Allow users to set hosts to the wildcard specifier when TLS is disabled (#8083)

This allows easier demoing/testing of ingress gateways, while still
preserving the validation we have for DNSSANs
pull/8089/head
Chris Piraino 2020-06-11 10:03:06 -05:00 committed by GitHub
parent b4b1a497e9
commit 6fa48c9512
2 changed files with 53 additions and 6 deletions


@ -171,7 +171,7 @@ func (e *IngressGatewayConfigEntry) Validate() error {
return fmt.Errorf("Hosts must be unique within a specific listener (listener on port %d)", listener.Port) return fmt.Errorf("Hosts must be unique within a specific listener (listener on port %d)", listener.Port)
} }
declaredHosts[h] = true declaredHosts[h] = true
if err := validateHost(h); err != nil { if err := validateHost(e.TLS.Enabled, h); err != nil {
return err return err
} }
} }
@ -181,7 +181,16 @@ func (e *IngressGatewayConfigEntry) Validate() error {
return nil return nil
} }
func validateHost(host string) error { func validateHost(tlsEnabled bool, host string) error {
// Special case '*' so that non-TLS ingress gateways can use it. This allows
// an easy demo/testing experience.
if host == "*" {
if tlsEnabled {
return fmt.Errorf("Host '*' is not allowed when TLS is enabled, all hosts must be valid DNS records to add as a DNSSAN")
}
return nil
}
wildcardPrefix := "*." wildcardPrefix := "*."
if _, ok := dns.IsDomainName(host); !ok { if _, ok := dns.IsDomainName(host); !ok {
return fmt.Errorf("Host %q must be a valid DNS hostname", host) return fmt.Errorf("Host %q must be a valid DNS hostname", host)
@ -191,10 +200,6 @@ func validateHost(host string) error {
return fmt.Errorf("Host %q is not valid, a wildcard specifier is only allowed as the leftmost label", host) return fmt.Errorf("Host %q is not valid, a wildcard specifier is only allowed as the leftmost label", host)
} }
if host == "*" {
return fmt.Errorf("Host '*' is not allowed, wildcards can only be used as a prefix/suffix")
}
return nil return nil
} }
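Review bot: The `*` special case added at the top of validateHost is accepted without any interaction with the per-listener uniqueness check in Validate, which compares host strings exactly (`declaredHosts[h] = true`), so a listener can declare `*` on one service and specific hostnames on another and still validate; if the proxy treats `*` as a catch-all virtual host, which service receives a request is then decided by routing order rather than by validation. Consider rejecting `*` when the same listener declares any other host, or documenting the intended precedence on validateHost. validateHost also has no doc comment; I would add `// validateHost checks that host is a valid DNS hostname, optionally with a leading "*." wildcard label. The bare catch-all "*" is accepted only when tlsEnabled is false, because it cannot be used as a DNSSAN.` The gate reads the gateway-level e.TLS.Enabled at the call site in Validate; if TLS can be enabled at a narrower scope than the whole config entry, that is not visible here and would not be covered by this check.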


@ -392,6 +392,48 @@ func TestIngressConfigEntry_Validate(t *testing.T) {
}, },
expectErr: `Host "*-test.example.com" is not valid, a wildcard specifier is only allowed as the leftmost label`, expectErr: `Host "*-test.example.com" is not valid, a wildcard specifier is only allowed as the leftmost label`,
}, },
{
name: "wildcard specifier is allowed for hosts when TLS is disabled",
entry: IngressGatewayConfigEntry{
Kind: "ingress-gateway",
Name: "ingress-web",
Listeners: []IngressListener{
{
Port: 1111,
Protocol: "http",
Services: []IngressService{
{
Name: "db",
Hosts: []string{"*"},
},
},
},
},
},
},
{
name: "wildcard specifier is not allowed for hosts when TLS is enabled",
entry: IngressGatewayConfigEntry{
Kind: "ingress-gateway",
Name: "ingress-web",
TLS: GatewayTLSConfig{
Enabled: true,
},
Listeners: []IngressListener{
{
Port: 1111,
Protocol: "http",
Services: []IngressService{
{
Name: "db",
Hosts: []string{"*"},
},
},
},
},
},
expectErr: `Host '*' is not allowed when TLS is enabled, all hosts must be valid DNS records to add as a DNSSAN`,
},
} }
for _, test := range cases { for _, test := range cases {