I'm trying to troubleshoot an issue where I'm unsure if it originates on the Kyma side or the calling client side (NetWeaver in this case); this is the companion question to an SAP forum question in the Kyma area and the question I raised on the Kyma repo (which has more technical information including logs and examples.)
I'm unsure how to proceed. This seems to be an issue only with NetWeaver calls (though I was able to reproduce it using another Windows client app, Apidog, but that app's HTTP/2 support is only experimental). So the questions I have are:
I now have an answer that includes a workaround.
Cause #1: A Bug Within Envoy
I confirmed that this appears to be an issue in the Envoy proxy used by Istio, which is then used by BTP Kyma:
Any client that sends both the ":authority" pseudo-header and the "Host" header will run into this problem with Envoy it seems, as Envoy will incorrectly concatenate into the ":authority" field which winds up with an authority that Istio then doesn't find any routes for, because it's looking for a single instance of the name.
Cause #2: NetWeaver Sending Both ":authority" and "Host" headers
NetWeaver sends both ":authority" and "Host" headers even when those values are the same. While allowed by the HTTP/2 spec, this is still slightly unusual behavior for a client (curl, Insomnia, and others appear to interpret the HTTP/2 spec the same way that Envoy did initially).
The only workaround until Envoy releases a fix, it seems, is to get clients (such as NetWeaver) to only send one of the ":authority" or "Host" headers as part of the request. This will result in a request that does not encounter the Envoy bug with Kyma, and thus the request can complete successfully.
(Slightly Hacky) Workaround: Remove hostname from request_url
In our SAP code that utilizes the NetWeaver client to make the HTTP request, we we modify the request_url field to remove the hostname prior to sending the request to Kyma. It's missing the Host header when it goes out, but it has the :authority header already set. Because of that, the header isn't duplicated, and therefore it doesn't hit the Envoy bug.