PathRewitePolicy behaving weird with condition prefix and header match

[shivgana]

What question do you have?:
We have a conflict of endpoint "/ui" with two Frontend(one is owned by us, other is 2pp) application under same FDQN. So, we decided use pathRewritePolicy for our frontend application without any effort on application. If cookie contain token then update endpoint with pathRewritePolicy, else send request with no endpoint change to service for authentication if header cookie doesn't contain token.

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: name-example-foo
spec:
  virtualhost:
    fqdn: foo.bar.com
  routes:
    - conditions:
      - prefix: /ui
      services:
        - name: 2pp-frontend
          port: 80
    - conditions:
      - prefix: /our-app
      - header:
          name: cookie
          contains: token
      pathRewritePolicy:
        replacePrefix:
        - prefix: /our-app
          replacement: /
      services:
        - name: our-frontend
          port: 80
    - conditions:
      - prefix: /our-app
      - header:
          name: cookie
          notcontains: token
      services:
        - name: our-frontend
          port: 80

Flow we need of request to be happen:

1. On new request http://foo.bar.com/our-app/ui
2. Ingress validate and redirect to Authentication:
   a. Request check from Ingress second route will fail, and pass the third route.
   b. Application redirect to authentication with callback url as http://foo.bar.com/our-app/ui
3. Callback after authentication Ingress validate again.
   a. Now, request will pass in second route condition(cookie contain token) and replace prefix then forward the request to application with http://foo.bar.com/ui

But flow actually happenning:
From above flow step 1 and step 2 working fine. But after authentication, callback url validate and replace prefix. Now updated request, re-evaluated at ingress and pass through first route condition, forwarding to 2pp-frontend.

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

• Contour version:
• Kubernetes version: (use kubectl version):
• Kubernetes installer & version:
• Cloud provider or hardware configuration:
• OS (e.g. from /etc/os-release):

[github-actions]

Hey @shivgana! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

[github-actions]

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

• After 60d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

• Mark this Issue as fresh by commenting
• Close this Issue
• Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack