feat: Traefik plugin for header rewrite in nativeUserMode (#938)

Signed-off-by: Michal Vala <mvala@redhat.com>
2021-07-21 13:43:32 +02:00 · 2021-07-21 13:43:32 +02:00 · 6bf5c65a44
parent 142b568026
commit 6bf5c65a44
13 changed files with 158 additions and 91 deletions
--- a/.gitignore
+++ b/.gitignore
@ -121,4 +121,4 @@ bundle/stable/eclipse-che-preview-openshift/generated

 testbin/setup-envtest.sh

-.DS_Store
+.DS_Store
--- a/9
+++ b/9
@ -15,6 +15,7 @@ ENV GOPATH=/go/
 ENV RESTIC_TAG=v0.12.0
 ARG DEV_WORKSPACE_CONTROLLER_VERSION="main"
 ARG DEV_WORKSPACE_CHE_OPERATOR_VERSION="main"
+ARG DEV_HEADER_REWRITE_TRAEFIK_PLUGIN="main"
 USER root

 # upstream, download zips for every build
@ -23,7 +24,8 @@ RUN mkdir -p $GOPATH/restic && \
    curl -sSLo- https://api.github.com/repos/restic/restic/tarball/${RESTIC_TAG} | tar --strip-components=1 -xz -C $GOPATH/restic && \
    cd $GOPATH/restic && go mod vendor && \
    curl -sSLo /tmp/asset-devworkspace-operator.zip https://api.github.com/repos/devfile/devworkspace-operator/zipball/${DEV_WORKSPACE_CONTROLLER_VERSION} && \
-    curl -sSLo /tmp/asset-devworkspace-che-operator.zip https://api.github.com/repos/che-incubator/devworkspace-che-operator/zipball/${DEV_WORKSPACE_CHE_OPERATOR_VERSION}
+    curl -sSLo /tmp/asset-devworkspace-che-operator.zip https://api.github.com/repos/che-incubator/devworkspace-che-operator/zipball/${DEV_WORKSPACE_CHE_OPERATOR_VERSION} && \
+    curl -sSLo /tmp/asset-header-rewrite-traefik-plugin.zip https://api.github.com/repos/che-incubator/header-rewrite-traefik-plugin/zipball/${DEV_HEADER_REWRITE_TRAEFIK_PLUGIN}

 WORKDIR /che-operator
 # Copy the Go Modules manifests
@ -50,6 +52,10 @@ RUN unzip /tmp/asset-devworkspace-che-operator.zip */deploy/deployment/* -d /tmp
    mkdir -p /tmp/devworkspace-che-operator/templates/ && \
    mv /tmp/che-incubator-devworkspace-che-operator-*/deploy /tmp/devworkspace-che-operator/templates/

+RUN unzip /tmp/asset-header-rewrite-traefik-plugin.zip -d /tmp && \
+    mkdir -p /tmp/header-rewrite-traefik-plugin && \
+    mv /tmp/*-header-rewrite-traefik-plugin-*/headerRewrite.go /tmp/*-header-rewrite-traefik-plugin-*/.traefik.yml /tmp/header-rewrite-traefik-plugin
+
 # Build restic. Needed for backup / restore capabilities
 RUN cd $GOPATH/restic && \
    export ARCH="$(uname -m)" && if [[ ${ARCH} == "x86_64" ]]; then export ARCH="amd64"; elif [[ ${ARCH} == "aarch64" ]]; then export ARCH="arm64"; fi && \
@ -62,6 +68,7 @@ COPY --from=builder /che-operator/che-operator /manager
 COPY --from=builder /che-operator/templates/*.sh /tmp/
 COPY --from=builder /tmp/devworkspace-operator/templates/deploy /tmp/devworkspace-operator/templates
 COPY --from=builder /tmp/devworkspace-che-operator/templates/deploy /tmp/devworkspace-che-operator/templates
+COPY --from=builder /tmp/header-rewrite-traefik-plugin /tmp/header-rewrite-traefik-plugin
 COPY --from=builder /tmp/restic/restic /usr/local/bin/restic
 COPY --from=builder /go/restic/LICENSE /usr/local/bin/restic-LICENSE.txt

