feat: support forward client cert config XFCC header

api/v1alpha1/clienttrafficpolicy_types.go

@@ -104,6 +104,9 @@ type HeaderSettings struct {
 	// is encountered. The default action is to reject the request.
 	// +optional
 	WithUnderscoresAction *WithUnderscoresAction `json:"withUnderscoresAction,omitempty"`
+
+	// configure Envoy proxy to forward x-forwarded-client-cert (XFCC) HTTP header
+	ForwardClientCertDetails *ForwardClientCertDetails `json:"forwardClientCertDetails,omitempty"`
 }
 
 // WithUnderscoresAction configures the action to take when an HTTP header with underscores
@@ -123,6 +126,26 @@ const (
 	WithUnderscoresActionDropHeader WithUnderscoresAction = "DropHeader"
 )
 
+// +kubebuilder:validation:Enum=Sanitize;ForwardOnly;AppendForward;SanitizeSet;AlwaysForwardOnly
+type ForwardClientCertDetails string
+
+const (
+	// Do not send the XFCC header to the next hop. This is the default value.
+	ForwardClientCertDetailsSanitize ForwardClientCertDetails = "Sanitize"
+	// When the client connection is mTLS (Mutual TLS), forward the XFCC header
+	// in the request.
+	ForwardClientCertDetailsForwardOnly ForwardClientCertDetails = "ForwardOnly"
+	// When the client connection is mTLS, append the client certificate
+	// information to the request’s XFCC header and forward it.
+	ForwardClientCertDetailsAppendForward ForwardClientCertDetails = "AppendForward"
+	// When the client connection is mTLS, reset the XFCC header with the client
+	// certificate information and send it to the next hop.
+	ForwardClientCertDetailsSanitizeSet ForwardClientCertDetails = "SanitizeSet"
+	// Always forward the XFCC header in the request, regardless of whether the
+	// client connection is mTLS.
+	ForwardClientCertDetailsAlwaysForwardOnly ForwardClientCertDetails = "AlwaysForwardOnly"
+)
+
 // ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
 //
 // +kubebuilder:validation:XValidation:rule="!(has(self.xForwardedFor) && has(self.customHeader))",message="customHeader cannot be used in conjunction with xForwardedFor"

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml

@@ -150,6 +150,16 @@ spec:
                       EnableEnvoyHeaders configures Envoy Proxy to add the "X-Envoy-" headers to requests
                       and responses.
                     type: boolean
+                  forwardClientCertDetails:
+                    description: configure Envoy proxy to forward x-forwarded-client-cert
+                      (XFCC) HTTP header
+                    enum:
+                    - Sanitize
+                    - ForwardOnly
+                    - AppendForward
+                    - SanitizeSet
+                    - AlwaysForwardOnly
+                    type: string
                   withUnderscoresAction:
                     description: |-
                       WithUnderscoresAction configures the action to take when an HTTP header with underscores

internal/ir/xds.go

@@ -366,6 +366,16 @@ const (
 	WithUnderscoresActionDropHeader    = WithUnderscoresAction(egv1a1.WithUnderscoresActionDropHeader)
 )
 
+type ForwardClientCertDetails egv1a1.ForwardClientCertDetails
+
+const (
+	ForwardClientCertDetailsSanitize          = ForwardClientCertDetails(egv1a1.ForwardClientCertDetailsSanitize)
+	ForwardClientCertDetailsForwardOnly       = ForwardClientCertDetails(egv1a1.ForwardClientCertDetailsForwardOnly)
+	ForwardClientCertDetailsAppendForward     = ForwardClientCertDetails(egv1a1.ForwardClientCertDetailsAppendForward)
+	ForwardClientCertDetailsSanitizeSet       = ForwardClientCertDetails(egv1a1.ForwardClientCertDetailsSanitizeSet)
+	ForwardClientCertDetailsAlwaysForwardOnly = ForwardClientCertDetails(egv1a1.ForwardClientCertDetailsAlwaysForwardOnly)
+)
+
 // ClientIPDetectionSettings provides configuration for determining the original client IP address for requests.
 // +k8s:deepcopy-gen=true
 type ClientIPDetectionSettings egv1a1.ClientIPDetectionSettings
@@ -400,6 +410,10 @@ type HeaderSettings struct {
 	// Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#extensions-filters-http-router-v3-router
 	EnableEnvoyHeaders bool `json:"enableEnvoyHeaders,omitempty" yaml:"enableEnvoyHeaders,omitempty"`
 
+	// configure Envoy proxy to forward x-forwarded-client-cert (XFCC) HTTP header
+	// refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#envoy-v3-api-enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails
+	ForwardClientCertDetails ForwardClientCertDetails `json:"forwardClientCertDetails,omitempty"`
+
 	// WithUnderscoresAction configures the action to take when an HTTP header with underscores
 	// is encountered. The default action is to reject the request.
 	// Refer to https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#envoy-v3-api-enum-config-core-v3-httpprotocoloptions-headerswithunderscoresaction

internal/xds/translator/listener.go

@@ -256,7 +256,8 @@ func (t *Translator) addHCMToXDSListener(xdsListener *listenerv3.Listener, irLis
 		CommonHttpProtocolOptions: &corev3.HttpProtocolOptions{
 			HeadersWithUnderscoresAction: buildHeadersWithUnderscoresAction(irListener.Headers),
 		},
-		Tracing: hcmTracing,
+		ForwardClientCertDetails: buildForwardClientCertDetailsAction(irListener.Headers),
+		Tracing:                  hcmTracing,
 	}
 
 	if irListener.Timeout != nil && irListener.Timeout.HTTP != nil {
@@ -775,3 +776,21 @@ func buildHeadersWithUnderscoresAction(in *ir.HeaderSettings) corev3.HttpProtoco
 	}
 	return corev3.HttpProtocolOptions_REJECT_REQUEST
 }
+
+func buildForwardClientCertDetailsAction(in *ir.HeaderSettings) hcmv3.HttpConnectionManager_ForwardClientCertDetails {
+	if in != nil {
+		switch in.ForwardClientCertDetails {
+		case ir.ForwardClientCertDetailsSanitize:
+			return hcmv3.HttpConnectionManager_SANITIZE
+		case ir.ForwardClientCertDetailsForwardOnly:
+			return hcmv3.HttpConnectionManager_FORWARD_ONLY
+		case ir.ForwardClientCertDetailsAppendForward:
+			return hcmv3.HttpConnectionManager_APPEND_FORWARD
+		case ir.ForwardClientCertDetailsSanitizeSet:
+			return hcmv3.HttpConnectionManager_SANITIZE_SET
+		case ir.ForwardClientCertDetailsAlwaysForwardOnly:
+			return hcmv3.HttpConnectionManager_ALWAYS_FORWARD_ONLY
+		}
+	}
+	return hcmv3.HttpConnectionManager_SANITIZE
+}

internal/xds/translator/testdata/in/xds-ir/headers-forward-client-cert-details.yaml

@@ -0,0 +1,95 @@
+http:
+- name: "first-listener"
+  address: "0.0.0.0"
+  port: 8081
+  hostnames:
+  - "*"
+  routes:
+  - name: "first-route"
+    hostname: "*"
+    destination:
+      name: "first-route-dest"
+      settings:
+      - endpoints:
+        - host: "1.1.1.1"
+          port: 8081
+- name: "second-listener"
+  address: "0.0.0.0"
+  port: 8082
+  hostnames:
+  - "*"
+  routes:
+  - name: "second-route"
+    hostname: "*"
+    destination:
+      name: "second-route-dest"
+      settings:
+      - endpoints:
+        - host: "2.2.2.2"
+          port: 8082
+  headers:
+    forwardClientCertDetails: Sanitize
+- name: "third-listener"
+  address: "0.0.0.0"
+  port: 8083
+  hostnames:
+  - "*"
+  routes:
+  - name: "third-route"
+    hostname: "*"
+    destination:
+      name: "third-route-dest"
+      settings:
+      - endpoints:
+        - host: "3.3.3.3"
+          port: 8083
+  headers:
+    forwardClientCertDetails: ForwardOnly
+- name: "fourth-listener"
+  address: "0.0.0.0"
+  port: 8084
+  hostnames:
+  - "*"
+  routes:
+  - name: "fourth-route"
+    hostname: "*"
+    destination:
+      name: "fourth-route-dest"
+      settings:
+      - endpoints:
+        - host: "4.4.4.4"
+          port: 8084
+  headers:
+    forwardClientCertDetails: AppendForward
+- name: "fifth-listener"
+  address: "0.0.0.0"
+  port: 8085
+  hostnames:
+  - "*"
+  routes:
+  - name: "fifth-route"
+    hostname: "*"
+    destination:
+      name: "fifth-route-dest"
+      settings:
+      - endpoints:
+        - host: "5.5.5.5"
+          port: 8085
+  headers:
+    forwardClientCertDetails: SanitizeSet
+- name: "sixth-listener"
+  address: "0.0.0.0"
+  port: 8086
+  hostnames:
+  - "*"
+  routes:
+  - name: "sixth-route"
+    hostname: "*"
+    destination:
+      name: "sixth-route-dest"
+      settings:
+      - endpoints:
+        - host: "6.6.6.6"
+          port: 8086
+  headers:
+    forwardClientCertDetails: AlwaysForwardOnly

