api: add maxRequestHeaderBytes and host normalization to ClientTrafficPolicy #8825

Open
albsga4 wants to merge 7 commits into envoyproxy:main from albsga4:feat/ctp-max-request-headers-strip-port

albsga4 commented Apr 22, 2026

What type of PR is this?

api: add maxRequestHeaderBytes and host.stripPortMode fields to ClientTrafficPolicy

What this PR does / why we need it:

Two common HttpConnectionManager settings currently require EnvoyPatchPolicy with fragile jsonPath expressions to configure:

  1. max_request_headers_kb — the default 60 KiB limit is too small for many production use cases (large Authorization headers, cookies, etc.)
  2. strip_port_mode — clients sending Host: example.com:443 don't match routes defined without ports

This PR adds native ClientTrafficPolicy fields for both:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
spec:
  headers:
    maxRequestHeaderBytes: 80Ki
  host:
    stripPortMode: Any

headers.maxRequestHeaderBytes (resource.Quantity)

  • Maps to Envoy max_request_headers_kb on the HCM
  • Accepts Kubernetes resource quantities (80Ki, 100Ki, 1Mi, or raw bytes like 81920)
  • Validated to be at least 1Ki (1024 bytes) — values below return an error
  • Follows the same pattern as connection.socketBufferLimit (Quantity in API, uint32 in IR)

host.stripPortMode (Enum: Any | Matching)

  • New host section parallel to the existing path section (path normalizes path, host normalizes host)
  • Any maps to Envoy strip_any_host_port (strips port unconditionally)
  • Matching maps to Envoy strip_matching_host_port (strips only when port matches listener)
  • Nil means no stripping (Envoy default)

Changes:

  • api/v1alpha1/clienttrafficpolicy_types.go — MaxRequestHeaderBytes in HeaderSettings, new HostSettings struct with StripPortMode enum
  • internal/ir/xds.go — MaxRequestHeadersKB *uint32 in HeaderSettings, HostSettings with typed StripPortMode + constants
  • internal/gatewayapi/clienttrafficpolicy.go — Quantity-to-uint32 conversion with validation, translateHostSettings
  • internal/xds/translator/listener.go — xDS translation (typed-nil safe pattern for strip_port_mode oneof, standalone bool for strip_matching_host_port)
  • CRDs regenerated, deepcopy generated
  • 3 gatewayapi golden tests (happy path, Matching mode, error for < 1Ki) + 1 xDS translator golden test (both strip modes)
  • Docs: request-header-size.md + host-port-stripping.md
  • Release notes updated

Which issue(s) this PR fixes:

Fixes #5368

Release Notes: Yes

/cc @arkodg

…cPolicy

Add maxRequestHeaderBytes to ClientTrafficPolicy.headers for configuring maximum
request header size (Envoy max_request_headers_kb). Values use resource.Quantity
format (e.g. 80Ki) and are validated to be at least 1Ki.

Add host.stripPortMode to ClientTrafficPolicy for stripping ports from the
Host/Authority header before route matching. Supports Any (unconditional) and
Matching (only when port matches listener port).

Fixes envoyproxy#5368

Signed-off-by: asalvador <asalvador@newrelic.com>
albsga4 requested a review from a team as a code owner April 22, 2026 23:11

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0174fe5350

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread internal/gatewayapi/clienttrafficpolicy.go
Comment thread internal/gatewayapi/clienttrafficpolicy.go
Guard against uint32 overflow by rejecting values where bytes/1024
exceeds math.MaxUint32.

Signed-off-by: asalvador <asalvador@newrelic.com>
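
The 1Ki minimum from the PR description and the uint32 guard from the commit above, as an added Go sketch (not the PR's code). The PR parses a Kubernetes resource.Quantity; this stand-alone version accepts only Ki/Mi/Gi suffixes or raw bytes, and the function name, truncating division and error strings are assumptions. Without the range check, a plain uint32(bytes/1024) conversion would silently wrap for very large values.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// headerLimitKB converts "80Ki", "1Mi" or raw bytes such as "81920" to whole KiB.
// It applies the two checks named in the PR: at least 1Ki, and bytes/1024 must
// fit in uint32. Suffix subset and truncating division are assumptions here.
func headerLimitKB(q string) (uint32, error) {
	mult := uint64(1)
	for s, m := range map[string]uint64{"Ki": 1 << 10, "Mi": 1 << 20, "Gi": 1 << 30} {
		if strings.HasSuffix(q, s) {
			q, mult = strings.TrimSuffix(q, s), m
			break
		}
	}
	n, err := strconv.ParseUint(q, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("invalid quantity: %w", err)
	}
	if n > math.MaxUint64/mult {
		return 0, errors.New("quantity overflows uint64")
	}
	b := n * mult
	if b < 1024 {
		return 0, errors.New("maxRequestHeaderBytes must be at least 1Ki")
	}
	// Reject before narrowing: converting an oversized uint64 to uint32 truncates.
	if kb := b / 1024; kb <= math.MaxUint32 {
		return uint32(kb), nil
	}
	return 0, errors.New("maxRequestHeaderBytes exceeds the uint32 KiB range")
}

func main() {
	// Constructed inputs: two spellings of 80 KiB, 1 MiB, too small, too large.
	for _, q := range []string{"80Ki", "81920", "1Mi", "512", "4398046511104Ki"} {
		kb, err := headerLimitKB(q)
		fmt.Println(q, kb, err)
	}
}
```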

albsga4 commented Apr 22, 2026

@codex review

chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 52c7f869ce

Comment thread internal/gatewayapi/clienttrafficpolicy.go
Run docs-api-gen to include HostSettings, StripPortMode, and
MaxRequestHeaderBytes in the generated API reference.

Signed-off-by: asalvador <asalvador@newrelic.com>
albsga4 added 2 commits April 23, 2026 16:57
Add stripTrailingHostDot bool to the host section. Maps to Envoy's
strip_trailing_host_dot on the HCM. Without this, requests with
Host "example.com." don't match routes for "example.com".

Fixes envoyproxy#8832

Signed-off-by: asalvador <asalvador@newrelic.com>
Signed-off-by: asalvador <asalvador@newrelic.com>
albsga4 changed the title from "api: add maxRequestHeaderBytes and host.stripPortMode to ClientTrafficPolicy" to "api: add maxRequestHeaderBytes and host normalization to ClientTrafficPolicy" Apr 23, 2026
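
How the host settings discussed in this PR (stripPortMode Any and Matching, plus stripTrailingHostDot) change the Host value used for route matching, as an added Go model that is not Envoy's or the PR's code. The function names and the sample Host values are constructed, and leaving the port in place when only the trailing dot is stripped is this model's assumption.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// splitPort separates a numeric ":port" suffix from a Host value; raw is ""
// when there is none. Bracketed IPv6 literals such as "[::1]" stay intact.
func splitPort(host string) (name, raw string, num uint64) {
	i := strings.LastIndexByte(host, ':')
	if i < 0 || (strings.Contains(host[:i], ":") && !strings.HasSuffix(host[:i], "]")) {
		return host, "", 0
	}
	n, err := strconv.ParseUint(host[i+1:], 10, 16)
	if err != nil {
		return host, "", 0
	}
	return host[:i], host[i+1:], n
}

// normalizeHost models the PR's host settings. mode is "", "Any" or "Matching";
// stripDot stands for stripTrailingHostDot. A port that is kept is left as sent.
func normalizeHost(host, mode string, listenerPort uint64, stripDot bool) string {
	name, raw, num := splitPort(host)
	if stripDot {
		name = strings.TrimSuffix(name, ".")
	}
	if raw == "" || mode == "Any" || (mode == "Matching" && num == listenerPort) {
		return name
	}
	return name + ":" + raw
}

func main() {
	// Constructed Host values, as seen by a listener on port 443.
	hosts := []string{"example.com", "example.com:443", "example.com:8443",
		"example.com.", "example.com.:443", "[2001:db8::1]:443"}
	for _, mode := range []string{"", "Any", "Matching"} {
		for _, h := range hosts {
			got := normalizeHost(h, mode, 443, true)
			fmt.Printf("mode=%-10q %-20s -> %-16s route example.com: %v\n",
				mode, h, got, got == "example.com")
		}
	}
}
```

With Any, example.com:8443 collapses to example.com and matches the portless route; with Matching it keeps its port and does not, which is the difference to weigh when routes are meant to apply to the listener's own port only.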

Development

Successfully merging this pull request may close these issues.

Add support for max request header size