--- a/api/v1/checluster_types.go
+++ b/api/v1/checluster_types.go
@ -475,8 +475,7 @@ type CheClusterSpecAuth struct {
 	// See link:https://github.com/brancz/kube-rbac-proxy[kube-rbac-proxy] or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy]
 	// +optional
 	GatewayAuthorizationSidecarImage string `json:"gatewayAuthorizationSidecarImage,omitempty"`
-	// Header Rewrite Proxy sidecar image is used to properly set authorization header.
-	// See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy]
+	// Deprecated. The value of this flag is ignored. Sidecar functionality is now implemented in Traefik plugin.
 	GatewayHeaderRewriteSidecarImage string `json:"gatewayHeaderRewriteSidecarImage,omitempty"`
 }

--- a/bundle/nightly/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml
+++ b/bundle/nightly/eclipse-che-preview-kubernetes/manifests/che-operator.clusterserviceversion.yaml
@ -83,7 +83,7 @@ metadata:
    operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
    repository: https://github.com/eclipse-che/che-operator
    support: Eclipse Foundation
-  name: eclipse-che-preview-kubernetes.v7.34.0-265.nightly
+  name: eclipse-che-preview-kubernetes.v7.34.0-266.nightly
  namespace: placeholder
 spec:
  apiservicedefinitions: {}
@ -911,6 +911,8 @@ spec:
                        value: quay.io/eclipse/che-jwtproxy:0.10.0
                      - name: RELATED_IMAGE_single_host_gateway
                        value: quay.io/eclipse/che--traefik:v2.3.2-6e6d4dc5a19afe06778ca092cdbbb98e31cb9f9c313edafa23f81a0e6ddf8a23
+                      - name: RELATED_IMAGE_single_host_gateway_native_user_mode
+                        value: quay.io/eclipse/che--traefik:v2.5.0-rc2-df90799aaca1ad6fb9e06d311140035d2a0c2295a4f8f508f6b55ee056bb677e
                      - name: RELATED_IMAGE_single_host_gateway_config_sidecar
                        value: quay.io/che-incubator/configbump:0.1.4
                      - name: RELATED_IMAGE_devworkspace_che_operator
@ -1217,4 +1219,4 @@ spec:
  maturity: stable
  provider:
    name: Eclipse Foundation
-  version: 7.34.0-265.nightly
+  version: 7.34.0-266.nightly
--- a/bundle/nightly/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml
+++ b/bundle/nightly/eclipse-che-preview-kubernetes/manifests/org_v1_che_crd.yaml
@ -52,7 +52,7 @@ spec:
                    description: Gateway sidecar responsible for authorization when NativeUserMode is enabled. See link:https://github.com/brancz/kube-rbac-proxy[kube-rbac-proxy] or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy]
                    type: string
                  gatewayHeaderRewriteSidecarImage:
-                    description: Header Rewrite Proxy sidecar image is used to properly set authorization header. See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy]
+                    description: Deprecated. The value of this flag is ignored. Sidecar functionality is now implemented in Traefik plugin.
                    type: string
                  identityProviderAdminUserName:
                    description: Overrides the name of the Identity Provider administrator user. Defaults to `admin`.
--- a/bundle/nightly/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
+++ b/bundle/nightly/eclipse-che-preview-openshift/manifests/che-operator.clusterserviceversion.yaml
@ -74,7 +74,7 @@ metadata:
    operators.operatorframework.io/project_layout: go.kubebuilder.io/v3
    repository: https://github.com/eclipse-che/che-operator
    support: Eclipse Foundation
-  name: eclipse-che-preview-openshift.v7.34.0-265.nightly
+  name: eclipse-che-preview-openshift.v7.34.0-266.nightly
  namespace: placeholder
 spec:
  apiservicedefinitions: {}
@ -1043,6 +1043,8 @@ spec:
                        value: quay.io/eclipse/che-jwtproxy:0.10.0
                      - name: RELATED_IMAGE_single_host_gateway
                        value: quay.io/eclipse/che--traefik:v2.3.2-6e6d4dc5a19afe06778ca092cdbbb98e31cb9f9c313edafa23f81a0e6ddf8a23
