feat(interceptor): add direct-pod routing for cold-start requests

- Adds KEDA_HTTP_DIRECT_POD_ROUTING (disabled|cold-start-only); when set,
  rewrites upstream URL to a ready pod's ip:port after scale-from-zero
- ReadyEndpointsCache now tracks (ip, port) pairs keyed by named port via
  EndpointSlice updates; WaitForReady returns a podHost alongside isColdStart
- Empty podHost (no portName match) leaves upstream URL unchanged, falling
  back to ClusterIP as before
- TransportPool keyed on (responseHeaderTimeout, serverName) with per-transport
  TLSClientConfig.ServerName for correct SNI per pod
- Routing middleware stores intended TLS hostname in context before any URL
  rewrite so SNI always points to the original service

Signed-off-by: Atharva Pakade <pakade310@gmail.com>

Author: AtharvaPakade

CHANGELOG.md

@@ -32,11 +32,13 @@ This changelog keeps track of work items that have been completed and are ready
 
 ### New
 
-- **General**: TODO ([#TODO](https://github.com/kedacore/http-add-on/issues/TODO))
+- **Interceptor**: Add `KEDA_HTTP_DIRECT_POD_ROUTING` environment variable (`disabled` | `cold-start-only`). When set to `cold-start-only`, the interceptor routes cold-start requests directly to a ready pod IP instead of through the service ClusterIP, reducing latency when kube-proxy rules are slow to propagate. ([#1473](https://github.com/kedacore/http-add-on/issues/1473))
 
 ### Improvements
 
-- **General**: TODO ([#TODO](https://github.com/kedacore/http-add-on/issues/TODO))
+- **Interceptor**: `ReadyEndpointsCache` now tracks full `(ip, port)` pairs per named port from EndpointSlices, enabling direct-pod routing (replaces the previous bool-only ready state). ([#1473](https://github.com/kedacore/http-add-on/issues/1473))
+- **Interceptor**: `TransportPool` now keys on `(responseHeaderTimeout, serverName)` and applies TLS `ServerName` per transport, enabling correct SNI when the upstream URL is rewritten to a pod IP. ([#1473](https://github.com/kedacore/http-add-on/issues/1473))
+- **Interceptor**: TLS server name is captured in context by the routing middleware before any URL rewrites, so downstream transports always use the original service hostname for SNI. ([#1473](https://github.com/kedacore/http-add-on/issues/1473))
 
 ### Fixes
 

interceptor/config/serving.go

@@ -1,11 +1,24 @@
 package config
 
 import (
+	"fmt"
 	"time"
 
 	"github.com/caarlos0/env/v11"
 )
 
+// DirectPodRoutingMode controls whether and when the interceptor routes requests
+// directly to a ready pod IP instead of through the ClusterIP service.
+type DirectPodRoutingMode string
+
+const (
+	// DirectPodRoutingDisabled never bypasses the ClusterIP service (default).
+	DirectPodRoutingDisabled DirectPodRoutingMode = "disabled"
+	// DirectPodRoutingColdStartOnly bypasses the ClusterIP service only on cold
+	// starts, reducing latency when kube-proxy rules are slow to propagate.
+	DirectPodRoutingColdStartOnly DirectPodRoutingMode = "cold-start-only"
+)
+
 // Serving is configuration for how the interceptor serves the proxy
 // and admin server
 type Serving struct {
@@ -53,10 +66,21 @@ type Serving struct {
 	EnableColdStartHeader bool `env:"KEDA_HTTP_ENABLE_COLD_START_HEADER" envDefault:"true"`
 	// LogRequests enables/disables logging of incoming requests
 	LogRequests bool `env:"KEDA_HTTP_LOG_REQUESTS" envDefault:"false"`
+	// DirectPodRouting controls when the interceptor routes directly to a pod IP
+	// instead of the ClusterIP service. Valid values: "disabled", "cold-start-only".
+	DirectPodRouting DirectPodRoutingMode `env:"KEDA_HTTP_DIRECT_POD_ROUTING" envDefault:"disabled"`
 }
 
