use ClientTrafficPolicy.Spec.Headers

Signed-off-by: Edoardo Vacchi <evacchi@users.noreply.github.com>

api/v1alpha1/clienttrafficpolicy_types.go

@@ -104,6 +104,12 @@ type HeaderSettings struct {
 	// +optional
 	EnableEnvoyHeaders *bool `json:"enableEnvoyHeaders,omitempty"`
 
+	// DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit" headers.
+	// If DisableRateLimitHeaders is false, "X-RateLimit" headers will be emitted.
+	// If not set, DisableRateLimitHeaders is False.
+	// +optional
+	DisableRateLimitHeaders bool `json:"disableRateLimitHeaders,omitempty"`
+
 	// XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.
 	//
 	// x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate

api/v1alpha1/envoygateway_types.go

@@ -340,13 +340,6 @@ type RateLimit struct {
 	// state associated with global ratelimiting.
 	Backend RateLimitDatabaseBackend `json:"backend"`
 
-	// DisableHeaders is a switch used to control whether
-	// X-RateLimit headers should be emitted
-	// If DisableHeaders is false, X-RateLimit headers
-	// will be emitted.
-	// If not set, DisableHeaders is False.
-	DisableHeaders bool `json:"disableHeaders"`
-
 	// Timeout specifies the timeout period for the proxy to access the ratelimit server
 	// If not set, timeout is 20ms.
 	// +optional

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -142,6 +142,12 @@ spec:
               headers:
                 description: HeaderSettings provides configuration for header management.
                 properties:
+                  disableRateLimitHeaders:
+                    description: |-
+                      DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit" headers.
+                      If DisableRateLimitHeaders is false, "X-RateLimit" headers will be emitted.
+                      If not set, DisableRateLimitHeaders is False.
+                    type: boolean
                   enableEnvoyHeaders:
                     description: |-
                       EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests

internal/cmd/egctl/config_test.go

@@ -403,7 +403,6 @@ rateLimit:
     type: Redis
     redis:
       url: redis.redis-system.svc.cluster.local:6379
-  disableHeaders: true
 `,
 				},
 			},

internal/ir/xds.go

@@ -430,6 +430,11 @@ type HeaderSettings struct {
 	// Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#extensions-filters-http-router-v3-router
 	EnableEnvoyHeaders bool `json:"enableEnvoyHeaders,omitempty" yaml:"enableEnvoyHeaders,omitempty"`
 
+	// EnableEnvoyHeaders controls if "x-ratelimit-" headers are added by the HTTP Router filter.
+	// The default is to emit these headers.
+	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ratelimit/v3/rate_limit.proto#extensions-filters-http-ratelimit-v3-ratelimit
+	DisableRateLimitHeaders bool `json:"disableRateLimitHeaders,omitempty" yaml:"disableRateLimitHeaders,omitempty"`
+
 	// Configure Envoy proxy how to handle the x-forwarded-client-cert (XFCC) HTTP header.
 	// refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails
 	XForwardedClientCert *XForwardedClientCert `json:"xForwardedClientCert,omitempty" yaml:"xForwardedClientCert,omitempty"`

internal/xds/translator/ratelimit.go

@@ -41,7 +41,6 @@ const (
 )
 
 const (
-	xRateLimitHeadersDisabled = 0
 	// Use `draft RFC Version 03 <https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html>` by default,
 	// where 3 headers will be added:
 	// * ``X-RateLimit-Limit`` - indicates the request-quota associated to the
@@ -118,11 +117,11 @@ func (t *Translator) buildRateLimitFilter(irListener *ir.HTTPListener) *hcmv3.Ht
 		rateLimitFilterProto.Timeout = durationpb.New(t.GlobalRateLimit.Timeout)
 	}
 