+                      - name: RELATED_IMAGE_single_host_gateway_native_user_mode
+                        value: quay.io/eclipse/che--traefik:v2.5.0-rc2-df90799aaca1ad6fb9e06d311140035d2a0c2295a4f8f508f6b55ee056bb677e
                      - name: RELATED_IMAGE_single_host_gateway_config_sidecar
                        value: quay.io/che-incubator/configbump:0.1.4
                      - name: RELATED_IMAGE_devworkspace_che_operator
@ -1360,4 +1362,4 @@ spec:
  maturity: stable
  provider:
    name: Eclipse Foundation
-  version: 7.34.0-265.nightly
+  version: 7.34.0-266.nightly
--- a/bundle/nightly/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml
+++ b/bundle/nightly/eclipse-che-preview-openshift/manifests/org_v1_che_crd.yaml
@ -75,8 +75,8 @@ spec:
                        or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy]
                      type: string
                    gatewayHeaderRewriteSidecarImage:
-                      description: Header Rewrite Proxy sidecar image is used to properly
-                        set authorization header. See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy]
+                      description: Deprecated. The value of this flag is ignored.
+                        Sidecar functionality is now implemented in Traefik plugin.
                      type: string
                    identityProviderAdminUserName:
                      description: Overrides the name of the Identity Provider administrator
--- a/config/crd/bases/org_v1_che_crd-v1beta1.yaml
+++ b/config/crd/bases/org_v1_che_crd-v1beta1.yaml
@ -71,8 +71,8 @@ spec:
                    or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy]
                  type: string
                gatewayHeaderRewriteSidecarImage:
-                  description: Header Rewrite Proxy sidecar image is used to properly
-                    set authorization header. See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy]
+                  description: Deprecated. The value of this flag is ignored. Sidecar
+                    functionality is now implemented in Traefik plugin.
                  type: string
                identityProviderAdminUserName:
                  description: Overrides the name of the Identity Provider administrator
--- a/config/crd/bases/org_v1_che_crd.yaml
+++ b/config/crd/bases/org_v1_che_crd.yaml
@ -75,8 +75,8 @@ spec:
                        or link:https://github.com/openshift/kube-rbac-proxy[openshift/kube-rbac-proxy]
                      type: string
                    gatewayHeaderRewriteSidecarImage:
-                      description: Header Rewrite Proxy sidecar image is used to properly
-                        set authorization header. See link:https://github.com/che-incubator/header-rewrite-proxy[header-rewrite-proxy]
+                      description: Deprecated. The value of this flag is ignored.
+                        Sidecar functionality is now implemented in Traefik plugin.
                      type: string
                    identityProviderAdminUserName:
                      description: Overrides the name of the Identity Provider administrator
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@ -71,6 +71,8 @@ spec:
              value: quay.io/eclipse/che-jwtproxy:0.10.0
            - name: RELATED_IMAGE_single_host_gateway
              value: quay.io/eclipse/che--traefik:v2.3.2-6e6d4dc5a19afe06778ca092cdbbb98e31cb9f9c313edafa23f81a0e6ddf8a23
+            - name: RELATED_IMAGE_single_host_gateway_native_user_mode
+              value: quay.io/eclipse/che--traefik:v2.5.0-rc2-df90799aaca1ad6fb9e06d311140035d2a0c2295a4f8f508f6b55ee056bb677e
            - name: RELATED_IMAGE_single_host_gateway_config_sidecar
              value: quay.io/che-incubator/configbump:0.1.4
            - name: RELATED_IMAGE_devworkspace_che_operator
--- a/pkg/deploy/defaults.go
+++ b/pkg/deploy/defaults.go
@ -27,23 +27,24 @@ import (
 )

