ingress: allow wildcard hosts in IngressRule

Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
This commit is contained in:
Christopher M. Luciano 2020-03-05 11:45:43 -05:00
parent a5f7151a15
commit e931e30647
No known key found for this signature in database
GPG Key ID: 5148DBB31F2843F1
9 changed files with 134 additions and 44 deletions

View File

@ -10915,7 +10915,7 @@
"description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.", "description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.",
"properties": { "properties": {
"host": { "host": {
"description": "Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the\n\t IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.", "description": "Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nHost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.",
"type": "string" "type": "string"
}, },
"http": { "http": {
@ -11923,7 +11923,7 @@
"description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.", "description": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.",
"properties": { "properties": {
"host": { "host": {
"description": "Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the\n\t IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.", "description": "Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nHost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.",
"type": "string" "type": "string"
}, },
"http": { "http": {

View File

@ -349,18 +349,28 @@ type IngressStatus struct {
// host match, then routed to the backend associated with the matching // host match, then routed to the backend associated with the matching
// IngressRuleValue. // IngressRuleValue.
type IngressRule struct { type IngressRule struct {
// Host is the fully qualified domain name of a network host, as defined // Host is the fully qualified domain name of a network host, as defined by RFC 3986.
// by RFC 3986. Note the following deviations from the "host" part of the // Note the following deviations from the "host" part of the
// URI as defined in the RFC: // URI as defined in RFC 3986:
// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
// IP in the Spec of the parent Ingress. // the IP in the Spec of the parent Ingress.
// 2. The `:` delimiter is not respected because ports are not allowed. // 2. The `:` delimiter is not respected because ports are not allowed.
// Currently the port of an Ingress is implicitly :80 for http and // Currently the port of an Ingress is implicitly :80 for http and
// :443 for https. // :443 for https.
// Both these may change in the future. // Both these may change in the future.
// Incoming requests are matched against the host before the IngressRuleValue. // Incoming requests are matched against the host before the
// If the host is unspecified, the Ingress routes all traffic based on the // IngressRuleValue. If the host is unspecified, the Ingress routes all
// specified IngressRuleValue. // traffic based on the specified IngressRuleValue.
//
// Host can be "precise" which is a domain name without the terminating dot of
// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
// prefixed with a single wildcard label (e.g. "*.foo.com").
// The wildcard character '*' must appear by itself as the first DNS label and
// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
// Requests will be matched against the Host field in the following way:
// 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
// 2. If Host is a wildcard, then the request matches this rule if the http host header
// is to equal to the suffix (removing the first label) of the wildcard rule.
// +optional // +optional
Host string Host string
// IngressRuleValue represents a rule to route requests for this // IngressRuleValue represents a rule to route requests for this

View File

@ -1008,6 +1008,28 @@ func TestValidateIngress(t *testing.T) {
"spec.rules[0].host", "spec.rules[0].host",
}, },
}, },
"valid wildcard host": {
tweakIngress: func(ing *networking.Ingress) {
ing.Spec.Rules[0].Host = "*.bar.com"
},
expectErrsOnFields: []string{},
},
"invalid wildcard host (foo.*.bar.com)": {
tweakIngress: func(ing *networking.Ingress) {
ing.Spec.Rules[0].Host = "foo.*.bar.com"
},
expectErrsOnFields: []string{
"spec.rules[0].host",
},
},
"invalid wildcard host (*)": {
tweakIngress: func(ing *networking.Ingress) {
ing.Spec.Rules[0].Host = "*"
},
expectErrsOnFields: []string{
"spec.rules[0].host",
},
},
} }
for name, testCase := range testCases { for name, testCase := range testCases {
@ -1683,6 +1705,24 @@ func TestValidateIngressTLS(t *testing.T) {
} }
} }
} }
// Test for wildcard host and wildcard TLS
validCases := map[string]networking.Ingress{}
wildHost := "*.bar.com"
goodWildcardTLS := newValid()
goodWildcardTLS.Spec.Rules[0].Host = "*.bar.com"
goodWildcardTLS.Spec.TLS = []networking.IngressTLS{
{
Hosts: []string{wildHost},
},
}
validCases[fmt.Sprintf("spec.tls[0].hosts: Valid value: '%v'", wildHost)] = goodWildcardTLS
for k, v := range validCases {
errs := validateIngress(&v, IngressValidationOptions{requireRegexPath: true}, networkingv1beta1.SchemeGroupVersion)
if len(errs) != 0 {
t.Errorf("expected success for %q", k)
}
}
} }
func TestValidateIngressStatusUpdate(t *testing.T) { func TestValidateIngressStatusUpdate(t *testing.T) {