-	headers := xRateLimitHeadersRfcVersion
-	if t.GlobalRateLimit.DisableHeaders {
-		headers = xRateLimitHeadersDisabled
+	if irListener.Headers != nil && irListener.Headers.DisableRateLimitHeaders {
+		rateLimitFilterProto.EnableXRatelimitHeaders = ratelimitfilterv3.RateLimit_OFF
+	} else {
+		rateLimitFilterProto.EnableXRatelimitHeaders = ratelimitfilterv3.RateLimit_DRAFT_VERSION_03
 	}
-	rateLimitFilterProto.EnableXRatelimitHeaders = ratelimitfilterv3.RateLimit_XRateLimitHeadersRFCVersion(headers)
 
 	if t.GlobalRateLimit.FailClosed {
 		rateLimitFilterProto.FailureModeDeny = t.GlobalRateLimit.FailClosed

internal/xds/translator/runner/runner.go

@@ -72,9 +72,8 @@ func (r *Runner) subscribeAndTranslate(ctx context.Context) {
 				// Set the rate limit service URL if global rate limiting is enabled.
 				if r.EnvoyGateway.RateLimit != nil {
 					t.GlobalRateLimit = &translator.GlobalRateLimitSettings{
-						ServiceURL:     ratelimit.GetServiceURL(r.Namespace, r.DNSDomain),
-						FailClosed:     r.EnvoyGateway.RateLimit.FailClosed,
-						DisableHeaders: r.EnvoyGateway.RateLimit.DisableHeaders,
+						ServiceURL: ratelimit.GetServiceURL(r.Namespace, r.DNSDomain),
+						FailClosed: r.EnvoyGateway.RateLimit.FailClosed,
 					}
 					if r.EnvoyGateway.RateLimit.Timeout != nil {
 						t.GlobalRateLimit.Timeout = r.EnvoyGateway.RateLimit.Timeout.Duration

internal/xds/translator/translator.go

@@ -59,9 +59,6 @@ type GlobalRateLimitSettings struct {
 	// rate limit service.
 	ServiceURL string
 
-	// DisableHeaders emits X-RateLimit headers when false.
-	DisableHeaders bool
-
 	// Timeout specifies the timeout period for the proxy to access the ratelimit server
 	// If not set, timeout is 20000000(20ms).
 	Timeout time.Duration

site/content/en/latest/api/extension_types.md

@@ -1843,6 +1843,7 @@ _Appears in:_
 | Field | Type | Required | Description |
 | ---   | ---  | ---      | ---         |
 | `enableEnvoyHeaders` | _boolean_ |  false  | EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests<br />and responses. |
+| `disableRateLimitHeaders` | _boolean_ |  false  | DisableRateLimitHeaders configures Envoy Proxy to omit the "X-RateLimit" headers.<br />If DisableRateLimitHeaders is false, "X-RateLimit" headers will be emitted.<br />If not set, DisableRateLimitHeaders is False. |
 | `xForwardedClientCert` | _[XForwardedClientCert](#xforwardedclientcert)_ |  false  | XForwardedClientCert configures how Envoy Proxy handle the x-forwarded-client-cert (XFCC) HTTP header.<br /><br />x-forwarded-client-cert (XFCC) is an HTTP header used to forward the certificate<br />information of part or all of the clients or proxies that a request has flowed through,<br />on its way from the client to the server.<br /><br />Envoy proxy may choose to sanitize/append/forward the XFCC header before proxying the request.<br /><br />If not set, the default behavior is sanitizing the XFCC header. |
 | `withUnderscoresAction` | _[WithUnderscoresAction](#withunderscoresaction)_ |  false  | WithUnderscoresAction configures the action to take when an HTTP header with underscores<br />is encountered. The default action is to reject the request. |
 | `preserveXRequestID` | _boolean_ |  false  | PreserveXRequestID configures Envoy to keep the X-Request-ID header if passed for a request that is edge<br />(Edge request is the request from external clients to front Envoy) and not reset it, which is the current Envoy behaviour.<br />It defaults to false. |