.options.gloo.solo.io.HeaderValidationSettings header_validation_settings = 31;
 }
+
 // Configuration for Destinations that are tied to the UpstreamSpec or ServiceSpec on that destination
 message DestinationSpec {
     // Note to developers: new DestinationSpecs must be added to this oneof field

diff --git a/projects/gloo/api/v1/options/header_validation/header_validation.proto b/projects/gloo/api/v1/options/header_validation/header_validation.proto
@@ -0,0 +1,32 @@
+syntax = "proto3";
+package header_validation.options.gloo.solo.io;
+
+option go_package = "github.com/solo-io/gloo/projects/gloo/pkg/api/v1/options/header_validation";
+
+message HeaderValidationSettings {
+    // Whether custom HTTP methods should be allowed. Defaults to false (custom
+    // HTTP methods are not allowed). The list of default-allowed HTTP methods
+    // can be found here:
+    // https://github.com/envoyproxy/envoy/blob/2970ddbd4ade787dd51dfbe605ae2e8c5d8ffcf7/source/common/http/http1/balsa_parser.cc#L54
+    // **BREAKING API COMPATIBILITY WARNING**:
+    // Note that right now, this field only changes whether custom header methods are allowed on HTTP/1 connections only.
+    // In a future release of Gloo, this option will change to allow custom
+    // HTTP methods not just on HTTP/1, but also on all other HTTP protocols as
+    // well.
+
+    // As of right now, this field is only supported on HTTP/1 connections.
+    // When Universal Header Validation is enabled in Envoy, this field will
+    // apply to all HTTP protocols.
+    // TODO: let's think a bit more carefully about how we want to design this
+    // for future-proofing purposes. I think we may want to consider having an
+    // oneof here instead that could be something like (allow default
+    // methods/allow all methods/custom allow-list).
+    // we may also want to model our API similarly to upstream Envoy's UHV API
+    // WARNING: these options should not be considered stable, and this API is
+    // subject to change in the future.
+    // question: alternately, we could enable this as an HTTP/1-only option,
+    // mark it as deprecated, and then when UHV is enabled, we could remove the
+    // deprecated option and introduce a new option for all HTTP protocols.
+    bool allow_custom_header_methods = 1;
+}
+