Implement HTTP Forwarded header policy API

[Miciah]

This commit resolves NE-318.

• pkg/operator/controller/ingress/deployment.go (RouterForwardedHeadersPolicy): New constant with the name of the related environment variable.
  (desiredRouterDeployment): Set the ROUTER_SET_FORWARDED_HEADERS environment variable as appropriate.
• pkg/operator/controller/ingress/deployment_test.go (TestDesiredRouterDeployment): Verify that spec.httpHeaders.forwardedHeaderPolicy has the expected effect.
• test/e2e/forwarded_header_policy_test.go: New file.
  (buildEchoPod, buildEchoService, buildRoute, testRouteHeaders): New helper functions.
  (testPodCount): New helper variable for testRouteHeaders.
  (TestForwardedHeaderPolicyAppend, TestForwardedHeaderPolicyReplace, TestForwardedHeaderPolicyNever, TestForwardedHeaderPolicyIfNone): New tests.

---

Implements the following enhancement: openshift/enhancements#371

Corresponding router changes: openshift/router#134

Corresponding API changes: openshift/api#688

[Miciah]

Failed on TestForwardedHeaderPolicy, which is expected till openshift/router#134 merges.

[sgreene570]

Suggested change

	// the number that are in the request.
	// the number of headers specified in the request.

Does that make more sense, or am I missing something?

[Miciah]

I've updated the wording to be more explicit.

[Miciah]

Rebased.

[sgreene570]

Line 1263 checks for the case where numMatches > expectedMatches. Perhaps before the return on line 1268, we should check for numMatches > 0 && numMatches < expectedMatches and return an error if that condition is true. This way, for example, the polling loop would halt if only 1 x-forwarded-for header was found in the curl response when 2 were expected, and the test failure message would be more verbose. Thoughts? I may be overthinking this, but since you're calling testRoute several times I figured it would be worth mentioning.

[Miciah]

That makes sense. It is unlikely that the logs will have partial headers, so returning an error if 0 < numMatches < expectedMatches should safe to do.

[sgreene570]

This PR depends on openshift/router#134 for CI to pass, correct?

[Miciah]

This PR depends on openshift/router#134 for CI to pass, correct?

You're right; I mixed up my PRs. I have one PR that depends on an unmerged API change and another PR that depends on an unmerged router change...

[Miciah]

openshift/router#134 merged, so tests now should pass.
/test e2e-aws-operator

[Miciah]

/test e2e-aws-operator

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[Miciah]

/test e2e-aws-operator

[Miciah]

/test e2e-aws-operator

[Miciah]

Provisioning failure.
/test e2e-aws-operator

[Miciah]

Both TestForwardedHeaderPolicyAppend and TestRouteHTTP2EnableAndDisableIngressController timed out. I'll increase the timeout for TestForwardedHeaderPolicyAppend and related tests, but it looks like the cluster was not in good order.

[Miciah]

No build log output?!
/test e2e-aws-operator

[Miciah]

/retest

[Miciah]

/test e2e-aws-operator

[Miciah]

Last e2e-aws failure looks related to BZ1857928 – [sig-operator] an end user use OLM can subscribe to the cockroachdb operator.

e2e-aws-operator is reaching the 10-minute timeout. I'll try pushing a change to increase that timeout value.

[Miciah]

Seeing "an end user can use OLM can subscribe to the operator" fail again in e2e-aws, and seeing numerous timeouts in e2e-aws-operator that look like a generally unstable cluster.
/test e2e-aws
/test e2e-aws-operator

[Miciah]

Test container setup failed on an API failure.
/test e2e-aws

[frobware]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: frobware, Miciah, sgreene570

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Miciah,frobware,sgreene570]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment