Update the response status based on headers being present in a response.

Before you begin

  1. Follow the Get started guide to install Gloo Gateway.

  2. Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.

  3. Get the external address of the gateway and save it in an environment variable.

      export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-system http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}")
echo $INGRESS_GW_ADDRESS  
  
      kubectl port-forward deployment/http -n gloo-system 8080:8080

Change the response status

  1. Create a GlooTrafficPolicy resource with your transformation rules. In this example, you change the value of the :status pseudo response header to 401 if the response header foo:bar is present. If the foo:bar response header is not present, you return a 403 HTTP response code.

      kubectl apply -f- <<EOF
apiVersion: gloo.solo.io/v1alpha1
kind: GlooTrafficPolicy
metadata:
  name: transformation
  namespace: httpbin
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: httpbin
  transformation:
    response:
      set:
      - name: ":status"
        value: '{% if header("foo") == "bar" %}401{% else %}403{% endif %}'
EOF
  
      kubectl apply -f- <<EOF
apiVersion: gloo.solo.io/v1alpha1
kind: GlooTrafficPolicy
metadata:
  name: transformation
  namespace: httpbin
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: httpbin
  transformation:
    response:
      set:
      - name: ":status"
        value: 'request.uri.contains("foo=bar") ? 401 : 403'
EOF

  2. Send a request to the httpbin app and include the foo:bar query parameter. This query parameter automatically gets added as a response header and therefore triggers the transformation rule that you set up. Verify that you get back a 401 HTTP response code.

      curl -vi http://$INGRESS_GW_ADDRESS:8080/response-headers?foo=bar \
 -H "host: www.example.com:8080" 
  
      curl -vi "localhost:8080/response-headers?foo=bar" \
-H "host: www.example.com"

    Example output:

      < HTTP/1.1 401 Unauthorized
HTTP/1.1 401 Unauthorized
< access-control-allow-credentials: true
access-control-allow-credentials: true
< access-control-allow-origin: *
access-control-allow-origin: *
< content-type: application/json; encoding=utf-8
content-type: application/json; encoding=utf-8
< foo: bar
foo: bar
< content-length: 29
content-length: 29
< x-envoy-upstream-service-time: 4
x-envoy-upstream-service-time: 4
< server: envoy
server: envoy
< 

{
  "foo": [
    "bar"
  ]
}

  3. Send another request to the httpbin app. This time, you include the foo:baz query parameter. Verify that you get back a 403 HTTP response code.

      curl -vi http://$INGRESS_GW_ADDRESS:8080/response-headers?foo=baz \
 -H "host: www.example.com:8080" 
  
      curl -vi "localhost:8080/response-headers?foo=baz" \
-H "host: www.example.com"

    Example output:

      < HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden
< access-control-allow-credentials: true
access-control-allow-credentials: true
< access-control-allow-origin: *
access-control-allow-origin: *
< content-type: application/json; encoding=utf-8
content-type: application/json; encoding=utf-8
< foo: bar
foo: bar
< content-length: 29
content-length: 29
< x-envoy-upstream-service-time: 4
x-envoy-upstream-service-time: 4
< server: envoy
server: envoy
< 

{
  "foo": [
    "bar2"
  ]
}

Cleanup

You can remove the resources that you created in this guide.
  kubectl delete GlooTrafficPolicy transformation -n httpbin