fix: support gzip-encoded responses from the server

Author: ecordell

e2e/proxy_test.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"strings"
 	"time"
 
 	v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
@@ -1197,6 +1198,62 @@ var _ = Describe("Proxy", func() {
 				})
 			})
 		})
+
+		When("getting a large configmap through the proxy", func() {
+			It("succeeds even when the upstream response is gzip-encoded", func(ctx context.Context) {
+				// Allow configmap gets unconditionally (no SpiceDB check needed).
+				// The point of this test is to verify the proxy correctly handles
+				// gzip-encoded responses from the kube API server.
+				//
+				// We use GET (not CREATE) because the kube API server only gzip-encodes
+				// *responses* above ~128KB. A GET of a pre-existing large object reliably
+				// triggers gzip encoding without going through the workflow engine.
+				// Without the Accept-Encoding fix in the proxy's Director, FilterResp
+				// would receive a gzip-compressed body and fail to decode it as JSON.
+				configMapRule := proxyrule.Config{
+					Spec: proxyrule.Spec{
+						Matches: []proxyrule.Match{{
+							GroupVersion: "v1",
+							Resource:     "configmaps",
+							Verbs:        []string{"get"},
+						}},
+						// No Checks: unconditional allow for matched requests.
+					},
+				}
+				matcher, err := rules.NewMapMatcher([]proxyrule.Config{configMapRule})
+				Expect(err).To(Succeed())
+				*proxySrv.Matcher = matcher
+
+				// Create the namespace and configmap directly via adminClient (bypasses
+				// the proxy entirely). The proxy is only involved in the GET below.
+				Expect(CreateNamespace(ctx, adminClient, paulNamespace)).To(Succeed())
+				const dataSize = 300 * 1024 // 300KB — large enough to trigger kube's gzip encoding
+				cmName := names.SimpleNameGenerator.GenerateName("large-cm-")
+				_, err = adminClient.CoreV1().ConfigMaps(paulNamespace).Create(ctx,
+					&corev1.ConfigMap{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      cmName,
+							Namespace: paulNamespace,
+						},
+						Data: map[string]string{
+							"payload": strings.Repeat("x", dataSize),
+						},
+					}, metav1.CreateOptions{})
+				Expect(err).To(Succeed())
+
+				// GET the large configmap through the proxy.
+				// kube will gzip-encode the ~300KB response because paulClient sends
+				// Accept-Encoding: gzip. The proxy strips this header in its Director
+				// so its own transport takes ownership of gzip negotiation and
+				// auto-decompresses before FilterResp runs — ensuring FilterResp always
+				// sees plain JSON regardless of response size.
+				cm, err := paulClient.CoreV1().ConfigMaps(paulNamespace).Get(ctx, cmName, metav1.GetOptions{})
+				Expect(err).To(Succeed())
+				Expect(cm.Name).To(Equal(cmName))
+				// Verify the full payload came back intact (not truncated or corrupted).
+				Expect(cm.Data["payload"]).To(HaveLen(dataSize))
+			})
+		})
 	})
 })
 

pkg/proxy/server.go

@@ -99,6 +99,12 @@ func NewServer(ctx context.Context, c *CompletedConfig) (*Server, error) {
 			host := strings.TrimPrefix(clusterHost, "https://")
 			req.URL.Host = strings.TrimSuffix(host, "/")
 			req.URL.Scheme = "https"
+			// Remove Accept-Encoding so the proxy's transport owns gzip negotiation.
+			// When the transport adds Accept-Encoding: gzip itself, it also auto-decompresses
+			// the response and strips Content-Encoding: gzip before ModifyResponse/FilterResp
+			// runs. This ensures FilterResp always receives uncompressed bytes regardless of
+			// response size.
+			req.Header.Del("Accept-Encoding")
 		},
 		ModifyResponse: func(response *http.Response) error {
 			klog.V(3).InfoSDepth(1, "upstream Kubernetes API response",