Add strip trailing host dot option from Envoy

Fixes #6334

Signed-off-by: David Sale <[email protected]>

apis/projectcontour/v1alpha1/contourconfig.go

@@ -757,6 +757,19 @@ type NetworkParameters struct {
 	// Contour's default is 9001.
 	// +optional
 	EnvoyAdminPort *int `json:"adminPort,omitempty"`
+
+	// EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+	// before any processing of request by HTTP filters or routing. This
+	// affects the upstream host header. Without setting this option to true, incoming
+	// requests with host example.com. will not match against route with domains
+	// match set to example.com.
+	//
+	// See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+	// for more information.
+	//
+	// Contour's default is false.
+	// +optional
+	EnvoyStripTrailingHostDot *bool `json:"stripTrailingHostDot,omitempty"`
 }
 
 // RateLimitServiceConfig defines properties of a global Rate Limit Service.

changelogs/unreleased/6792-saley89-small.md

@@ -0,0 +1 @@
+Envoy's listener configuration to remove trailing dots at the end of a hostname before request processing can now be configured using the `network.strip-trailing-host-dot` field in the configuration file or the `spec.envoy.network.stripTrailingHostDot` field in the `ContourConfiguration` CRD. The available values are `false` (default) and `true`.

cmd/contour/serve.go

@@ -464,6 +464,7 @@ func (s *Server) doServe() error {
 		MergeSlashes:                  !*contourConfiguration.Envoy.Listener.DisableMergeSlashes,
 		ServerHeaderTransformation:    contourConfiguration.Envoy.Listener.ServerHeaderTransformation,
 		XffNumTrustedHops:             *contourConfiguration.Envoy.Network.XffNumTrustedHops,
+		StripTrailingHostDot:          *contourConfiguration.Envoy.Network.EnvoyStripTrailingHostDot,
 		ConnectionBalancer:            contourConfiguration.Envoy.Listener.ConnectionBalancer,
 		MaxRequestsPerConnection:      contourConfiguration.Envoy.Listener.MaxRequestsPerConnection,
 		HTTP2MaxConcurrentStreams:     contourConfiguration.Envoy.Listener.HTTP2MaxConcurrentStreams,

cmd/contour/servecontext.go

@@ -580,8 +580,9 @@ func (ctx *serveContext) convertToContourConfigurationSpec() contour_v1alpha1.Co
 				},
 			},
 			Network: &contour_v1alpha1.NetworkParameters{
-				XffNumTrustedHops: &ctx.Config.Network.XffNumTrustedHops,
-				EnvoyAdminPort:    &ctx.Config.Network.EnvoyAdminPort,
+				XffNumTrustedHops:         &ctx.Config.Network.XffNumTrustedHops,
+				EnvoyAdminPort:            &ctx.Config.Network.EnvoyAdminPort,
+				EnvoyStripTrailingHostDot: &ctx.Config.Network.EnvoyStripTrailingHostDot,
 			},
 		},
 		Gateway: gatewayConfig,

cmd/contour/servecontext_test.go

@@ -484,8 +484,9 @@ func TestConvertServeContext(t *testing.T) {
 					},
 				},
 				Network: &contour_v1alpha1.NetworkParameters{
-					EnvoyAdminPort:    ptr.To(9001),
-					XffNumTrustedHops: ptr.To(uint32(0)),
+					EnvoyAdminPort:            ptr.To(9001),
+					XffNumTrustedHops:         ptr.To(uint32(0)),
+					EnvoyStripTrailingHostDot: ptr.To(false),
 				},
 			},
 			Gateway: nil,

