Normalize EPP headers to lowercase

Author: ciarams87

cmd/gateway/endpoint_picker.go

@@ -7,6 +7,7 @@ import (
 	"io"
 	"net"
 	"net/http"
+	"strings"
 	"time"
 
 	corev3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
@@ -37,7 +38,7 @@ func realExtProcClientFactory() extProcClientFactory {
 	return func(target string) (extprocv3.ExternalProcessorClient, func() error, error) {
 		creds := credentials.NewTLS(&tls.Config{
 			// add RootCAs or, if you have a self-signed server cert:
-			InsecureSkipVerify: true,
+			InsecureSkipVerify: true, //nolint:gosec
 		})
 		conn, err := grpc.NewClient(target, grpc.WithTransportCredentials(creds))
 		if err != nil {
@@ -153,8 +154,13 @@ func buildHeaderRequest(r *http.Request) *extprocv3.ProcessingRequest {
 
 	for key, values := range r.Header {
 		for _, value := range values {
+			// Normalize header keys to lowercase for case-insensitive matching
+			// This fixes the issue where Go's HTTP header normalization (Title-Case)
+			// doesn't match EPP's expected lowercase header keys
+			normalizedKey := strings.ToLower(key)
+
 			headerMap.Headers = append(headerMap.Headers, &corev3.HeaderValue{
-				Key:   key,
+				Key:   normalizedKey,
 				Value: value,
 			})
 		}

internal/controller/nginx/config/servers.go

@@ -459,7 +459,7 @@ func createInternalLocationsForRule(
 					}
 					intInfLocation.EPPInternalPath = intLocation.Path
 					if b.EndpointPickerNsName != "" {
-						intInfLocation.EPPHost = string(b.EndpointPickerConfig.Name) + "." + b.EndpointPickerNsName
+						intInfLocation.EPPHost = string(b.EndpointPickerConfig.Name) + "." + b.EndpointPickerNsName + ".svc.cluster.local"
 					} else {
 						intInfLocation.EPPHost = string(b.EndpointPickerConfig.Name)
 					}
@@ -517,7 +517,11 @@ func createInferenceLocationsForRule(
 						portNum = int(b.EndpointPickerConfig.Port.Number)
 					}
 					extLocations[i].EPPInternalPath = intLocation.Path
-					extLocations[i].EPPHost = string(b.EndpointPickerConfig.Name)
+					if b.EndpointPickerNsName != "" {
+						extLocations[i].EPPHost = (string(b.EndpointPickerConfig.Name) + "." + b.EndpointPickerNsName + ".svc.cluster.local") //nolint:lll
+					} else {
+						extLocations[i].EPPHost = string(b.EndpointPickerConfig.Name)
+					}
 					extLocations[i].EPPPort = portNum
 				}
 			}

internal/controller/nginx/modules/src/epp.js

@@ -10,48 +10,40 @@ const WORKLOAD_ENDPOINT_VAR = 'inference_workload_endpoint';
 const SHIM_URI = 'http://127.0.0.1:54800';
 
 async function getEndpoint(r) {
-	const headerEndpoint = r.headersIn['test-epp-endpoint-selection'];
-	if (headerEndpoint) {
-		// Header is provided: Use endpoints directly and bypass Shim server
-		const endpoints = headerEndpoint.split(',').map(e => e.trim());
-		r.variables[WORKLOAD_ENDPOINT_VAR] = endpoints.join(',');
-		r.log(`Using header-specified endpoints: ${r.variables[WORKLOAD_ENDPOINT_VAR]}`);
-	} else {
-		if (!r.variables[EPP_HOST_HEADER_VAR] || !r.variables[EPP_PORT_HEADER_VAR]) {
-			throw Error(
-				`Missing required variables: ${EPP_HOST_HEADER_VAR} and/or ${EPP_PORT_HEADER_VAR}`,
-			);
-		}
-		if (!r.variables[EPP_INTERNAL_PATH_VAR]) {
-			throw Error(`Missing required variable: ${EPP_INTERNAL_PATH_VAR}`);
-		}
+	if (!r.variables[EPP_HOST_HEADER_VAR] || !r.variables[EPP_PORT_HEADER_VAR]) {
+		throw Error(
+			`Missing required variables: ${EPP_HOST_HEADER_VAR} and/or ${EPP_PORT_HEADER_VAR}`,
+		);
+	}
+	if (!r.variables[EPP_INTERNAL_PATH_VAR]) {
+		throw Error(`Missing required variable: ${EPP_INTERNAL_PATH_VAR}`);
+	}
 
