Allow to disable envoy server header injection

config/200-config.yaml

@@ -80,3 +80,6 @@ data:
     # Use ',' separated values like "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-CHACHA20-POLY1305"
     # The default uses the default cipher suites of the envoy version.
     cipher-suites: ""
+
+    # Disable the Envoy server header injection in the response when response has no such header.
+    disable-envoy-server-header: "false"

pkg/config/configmap.go

@@ -52,6 +52,8 @@ const (
 
 	// TracingCollectorFullEndpoint is the config map key to configure tracing at kourier gateway level
 	TracingCollectorFullEndpoint = "tracing-collector-full-endpoint"
+
+	disableEnvoyServerHeader = "disable-envoy-server-header"
 )
 
 func DefaultConfig() *Kourier {
@@ -64,6 +66,7 @@ func DefaultConfig() *Kourier {
 		CipherSuites:               nil,
 		EnableCryptoMB:             false,
 		UseRemoteAddress:           false,
+		DisableEnvoyServerHeader:   false,
 	}
 }
 
@@ -81,6 +84,7 @@ func NewConfigFromMap(configMap map[string]string) (*Kourier, error) {
 		cm.AsStringSet(cipherSuites, &nc.CipherSuites),
 		cm.AsBool(enableCryptoMB, &nc.EnableCryptoMB),
 		asTracing(TracingCollectorFullEndpoint, &nc.Tracing),
+		cm.AsBool(disableEnvoyServerHeader, &nc.DisableEnvoyServerHeader),
 	); err != nil {
 		return nil, err
 	}
@@ -161,4 +165,6 @@ type Kourier struct {
 	CipherSuites sets.Set[string]
 	// Tracing specifies the configuration for gateway tracing
 	Tracing Tracing
+	// Disable Server Header
+	DisableEnvoyServerHeader bool
 }

pkg/envoy/api/http_connection_manager.go

@@ -52,6 +52,7 @@ func NewHTTPConnectionManager(routeConfigName string, kourierConfig *config.Kour
 	})
 	enableAccessLog := kourierConfig.EnableServiceAccessLogging
 	enableProxyProtocol := kourierConfig.EnableProxyProtocol
+	disableEnvoyServerHeader := kourierConfig.DisableEnvoyServerHeader
 	idleTimeout := kourierConfig.IdleTimeout
 
 	mgr := &hcm.HttpConnectionManager{
@@ -80,6 +81,11 @@ func NewHTTPConnectionManager(routeConfigName string, kourierConfig *config.Kour
 		mgr.UseRemoteAddress = &wrapperspb.BoolValue{Value: true}
 	}
 
+	if disableEnvoyServerHeader {
+		//Force the connection manager to skip envoy's server header if none is present
+		mgr.ServerHeaderTransformation = hcm.HttpConnectionManager_PASS_THROUGH
+	}
+
 	if enableAccessLog {
 		// Write access logs to stdout by default.
 		accessLog, _ := anypb.New(&accesslog_file_v3.FileAccessLog{

pkg/envoy/api/http_connection_manager_test.go

@@ -17,6 +17,7 @@ limitations under the License.
 package envoy
 
 import (
+	hcm "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	"math"
 	"testing"
 	"time"
@@ -158,3 +159,37 @@ func TestNewHTTPConnectionManagerWithUseRemoteAddress(t *testing.T) {
 	connManager := NewHTTPConnectionManager("test", &kourierConfig)
 	assert.Check(t, connManager.UseRemoteAddress.Value == true)
 }
+
+func TestNewHTTPConnectionManagerWithDisableEnvoyServerHeader(t *testing.T) {
+	tests := []struct {
+		name                             string
+		configKourer                     config.Kourier
+		wantedServerHeaderTransformation hcm.HttpConnectionManager_ServerHeaderTransformation
+	}{
+		{
+			name: "test disable envoy server header",
+			configKourer: config.Kourier{
+				DisableEnvoyServerHeader: true,
+			},
+			wantedServerHeaderTransformation: hcm.HttpConnectionManager_PASS_THROUGH,
+		},
+		{
+			name: "test allow envoy server header",
+			configKourer: config.Kourier{
+				DisableEnvoyServerHeader: false,
+			},
+			wantedServerHeaderTransformation: hcm.HttpConnectionManager_OVERWRITE,
+		},
+		{
+			name:                             "test allow envoy server header, no setting",
+			configKourer:                     config.Kourier{},
+			wantedServerHeaderTransformation: hcm.HttpConnectionManager_OVERWRITE,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			connManager := NewHTTPConnectionManager("test", &test.configKourer)
+			assert.Equal(t, test.wantedServerHeaderTransformation, connManager.ServerHeaderTransformation)
+		})
+	}
+}