extAuth - headersToExtAuth translation case-sensitivity

[ecoughlan]

Description:
headersToExtAuth translation case-sensitivity mismatch

Repro steps:
A config like this:

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: authentik-ext-auth
  namespace: default
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: httpbin
    namespace: default
  extAuth:
    headersToExtAuth:
      - Cookie
    ...

is translated to exact string matches including case. Unfortunately request headers are folded to lower-case somewhere (maybe this is the actual bug), so "Cookie" will not get forwarded to the auth backend and is silently dropped.

With this change in extauth.go I was able to make logging in work:

--- a/internal/xds/translator/extauth.go
+++ b/internal/xds/translator/extauth.go
@@ -104,6 +104,7 @@ func extAuthConfig(extAuth *ir.ExtAuth) *extauthv3.ExtAuthz {
                        MatchPattern: &matcherv3.StringMatcher_Exact{
                                Exact: header,
                        },
+                       IgnoreCase: true,
                })
        }

Environment:
gateway v1.0.1

Notes:
Maybe this should be specifiable in https://gateway.envoyproxy.io/latest/api/extension_types/#extauth instead of a stringarray instead.
The same problem might apply to headersToBackend as well.

[alexandermarston]

We're seeing a similar problem where our application sometimes sends an Authorization header and sometimes sends an authorization header which is causing us a headache.

[arkodg]

HTTP header names are case insensitive https://datatracker.ietf.org/doc/html/rfc2616#page-31 so +1 to this change