-		let headers = Object.assign({}, r.headersIn);
-		headers[EPP_HOST_HEADER] = r.variables[EPP_HOST_HEADER_VAR];
-		headers[EPP_PORT_HEADER] = r.variables[EPP_PORT_HEADER_VAR];
+	let headers = Object.assign({}, r.headersIn);
+	headers[EPP_HOST_HEADER] = r.variables[EPP_HOST_HEADER_VAR];
+	headers[EPP_PORT_HEADER] = r.variables[EPP_PORT_HEADER_VAR];
 
-		try {
-			const response = await ngx.fetch(SHIM_URI, {
-				method: r.method,
-				headers: headers,
-				body: r.requestText,
-			});
-			const endpointHeader = response.headers.get(ENDPOINT_HEADER);
-			if (response.status === 200 && endpointHeader) {
-				r.variables[WORKLOAD_ENDPOINT_VAR] = endpointHeader;
-				r.log(
-					`found inference endpoint from EndpointPicker: ${r.variables[WORKLOAD_ENDPOINT_VAR]}`,
-				);
-			} else {
-				const body = await response.text();
-				r.error(
-					`could not get specific inference endpoint from EndpointPicker; ` +
-						`status: ${response.status}; body: ${body}`,
-				);
-			}
-		} catch (err) {
-			r.error(`Error in ngx.fetch: ${err}`);
+	try {
+		const response = await ngx.fetch(SHIM_URI, {
+			method: r.method,
+			headers: headers,
+			body: r.requestText,
+		});
+		const endpointHeader = response.headers.get(ENDPOINT_HEADER);
+		if (response.status === 200 && endpointHeader) {
+			r.variables[WORKLOAD_ENDPOINT_VAR] = endpointHeader;
+			r.log(
+				`found inference endpoint from EndpointPicker: ${r.variables[WORKLOAD_ENDPOINT_VAR]}`,
+			);
+		} else {
+			const body = await response.text();
+			r.error(
+				`could not get specific inference endpoint from EndpointPicker; ` +
+					`status: ${response.status}; body: ${body}`,
+			);
 		}
+	} catch (err) {
+		r.error(`Error in ngx.fetch: ${err}`);
 	}
 
 	// If performing a rewrite, $request_uri won't be used,
@@ -63,4 +55,5 @@ async function getEndpoint(r) {
 
 	r.internalRedirect(r.variables[EPP_INTERNAL_PATH_VAR] + args);
 }
+
 export default { getEndpoint };

internal/controller/nginx/modules/test/epp.test.js

@@ -40,7 +40,7 @@ describe('getEndpoint', () => {
 	});
 
 	it('sets endpoint and logs on 200 with endpoint header', async () => {
-		const endpoint = 'http://endpoint';
+		const endpoint = '10.0.0.1:8080';
 		globalThis.ngx = {
 			fetch: vi.fn().mockResolvedValue({
 				status: 200,
@@ -49,7 +49,11 @@ describe('getEndpoint', () => {
 			}),
 		};
 		const r = makeRequest({
-			variables: { epp_host: 'host', epp_port: '1234', epp_internal_path: '/foo' },
+			variables: {
+				epp_host: 'host',
+				epp_port: '1234',
+				epp_internal_path: '/foo',
+			},
 		});
 		await epp.getEndpoint(r);
 		expect(r.variables.inference_workload_endpoint).toBe(endpoint);
@@ -66,7 +70,11 @@ describe('getEndpoint', () => {
 			}),
 		};
 		const r = makeRequest({
-			variables: { epp_host: 'host', epp_port: '1234', epp_internal_path: '/foo' },
+			variables: {
+				epp_host: 'host',
+				epp_port: '1234',
+				epp_internal_path: '/foo',
+			},
 		});
 		await epp.getEndpoint(r);
 		expect(r.error).toHaveBeenCalledWith(
@@ -80,15 +88,19 @@ describe('getEndpoint', () => {
 			fetch: vi.fn().mockRejectedValue(new Error('network fail')),
 		};
 		const r = makeRequest({
-			variables: { epp_host: 'host', epp_port: '1234', epp_internal_path: '/foo' },
+			variables: {
+				epp_host: 'host',
+				epp_port: '1234',
+				epp_internal_path: '/foo',
+			},
 		});
 		await epp.getEndpoint(r);
 		expect(r.error).toHaveBeenCalledWith(expect.stringContaining('Error in ngx.fetch'));
 		expect(r.internalRedirect).toHaveBeenCalledWith('/foo');
 	});
 
