feat: add env var to control X-KEDA-HTTP-Cold-Start response header (#1354)

Add KEDA_HTTP_ENABLE_COLD_START_HEADER environment variable to allow
users to control whether the X-KEDA-HTTP-Cold-Start response header
is included in HTTP responses.

Changes:
- Add EnableColdStartHeader config option to Serving config (default: true)
- Add enableColdStartHeader field to forwardingConfig struct
- Conditionally add X-KEDA-HTTP-Cold-Start header based on configuration
- Update runProxyServer to accept serving config parameter
- Update all tests to reflect default behavior (header enabled by default)
- Update CHANGELOG.md with improvement entry
- Add comprehensive documentation in docs/operate.md

The header is enabled by default to maintain current behavior. Users can
disable it by setting KEDA_HTTP_ENABLE_COLD_START_HEADER=false.

Fixes #1355

Signed-off-by: Sean Redmond <[email protected]>

Author: sean-redmond

CHANGELOG.md

@@ -34,6 +34,7 @@ This changelog keeps track of work items that have been completed and are ready
 ### Improvements
 
 - **Interceptor**: Support HTTPScaledObject scoped timeout ([#813](https://github.com/kedacore/http-add-on/issues/813))
+- **Interceptor**: Add environment variable to control X-KEDA-HTTP-Cold-Start response header ([#1355](https://github.com/kedacore/http-add-on/issues/1355))
 
 ### Fixes
 

docs/operate.md

@@ -31,6 +31,17 @@ For setting multiple TLS certs, set `KEDA_HTTP_PROXY_TLS_CERT_STORE_PATHS` with
 To disable certificate chain verification, set `KEDA_HTTP_PROXY_TLS_SKIP_VERIFY` to `false`
 
 The matching between certs and requests is performed during the TLS ClientHelo message, where the SNI service name is compared to SANs provided in each cert and the first matching cert will be used for the rest of the TLS handshake.
+
+# Configuring cold start header for the KEDA HTTP Add-on interceptor proxy
+
+The interceptor proxy includes a `X-KEDA-HTTP-Cold-Start` response header in HTTP responses to indicate whether a cold start occurred. By default, this header is **enabled**.
+
+The header can be controlled via the environment variable `KEDA_HTTP_ENABLE_COLD_START_HEADER` on the interceptor deployment (`true` by default). When enabled, the header will contain `true` if a cold start occurred (i.e., the workload was scaled from zero), or `false` if the workload was already running.
+
+To disable the cold start header (for example, to reduce information disclosure in production environments), set `KEDA_HTTP_ENABLE_COLD_START_HEADER` to `false`.
+
+This header is useful for debugging and monitoring cold start behavior.
+
 # Configuring tracing for the KEDA HTTP Add-on interceptor proxy
 
 ### Supported Exporters:

interceptor/config/serving.go

@@ -49,6 +49,8 @@ type Serving struct {
 	TLSPort int `envconfig:"KEDA_HTTP_PROXY_TLS_PORT" default:"8443"`
 	// ProfilingAddr if not empty, pprof will be available on this address, assuming host:port here
 	ProfilingAddr string `envconfig:"PROFILING_BIND_ADDRESS" default:""`
+	// EnableColdStartHeader enables/disables the X-KEDA-HTTP-Cold-Start response header
+	EnableColdStartHeader bool `envconfig:"KEDA_HTTP_ENABLE_COLD_START_HEADER" default:"true"`
 }
 
 // Parse parses standard configs using envconfig and returns a pointer to the

interceptor/main.go

@@ -198,7 +198,7 @@ func main() {
 
 			setupLog.Info("starting the proxy server with TLS enabled", "port", proxyTLSPort)
 
-			if err := runProxyServer(ctx, ctrl.Log, queues, waitFunc, routingTable, svcCache, timeoutCfg, proxyTLSPort, proxyTLSEnabled, proxyTLSConfig, tracingCfg); !util.IsIgnoredErr(err) {
+			if err := runProxyServer(ctx, ctrl.Log, queues, waitFunc, routingTable, svcCache, timeoutCfg, servingCfg, proxyTLSPort, proxyTLSEnabled, proxyTLSConfig, tracingCfg); !util.IsIgnoredErr(err) {
 				setupLog.Error(err, "tls proxy server failed")
 				return err
 			}
@@ -212,7 +212,7 @@ func main() {
 		setupLog.Info("starting the proxy server with TLS disabled", "port", proxyPort)
 
