diff --git a/internal/cmd/egctl/testdata/translate/out/envoy-patch-policy.all.yaml b/internal/cmd/egctl/testdata/translate/out/envoy-patch-policy.all.yaml index b7e57c2ca9..ed3d146784 100644 --- a/internal/cmd/egctl/testdata/translate/out/envoy-patch-policy.all.yaml +++ b/internal/cmd/egctl/testdata/translate/out/envoy-patch-policy.all.yaml @@ -189,6 +189,7 @@ xds: typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit domain: eag-ratelimit + disableXEnvoyRatelimitedHeader: true failureModeDeny: true rateLimitService: grpcService: diff --git a/internal/xds/translator/ratelimit.go b/internal/xds/translator/ratelimit.go index 9f8501c5d5..be45709485 100644 --- a/internal/xds/translator/ratelimit.go +++ b/internal/xds/translator/ratelimit.go @@ -126,6 +126,12 @@ func createRateLimitFilter(t *Translator, irListener *ir.HTTPListener, domain, f rateLimitFilterProto.Timeout = durationpb.New(t.GlobalRateLimit.Timeout) } + // Disable the x-envoy-ratelimited header unless envoy headers are explicitly enabled. + rateLimitFilterProto.DisableXEnvoyRatelimitedHeader = true + if irListener.Headers != nil && irListener.Headers.EnableEnvoyHeaders { + rateLimitFilterProto.DisableXEnvoyRatelimitedHeader = false + } + // Configure the X-RateLimit headers based on the listener's header settings if irListener.Headers != nil && irListener.Headers.DisableRateLimitHeaders { rateLimitFilterProto.EnableXRatelimitHeaders = ratelimitfilterv3.RateLimit_OFF diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.listeners.yaml index 4347e1ff74..4aee3acf75 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-add-op-without-value.listeners.yaml 
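Review bot: The opt-in branch added to createRateLimitFilter (`irListener.Headers.EnableEnvoyHeaders` resetting the field to false) is not exercised by any golden file in the diff shown: every updated `*.listeners.yaml` expects `disableXEnvoyRatelimitedHeader: true`, so a regression on the re-enable path would go unnoticed. A translator test case with `enableEnvoyHeaders: true` whose expected rate limit filter omits the field would pin it. The set-then-reset can also be written as one assignment, `rateLimitFilterProto.DisableXEnvoyRatelimitedHeader = irListener.Headers == nil || !irListener.Headers.EnableEnvoyHeaders`. The comment should say why the default is off (the header tells clients that the 429 came from an Envoy rate limit filter) and that anything keying on it, for example a downstream Envoy whose retry handling may look at `x-envoy-ratelimited`, loses that signal on upgrade. The function body starts and ends outside the hunk.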
@@ -19,6 +19,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit domain: eg-ratelimit + disableXEnvoyRatelimitedHeader: true failureModeDeny: true rateLimitService: grpcService: diff --git a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.listeners.yaml index 4347e1ff74..4aee3acf75 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jsonpatch-move-op-with-value.listeners.yaml @@ -19,6 +19,7 @@ typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit domain: eg-ratelimit + disableXEnvoyRatelimitedHeader: true failureModeDeny: true rateLimitService: grpcService: diff --git a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml index a4d81f0e11..800e15de95 100644 --- a/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/jwt-ratelimit.listeners.yaml @@ -40,6 +40,7 @@ - name: envoy.filters.http.ratelimit typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: first-listener enableXRatelimitHeaders: DRAFT_VERSION_03 rateLimitService: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml index 5848912b9c..68136c0253 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-custom-domain.listeners.yaml 
@@ -17,6 +17,7 @@ - name: envoy.filters.http.ratelimit typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: first-listener enableXRatelimitHeaders: DRAFT_VERSION_03 rateLimitService: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml index d7dc5d1295..af301069a2 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-disable-headers.listeners.yaml @@ -17,6 +17,7 @@ - name: envoy.filters.http.ratelimit typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: first-listener rateLimitService: grpcService: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml index 5848912b9c..68136c0253 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-endpoint-stats.listeners.yaml @@ -17,6 +17,7 @@ - name: envoy.filters.http.ratelimit typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: first-listener enableXRatelimitHeaders: DRAFT_VERSION_03 rateLimitService: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-global-shared.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-global-shared.listeners.yaml index 8576ebeb03..417121f9f7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-global-shared.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-global-shared.listeners.yaml 
@@ -17,6 +17,7 @@ - name: envoy.filters.http.ratelimit typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: first-listener enableXRatelimitHeaders: DRAFT_VERSION_03 rateLimitService: @@ -27,6 +28,7 @@ - name: envoy.filters.http.ratelimit/test-namespace/test-policy-1 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: test-namespace/test-policy-1 enableXRatelimitHeaders: DRAFT_VERSION_03 rateLimitService: @@ -37,6 +39,7 @@ - name: envoy.filters.http.ratelimit/test-namespace/test-policy-2 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: test-namespace/test-policy-2 enableXRatelimitHeaders: DRAFT_VERSION_03 rateLimitService: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml index 5848912b9c..68136c0253 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-headers-and-cidr.listeners.yaml @@ -17,6 +17,7 @@ - name: envoy.filters.http.ratelimit typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: first-listener enableXRatelimitHeaders: DRAFT_VERSION_03 rateLimitService: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-multi-global-shared.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-multi-global-shared.listeners.yaml index 8576ebeb03..417121f9f7 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-multi-global-shared.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-multi-global-shared.listeners.yaml 
@@ -17,6 +17,7 @@ - name: envoy.filters.http.ratelimit typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: first-listener enableXRatelimitHeaders: DRAFT_VERSION_03 rateLimitService: @@ -27,6 +28,7 @@ - name: envoy.filters.http.ratelimit/test-namespace/test-policy-1 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: test-namespace/test-policy-1 enableXRatelimitHeaders: DRAFT_VERSION_03 rateLimitService: @@ -37,6 +39,7 @@ - name: envoy.filters.http.ratelimit/test-namespace/test-policy-2 typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: test-namespace/test-policy-2 enableXRatelimitHeaders: DRAFT_VERSION_03 rateLimitService: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml index 5848912b9c..68136c0253 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit-sourceip.listeners.yaml @@ -17,6 +17,7 @@ - name: envoy.filters.http.ratelimit typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: first-listener enableXRatelimitHeaders: DRAFT_VERSION_03 rateLimitService: diff --git a/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml index 5848912b9c..68136c0253 100644 --- a/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml +++ b/internal/xds/translator/testdata/out/xds-ir/ratelimit.listeners.yaml 
@@ -17,6 +17,7 @@ - name: envoy.filters.http.ratelimit typedConfig: '@type': type.googleapis.com/envoy.extensions.filters.http.ratelimit.v3.RateLimit + disableXEnvoyRatelimitedHeader: true domain: first-listener enableXRatelimitHeaders: DRAFT_VERSION_03 rateLimitService: diff --git a/release-notes/current.yaml b/release-notes/current.yaml index 6e47191bf5..1516d01d09 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -31,6 +31,7 @@ bug fixes: | Fixed validation for grpc routes with extension ref filters. Fixed service account token handling in GatewayNamespaceMode to use SDS for properly refreshing expired token. Fixed handling of regex meta characters in prefix match replace for URL rewrite. + Disabled the default emission of `x-envoy-ratelimited` headers from the rate limit filter; re-enable with the `enableEnvoyHeaders` setting in ClientTrafficPolicy. # Enhancements that improve performance. performance improvements: |