 	it('preserves args in internal redirect when args are present', async () => {
-		const endpoint = 'http://endpoint';
+		const endpoint = '10.0.0.1:8080';
 		globalThis.ngx = {
 			fetch: vi.fn().mockResolvedValue({
 				status: 200,
@@ -97,21 +109,51 @@ describe('getEndpoint', () => {
 			}),
 		};
 		const r = makeRequest({
-			variables: { epp_host: 'host', epp_port: '1234', epp_internal_path: '/foo' },
+			variables: {
+				epp_host: 'host',
+				epp_port: '1234',
+				epp_internal_path: '/foo',
+			},
 			args: { a: '1', b: '2' },
 		});
 		await epp.getEndpoint(r);
 		expect(r.internalRedirect).toHaveBeenCalledWith('/foo?a=1&b=2');
 	});
-	it('returns the header-specified endpoints if provided', async () => {
+
+	it('forwards all headers including test headers to EPP', async () => {
+		const endpoint = '10.0.0.1:8080';
+		const fetchMock = vi.fn().mockResolvedValue({
+			status: 200,
+			headers: { get: () => endpoint },
+			text: vi.fn(),
+		});
+		globalThis.ngx = {
+			fetch: fetchMock,
+		};
 		const r = makeRequest({
-			variables: {},
-			headersIn: { 'X-Endpoint-Selector': '10.1.2.3, 10.1.2.4' },
+			variables: {
+				epp_host: 'host',
+				epp_port: '1234',
+				epp_internal_path: '/foo',
+			},
+			headersIn: {
+				'test-epp-endpoint-selection': '10.0.0.1:8080,10.0.0.2:8080',
+				'content-type': 'application/json',
+			},
 		});
 		await epp.getEndpoint(r);
-		expect(r.variables.inference_workload_endpoint).toBe('10.1.2.3,10.1.2.4');
-		expect(r.log).toHaveBeenCalledWith(
-			expect.stringContaining('Using header-specified endpoints'),
+
+		// Verify that all headers (including test header) were forwarded to EPP
+		expect(fetchMock).toHaveBeenCalledWith(
+			'http://127.0.0.1:54800',
+			expect.objectContaining({
+				headers: expect.objectContaining({
+					'test-epp-endpoint-selection': '10.0.0.1:8080,10.0.0.2:8080',
+					'content-type': 'application/json',
+					'X-EPP-Host': 'host',
+					'X-EPP-Port': '1234',
+				}),
+			}),
 		);
 	});
-});
+});

internal/controller/state/graph/backend_refs.go

@@ -77,6 +77,8 @@ func addBackendRefsToRouteRules(
 
 // addHTTPBackendRefsToRules iterates over the rules of a Route and adds a list of BackendRef to each rule.
 // If a reference in a rule is invalid, the function will add a condition to the rule.
+//
+//nolint:gocyclo
 func addBackendRefsToRules(
 	route *L7Route,
 	refGrantResolver *referenceGrantResolver,