 var (
-	defaultCheServerImage                      string
-	defaultCheVersion                          string
-	defaultDashboardImage                      string
-	defaultDevworkspaceCheOperatorImage        string
-	defaultDevworkspaceControllerImage         string
-	defaultPluginRegistryImage                 string
-	defaultDevfileRegistryImage                string
-	defaultCheTLSSecretsCreationJobImage       string
-	defaultPvcJobsImage                        string
-	defaultPostgresImage                       string
-	defaultKeycloakImage                       string
-	defaultSingleHostGatewayImage              string
-	defaultSingleHostGatewayConfigSidecarImage string
-	defaultInternalRestBackupServerImage       string
-	defaultGatewayAuthenticationSidecarImage   string
-	defaultGatewayAuthorizationSidecarImage    string
-	defaultGatewayHeaderProxySidecarImage      string
+	defaultCheServerImage                       string
+	defaultCheVersion                           string
+	defaultDashboardImage                       string
+	defaultDevworkspaceCheOperatorImage         string
+	defaultDevworkspaceControllerImage          string
+	defaultPluginRegistryImage                  string
+	defaultDevfileRegistryImage                 string
+	defaultCheTLSSecretsCreationJobImage        string
+	defaultPvcJobsImage                         string
+	defaultPostgresImage                        string
+	defaultKeycloakImage                        string
+	defaultSingleHostGatewayImage               string
+	defaultSingleHostGatewayImageNativeUserMode string
+	defaultSingleHostGatewayConfigSidecarImage  string
+	defaultInternalRestBackupServerImage        string
+	defaultGatewayAuthenticationSidecarImage    string
+	defaultGatewayAuthorizationSidecarImage     string
+	defaultGatewayHeaderProxySidecarImage       string

 	defaultCheWorkspacePluginBrokerMetadataImage  string
 	defaultCheWorkspacePluginBrokerArtifactsImage string
@ -183,6 +184,7 @@ func InitDefaultsFromFile(defaultsPath string) {
 	defaultPostgresImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_postgres"))
 	defaultKeycloakImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_keycloak"))
 	defaultSingleHostGatewayImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway"))
+	defaultSingleHostGatewayImageNativeUserMode = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway_native_user_mode"))
 	defaultSingleHostGatewayConfigSidecarImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway_config_sidecar"))
 	defaultGatewayAuthenticationSidecarImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_gateway_authentication_sidecar"))
 	defaultGatewayAuthorizationSidecarImage = util.GetDeploymentEnv(operatorDeployment, util.GetArchitectureDependentEnv("RELATED_IMAGE_gateway_authorization_sidecar"))
@ -329,7 +331,15 @@ func DefaultCheServerSecureExposerJwtProxyImage(cr *orgv1.CheCluster) string {
 }

 func DefaultSingleHostGatewayImage(cr *orgv1.CheCluster) string {
-	return patchDefaultImageName(cr, defaultSingleHostGatewayImage)
+	// `nativeUserMode` uses Traefik local plugins, which is supported from version 2.5 that is
+	// currently in Release Candidate. As we don't want to use RC version in our stable release,
+	// we're using 2 images now. As soon as Traefik 2.5 stable will be releases, we will remove
+	// `defaultSingleHostGatewayImageNativeUserMode` and use single image again.
+	if util.IsNativeUserModeEnabled(cr) {
+		return patchDefaultImageName(cr, defaultSingleHostGatewayImageNativeUserMode)
+	} else {
+		return patchDefaultImageName(cr, defaultSingleHostGatewayImage)
+	}
 }