View File

@ -533,18 +533,28 @@ message IngressList {
// the related backend services. Incoming requests are first evaluated for a host // the related backend services. Incoming requests are first evaluated for a host
// match, then routed to the backend associated with the matching IngressRuleValue. // match, then routed to the backend associated with the matching IngressRuleValue.
message IngressRule { message IngressRule {
// Host is the fully qualified domain name of a network host, as defined // Host is the fully qualified domain name of a network host, as defined by RFC 3986.
// by RFC 3986. Note the following deviations from the "host" part of the // Note the following deviations from the "host" part of the
// URI as defined in the RFC: // URI as defined in RFC 3986:
// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
// IP in the Spec of the parent Ingress. // the IP in the Spec of the parent Ingress.
// 2. The `:` delimiter is not respected because ports are not allowed. // 2. The `:` delimiter is not respected because ports are not allowed.
// Currently the port of an Ingress is implicitly :80 for http and // Currently the port of an Ingress is implicitly :80 for http and
// :443 for https. // :443 for https.
// Both these may change in the future. // Both these may change in the future.
// Incoming requests are matched against the host before the IngressRuleValue. // Incoming requests are matched against the host before the
// If the host is unspecified, the Ingress routes all traffic based on the // IngressRuleValue. If the host is unspecified, the Ingress routes all
// specified IngressRuleValue. // traffic based on the specified IngressRuleValue.
//
// Host can be "precise" which is a domain name without the terminating dot of
// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
// prefixed with a single wildcard label (e.g. "*.foo.com").
// The wildcard character '*' must appear by itself as the first DNS label and
// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
// Requests will be matched against the Host field in the following way:
// 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
// 2. If Host is a wildcard, then the request matches this rule if the http host header
// is to equal to the suffix (removing the first label) of the wildcard rule.
// +optional // +optional
optional string host = 1; optional string host = 1;

View File

@ -633,18 +633,28 @@ type IngressStatus struct {
// the related backend services. Incoming requests are first evaluated for a host // the related backend services. Incoming requests are first evaluated for a host
// match, then routed to the backend associated with the matching IngressRuleValue. // match, then routed to the backend associated with the matching IngressRuleValue.
type IngressRule struct { type IngressRule struct {
// Host is the fully qualified domain name of a network host, as defined // Host is the fully qualified domain name of a network host, as defined by RFC 3986.
// by RFC 3986. Note the following deviations from the "host" part of the // Note the following deviations from the "host" part of the
// URI as defined in the RFC: // URI as defined in RFC 3986:
// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
// IP in the Spec of the parent Ingress. // the IP in the Spec of the parent Ingress.
// 2. The `:` delimiter is not respected because ports are not allowed. // 2. The `:` delimiter is not respected because ports are not allowed.
// Currently the port of an Ingress is implicitly :80 for http and // Currently the port of an Ingress is implicitly :80 for http and
// :443 for https. // :443 for https.
// Both these may change in the future. // Both these may change in the future.
// Incoming requests are matched against the host before the IngressRuleValue. // Incoming requests are matched against the host before the
// If the host is unspecified, the Ingress routes all traffic based on the // IngressRuleValue. If the host is unspecified, the Ingress routes all
// specified IngressRuleValue. // traffic based on the specified IngressRuleValue.
//
// Host can be "precise" which is a domain name without the terminating dot of
// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
// prefixed with a single wildcard label (e.g. "*.foo.com").
// The wildcard character '*' must appear by itself as the first DNS label and
// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
// Requests will be matched against the Host field in the following way:
// 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
// 2. If Host is a wildcard, then the request matches this rule if the http host header
// is to equal to the suffix (removing the first label) of the wildcard rule.
// +optional // +optional
Host string `json:"host,omitempty" protobuf:"bytes,1,opt,name=host"` Host string `json:"host,omitempty" protobuf:"bytes,1,opt,name=host"`
// IngressRuleValue represents a rule to route requests for this IngressRule. // IngressRuleValue represents a rule to route requests for this IngressRule.

View File

@ -312,7 +312,7 @@ func (IngressList) SwaggerDoc() map[string]string {
var map_IngressRule = map[string]string{ var map_IngressRule = map[string]string{
"": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.", "": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.",
"host": "Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the\n\t IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.", "host": "Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nHost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.",
} }
func (IngressRule) SwaggerDoc() map[string]string { func (IngressRule) SwaggerDoc() map[string]string {