examples/contour/01-crds.yaml

@@ -521,6 +521,17 @@ spec:
                           Contour's default is 0.
                         format: int32
                         type: integer
+                      stripTrailingHostDot:
+                        description: |-
+                          EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                          before any processing of request by HTTP filters or routing. This
+                          affects the upstream host header. Without setting this option to true, incoming
+                          requests with host example.com. will not match against route with domains
+                          match set to example.com.
+                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                          for more information.
+                          Contour's default is false.
+                        type: boolean
                     type: object
                   service:
                     description: |-
@@ -4323,6 +4334,17 @@ spec:
                               Contour's default is 0.
                             format: int32
                             type: integer
+                          stripTrailingHostDot:
+                            description: |-
+                              EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                              before any processing of request by HTTP filters or routing. This
+                              affects the upstream host header. Without setting this option to true, incoming
+                              requests with host example.com. will not match against route with domains
+                              match set to example.com.
+                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                              for more information.
+                              Contour's default is false.
+                            type: boolean
                         type: object
                       service:
                         description: |-

examples/render/contour-deployment.yaml

@@ -741,6 +741,17 @@ spec:
                           Contour's default is 0.
                         format: int32
                         type: integer
+                      stripTrailingHostDot:
+                        description: |-
+                          EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                          before any processing of request by HTTP filters or routing. This
+                          affects the upstream host header. Without setting this option to true, incoming
+                          requests with host example.com. will not match against route with domains
+                          match set to example.com.
+                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                          for more information.
+                          Contour's default is false.
+                        type: boolean
                     type: object
                   service:
                     description: |-
@@ -4543,6 +4554,17 @@ spec:
                               Contour's default is 0.
                             format: int32
                             type: integer
+                          stripTrailingHostDot:
+                            description: |-
+                              EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                              before any processing of request by HTTP filters or routing. This
+                              affects the upstream host header. Without setting this option to true, incoming
+                              requests with host example.com. will not match against route with domains
+                              match set to example.com.
+                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                              for more information.
+                              Contour's default is false.
+                            type: boolean
                         type: object
                       service:
                         description: |-

examples/render/contour-gateway-provisioner.yaml

@@ -532,6 +532,17 @@ spec:
                           Contour's default is 0.
                         format: int32
                         type: integer
+                      stripTrailingHostDot:
+                        description: |-
+                          EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                          before any processing of request by HTTP filters or routing. This
+                          affects the upstream host header. Without setting this option to true, incoming
+                          requests with host example.com. will not match against route with domains
+                          match set to example.com.
+                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                          for more information.
+                          Contour's default is false.
+                        type: boolean
                     type: object
                   service:
                     description: |-
@@ -4334,6 +4345,17 @@ spec:
                               Contour's default is 0.
                             format: int32
                             type: integer
+                          stripTrailingHostDot:
+                            description: |-
+                              EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                              before any processing of request by HTTP filters or routing. This
+                              affects the upstream host header. Without setting this option to true, incoming
+                              requests with host example.com. will not match against route with domains
+                              match set to example.com.
+                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                              for more information.
+                              Contour's default is false.
+                            type: boolean
                         type: object
                       service:
                         description: |-

examples/render/contour-gateway.yaml

@@ -557,6 +557,17 @@ spec:
                           Contour's default is 0.
                         format: int32
                         type: integer
+                      stripTrailingHostDot:
+                        description: |-
+                          EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                          before any processing of request by HTTP filters or routing. This
+                          affects the upstream host header. Without setting this option to true, incoming
+                          requests with host example.com. will not match against route with domains
+                          match set to example.com.
+                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                          for more information.
+                          Contour's default is false.
+                        type: boolean
                     type: object
                   service:
                     description: |-
@@ -4359,6 +4370,17 @@ spec:
                               Contour's default is 0.
                             format: int32
                             type: integer
+                          stripTrailingHostDot:
+                            description: |-
+                              EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                              before any processing of request by HTTP filters or routing. This
+                              affects the upstream host header. Without setting this option to true, incoming
+                              requests with host example.com. will not match against route with domains
+                              match set to example.com.
+                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                              for more information.
+                              Contour's default is false.
+                            type: boolean
                         type: object
                       service:
                         description: |-

