Add x-istio-origin-network header to inner CONNECT requests in double HBONE #1727

Closed
Copilot wants to merge 6 commits into master from copilot/add-x-origin-source-header

Contributor

Copilot AI commented Jan 16, 2026

Plan: Add x-istio-origin-network Header to Inner CONNECT Requests

  • Define the X_ORIGIN_SOURCE_HEADER constant in src/proxy.rs
  • Modify create_hbone_request() in src/proxy/outbound.rs to accept a parameter indicating whether this is an inner request
  • For double HBONE, add the x-istio-origin-network header with the network value from config when creating the inner CONNECT request
  • Code compiles successfully
  • Run existing tests to verify no regressions - all 21 outbound tests pass
  • Verify the header is only added for inner CONNECT requests in double HBONE scenarios - confirmed by code review
  • Add comment explaining why single HBONE doesn't need the header
  • Add test for x-istio-origin-network header (test_x_origin_source_header)
  • Rename header from x-origin-source to x-istio-origin-source for clarity
  • Rename header from x-istio-origin-source to x-istio-origin-network
  • Refocus test on double HBONE case (developer-facing contract for single HBONE is send_hbone_request)
  • Add explicit test validating header is NOT added when origin_network is None (single HBONE case)

Summary

The implementation adds the x-istio-origin-network header containing the network ztunnel is running in to inner CONNECT requests in double HBONE scenarios. This helps destination envoys know not to use metadata discovery. The changes are minimal and surgical:

  • Added header constant with value "x-istio-origin-network"
  • Modified create_hbone_request() to conditionally add the header
  • Only the inner CONNECT in double HBONE gets the header; outer CONNECT and single HBONE remain unchanged
  • Added explanatory comment for the single HBONE codepath
  • Added comprehensive test validating:
    • Header is NOT present when origin_network is None (single HBONE)
    • Header IS present with correct value when origin_network is provided (double HBONE inner request)
Original prompt

This section details the original issue you should resolve

<issue_title>ztunnel should send an x-origin-source header in inner connect requests</issue_title>
<issue_description>This header will contain the network ztunnel is running in. This is to help destination envoys know not to use metadata discovery</issue_description>

<agent_instructions>For double HBONE, this header should be a part of the inner connect tunnel</agent_instructions>

Comments on the Issue (you are @copilot in this section)
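
The contract described in this PR description, as an added sketch that is not the ztunnel code from this PR: the header is attached only when an origin network is supplied, which is the inner CONNECT of double HBONE. The `ConnectRequest` type, the `create_hbone_request` signature shown here, the sample addresses and the visible-ASCII check on the configured network value are assumptions made for a dependency-free illustration.

```rust
// Added illustration; not the ztunnel implementation. Types and signatures are assumptions.
const X_ISTIO_ORIGIN_NETWORK: &str = "x-istio-origin-network";

#[derive(Debug)]
struct ConnectRequest {
    authority: String,
    headers: Vec<(String, String)>,
}

impl ConnectRequest {
    // Case-insensitive lookup, as HTTP header names are case-insensitive.
    fn header(&self, name: &str) -> Option<&str> {
        self.headers
            .iter()
            .find(|(k, _)| k.eq_ignore_ascii_case(name))
            .map(|(_, v)| v.as_str())
    }
}

/// Build a CONNECT request. `origin_network` is Some only for the inner
/// request of double HBONE; outer and single-HBONE callers pass None.
fn create_hbone_request(
    authority: &str,
    origin_network: Option<&str>,
) -> Result<ConnectRequest, String> {
    let mut headers = Vec::new();
    if let Some(network) = origin_network {
        // Assumed hardening: the value comes from config, so refuse anything
        // that is empty or not visible ASCII before it reaches the wire.
        if network.is_empty() || !network.bytes().all(|b| (0x21..=0x7e).contains(&b)) {
            return Err(format!("invalid origin network value: {network:?}"));
        }
        headers.push((X_ISTIO_ORIGIN_NETWORK.to_string(), network.to_string()));
    }
    Ok(ConnectRequest { authority: authority.to_string(), headers })
}

fn main() {
    // Constructed sample addresses and network name.
    let outer = create_hbone_request("gateway.example:15008", None).unwrap();
    let inner = create_hbone_request("10.0.0.5:8080", Some("network-a")).unwrap();
    println!("outer {}: {:?}", outer.authority, outer.header(X_ISTIO_ORIGIN_NETWORK));
    println!("inner {}: {:?}", inner.authority, inner.header(X_ISTIO_ORIGIN_NETWORK));
}
```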


@istio-policy-bot

😊 Welcome @Copilot! This is either your first contribution to the Istio ztunnel repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

@istio-testing istio-testing added do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. needs-ok-to-test labels Jan 16, 2026
@istio-testing
Contributor

Hi @Copilot. Thanks for your PR.

I'm waiting for an Istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
@istio-testing istio-testing added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jan 16, 2026
Copilot AI changed the title [WIP] Add x-origin-source header to inner connect requests Add x-origin-source header to inner CONNECT requests in double HBONE Jan 16, 2026
Copilot AI requested a review from keithmattix January 16, 2026 19:22
Contributor

@keithmattix keithmattix left a comment

@copilot Address the code review comment and also add some tests for this header

@keithmattix
Contributor

@copilot When you're done with that, also change the name of the header to x-istio-origin-source for clarity

…ource header

Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
@istio-testing istio-testing added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 16, 2026
Contributor Author

Copilot AI commented Jan 16, 2026

> @copilot Address the code review comment and also add some tests for this header

Addressed the code review comment with an explanatory comment and added test test_x_origin_source_header that validates the header is added for double HBONE inner requests and not added for single HBONE (commit 6fb7029).

Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 16, 2026

> @copilot When you're done with that, also change the name of the header to x-istio-origin-source for clarity

Renamed the header from x-origin-source to x-istio-origin-source throughout the codebase, including the constant definition, comments, and test assertions (commit 3f24b6b).

Copilot AI changed the title Add x-origin-source header to inner CONNECT requests in double HBONE Add x-istio-origin-source header to inner CONNECT requests in double HBONE Jan 16, 2026
Copilot AI requested a review from keithmattix January 16, 2026 19:50
Co-authored-by: keithmattix <1531662+keithmattix@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 16, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Copilot AI changed the title Add x-istio-origin-source header to inner CONNECT requests in double HBONE Add x-istio-origin-network header to inner CONNECT requests in double HBONE Jan 16, 2026
Copilot AI requested a review from keithmattix January 16, 2026 19:58
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
@keithmattix
Contributor

/ok-to-test

@istio-testing istio-testing added ok-to-test Set this label allow normal testing to take place for a PR not submitted by an Istio org member. and removed needs-ok-to-test labels Jan 16, 2026
@keithmattix keithmattix marked this pull request as ready for review January 16, 2026 20:43
@keithmattix keithmattix requested a review from a team as a code owner January 16, 2026 20:43
@istio-testing istio-testing removed the do-not-merge/work-in-progress Block merging of a PR because it isn't ready yet. label Jan 16, 2026
Labels

ok-to-test Set this label allow normal testing to take place for a PR not submitted by an Istio org member. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Development

Successfully merging this pull request may close these issues.

ztunnel should send an x-origin-source header in inner connect requests

4 participants