XFCC header support

[gautierdelorme]

This is required to let apps use details from client certificates (e.g. Subject, SAN...). Since the certificate (or the certificate chain) could exceed the web server header size limit, we give the ability to select what specific part of the certificate to expose in the x-forwarded-client-cert header.

Fixes #2885 (I've read through this issue and since that feature is only usable when ClientValidation is used (since that's required for the server to request certs) I think having ForwardClientCertificate under ClientValidation makes more sense)

Signed-off-by: Gautier Delorme [email protected]

[codecov]

Codecov Report

Merging #4797 (b7e8dab) into main (ece8a24) will increase coverage by 0.05%.
The diff coverage is 100.00%.

❗ Current head b7e8dab differs from pull request most recent head 16bbf9c. Consider uploading reports for the commit 16bbf9c to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4797      +/-   ##
==========================================
+ Coverage   76.10%   76.15%   +0.05%     
==========================================
  Files         140      140              
  Lines       16896    16932      +36     
==========================================
+ Hits        12858    12894      +36     
  Misses       3786     3786              
  Partials      252      252              

Impacted Files	Coverage Δ
internal/dag/dag.go	96.62% <ø> (ø)
internal/dag/httpproxy_processor.go	93.19% <100.00%> (+0.05%)	⬆️
internal/envoy/v3/listener.go	98.69% <100.00%> (+0.02%)	⬆️
internal/featuretests/v3/envoy.go	98.98% <100.00%> (+0.02%)	⬆️
internal/xdscache/v3/listener.go	91.30% <100.00%> (+0.16%)	⬆️

[gautierdelorme]

Do you think this change could make it to the 1.23 release?

[skriss]

Do you think this change could make it to the 1.23 release?

Unfortunately it's too late to get these into 1.23, but we'll pick up with reviews shortly.

[tsaarni]

Looking very good 👍 Just one tiny remark from me.

[tsaarni]

Needs merging & regenerating after the other PR was merged, but otherwise ready to go from my perspective.

[tsaarni]

Thank you @gautierdelorme 👍
Leaving for others to review as well.

[skriss]

LGTM, thanks @gautierdelorme! Will leave open for a bit in case @sunjayBhatia wants to take a look.

[sunjayBhatia]

looks great!

one thing that could be useful to help troubleshoot header size issues would be to enable upstream cluster req/resp statistics: https://www.envoyproxy.io/docs/envoy/latest/configuration/upstream/cluster_manager/cluster_stats#request-response-size-statistics

I can add a new issue for that so we can consider it (if we dont have one already)