examples/render/contour.yaml

@@ -741,6 +741,17 @@ spec:
                           Contour's default is 0.
                         format: int32
                         type: integer
+                      stripTrailingHostDot:
+                        description: |-
+                          EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                          before any processing of request by HTTP filters or routing. This
+                          affects the upstream host header. Without setting this option to true, incoming
+                          requests with host example.com. will not match against route with domains
+                          match set to example.com.
+                          See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                          for more information.
+                          Contour's default is false.
+                        type: boolean
                     type: object
                   service:
                     description: |-
@@ -4543,6 +4554,17 @@ spec:
                               Contour's default is 0.
                             format: int32
                             type: integer
+                          stripTrailingHostDot:
+                            description: |-
+                              EnvoyStripTrailingHostDot defines if trailing dot of the host should be removed from host/authority header
+                              before any processing of request by HTTP filters or routing. This
+                              affects the upstream host header. Without setting this option to true, incoming
+                              requests with host example.com. will not match against route with domains
+                              match set to example.com.
+                              See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto?highlight=strip_trailing_host_dot
+                              for more information.
+                              Contour's default is false.
+                            type: boolean
                         type: object
                       service:
                         description: |-

internal/contourconfig/contourconfiguration.go

@@ -128,8 +128,9 @@ func Defaults() contour_v1alpha1.ContourConfigurationSpec {
 				},
 			},
 			Network: &contour_v1alpha1.NetworkParameters{
-				XffNumTrustedHops: ptr.To(uint32(0)),
-				EnvoyAdminPort:    ptr.To(9001),
+				XffNumTrustedHops:         ptr.To(uint32(0)),
+				EnvoyAdminPort:            ptr.To(9001),
+				EnvoyStripTrailingHostDot: ptr.To(false),
 			},
 		},
 		Gateway: nil,

internal/contourconfig/contourconfiguration_test.go

@@ -131,8 +131,9 @@ func TestOverlayOnDefaults(t *testing.T) {
 				},
 			},
 			Network: &contour_v1alpha1.NetworkParameters{
-				XffNumTrustedHops: ptr.To(uint32(77)),
-				EnvoyAdminPort:    ptr.To(9997),
+				XffNumTrustedHops:         ptr.To(uint32(77)),
+				EnvoyAdminPort:            ptr.To(9997),
+				EnvoyStripTrailingHostDot: ptr.To(true),
 			},
 		},
 		Gateway: &contour_v1alpha1.GatewayConfig{

internal/envoy/v3/listener.go

@@ -184,6 +184,7 @@ type httpConnectionManagerBuilder struct {
 	serverHeaderTransformation    envoy_filter_network_http_connection_manager_v3.HttpConnectionManager_ServerHeaderTransformation
 	forwardClientCertificate      *dag.ClientCertificateDetails
 	numTrustedHops                uint32
+	stripTrailingHostDot          bool
 	tracingConfig                 *envoy_filter_network_http_connection_manager_v3.HttpConnectionManager_Tracing
 	maxRequestsPerConnection      *uint32
 	http2MaxConcurrentStreams     *uint32
@@ -293,6 +294,11 @@ func (b *httpConnectionManagerBuilder) NumTrustedHops(num uint32) *httpConnectio
 	return b
 }
 
+func (b *httpConnectionManagerBuilder) StripTrailingHostDot(strip bool) *httpConnectionManagerBuilder {
+	b.stripTrailingHostDot = strip
+	return b
+}
+
 // MaxRequestsPerConnection sets max requests per connection for the downstream.
 func (b *httpConnectionManagerBuilder) MaxRequestsPerConnection(maxRequestsPerConnection *uint32) *httpConnectionManagerBuilder {
 	b.maxRequestsPerConnection = maxRequestsPerConnection
@@ -505,8 +511,9 @@ func (b *httpConnectionManagerBuilder) Get() *envoy_config_listener_v3.Filter {
 			AllowChunkedLength: b.allowChunkedLength,
 		},
 
-		UseRemoteAddress:  wrapperspb.Bool(true),
-		XffNumTrustedHops: b.numTrustedHops,
+		UseRemoteAddress:     wrapperspb.Bool(true),
+		XffNumTrustedHops:    b.numTrustedHops,
+		StripTrailingHostDot: b.stripTrailingHostDot,
 
 		NormalizePath: wrapperspb.Bool(true),