Ingress - allow headers manipulation

[Adiqq]

It should be possible to add/remove/modify headers. It would also be nice to use template-like expressions through ingress annotations or in some other way, e.g. optional-header: "Authorization: $some-existing-header" , to create new header from existing if request contains some existing header. There would also have to be some way to specify required values, e.g. required-header: "Something: $something | default('value')"

https://www.envoyproxy.io/docs/envoy/latest/configuration/http_conn_man/headers#custom-request-response-headers

[rshriram]

Our upcoming gateway resource provides these features. Its unlikely to land in Kubernetes ingress implementation as it gets extremely complicated. The gateway can be stood up as a load balancer service, and configured easily through our routing rules for these purposes.

[rshriram]

Actually could you file an issue in istio/api for ability to generate headers via routing rules? we allow adding/removing headers, but what you are asking for requires automatic generation of headers through template values..

[Adiqq]

Done. In our case, we would need it, because our ingress will be behind Citrix's Netscaler Gateway that can remove some specific headers, so one potential solution is to "rename" headers on ingress.

[sneko]

@rshriram Hi! I'm using Istio ingress gateway and I can see in my browser that HTTP response headers contain some fields like:

• server: envoy
• x-envoy-upstream-service-time: 3

For security purpose I would like to hide this kind of information. Do you know how I could do that please?

I just found information about CORS policy with exposeHeaders property.

Thank you 🙂

[sneko]

It seems related to this PR (https://github.com/istio/api/pull/625) so I guess it will be released in Istio v1.0.3 ?

I hope we will have the ability to use a wildcard to use x-envoy-*

[ijsnellf]

@sneko: the ability to remove response headers is being worked on here: https://github.com/istio/istio/pull/8340

[sneko]

@ijsnellf indeed that's a solution we can put on every VirtualService.

I'm also interested in a global solution such as removing Server header from all Istio ingress responses. Someone found a workaround by patching envoy sidecars https://github.com/istio/istio/issues/13861#issuecomment-534477416, but that's unfortunately not specific to Istio (so we cannot scope to a gateway...).