 func DefaultSingleHostGatewayConfigSidecarImage(cr *orgv1.CheCluster) string {
@ -455,6 +465,7 @@ func InitDefaultsFromEnv() {
 	defaultPostgresImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_postgres"))
 	defaultKeycloakImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_keycloak"))
 	defaultSingleHostGatewayImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway"))
+	defaultSingleHostGatewayImageNativeUserMode = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway_native_user_mode"))
 	defaultSingleHostGatewayConfigSidecarImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_single_host_gateway_config_sidecar"))
 	defaultInternalRestBackupServerImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_internal_rest_backup_server"))
 	defaultGatewayAuthenticationSidecarImage = getDefaultFromEnv(util.GetArchitectureDependentEnv("RELATED_IMAGE_gateway_authentication_sidecar"))
--- a/pkg/deploy/gateway/gateway.go
+++ b/pkg/deploy/gateway/gateway.go
@ -15,6 +15,7 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
+	"io/ioutil"
 	"strconv"

 	"github.com/sirupsen/logrus"
@ -93,8 +94,11 @@ func syncAll(deployContext *deploy.DeployContext) error {
 			return err
 		}

-		headerRewriteProxyConfig := getGatewayHeaderRewriteProxyConfigSpec(instance)
-		if _, err := deploy.Sync(deployContext, &headerRewriteProxyConfig, configMapDiffOpts); err != nil {
+		if headerRewritePluginConfig, err := getGatewayHeaderRewritePluginConfigSpec(instance); err == nil {
+			if _, err := deploy.Sync(deployContext, headerRewritePluginConfig, configMapDiffOpts); err != nil {
+				return err
+			}
+		} else {
 			return err
 		}
 	}
@ -241,6 +245,7 @@ func delete(clusterAPI deploy.ClusterAPI, obj metav1.Object) error {
 // new configuration for workspaces, so the name should not resemble any of the names created by the Che server.
 func GetGatewayRouteConfig(deployContext *deploy.DeployContext, component string, serviceName string, pathPrefix string, priority int, internalUrl string, stripPrefix bool) corev1.ConfigMap {
 	pathRewrite := pathPrefix != "/" && stripPrefix
+	nativeUser := util.IsNativeUserModeEnabled(deployContext.CheCluster)

 	data := `---
 http:
@ -248,11 +253,16 @@ http:
    ` + serviceName + `:
      rule: "PathPrefix(` + "`" + pathPrefix + "`" + `)"
      service: ` + serviceName + `
-      priority: ` + strconv.Itoa(priority)
+      priority: ` + strconv.Itoa(priority) + `
+      middlewares: `
+
+	if nativeUser {
+		data += `
+      - "` + serviceName + `-header"`
+	}

 	if pathRewrite {
 		data += `
-      middlewares:
      - "` + serviceName + `"`
 	}

@ -261,11 +271,20 @@ http:
    ` + serviceName + `:
      loadBalancer:
        servers:
-        - url: '` + internalUrl + `'`
+        - url: '` + internalUrl + `'
+  middlewares:`
+	if nativeUser {
+		data += `
+    ` + serviceName + `-header:
+      plugin:
+        header-rewrite:
+          from: X-Forwarded-Access-Token
+          to: Authorization
+          prefix: 'Bearer '`
+	}

 	if pathRewrite {
 		data += `
-  middlewares:
    ` + serviceName + `:
      stripPrefix:
        prefixes:
@ -408,45 +427,43 @@ func generateRandomCookieSecret() []byte {
 	return []byte(base64.StdEncoding.EncodeToString([]byte(util.GeneratePasswd(16))))
 }

