Istio admission webhook fails when time formatting with odd number %

[liron-telemessage]

Bug Description

Hi,
when trying to reformat a certificate expiration date I use format sting to create a new date format.
seen here:
https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-start-time
and using the sting formats seen here:
https://en.cppreference.com/w/cpp/io/manip/put_time
here is an example of my configuration:

  http:
  - match:
    - uri:
        prefix: /
    route:
    - destination:
        host: my-svc
        port:
          number: 443
      headers:
        request:
          add:
            X-Forwarded-For: '%DOWNSTREAM_REMOTE_ADDRESS%'
            X-SSL-Client-Cert-Exp: '%DOWNSTREAM_PEER_CERT_V_END(%b %d %H:%M:%S %Y %Z)%'
            X-SSL-Client-Cert-Issuer: '%DOWNSTREAM_PEER_ISSUER%'
            X-SSL-Client-Cert-Subject: '%DOWNSTREAM_PEER_SUBJECT%'

But when saving the configuration Istio admission webhook fails the configuration with the following error:
could not be patched: admission webhook "validation.istio.io" denied the request: configuration is invalid: single % not allowed. Escape by doubling to %% or encase Envoy variable name in pair of %

function code can be found here:
https://github.com/istio/istio/blob/master/pkg/config/validation/validation.go
detailed explanation can be found here:
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers.html#custom-request-response-headers
from what I can tell is that this validation is required for space within a URL phrase but should not be enforced on a time format as seen above

Thank you for taking a look at this

Version

istioctl
client version: 1.14.1
control plane version: 1.13.2
data plane version: 1.13.2 (7 proxies)

kubectl
Client Version: v1.24.1
Kustomize Version: v4.5.4
Server Version: v1.23.5

helm
v3.10.3+g835b733

Additional Information

No response

[howardjohn]

Just to clarify, are you 100% sure it is valid in envoy? And escaping via %% is not needed?

[liron-telemessage]

100% sure, once I've disabled the validation hook it works as expected @howardjohn.
escaping using %% is NOT needed.

[zirain]

how can you use that on http headers?
that format should be used for accessLogFormat on https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/?

[liron-telemessage]

@zirain just like that X-SSL-Client-Cert-Exp: '%DOWNSTREAM_PEER_CERT_V_END(%b %d %H:%M:%S %Y %Z)%'
(this is the format I need).
and it works as expected (only when I disabled the validation web hook).

[zirain]

yeah, I got what you wanted.

[zirain]

the following lines need improved

istio/pkg/config/validation/validation.go

Line 381 in 066f4b4

if strings.Count(value, "%")%2 != 0 {