feat(translator): make append_x_forwarded_host configurable in HTTPRouteFilter #8527

Open
rborale5 wants to merge 7 commits into envoyproxy:main from rborale5:feat/make-append-x-forwarded-host-configurable

@rborale5

What type of PR is this?

feat(translator): make append_x_forwarded_host configurable in HTTPRouteFilter

What this PR does / why we need it:

Problem

Currently, Envoy Gateway hardcodes append_x_forwarded_host: true when hostname rewriting is configured via HTTPRouteFilter, with no way to disable it. In some scenarios, users need to prevent the original Host header from being leaked to backend services via the X-Forwarded-Host header — for example, when the upstream misinterprets it, when a custom tracking mechanism is in place, or for security policies that restrict header forwarding.

Code reference: https://github.com/envoyproxy/gateway/blob/main/internal/xds/translator/route.go#L582

Solution

Added a new optional appendXForwardedHost field to the HTTPURLRewriteFilter in the HTTPRouteFilter CRD. The field defaults to true when unset, preserving full backward compatibility.

Changes

  • Added AppendXForwardedHost *bool field to HTTPURLRewriteFilter API type (api/v1alpha1/httproutefilter_types.go)
  • Added AppendXForwardedHost *bool field to the IR URLRewrite struct (internal/ir/xds.go)
  • Updated GatewayAPI translator to propagate the field from API to IR (internal/gatewayapi/filters.go)
  • Updated xDS translator to conditionally set append_x_forwarded_host instead of hardcoding true (internal/xds/translator/route.go)
  • Updated CRDs via make manifests
  • Updated generated deepcopy and API docs via make generate
  • Added documentation section "Disabling X-Forwarded-Host Header" in site/content/en/latest/tasks/traffic/http-urlrewrite.md
  • Added changelog entry in release-notes/current.yaml

Testing

  • GatewayAPI translator golden file test (httproute-with-urlrewrite-hostname-filter-append-x-forwarded-host.in/out.yaml) — tests true and false propagation to IR
  • xDS translator golden file test (http-route-rewrite-url-host-no-append-x-forwarded-host) — tests IR-to-xDS translation for true, false, and default (nil → true)
  • Unit test TestBuildXdsURLRewriteAction_AppendXForwardedHost in route_test.go — directly tests nil, true, and false cases
  • CEL validation tests in httproutefilter_test.go — verifies Kubernetes accepts the CRD with the new field
  • All existing tests pass (backward compatible)
  • Verified locally on Kind cluster with live traffic

Which issue(s) this PR fixes:

Fixes #8386

Release Notes: Yes
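
A simplified model of the behaviour described above, added here as an illustration and not taken from the PR or the Envoy Gateway code base. The `URLRewrite` struct, `appendEnabled`, `upstreamHeaders` and the host names are hypothetical; it shows the nil → true default and what a backend receives in each of the three cases.

```go
package main

import (
	"fmt"
	"net/http"
)

// URLRewrite is a hypothetical stand-in for the IR struct the PR extends.
type URLRewrite struct {
	Hostname             string
	AppendXForwardedHost *bool // nil = unset
}

// appendEnabled resolves the tri-state: unset keeps the previous
// hardcoded behaviour (true); an explicit value wins.
func appendEnabled(rw URLRewrite) bool {
	return rw.AppendXForwardedHost == nil || *rw.AppendXForwardedHost
}

// upstreamHeaders is a simplified model of the request a backend receives
// after a host rewrite. The original Host is appended to X-Forwarded-Host
// only when enabled and when it differs from the rewritten host.
func upstreamHeaders(origHost string, in http.Header, rw URLRewrite) (string, http.Header) {
	out := http.Header{}
	for k, v := range in {
		out[k] = append([]string(nil), v...)
	}
	if rw.Hostname == "" {
		return origHost, out // no host rewrite, nothing to append
	}
	if appendEnabled(rw) && origHost != "" && origHost != rw.Hostname {
		out.Add("X-Forwarded-Host", origHost)
	}
	return rw.Hostname, out
}

func main() {
	on, off := true, false
	cases := []URLRewrite{
		{Hostname: "backend.internal"},                             // unset
		{Hostname: "backend.internal", AppendXForwardedHost: &on},  // explicit true
		{Hostname: "backend.internal", AppendXForwardedHost: &off}, // explicit false
	}
	for _, rw := range cases {
		// Constructed sample request: public.example.test is a placeholder host.
		host, h := upstreamHeaders("public.example.test", http.Header{}, rw)
		fmt.Printf("Host=%s X-Forwarded-Host=%q\n", host, h.Values("X-Forwarded-Host"))
	}
}
```

With the field set to false, an X-Forwarded-Host value that was already present on the incoming request is still passed through in this model; the setting only controls whether the rewrite appends the original Host.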

…Filter

Add appendXForwardedHost field to HTTPURLRewriteFilter to allow users to
control whether the original Host header is appended to X-Forwarded-Host
when hostname rewriting is configured. Defaults to true for backward
compatibility.

Fixes envoyproxy#8386

Signed-off-by: rborale5 <rborale5@gmail.com>
@rborale5 rborale5 requested a review from a team as a code owner March 15, 2026 13:04
@netlify

netlify bot commented Mar 15, 2026

Deploy Preview for cerulean-figolla-1f9435 canceled.

Name Link
🔨 Latest commit 876f8ef
🔍 Latest deploy log https://app.netlify.com/projects/cerulean-figolla-1f9435/deploys/69ba5fdbfa224c00088b05eb

Signed-off-by: rborale5 <rborale5@gmail.com>
@rborale5 rborale5 force-pushed the feat/make-append-x-forwarded-host-configurable branch from af02b5e to d1c0df7 Compare March 15, 2026 13:17
@codecov

codecov bot commented Mar 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.11%. Comparing base (ed9abc9) to head (876f8ef).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8527      +/-   ##
==========================================
- Coverage   74.13%   74.11%   -0.03%     
==========================================
  Files         242      242              
  Lines       37669    37674       +5     
==========================================
- Hits        27925    27921       -4     
- Misses       7787     7795       +8     
- Partials     1957     1958       +1     

…name rewrite

Add a test case where appendXForwardedHost is set without any hostname
or path rewrite, covering the nil-URLRewrite initialization branch in
filters.go (lines 893-894) that was previously uncovered.

Signed-off-by: rborale5 <rborale5@gmail.com>
Made-with: Cursor
@rborale5 rborale5 force-pushed the feat/make-append-x-forwarded-host-configurable branch from cbba9a8 to ae1454b Compare March 16, 2026 05:23
Signed-off-by: rborale5 <rborale5@gmail.com>
@rborale5 rborale5 force-pushed the feat/make-append-x-forwarded-host-configurable branch from 0aba71c to 535d880 Compare March 16, 2026 06:22
@zirain
Member

zirain commented Mar 18, 2026

@rborale5 no need to rebase too often; a first-time contributor needs approval to kick off CI.

Let's wait for a review from another maintainer (2 are needed for API changes).

@rborale5
Author

Got it @zirain, thanks.

}
}

if hrf.Spec.URLRewrite.AppendXForwardedHost != nil {
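
Review bot: at `if hrf.Spec.URLRewrite.AppendXForwardedHost != nil {`, no guard on `hrf.Spec.URLRewrite` itself is visible, and the two closing braces above suggest the earlier URLRewrite blocks have already ended. If `URLRewrite` is a pointer, confirm this condition still sits inside a `hrf.Spec.URLRewrite != nil` check or add one, so that a filter without a URL rewrite section cannot trigger a nil dereference. A one-line comment noting that the unset case keeps the default of true would also help readers of this branch.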
Contributor

Should this live next to the other hrf.Spec.URLRewrite logic, or is this intentionally chosen so it's also applied to the native route filter URLRewrite logic?