-func getGatewayHeaderRewriteProxyConfigSpec(instance *orgv1.CheCluster) corev1.ConfigMap {
-	return corev1.ConfigMap{
+func getGatewayHeaderRewritePluginConfigSpec(instance *orgv1.CheCluster) (*corev1.ConfigMap, error) {
+	headerRewrite, err := ioutil.ReadFile("/tmp/header-rewrite-traefik-plugin/headerRewrite.go")
+	if err != nil {
+		if !util.IsTestMode() {
+			return nil, err
+		}
+	}
+	pluginMeta, err := ioutil.ReadFile("/tmp/header-rewrite-traefik-plugin/.traefik.yml")
+	if err != nil {
+		if !util.IsTestMode() {
+			return nil, err
+		}
+	}
+
+	return &corev1.ConfigMap{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: corev1.SchemeGroupVersion.String(),
 			Kind:       "ConfigMap",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "che-gateway-config-header-rewrite-proxy",
+			Name:      "che-gateway-config-header-rewrite-traefik-plugin",
 			Namespace: instance.Namespace,
 			Labels:    deploy.GetLabels(instance, GatewayServiceName),
 		},
 		Data: map[string]string{
-			"rules.yaml": `
-rules:
- from: X-Forwarded-Access-Token
-  to: Authorization
-  prefix: 'Bearer '
-`,
+			"headerRewrite.go": string(headerRewrite),
+			".traefik.yml":     string(pluginMeta),
 		},
-	}
+	}, nil
 }

 func getGatewayTraefikConfigSpec(instance *orgv1.CheCluster) corev1.ConfigMap {
 	traefikPort := 8080
 	if util.IsNativeUserModeEnabled(instance) {
-		traefikPort = 8088
+		traefikPort = 8081
 	}
-	return corev1.ConfigMap{
-		TypeMeta: metav1.TypeMeta{
-			APIVersion: corev1.SchemeGroupVersion.String(),
-			Kind:       "ConfigMap",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "che-gateway-config",
-			Namespace: instance.Namespace,
-			Labels:    deploy.GetLabels(instance, GatewayServiceName),
-		},
-		Data: map[string]string{
-			"traefik.yml": fmt.Sprintf(`
+	data := fmt.Sprintf(`
 entrypoints:
  http:
    address: ":%d"
@ -464,7 +481,28 @@ providers:
    directory: "/dynamic-config"
    watch: true
 log:
-  level: "INFO"`, traefikPort),
+  level: "INFO"`, traefikPort)
+
+	if util.IsNativeUserModeEnabled(instance) {
+		data += `
+experimental:
+  localPlugins:
+    header-rewrite:
+      moduleName: github.com/che-incubator/header-rewrite-traefik-plugin`
+	}
+
+	return corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: corev1.SchemeGroupVersion.String(),
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "che-gateway-config",
+			Namespace: instance.Namespace,
+			Labels:    deploy.GetLabels(instance, GatewayServiceName),
+		},
+		Data: map[string]string{
+			"traefik.yml": data,
 		},
 	}
 }
@ -513,7 +551,6 @@ func getContainersSpec(instance *orgv1.CheCluster) []corev1.Container {
 	configSidecarImage := util.GetValue(instance.Spec.Server.SingleHostGatewayConfigSidecarImage, deploy.DefaultSingleHostGatewayConfigSidecarImage(instance))
 	authnImage := util.GetValue(instance.Spec.Auth.GatewayAuthenticationSidecarImage, deploy.DefaultGatewayAuthenticationSidecarImage(instance))
 	authzImage := util.GetValue(instance.Spec.Auth.GatewayAuthorizationSidecarImage, deploy.DefaultGatewayAuthorizationSidecarImage(instance))
-	headerProxyImage := util.GetValue(instance.Spec.Auth.GatewayHeaderRewriteSidecarImage, deploy.DefaultGatewayHeaderProxySidecarImage(instance))
 	configLabels := labels.FormatLabels(configLabelsMap)

