Allow users to set hosts to the wildcard specifier when TLS is disabled (#8083)
This allows easier demoing/testing of ingress gateways, while still preserving the validation we have for DNSSANs.
pull/8089/head
parent
b4b1a497e9
commit
6fa48c9512
|
@ -171,7 +171,7 @@ func (e *IngressGatewayConfigEntry) Validate() error {
|
||||||
return fmt.Errorf("Hosts must be unique within a specific listener (listener on port %d)", listener.Port)
|
return fmt.Errorf("Hosts must be unique within a specific listener (listener on port %d)", listener.Port)
|
||||||
}
|
}
|
||||||
declaredHosts[h] = true
|
declaredHosts[h] = true
|
||||||
if err := validateHost(h); err != nil {
|
if err := validateHost(e.TLS.Enabled, h); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -181,7 +181,16 @@ func (e *IngressGatewayConfigEntry) Validate() error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func validateHost(host string) error {
|
func validateHost(tlsEnabled bool, host string) error {
|
||||||
|
// Special case '*' so that non-TLS ingress gateways can use it. This allows
|
||||||
|
// an easy demo/testing experience.
|
||||||
|
if host == "*" {
|
||||||
|
if tlsEnabled {
|
||||||
|
return fmt.Errorf("Host '*' is not allowed when TLS is enabled, all hosts must be valid DNS records to add as a DNSSAN")
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
wildcardPrefix := "*."
|
wildcardPrefix := "*."
|
||||||
if _, ok := dns.IsDomainName(host); !ok {
|
if _, ok := dns.IsDomainName(host); !ok {
|
||||||
return fmt.Errorf("Host %q must be a valid DNS hostname", host)
|
return fmt.Errorf("Host %q must be a valid DNS hostname", host)
|
||||||
|
@ -191,10 +200,6 @@ func validateHost(host string) error {
|
||||||
return fmt.Errorf("Host %q is not valid, a wildcard specifier is only allowed as the leftmost label", host)
|
return fmt.Errorf("Host %q is not valid, a wildcard specifier is only allowed as the leftmost label", host)
|
||||||
}
|
}
|
||||||
|
|
||||||
if host == "*" {
|
|
||||||
return fmt.Errorf("Host '*' is not allowed, wildcards can only be used as a prefix/suffix")
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
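Review bot: validateHost now carries a second contract (the bare `*` is accepted only when tlsEnabled is false) but has no doc comment, and the early return at `if host == "*"` means that value skips the dns.IsDomainName and leftmost-label checks entirely, which a caller reading only the signature cannot tell. Suggest a doc comment along the lines of `// validateHost checks that host is a valid DNS hostname with at most a leftmost "*." wildcard label; the bare "*" is accepted only when tlsEnabled is false, since with TLS enabled every host must be usable as a DNSSAN.` The gate is the gateway-wide e.TLS.Enabled passed at the call site in the first hunk, so an entry that later enables TLS while still listing `*` is rejected by this same check on re-validation; that appears to be the intent and is worth stating in the comment. validateHost begins in this hunk and its remaining lines are in the following hunk of the same file.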
|
||||||
|
|
||||||
|
|
|
@ -392,6 +392,48 @@ func TestIngressConfigEntry_Validate(t *testing.T) {
|
||||||
},
|
},
|
||||||
expectErr: `Host "*-test.example.com" is not valid, a wildcard specifier is only allowed as the leftmost label`,
|
expectErr: `Host "*-test.example.com" is not valid, a wildcard specifier is only allowed as the leftmost label`,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "wildcard specifier is allowed for hosts when TLS is disabled",
|
||||||
|
entry: IngressGatewayConfigEntry{
|
||||||
|
Kind: "ingress-gateway",
|
||||||
|
Name: "ingress-web",
|
||||||
|
Listeners: []IngressListener{
|
||||||
|
{
|
||||||
|
Port: 1111,
|
||||||
|
Protocol: "http",
|
||||||
|
Services: []IngressService{
|
||||||
|
{
|
||||||
|
Name: "db",
|
||||||
|
Hosts: []string{"*"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "wildcard specifier is not allowed for hosts when TLS is enabled",
|
||||||
|
entry: IngressGatewayConfigEntry{
|
||||||
|
Kind: "ingress-gateway",
|
||||||
|
Name: "ingress-web",
|
||||||
|
TLS: GatewayTLSConfig{
|
||||||
|
Enabled: true,
|
||||||
|
},
|
||||||
|
Listeners: []IngressListener{
|
||||||
|
{
|
||||||
|
Port: 1111,
|
||||||
|
Protocol: "http",
|
||||||
|
Services: []IngressService{
|
||||||
|
{
|
||||||
|
Name: "db",
|
||||||
|
Hosts: []string{"*"},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
expectErr: `Host '*' is not allowed when TLS is enabled, all hosts must be valid DNS records to add as a DNSSAN`,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, test := range cases {
|
for _, test := range cases {
|
||||||
|
|