fix: disable -shadow host suffix append (#7229)

shreealt · web-flow · commit fc08dbd643b9 · 2025-10-16T12:11:16.000-07:00
* fix: disable `-shadow` host suffix append

Signed-off-by: Shreemaan Abhishek &lt;shreemaanabhishek@apache.org&gt;
diff --git a/internal/xds/translator/route.go b/internal/xds/translator/route.go
@@ -543,6 +543,8 @@ func buildXdsRequestMirrorPolicies(mirrorPolicies []*ir.MirrorPolicy) []*routev3
 			xdsMirrorPolicies = append(xdsMirrorPolicies, &routev3.RouteAction_RequestMirrorPolicy{
 				Cluster:         policy.Destination.Name,
 				RuntimeFraction: mp,
+				// We don't need to append the shadow host suffix as the mirror policy already uses a different cluster which is enough to distinguish the mirrored traffic
+				DisableShadowHostSuffixAppend: true,
 			})
 		}
 	}
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-mirrors-percentage.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-mirrors-percentage.routes.yaml
@@ -12,6 +12,7 @@
         cluster: route-dest
         requestMirrorPolicies:
         - cluster: mirror-route-dest
+          disableShadowHostSuffixAppend: true
           runtimeFraction:
             defaultValue:
               denominator: MILLION
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors-percentage.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors-percentage.routes.yaml
@@ -12,11 +12,13 @@
         cluster: route-dest
         requestMirrorPolicies:
         - cluster: mirror-route-dest
+          disableShadowHostSuffixAppend: true
           runtimeFraction:
             defaultValue:
               denominator: MILLION
               numerator: 250000
         - cluster: mirror-route-dest1
+          disableShadowHostSuffixAppend: true
           runtimeFraction:
             defaultValue:
               denominator: MILLION
diff --git a/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.routes.yaml b/internal/xds/translator/testdata/out/xds-ir/http-route-multiple-mirrors.routes.yaml
@@ -12,10 +12,12 @@
         cluster: route-dest
         requestMirrorPolicies:
         - cluster: mirror-route-dest
+          disableShadowHostSuffixAppend: true
           runtimeFraction:
             defaultValue:
               numerator: 100
         - cluster: mirror-route-dest1
+          disableShadowHostSuffixAppend: true
           runtimeFraction:
             defaultValue:
               numerator: 100
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
@@ -5,6 +5,7 @@ breaking changes: |
   ALPNProtocols in EnvoyProxy Backend TLS setting use [h2, http/1.1] if not set.
   When a Backend resource specifies TLS settings and SNI is not specified or a BackendTLSPolicy is not attached to it, the value of upstream TLS SNI is determined by the HTTP Host header.
   When a Backend resource specifies TLS settings and SNI is not specified or a BackendTLSPolicy is not attached to it, the upstream certificate is validated for DNS SAN matching the SNI value sent.
+  When a MirrorPolicy is used, the shadow host suffix is not appended to the mirrored cluster name.
 
 # Updates addressing vulnerabilities, security flaws, or compliance requirements.
 security updates: |

Original file line number	Diff line number	Diff line change
`@@ -543,6 +543,8 @@ func buildXdsRequestMirrorPolicies(mirrorPolicies []ir.MirrorPolicy) []routev3`
`543`	`543`	`xdsMirrorPolicies = append(xdsMirrorPolicies, &routev3.RouteAction_RequestMirrorPolicy{`
`544`	`544`	`Cluster: policy.Destination.Name,`
`545`	`545`	`RuntimeFraction: mp,`
	`546`	`+ // We don't need to append the shadow host suffix as the mirror policy already uses a different cluster which is enough to distinguish the mirrored traffic`
	`547`	`+ DisableShadowHostSuffixAppend: true,`
`546`	`548`	`})`
`547`	`549`	`}`
`548`	`550`	`}`