internal/xds/translator/testdata/out/xds-ir/headers-forward-client-cert-details.clusters.yaml

@@ -0,0 +1,102 @@
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig:
+    localityWeightedLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_ONLY
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: first-route-dest
+  lbPolicy: LEAST_REQUEST
+  name: first-route-dest
+  outlierDetection: {}
+  perConnectionBufferLimitBytes: 32768
+  type: EDS
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig:
+    localityWeightedLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_ONLY
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: second-route-dest
+  lbPolicy: LEAST_REQUEST
+  name: second-route-dest
+  outlierDetection: {}
+  perConnectionBufferLimitBytes: 32768
+  type: EDS
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig:
+    localityWeightedLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_ONLY
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: third-route-dest
+  lbPolicy: LEAST_REQUEST
+  name: third-route-dest
+  outlierDetection: {}
+  perConnectionBufferLimitBytes: 32768
+  type: EDS
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig:
+    localityWeightedLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_ONLY
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: fourth-route-dest
+  lbPolicy: LEAST_REQUEST
+  name: fourth-route-dest
+  outlierDetection: {}
+  perConnectionBufferLimitBytes: 32768
+  type: EDS
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig:
+    localityWeightedLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_ONLY
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: fifth-route-dest
+  lbPolicy: LEAST_REQUEST
+  name: fifth-route-dest
+  outlierDetection: {}
+  perConnectionBufferLimitBytes: 32768
+  type: EDS
+- circuitBreakers:
+    thresholds:
+    - maxRetries: 1024
+  commonLbConfig:
+    localityWeightedLbConfig: {}
+  connectTimeout: 10s
+  dnsLookupFamily: V4_ONLY
+  edsClusterConfig:
+    edsConfig:
+      ads: {}
+      resourceApiVersion: V3
+    serviceName: sixth-route-dest
+  lbPolicy: LEAST_REQUEST
+  name: sixth-route-dest
+  outlierDetection: {}
+  perConnectionBufferLimitBytes: 32768
+  type: EDS

internal/xds/translator/testdata/out/xds-ir/headers-forward-client-cert-details.endpoints.yaml

@@ -0,0 +1,72 @@
+- clusterName: first-route-dest
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 1.1.1.1
+            portValue: 8081
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: first-route-dest/backend/0
+- clusterName: second-route-dest
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 2.2.2.2
+            portValue: 8082
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: second-route-dest/backend/0
+- clusterName: third-route-dest
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 3.3.3.3
+            portValue: 8083
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: third-route-dest/backend/0
+- clusterName: fourth-route-dest
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 4.4.4.4
+            portValue: 8084
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: fourth-route-dest/backend/0
+- clusterName: fifth-route-dest
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 5.5.5.5
+            portValue: 8085
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: fifth-route-dest/backend/0
+- clusterName: sixth-route-dest
+  endpoints:
+  - lbEndpoints:
+    - endpoint:
+        address:
+          socketAddress:
+            address: 6.6.6.6
+            portValue: 8086
+      loadBalancingWeight: 1
+    loadBalancingWeight: 1
+    locality:
+      region: sixth-route-dest/backend/0