Description
Describe the bug
Gateway API header validation is defined here
NKG validates header names using this rule, which is permissive and disallows values that make NGINX fail to reload.
However, when processing request headers, NGINX applies much stricter validation rules: it only allows alphanumeric characters and -. See this comment: #717 (comment). Note: in NGINX, you can also allow underscores in headers, but we don't support that in NKG.
When NGINX encounters such headers, it drops them and prints a message like the one below in the error log:
2023/06/16 22:44:05 [info] 70#70: *17 client sent invalid header line: "version%!:v2" while reading client request headers, client: 127.0.0.1, server: cafe.example.com, request: "GET /coffee HTTP/1.1", host: "cafe.example.com:8080"
So the routing rules with invalid headers will not work as expected.
To Reproduce
Steps to reproduce the behavior:
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: coffee
spec:
  parentRefs:
  - name: gateway
  hostnames:
  - "cafe.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /coffee
    backendRefs:
    - name: coffee-v1-svc
      port: 80
  - matches:
    - path:
        type: PathPrefix
        value: /coffee
      headers:
      - name: version%! # valid from Gateway API and current NKG perspective
        value: v2
    - path:
        type: PathPrefix
        value: /coffee
      queryParams:
      - name: TEST
        value: v2
    backendRefs:
    - name: coffee-v2-svc
      port: 80
This request is not routed as expected (to v2), because NGINX will drop the header version%!
curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT/coffee -H 'version%!:v2'
Server address: 10.244.0.9:8080
Server name: coffee-v1-58f4c685db-jpsqk
Date: 16/Jun/2023:22:41:51 +0000
URI: /coffee
Request ID: 390384c7f082f2d03468594dec85f7e9
Expected behavior
Make NKG reject header names that are invalid from the NGINX perspective, so that the error is visible in the HTTPRoute status.
Your environment
- NKG edge
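One way to perform the check requested under "Expected behavior", as an added example that is not NKG's own code: it applies the rule stated in this issue (alphanumeric characters and - only, underscores not supported) to the header matches of a route and returns one error per name NGINX would drop. HeaderMatch, invalidHeaderChar, ValidateHeaderMatches and the field path are hypothetical names chosen for illustration.

```go
package main

import "fmt"

// HeaderMatch is a hypothetical stand-in for one entry under
// spec.rules[].matches[].headers of an HTTPRoute.
type HeaderMatch struct {
	Name, Value string
}

// invalidHeaderChar returns the offset of the first byte outside the set
// described in the issue (ASCII letters, digits and '-'), or -1 if the name
// is acceptable. Underscores are rejected because NKG does not support them.
func invalidHeaderChar(name string) int {
	for i := 0; i < len(name); i++ {
		c := name[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9', c == '-':
		default:
			return i
		}
	}
	return -1
}

// ValidateHeaderMatches returns one error per header match whose name NGINX
// would drop, prefixed with the field path so it can be shown in a status.
func ValidateHeaderMatches(path string, headers []HeaderMatch) []error {
	var errs []error
	for i, h := range headers {
		field := fmt.Sprintf("%s[%d].name", path, i)
		if h.Name == "" {
			errs = append(errs, fmt.Errorf("%s: header name is empty", field))
		} else if idx := invalidHeaderChar(h.Name); idx >= 0 {
			errs = append(errs, fmt.Errorf("%s: %q has invalid character %q at offset %d",
				field, h.Name, h.Name[idx:idx+1], idx))
		}
	}
	return errs
}

func main() {
	// Constructed sample: the header from the HTTPRoute above, a valid name,
	// and a name with an underscore.
	headers := []HeaderMatch{{Name: "version%!", Value: "v2"},
		{Name: "X-Version", Value: "v2"}, {Name: "x_version", Value: "v2"}}
	for _, err := range ValidateHeaderMatches("spec.rules[1].matches[0].headers", headers) {
		fmt.Println(err)
	}
}
```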