 	containers := []corev1.Container{
@ -521,16 +558,7 @@ func getContainersSpec(instance *orgv1.CheCluster) []corev1.Container {
 			Name:            "gateway",
 			Image:           gatewayImage,
 			ImagePullPolicy: corev1.PullAlways,
-			VolumeMounts: []corev1.VolumeMount{
-				{
-					Name:      "static-config",
-					MountPath: "/etc/traefik",
-				},
-				{
-					Name:      "dynamic-config",
-					MountPath: "/dynamic-config",
-				},
-			},
+			VolumeMounts:    getTraefikContainerVolumeMounts(instance),
 		},
 		{
 			Name:            "configbump",
@ -583,18 +611,6 @@ func getContainersSpec(instance *orgv1.CheCluster) []corev1.Container {
 					{ContainerPort: 8080},
 				},
 			},
-			corev1.Container{
-				Name:            "header-rewrite-proxy",
-				Image:           headerProxyImage,
-				ImagePullPolicy: corev1.PullAlways,
-				Args:            []string{"--upstream=http://127.0.0.1:8088", "--bind=127.0.0.1:8081", "--rules=/etc/rules/rules.yaml"},
-				VolumeMounts: []corev1.VolumeMount{
-					{
-						Name:      "header-rewrite-proxy-rules",
-						MountPath: "/etc/rules",
-					},
-				},
-			},
 			corev1.Container{
 				Name:            "kube-rbac-proxy",
 				Image:           authzImage,
@ -603,7 +619,6 @@ func getContainersSpec(instance *orgv1.CheCluster) []corev1.Container {
 					"--insecure-listen-address=127.0.0.1:8089",
 					"--upstream=http://127.0.0.1:8090/ping",
 					"--logtostderr=true",
-					"--v=10",
 				},
 			})
 	}
@ -611,6 +626,27 @@ func getContainersSpec(instance *orgv1.CheCluster) []corev1.Container {
 	return containers
 }

+func getTraefikContainerVolumeMounts(instance *orgv1.CheCluster) []corev1.VolumeMount {
+	mounts := []corev1.VolumeMount{
+		{
+			Name:      "static-config",
+			MountPath: "/etc/traefik",
+		},
+		{
+			Name:      "dynamic-config",
+			MountPath: "/dynamic-config",
+		},
+	}
+	if util.IsNativeUserModeEnabled(instance) {
+		mounts = append(mounts, corev1.VolumeMount{
+			Name:      "header-rewrite-traefik-plugin",
+			MountPath: "/plugins-local/src/github.com/che-incubator/header-rewrite-traefik-plugin",
+		})
+	}
+
+	return mounts
+}
+
 func getVolumesSpec(instance *orgv1.CheCluster) []corev1.Volume {
 	volumes := []corev1.Volume{
 		{
@ -644,11 +680,11 @@ func getVolumesSpec(instance *orgv1.CheCluster) []corev1.Volume {
 		})

 		volumes = append(volumes, corev1.Volume{
-			Name: "header-rewrite-proxy-rules",
+			Name: "header-rewrite-traefik-plugin",
 			VolumeSource: corev1.VolumeSource{
 				ConfigMap: &corev1.ConfigMapVolumeSource{
 					LocalObjectReference: corev1.LocalObjectReference{
-						Name: "che-gateway-config-header-rewrite-proxy",
+						Name: "che-gateway-config-header-rewrite-traefik-plugin",
 					},
 				},
 			},
--- a/pkg/deploy/gateway/gateway_test.go
+++ b/pkg/deploy/gateway/gateway_test.go
@ -102,8 +102,16 @@ func TestNativeUserGateway(t *testing.T) {
 		t.Fatalf("Failed to get deployment: %v", err)
 	}

-	if len(deployment.Spec.Template.Spec.Containers) != 5 {
-		t.Fatalf("With native user mode, there should be 5 containers in the gateway.. But it has '%d' containers.", len(deployment.Spec.Template.Spec.Containers))
+	if len(deployment.Spec.Template.Spec.Containers) != 4 {
+		t.Fatalf("With native user mode, there should be 4 containers in the gateway.. But it has '%d' containers.", len(deployment.Spec.Template.Spec.Containers))
+	}
+
+	for _, c := range deployment.Spec.Template.Spec.Containers {
+		if c.Name == "gateway" {
+			if len(c.VolumeMounts) != 3 {
+				t.Fatalf("gateway container should have 3 mounts, but it has '%d' ... \n%+v", len(c.VolumeMounts), c.VolumeMounts)
+			}
+		}
 	}

 	service := &corev1.Service{}