 		k8sSharedInformerFactory.WaitForCacheSync(ctx.Done())
-		if err := runProxyServer(ctx, ctrl.Log, queues, waitFunc, routingTable, svcCache, timeoutCfg, proxyPort, false, nil, tracingCfg); !util.IsIgnoredErr(err) {
+		if err := runProxyServer(ctx, ctrl.Log, queues, waitFunc, routingTable, svcCache, timeoutCfg, servingCfg, proxyPort, false, nil, tracingCfg); !util.IsIgnoredErr(err) {
 			setupLog.Error(err, "proxy server failed")
 			return err
 		}
@@ -405,6 +405,7 @@ func runProxyServer(
 	routingTable routing.Table,
 	svcCache k8s.ServiceCache,
 	timeouts *config.Timeouts,
+	serving *config.Serving,
 	port int,
 	tlsEnabled bool,
 	tlsConfig map[string]interface{},
@@ -440,7 +441,7 @@ func runProxyServer(
 		logger,
 		dialContextFunc,
 		waitFunc,
-		newForwardingConfigFromTimeouts(timeouts),
+		newForwardingConfigFromTimeouts(timeouts, serving),
 		forwardingTLSCfg,
 		tracingConfig,
 	)

interceptor/main_test.go

@@ -90,6 +90,7 @@ func TestRunProxyServerCountMiddleware(t *testing.T) {
 			routingTable,
 			svcCache,
 			timeouts,
+			&config.Serving{EnableColdStartHeader: true},
 			port,
 			false,
 			map[string]interface{}{},
@@ -230,6 +231,7 @@ func TestRunProxyServerWithTLSCountMiddleware(t *testing.T) {
 			routingTable,
 			svcCache,
 			timeouts,
+			&config.Serving{EnableColdStartHeader: true},
 			port,
 			true,
 			map[string]interface{}{"certificatePath": "../certs/tls.crt", "keyPath": "../certs/tls.key", "skipVerify": true},
@@ -380,6 +382,7 @@ func TestRunProxyServerWithMultipleCertsTLSCountMiddleware(t *testing.T) {
 			routingTable,
 			svcCache,
 			timeouts,
+			&config.Serving{EnableColdStartHeader: true},
 			port,
 			true,
 			map[string]interface{}{"certstorePaths": "../certs"},

interceptor/proxy_handlers.go

@@ -25,9 +25,10 @@ type forwardingConfig struct {
 	idleConnTimeout       time.Duration
 	tlsHandshakeTimeout   time.Duration
 	expectContinueTimeout time.Duration
+	enableColdStartHeader bool
 }
 
-func newForwardingConfigFromTimeouts(t *config.Timeouts) forwardingConfig {
+func newForwardingConfigFromTimeouts(t *config.Timeouts, s *config.Serving) forwardingConfig {
 	return forwardingConfig{
 		waitTimeout:           t.WorkloadReplicas,
 		respHeaderTimeout:     t.ResponseHeader,
@@ -36,6 +37,7 @@ func newForwardingConfigFromTimeouts(t *config.Timeouts) forwardingConfig {
 		idleConnTimeout:       t.IdleConnTimeout,
 		tlsHandshakeTimeout:   t.TLSHandshakeTimeout,
 		expectContinueTimeout: t.ExpectContinueTimeout,
+		enableColdStartHeader: s.EnableColdStartHeader,
 	}
 }
 
@@ -101,7 +103,9 @@ func newForwardingHandler(
 			}
 			return
 		}
-		w.Header().Add("X-KEDA-HTTP-Cold-Start", strconv.FormatBool(isColdStart))
+		if fwdCfg.enableColdStartHeader {
+			w.Header().Add("X-KEDA-HTTP-Cold-Start", strconv.FormatBool(isColdStart))
+		}
 		r.Header.Add("X-KEDA-HTTP-Cold-Start-Ref-Name", httpso.Spec.ScaleTargetRef.Name)
 		r.Header.Add("X-KEDA-HTTP-Cold-Start-Ref-Namespace", httpso.Namespace)
 

