GEP 1323: Response Header Filter

  • Issue: #1323
  • Status: Standard

Note: This GEP is exempt from the Probationary Period rules of our GEP overview as it existed before those rules did, and so it has been explicitly grandfathered in.

TLDR

Similar to how we have RequestHeaderModifier in HTTPRouteFilter, which lets users modify request headers before the request is forwarded to a backend (or a group of backends), it’d be helpful to have a ResponseHeaderModifier field which would let users modify response headers before they are returned to the client.

Goals

  • Provide a way to modify HTTP response headers in a HTTPRoute.
  • Reuse existing types as much as possible to reduce boilerplate code.

Non Goals

  • Provide a way to modify other parts of a HTTP response like status code.
  • Add fields specifically for standard headers such as Cookie.

Introduction

Currently, the HTTPRouteFilter API provides a way for request headers to be modified through the RequestHeaderModifier field of type HTTPRequestHeaderModifier. But, a similar API to modify response headers does not exist. This proposal intends to introduce a new field in HTTPRouteFilter named ResponseHeaderModifier.

API

We could introduce a new API named HTTPResponseHeaderModifier which would look exactly like the existing HTTPRequestHeaderModifier API. But since HTTP headers have the same semantics for both requests and responses, it makes more sense to rename HTTPRequestHeaderModifier to HTTPHeaderModifier and use this for both RequestHeaderModifier and ResponseHeaderModifier.

  1. // HTTPHeaderModifier defines a filter that modifies the headers of a HTTP
  2. // request or response.
  3. type HTTPHeaderModifier struct {
  4.     // Set overwrites the request with the given header (name, value)
  5.     // before the action.
  6.     // +optional
  7.     // +listType=map
  8.     // +listMapKey=name
  9.     // +kubebuilder:validation:MaxItems=16
  10.     Set []HTTPHeader `json:"set,omitempty"`
  12.     // Add adds the given header(s) (name, value) to the request
  13.     // before the action. It appends to any existing values associated
  14.     // with the header name.
  16.     // +optional
  17.     // +listType=map
  18.     // +listMapKey=name
  19.     // +kubebuilder:validation:MaxItems=16
  20.     Add []HTTPHeader `json:"add,omitempty"`
  22.     // Remove the given header(s) from the HTTP request before the action. The
  23.     // value of Remove is a list of HTTP header names. Note that the header
  24.     // names are case-insensitive (see
  25.     // https://datatracker.ietf.org/doc/html/rfc2616#section-4.2).
  26.     // +optional
  27.     // +kubebuilder:validation:MaxItems=16
  28.     Remove []string `json:"remove,omitempty"`
  29. }

Given the fact that this functionality is offered by only a few projects that currently implement Gateway API when using their own traffic routing CRDs, it’s better to support ResponseHeaderModifier as an Extended feature, unlike RequestHeaderModifier which is a Core feature. This will also not increase the difficulty of implementing Gateway API for any future ingress or service mesh.

This feature can be further extended via Policy Attachment. The mechanism and use cases of this may be explored in a future GEP.

Usage

Adding support for this unlocks a lot of real world use cases. Let’s review a couple of them:

  • A team has a frontend web app, along with two different versions of their backends exposed as Kubernetes services. If, the frontend needs to know which backend it’s talking to, this can be easily achieved without any modifications to the application code.
  1. apiVersion: gateway.networking.k8s.io/v1beta1
  2. kind: HTTPRoute
  3. metadata:
  4.   name: http-response-header
  5. spec:
  6.   hostnames:
  7.     - response.header.example
  8.   rules:
  9.     - backendRefs:
  10.       - name: example-svc-beta
  11.         weight: 50
  12.         port: 80
  13.         # set a custom header for all responses being sent from the beta build of the backend server.
  14.         filters:
  15.            - type: ResponseHeaderModifier
  16.              responseHeaderModifier:
  17.               add:
  18.                 name: build
  19.                 value: beta
  20.       - name: example-svc-stable
  21.         weight: 50
  22.         port: 80
  • Cookies can be automatically injected into the response of services. This can enable services to identify users that were redirected to a certain backend.
  1. apiVersion: gateway.networking.k8s.io/v1beta1
  2. kind: HTTPRoute
  3. metadata:
  4.   name: http-response-header
  5. spec:
  6.   hostnames:
  7.     - response.header.example
  8.   rules:
  9.     # match against any requests that has the cookie set due to the below rule
  10.     - matches:
  11.       - headers:
  12.         type: Exact
  13.         name: Cookie
  14.         value: user=insider
  15.       backendRefs:
  16.       - name: foo-svc
  17.         port: 8080
  19.     - filters:
  20.       - type: ResponseHeaderModifier
  21.         # set cookies for all requests being forwarded to this service
  22.         responseHeaderModifier:
  23.           set:
  24.             name: Set-Cookie
  25.             value: user=insider
  26.       backendRefs:
  27.       - name: example-svc
  28.         weight: 1
  29.         port: 80

Note: Some projects like Envoy support interpolating a few predefined variables into header values. Similar functionality might be supported by other implementations but its unlikely to be portable and thus has been excluded from the API for the time being.

Prior Art

A few projects that implement Gateway API already have support for similar functionality (in their custom CRDs), like: * Istio’s VirtualService:

  1. apiVersion: networking.istio.io/v1alpha3
  2. kind: VirtualService
  3. metadata:
  4.   name: reviews-route
  5. spec:
  6.   hosts:
  7.   - reviews.prod.svc.cluster.local
  8.   http:
  9.   - headers:
  10.       request:
  11.         set:
  12.           test: "true"
  13.     route:
  14.     - destination:
  15.         host: reviews.prod.svc.cluster.local
  16.         subset: v2
  17.       weight: 25
  18.     - destination:
  19.         host: reviews.prod.svc.cluster.local
  20.         subset: v1
  21.       headers:
  22.         response:
  23.           remove:
  24.           - foo
  25.       weight: 75
  • Contour’s HTTPProxy:
  1. apiVersion: projectcontour.io/v1
  2. kind: HTTPProxy
  3. metadata:
  4.   name: basic
  5. spec:
  6.   virtualhost:
  7.     fqdn: foo-basic.bar.com
  8.   routes:
  9.     - conditions:
  10.       - prefix: /
  11.       services:
  12.         - name: s1
  13.           port: 80
  14.       responseHeadersPolicy:
  15.         set:
  16.           name: test
  17.           value: true
  • Ingress NGINX:
  1. apiVersion: networking.k8s.io/v1
  2. kind: Ingress
  3. metadata:
  4.   name: nginx-headers
  5.   annotations:
  6.     nginx.ingress.kubernetes.io/configuration-snippet: |
  7.       add_header ingress nginx;
  8. spec:
  9.   ingressClassName: nginx
  10.   rules:
  11.   - host: custom.configuration.com
  12.     http:
  13.       paths:
  14.       - path: /
  15.         pathType: Prefix
  16.         backend:
  17.           service:
  18.             name: http-svc
  19.             port:
  20.               number: 80