Enable TLS Fingerprinting configuration (JA3/JA4)

[WUMUXIAN]

internal/(envoy): Make it possible to enable TLS fingerprinting in Envoy's TLS Inspector Listener filter, useful for security monitoring, analytics, and bot detection. Provides independent control over JA3 and JA4 fingerprinting methods.

enableJA3Fingerprinting: Enable JA3 fingerprinting (requires Envoy 1.21.0+)
enableJA4Fingerprinting: Enable JA4 fingerprinting (requires Envoy 1.35.0+)
Both settings default to false.

Updates #7307
Release note: release-note/minor

Signed-off-by: Muxian Wu wumuxian1988@gmail.com

[github-actions]

Hi @WUMUXIAN! Welcome to our community and thank you for opening your first Pull Request. Someone will review it soon. Thank you for committing to making Contour better. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

[codecov]

Codecov Report

❌ Patch coverage is 60.00000% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 80.13%. Comparing base (8a51282) to head (04832c1).
⚠️ Report is 19 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/contour/servecontext.go	42.85%	3 Missing and 1 partial ⚠️
pkg/config/parameters.go	0.00%	3 Missing ⚠️
cmd/contour/serve.go	0.00%	2 Missing ⚠️
internal/envoy/v3/listener.go	87.50%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7372      +/-   ##
==========================================
- Coverage   81.18%   80.13%   -1.06%     
==========================================
  Files         130      130              
  Lines       15803    15788      -15     
==========================================
- Hits        12829    12651     -178     
- Misses       2613     2624      +11     
- Partials      361      513     +152     

Files with missing lines	Coverage Δ
internal/dag/policy.go	80.44% <100.00%> (-15.11%)	⬇️
internal/xdscache/v3/listener.go	76.61% <100.00%> (-0.71%)	⬇️
internal/envoy/v3/listener.go	84.22% <87.50%> (-13.94%)	⬇️
cmd/contour/serve.go	22.23% <0.00%> (+0.18%)	⬆️
pkg/config/parameters.go	66.78% <0.00%> (-12.17%)	⬇️
cmd/contour/servecontext.go	85.67% <42.85%> (+1.79%)	⬆️

... and 17 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[WUMUXIAN]

hi @tsaarni , @sunjayBhatia can you review this? thank you

[github-actions]

The Contour project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 30d of inactivity, lifecycle/stale is applied
• After 60d of inactivity since lifecycle/stale was applied, the PR is closed

You can:

• Ensure your PR is passing all CI checks. PRs that are fully green are more likely to be reviewed. If you are having trouble with CI checks, reach out to the #contour channel in the Kubernetes Slack workspace.
• Mark this PR as fresh by commenting or pushing a commit
• Close this PR
• Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

[tsaarni]

Hi @WUMUXIAN, Thank You for contribution and sorry for the delay!

Have you considered how these fingerprints will be consumed or observed? I do not see that reflected in this change. Based on what I understood from Envoy documentation, the options include:

• Logging fingerprints in HTTP access logs (this requires changes in apis/projectcontour/v1alpha1/accesslog.go).
• Setting dynamic request headers (this requires changes in internal/dag/policy.go). Header could make the fingerprints available to the backend service, and possibly to external authorization server.

We should also add some documentation regarding how to observe these fingerprints.

We need tests to verify this functionality. The simplest approach is to add unit tests in internal/featuretests/.

[WUMUXIAN]

Hi @WUMUXIAN, Thank You for contribution and sorry for the delay!

Have you considered how these fingerprints will be consumed or observed? I do not see that reflected in this change. Based on what I understood from Envoy documentation, the options include:

• Logging fingerprints in HTTP access logs (this requires changes in apis/projectcontour/v1alpha1/accesslog.go).
• Setting dynamic request headers (this requires changes in internal/dag/policy.go). Header could make the fingerprints available to the backend service, and possibly to external authorization server.

We should also add some documentation regarding how to observe these fingerprints.

We need tests to verify this functionality. The simplest approach is to add unit tests in internal/featuretests/.

Thanks for the thorough reviews! @tsaarni, I have updated the PR with all the comments addressed, please review again, ty!