interceptor/proxy_handlers_test.go

@@ -75,8 +75,9 @@ func TestImmediatelySuccessfulProxy(t *testing.T) {
 		dialCtxFunc,
 		waitFunc,
 		forwardingConfig{
-			waitTimeout:       timeouts.WorkloadReplicas,
-			respHeaderTimeout: timeouts.ResponseHeader,
+			waitTimeout:           timeouts.WorkloadReplicas,
+			respHeaderTimeout:     timeouts.ResponseHeader,
+			enableColdStartHeader: true,
 		},
 		&tls.Config{},
 		&config.Tracing{},
@@ -127,8 +128,9 @@ func TestImmediatelySuccessfulProxyTLS(t *testing.T) {
 		dialCtxFunc,
 		waitFunc,
 		forwardingConfig{
-			waitTimeout:       timeouts.WorkloadReplicas,
-			respHeaderTimeout: timeouts.ResponseHeader,
+			waitTimeout:           timeouts.WorkloadReplicas,
+			respHeaderTimeout:     timeouts.ResponseHeader,
+			enableColdStartHeader: true,
 		},
 		&TestTLSConfig,
 		&config.Tracing{},
@@ -183,8 +185,9 @@ func TestImmediatelySuccessfulFailoverProxy(t *testing.T) {
 		dialCtxFunc,
 		waitFunc,
 		forwardingConfig{
-			waitTimeout:       0,
-			respHeaderTimeout: timeouts.ResponseHeader,
+			waitTimeout:           0,
+			respHeaderTimeout:     timeouts.ResponseHeader,
+			enableColdStartHeader: true,
 		},
 		&tls.Config{},
 		&config.Tracing{},
@@ -243,8 +246,9 @@ func TestWaitFailedConnection(t *testing.T) {
 		dialCtxFunc,
 		waitFunc,
 		forwardingConfig{
-			waitTimeout:       timeouts.WorkloadReplicas,
-			respHeaderTimeout: timeouts.ResponseHeader,
+			waitTimeout:           timeouts.WorkloadReplicas,
+			respHeaderTimeout:     timeouts.ResponseHeader,
+			enableColdStartHeader: true,
 		},
 		&tls.Config{},
 		&config.Tracing{},
@@ -294,8 +298,9 @@ func TestWaitFailedConnectionTLS(t *testing.T) {
 		dialCtxFunc,
 		waitFunc,
 		forwardingConfig{
-			waitTimeout:       timeouts.WorkloadReplicas,
-			respHeaderTimeout: timeouts.ResponseHeader,
+			waitTimeout:           timeouts.WorkloadReplicas,
+			respHeaderTimeout:     timeouts.ResponseHeader,
+			enableColdStartHeader: true,
 		},
 		&TestTLSConfig,
 		&config.Tracing{},
@@ -346,8 +351,9 @@ func TestTimesOutOnWaitFunc(t *testing.T) {
 		dialCtxFunc,
 		waitFunc,
 		forwardingConfig{
-			waitTimeout:       timeouts.WorkloadReplicas,
-			respHeaderTimeout: timeouts.ResponseHeader,
+			waitTimeout:           timeouts.WorkloadReplicas,
+			respHeaderTimeout:     timeouts.ResponseHeader,
+			enableColdStartHeader: true,
 		},
 		&tls.Config{},
 		&config.Tracing{},
@@ -419,8 +425,9 @@ func TestTimesOutOnWaitFuncTLS(t *testing.T) {
 		dialCtxFunc,
 		waitFunc,
 		forwardingConfig{
-			waitTimeout:       timeouts.WorkloadReplicas,
-			respHeaderTimeout: timeouts.ResponseHeader,
+			waitTimeout:           timeouts.WorkloadReplicas,
+			respHeaderTimeout:     timeouts.ResponseHeader,
+			enableColdStartHeader: true,
 		},
 		&TestTLSConfig,
 		&config.Tracing{},
@@ -503,8 +510,9 @@ func TestWaitsForWaitFunc(t *testing.T) {
 		dialCtxFunc,
 		waitFunc,
 		forwardingConfig{
-			waitTimeout:       timeouts.WorkloadReplicas,
-			respHeaderTimeout: timeouts.ResponseHeader,
+			waitTimeout:           timeouts.WorkloadReplicas,
+			respHeaderTimeout:     timeouts.ResponseHeader,
+			enableColdStartHeader: true,
 		},
 		&tls.Config{},
 		&config.Tracing{},
@@ -570,8 +578,9 @@ func TestWaitsForWaitFuncTLS(t *testing.T) {
 		dialCtxFunc,
 		waitFunc,
 		forwardingConfig{
-			waitTimeout:       timeouts.WorkloadReplicas,
-			respHeaderTimeout: timeouts.ResponseHeader,
+			waitTimeout:           timeouts.WorkloadReplicas,
+			respHeaderTimeout:     timeouts.ResponseHeader,
+			enableColdStartHeader: true,
 		},
 		&TestTLSConfig,
 		&config.Tracing{},
@@ -641,8 +650,9 @@ func TestWaitHeaderTimeout(t *testing.T) {
 		dialCtxFunc,
 		waitFunc,
 		forwardingConfig{
-			waitTimeout:       timeouts.WorkloadReplicas,
-			respHeaderTimeout: timeouts.ResponseHeader,
+			waitTimeout:           timeouts.WorkloadReplicas,
+			respHeaderTimeout:     timeouts.ResponseHeader,
+			enableColdStartHeader: true,
 		},
 		&tls.Config{},
 		&config.Tracing{},
@@ -700,8 +710,9 @@ func TestWaitHeaderTimeoutTLS(t *testing.T) {
 		dialCtxFunc,
 		waitFunc,
 		forwardingConfig{
-			waitTimeout:       timeouts.WorkloadReplicas,
-			respHeaderTimeout: timeouts.ResponseHeader,
+			waitTimeout:           timeouts.WorkloadReplicas,
+			respHeaderTimeout:     timeouts.ResponseHeader,
+			enableColdStartHeader: true,
 		},
 		&TestTLSConfig,
 		&config.Tracing{},