tests/Makefile

@@ -18,8 +18,8 @@ EXPERIMENTAL_CONFORMANCE_PROFILES = GATEWAY-TLS
 CONFORMANCE_PROFILES = $(STANDARD_CONFORMANCE_PROFILES) # by default we use the standard conformance profiles. If experimental is enabled we override this and add the experimental profiles.
 SKIP_TESTS =
 CEL_TEST_TARGET =
-INFERENCE_SUPPORTED_FEATURES = GatewayFollowingEPPRouting
-INFERENCE_SKIP_TESTS = InferencePoolResolvedRefsCondition, EppUnAvailableFailOpen,HTTPRouteInvalidInferencePoolRef,InferencePoolAccepted,HTTPRouteMultipleGatewaysDifferentPools,HTTPRouteMultipleRulesDifferentPools,InferencePoolHTTPRoutePortValidation,InferencePoolInvalidEPPService
+INFERENCE_SUPPORTED_FEATURES = GatewayFollowingEPPRouting,EppUnAvailableFailOpen,HTTPRouteInvalidInferencePoolRef,InferencePoolAccepted,HTTPRouteMultipleGatewaysDifferentPools,HTTPRouteMultipleRulesDifferentPools,InferencePoolHTTPRoutePortValidation,InferencePoolInvalidEPPService
+INFERENCE_SKIP_TESTS = InferencePoolResolvedRefsCondition
 
 # Check if ENABLE_EXPERIMENTAL is true
 ifeq ($(ENABLE_EXPERIMENTAL),true)
@@ -188,7 +188,7 @@ add-local-ip-to-cluster: ## Add local IP to the GKE cluster master-authorized-ne
 update-firewall-with-local-ip: ## Update the firewall rule with local IP address
 	./scripts/update-firewall-with-local-ip.sh
 
-HELM_PARAMETERS += --set nginxGateway.name=nginx-gateway --set nginx.service.type=ClusterIP --skip-schema-validation --set nginxGateway.gwAPIInferenceExtension.enable=$(ENABLE_INFERENCE_EXTENSION) --set nginxGateway.config.logging.level=debug
+HELM_PARAMETERS += --set nginxGateway.name=nginx-gateway --set nginx.service.type=ClusterIP --set nginxGateway.gwAPIInferenceExtension.enable=$(ENABLE_INFERENCE_EXTENSION) --set nginxGateway.config.logging.level=debug
 
 # this target is used to install the gateway-api CRDs from the main branch (only used in the nightly CI job)
 # it overrides the target in the main Makefile when the GW_API_VERSION is set to main

tests/conformance/conformance_test.go

@@ -18,7 +18,6 @@ limitations under the License.
 package conformance
 
 import (
-	"fmt"
 	"os"
 	"testing"
 
@@ -96,7 +95,6 @@ func TestConformance(t *testing.T) {
 }
 
 func TestInferenceExtensionConformance(t *testing.T) {
-	g := NewWithT(t)
 
 	t.Logf(`Running inference conformance tests with %s GatewayClass\n cleanup: %t\n`+
 		`debug: %t\n enable all features: %t \n supported extended features: [%v]\n exempt features: [%v]\n`+
@@ -106,9 +104,6 @@ func TestInferenceExtensionConformance(t *testing.T) {
 	)
 
 	opts := inference_conformance.DefaultOptions(t)
-	ipaddressType := v1.IPAddressType
-	opts.UnusableNetworkAddresses = []v1beta1.GatewaySpecAddress{{Type: &ipaddressType, Value: unusableGatewayIPAddress}}
-	opts.UsableNetworkAddresses = []v1beta1.GatewaySpecAddress{{Type: &ipaddressType, Value: "192.0.2.1"}}
 
 	opts.Implementation = conf_v1.Implementation{
 		Organization: "nginx",
@@ -120,12 +115,6 @@ func TestInferenceExtensionConformance(t *testing.T) {
 		},
 	}
 
-	_, err := os.Stat(inferenceBaseManifest)
-	g.Expect(err).ToNot(HaveOccurred(), fmt.Sprintf("base manifest file %s not found", inferenceBaseManifest))
-
-	opts.ManifestFS = append(opts.ManifestFS, os.DirFS("."))
-	opts.BaseManifests = inferenceBaseManifest
-
 	opts.ConformanceProfiles.Insert(inference_conformance.GatewayLayerProfileName)
 	inference_conformance.RunConformanceWithOptions(t, opts)
 }