Pattern validation for HTTP header values according to RFC 7230

[snorwin]

What type of PR is this?

/kind bug

What this PR does / why we need it:
This PR adds an experimental pattern validation to ensure that HTTP header values consist only of printable US-ASCII characters, optionally separated by spaces or tabs, as required by RFC 7230.

Which issue(s) this PR fixes:

Fixes #3669

Does this PR introduce a user-facing change?:

Pattern validation for HTTP header values according to RFC 7230

[k8s-ci-robot]

Hi @snorwin. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[snorwin]

While a CEL would offer a cleaner approach with meaningful error messages, the complexity appears to be too high.

[youngnick]

/ok-to-test
/approve

I think that @robscott should check this out as well though.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: snorwin, youngnick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [youngnick]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[robscott]

Thanks @snorwin! I'm very hesitant to ever tighten validation on a GA API, but as long as we can have complete confidence that all configuration that would fail this validation would have been useless/invalid before this validation, this does seem like a net improvement.

/cc @htuch @mkosieradzki

[robscott]

Can you add some invalid and valid examples to https://github.com/kubernetes-sigs/gateway-api/tree/main/hack/invalid-examples/experimental and https://github.com/kubernetes-sigs/gateway-api/tree/main/examples/experimental respectively to confirm this is working as intended?

[robscott]

One note - this is a header value matcher that supports two types of matches - exact and regex. I believe all forms of regex matcher used here would also be contained within US-ASCII characters, but would appreciate another confirmation of that.

[snorwin]

That's a valid point. AFAIK, non-printable characters aren't used as meta characters in regex patterns.

[k8s-ci-robot]

@robscott: GitHub didn't allow me to request PR reviews from the following users: htuch, mkosieradzki.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

Thanks @snorwin! I'm very hesitant to ever tighten validation on a GA API, but as long as we can have complete confidence that all configuration that would fail this validation would have been useless/invalid before this validation, this does seem like a net improvement.

/cc @htuch @mkosieradzki

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.