View File

@ -163,18 +163,28 @@ message IngressList {
// the related backend services. Incoming requests are first evaluated for a host // the related backend services. Incoming requests are first evaluated for a host
// match, then routed to the backend associated with the matching IngressRuleValue. // match, then routed to the backend associated with the matching IngressRuleValue.
message IngressRule { message IngressRule {
// Host is the fully qualified domain name of a network host, as defined // Host is the fully qualified domain name of a network host, as defined by RFC 3986.
// by RFC 3986. Note the following deviations from the "host" part of the // Note the following deviations from the "host" part of the
// URI as defined in the RFC: // URI as defined in RFC 3986:
// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
// IP in the Spec of the parent Ingress. // the IP in the Spec of the parent Ingress.
// 2. The `:` delimiter is not respected because ports are not allowed. // 2. The `:` delimiter is not respected because ports are not allowed.
// Currently the port of an Ingress is implicitly :80 for http and // Currently the port of an Ingress is implicitly :80 for http and
// :443 for https. // :443 for https.
// Both these may change in the future. // Both these may change in the future.
// Incoming requests are matched against the host before the IngressRuleValue. // Incoming requests are matched against the host before the
// If the host is unspecified, the Ingress routes all traffic based on the // IngressRuleValue. If the host is unspecified, the Ingress routes all
// specified IngressRuleValue. // traffic based on the specified IngressRuleValue.
//
// Host can be "precise" which is a domain name without the terminating dot of
// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
// prefixed with a single wildcard label (e.g. "*.foo.com").
// The wildcard character '*' must appear by itself as the first DNS label and
// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
// Requests will be matched against the Host field in the following way:
// 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
// 2. If Host is a wildcard, then the request matches this rule if the http host header
// is to equal to the suffix (removing the first label) of the wildcard rule.
// +optional // +optional
optional string host = 1; optional string host = 1;

View File

@ -127,18 +127,28 @@ type IngressStatus struct {
// the related backend services. Incoming requests are first evaluated for a host // the related backend services. Incoming requests are first evaluated for a host
// match, then routed to the backend associated with the matching IngressRuleValue. // match, then routed to the backend associated with the matching IngressRuleValue.
type IngressRule struct { type IngressRule struct {
// Host is the fully qualified domain name of a network host, as defined // Host is the fully qualified domain name of a network host, as defined by RFC 3986.
// by RFC 3986. Note the following deviations from the "host" part of the // Note the following deviations from the "host" part of the
// URI as defined in the RFC: // URI as defined in RFC 3986:
// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
// IP in the Spec of the parent Ingress. // the IP in the Spec of the parent Ingress.
// 2. The `:` delimiter is not respected because ports are not allowed. // 2. The `:` delimiter is not respected because ports are not allowed.
// Currently the port of an Ingress is implicitly :80 for http and // Currently the port of an Ingress is implicitly :80 for http and
// :443 for https. // :443 for https.
// Both these may change in the future. // Both these may change in the future.
// Incoming requests are matched against the host before the IngressRuleValue. // Incoming requests are matched against the host before the
// If the host is unspecified, the Ingress routes all traffic based on the // IngressRuleValue. If the host is unspecified, the Ingress routes all
// specified IngressRuleValue. // traffic based on the specified IngressRuleValue.
//
// Host can be "precise" which is a domain name without the terminating dot of
// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
// prefixed with a single wildcard label (e.g. "*.foo.com").
// The wildcard character '*' must appear by itself as the first DNS label and
// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
// Requests will be matched against the Host field in the following way:
// 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
// 2. If Host is a wildcard, then the request matches this rule if the http host header
// is to equal to the suffix (removing the first label) of the wildcard rule.
// +optional // +optional
Host string `json:"host,omitempty" protobuf:"bytes,1,opt,name=host"` Host string `json:"host,omitempty" protobuf:"bytes,1,opt,name=host"`
// IngressRuleValue represents a rule to route requests for this IngressRule. // IngressRuleValue represents a rule to route requests for this IngressRule.

View File

@ -110,7 +110,7 @@ func (IngressList) SwaggerDoc() map[string]string {
var map_IngressRule = map[string]string{ var map_IngressRule = map[string]string{
"": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.", "": "IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue.",
"host": "Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the\n\t IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.", "host": "Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the \"host\" part of the URI as defined in RFC 3986: 1. IPs are not allowed. Currently an IngressRuleValue can only apply to\n the IP in the Spec of the parent Ingress.\n2. The `:` delimiter is not respected because ports are not allowed.\n\t Currently the port of an Ingress is implicitly :80 for http and\n\t :443 for https.\nBoth these may change in the future. Incoming requests are matched against the host before the IngressRuleValue. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.\n\nHost can be \"precise\" which is a domain name without the terminating dot of a network host (e.g. \"foo.bar.com\") or \"wildcard\", which is a domain name prefixed with a single wildcard label (e.g. \"*.foo.com\"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == \"*\"). Requests will be matched against the Host field in the following way: 1. If Host is precise, the request matches this rule if the http host header is equal to Host. 2. If Host is a wildcard, then the request matches this rule if the http host header is to equal to the suffix (removing the first label) of the wildcard rule.",
} }
func (IngressRule) SwaggerDoc() map[string]string { func (IngressRule) SwaggerDoc() map[string]string {