Header

Specify a set of headers which incoming requests must match in entirety, such as with regular expressions (regex).

For more information, see the Kubernetes Gateway API documentation.

Before you begin

1. Set up an agentgateway proxy.
2. Install the httpbin sample app.

Set up exact header matching

Match headers by an exact string, such as version.

1. Create an HTTPRoute resource.

   kubectl apply -f- <<EOF
   apiVersion: gateway.networking.k8s.io/v1
   kind: HTTPRoute
   metadata:
     name: httpbin-match
     namespace: httpbin
   spec:
     parentRefs:
       - name: agentgateway-proxy
         namespace: agentgateway-system
     hostnames:
       - match.example
     rules:
       - matches:
         - headers:
           - name: version
             value: v2
             type: Exact
         backendRefs:
           - name: httpbin
             port: 8000
   EOF

2. Send a request to the httpbin app on the match.example domain without any headers. Verify that you get back a 404 HTTP response code as no matching request could be found.

   Cloud Provider LoadBalancerPort-forward for local testing

   curl -vi http://$INGRESS_GW_ADDRESS:80/status/200 \
   -H "host: match.example"

   curl -vi localhost:8080/status/200 \
   -H "host: match.example"

   Example output:

   < HTTP/1.1 404 Not Found
   HTTP/1.1 404 Not Found
   < content-length: 9
   content-length: 9
   < content-type: text/plain; charset=utf-8
   content-type: text/plain; charset=utf-8

3. Send another request to the httpbin app on the match.example domain. This time, add the version: v2 header that you configured in the HTTPRoute. Verify that your request now succeeds and you get back a 200 HTTP response code.

   Cloud Provider LoadBalancerPort-forward for local testing

   curl -vi http://$INGRESS_GW_ADDRESS:80/status/200 \
   -H "host: match.example" \
   -H "version: v2"

   curl -vi localhost:8080/status/200 \
   -H "host: match.example" \
   -H "version: v2"

   Example output:

   * Request completely sent off
   < HTTP/1.1 200 OK
   HTTP/1.1 200 OK
   < access-control-allow-credentials: true
   access-control-allow-credentials: true
   < access-control-allow-origin: *
   access-control-allow-origin: *
   < content-length: 0
   content-length: 0

Set up regex header matching

Match headers with regular expressions (regex).

1. Create an HTTPRoute resource to match multiple headers with regex. Only if all headers are present in the request, the request is accepted and processed by the gateway proxy. The following rules apply:

   • (dogs|cats): The value of the pet request header must either be dogs or cats.
   • \\d[.]\\d.*: The value of the version header must meet the following conditions:
     • \\d matches a single digit.
     • [.] matches a literal period.
     • \\d.* matches a single digit followed by zero or any character.
     • Allowed pattern: 3.0-game, not allowed: 30
   • Bearer\s.*: The value of the Authorization request header must be Bearer followed by a space (\s), followed by zero or any characters (.*).
     • Allowed pattern: Bearer 123, not allowed: Bearer

   kubectl apply -f- <<EOF
   apiVersion: gateway.networking.k8s.io/v1
   kind: HTTPRoute
   metadata:
     name: httpbin-match
     namespace: httpbin
   spec:
     parentRefs:
       - name: agentgateway-proxy
         namespace: agentgateway-system
     hostnames:
       - match.example
     rules:
       - matches:
         - headers:
           - name: pet
             value: (dogs|cats)
             type: RegularExpression
           - name: version
             value: \\d[.]\\d.*
             type: RegularExpression
           - name: Authorization
             value: Bearer\s.*
             type: RegularExpression
         backendRefs:
           - name: httpbin
             port: 8000
   EOF

2. Send a request to the httpbin app on the match.example domain and add valid values for each of your headers. Verify that the request succeeds and you get back a 200 HTTP response code.

   Cloud Provider LoadBalancerPort-forward for local testing

   curl -vi http://$INGRESS_GW_ADDRESS:80/status/200 -H "host: match.example" -H "host: match.example" \
   -H "Authorization: Bearer 123" \
   -H "pet: dogs" \
   -H "version: 3.0" 

   curl -vi localhost:8080/status/200 -H "host: match.example" -H "host: match.example" \
   -H "Authorization: Bearer 123" \
   -H "pet: dogs" \
   -H "version: 3.0"

   Example output:

   * Request completely sent off
   < HTTP/1.1 200 OK
   HTTP/1.1 200 OK
   < access-control-allow-credentials: true
   access-control-allow-credentials: true
   < access-control-allow-origin: *
   access-control-allow-origin: *
   < content-length: 0
   content-length: 0

3. Send another request to the httpbin app on the match.example domain. This time, you change the value of the version header to an invalid value that does not meet the regular expression that you defined. Verify that the request is denied with a 404 HTTP response code.

   Cloud Provider LoadBalancerPort-forward for local testing

   curl -vi http://$INGRESS_GW_ADDRESS:80/status/200 -H "host: match.example" -H "host: match.example" \
   -H "Authorization: Bearer 123" \
   -H "pet: dogs" \
   -H "version: 30"

   curl -vi localhost:8080/status/200 -H "host: match.example" -H "host: match.example" \
   -H "Authorization: Bearer 123" \
   -H "pet: dogs" \
   -H "version: 30"

   Example output:

   < HTTP/1.1 404 Not Found
   HTTP/1.1 404 Not Found
   < content-length: 9
   content-length: 9
   < content-type: text/plain; charset=utf-8
   content-type: text/plain; charset=utf-8

Cleanup

kubectl delete httproute httpbin-match -n httpbin