 // MustParseServing parses standard configs and returns the
 // newly created config. It panics if parsing fails.
 func MustParseServing() Serving {
-	return env.Must(env.ParseAs[Serving]())
+	s := env.Must(env.ParseAs[Serving]())
+	switch s.DirectPodRouting {
+	case DirectPodRoutingDisabled, DirectPodRoutingColdStartOnly:
+		// valid
+	default:
+		panic(fmt.Sprintf("invalid KEDA_HTTP_DIRECT_POD_ROUTING value %q: must be %q or %q",
+			s.DirectPodRouting, DirectPodRoutingDisabled, DirectPodRoutingColdStartOnly))
+	}
+	return s
 }

interceptor/handler/upstream.go

@@ -68,7 +68,7 @@ func (uh *Upstream) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	transport := uh.transportPool.Get(responseHeaderTimeout)
+	transport := uh.transportPool.Get(responseHeaderTimeout, util.UpstreamServerNameFromContext(ctx))
 
 	var rt http.RoundTripper = transport
 	if uh.tracingCfg.Enabled {

interceptor/middleware/constants.go

@@ -0,0 +1,6 @@
+package middleware
+
+const (
+	schemeHTTP  = "http"
+	schemeHTTPS = "https"
+)

interceptor/middleware/endpoint_resolver.go

@@ -18,6 +18,7 @@ const defaultFallbackReadinessTimeout = 30 * time.Second
 type EndpointResolverConfig struct {
 	ReadinessTimeout      time.Duration
 	EnableColdStartHeader bool
+	DirectPodOnColdStart  bool // route to pod IP directly during cold start
 }
 
 type EndpointResolver struct {
@@ -64,7 +65,7 @@ func (er *EndpointResolver) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	serviceKey := ir.Namespace + "/" + ir.Spec.Target.Service
-	isColdStart, err := er.readyCache.WaitForReady(waitCtx, serviceKey)
+	isColdStart, podHost, err := er.readyCache.WaitForReady(waitCtx, serviceKey, ir.Spec.Target.PortName)
 	if err != nil {
 		// No fallback, return an error
 		if !hasFallback {
@@ -90,12 +91,30 @@ func (er *EndpointResolver) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		// Fall back to alternate upstream.
 		fallbackURL := util.FallbackURLFromContext(ctx)
 		ctx = util.ContextWithUpstreamURL(ctx, fallbackURL)
+		// Update SNI to the fallback service hostname for TLS upstreams so the
+		// transport uses the correct server name instead of the primary service's.
+		// For non-TLS fallbacks the context may still hold the primary service's
+		// server name, but the transport ignores it for plain HTTP — no update needed.
+		if fallbackURL.Scheme == schemeHTTPS {
+			ctx = util.ContextWithUpstreamServerName(ctx, fallbackURL.Hostname())
+		}
 		r = r.WithContext(ctx)
-	}
+	} else {
+		// isColdStart is only meaningful when the backend resolved without errors
+		if er.cfg.EnableColdStartHeader {
+			w.Header().Set(kedahttp.HeaderColdStart, strconv.FormatBool(isColdStart))
+		}
 
-	// isColdStart is only meaningful when the backend resolved without errors
-	if err == nil && er.cfg.EnableColdStartHeader {
-		w.Header().Set(kedahttp.HeaderColdStart, strconv.FormatBool(isColdStart))
+		// Cold-start direct-to-pod routing: rewrites upstream to a pod IP, reducing latency when kube-proxy rules are slow to propagate.
+		// TLS SNI uses the original service hostname captured in context. Empty podHost leaves the upstream URL unchanged.
+		if isColdStart && er.cfg.DirectPodOnColdStart && podHost != "" {
+			if upstreamURL := util.UpstreamURLFromContext(ctx); upstreamURL != nil {
+				podURL := *upstreamURL
+				podURL.Host = podHost
+				ctx = util.ContextWithUpstreamURL(ctx, &podURL)
+				r = r.WithContext(ctx)
+			}
+		}
 	}
 
 	er.next.ServeHTTP(w, r)