github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-23 03:41:45 +00:00
Code Issues Projects Releases Wiki Activity

Validate ingress TLS secretName in v1

Browse Source
This commit is contained in:
Jordan Liggitt 2020-08-12 09:48:53 -04:00
parent abede62bf0
commit f87a846e65
3 changed files with 105 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
pkg/apis/networking/validation/validation.go
View File

@ -199,6 +199,8 @@ var ValidateIngressName = apimachineryvalidation.NameIsDNSSubdomain
// IngressValidationOptions cover beta to GA transitions for HTTP PathType // IngressValidationOptions cover beta to GA transitions for HTTP PathType
type IngressValidationOptions struct { type IngressValidationOptions struct {
// AllowInvalidSecretName indicates whether spec.tls[*].secretName values that are not valid Secret names should be allowed
AllowInvalidSecretName bool
} }
// ValidateIngress validates Ingresses on create and update. // ValidateIngress validates Ingresses on create and update.
@ -212,7 +214,9 @@ func validateIngress(ingress *networking.Ingress, opts IngressValidationOptions,
func ValidateIngressCreate(ingress *networking.Ingress, requestGV schema.GroupVersion) field.ErrorList { func ValidateIngressCreate(ingress *networking.Ingress, requestGV schema.GroupVersion) field.ErrorList {
allErrs := field.ErrorList{} allErrs := field.ErrorList{}
var opts IngressValidationOptions var opts IngressValidationOptions
opts = IngressValidationOptions{} opts = IngressValidationOptions{
AllowInvalidSecretName: allowInvalidSecretName(requestGV, nil),
}
allErrs = append(allErrs, validateIngress(ingress, opts, requestGV)...) allErrs = append(allErrs, validateIngress(ingress, opts, requestGV)...)
annotationVal, annotationIsSet := ingress.Annotations[annotationIngressClass] annotationVal, annotationIsSet := ingress.Annotations[annotationIngressClass]
if annotationIsSet && ingress.Spec.IngressClassName != nil { if annotationIsSet && ingress.Spec.IngressClassName != nil {
@ -226,26 +230,34 @@ func ValidateIngressCreate(ingress *networking.Ingress, requestGV schema.GroupVe
func ValidateIngressUpdate(ingress, oldIngress *networking.Ingress, requestGV schema.GroupVersion) field.ErrorList { func ValidateIngressUpdate(ingress, oldIngress *networking.Ingress, requestGV schema.GroupVersion) field.ErrorList {
allErrs := apivalidation.ValidateObjectMetaUpdate(&ingress.ObjectMeta, &oldIngress.ObjectMeta, field.NewPath("metadata")) allErrs := apivalidation.ValidateObjectMetaUpdate(&ingress.ObjectMeta, &oldIngress.ObjectMeta, field.NewPath("metadata"))
var opts IngressValidationOptions var opts IngressValidationOptions
opts = IngressValidationOptions{} opts = IngressValidationOptions{
AllowInvalidSecretName: allowInvalidSecretName(requestGV, oldIngress),
}
allErrs = append(allErrs, validateIngress(ingress, opts, requestGV)...) allErrs = append(allErrs, validateIngress(ingress, opts, requestGV)...)
return allErrs return allErrs
} }
func validateIngressTLS(spec *networking.IngressSpec, fldPath *field.Path) field.ErrorList { func validateIngressTLS(spec *networking.IngressSpec, fldPath *field.Path, opts IngressValidationOptions) field.ErrorList {
allErrs := field.ErrorList{} allErrs := field.ErrorList{}
// TODO: Perform a more thorough validation of spec.TLS.Hosts that takes // TODO: Perform a more thorough validation of spec.TLS.Hosts that takes
// the wildcard spec from RFC 6125 into account. // the wildcard spec from RFC 6125 into account.
for _, itls := range spec.TLS { for tlsIndex, itls := range spec.TLS {
for i, host := range itls.Hosts { for i, host := range itls.Hosts {
if strings.Contains(host, "*") { if strings.Contains(host, "*") {
for _, msg := range validation.IsWildcardDNS1123Subdomain(host) { for _, msg := range validation.IsWildcardDNS1123Subdomain(host) {
allErrs = append(allErrs, field.Invalid(fldPath.Index(i).Child("hosts"), host, msg)) allErrs = append(allErrs, field.Invalid(fldPath.Index(tlsIndex).Child("hosts").Index(i), host, msg))
} }
continue continue
} }
for _, msg := range validation.IsDNS1123Subdomain(host) { for _, msg := range validation.IsDNS1123Subdomain(host) {
allErrs = append(allErrs, field.Invalid(fldPath.Index(i).Child("hosts"), host, msg)) allErrs = append(allErrs, field.Invalid(fldPath.Index(tlsIndex).Child("hosts").Index(i), host, msg))
}
}
if !opts.AllowInvalidSecretName {
for _, msg := range validateTLSSecretName(itls.SecretName) {
allErrs = append(allErrs, field.Invalid(fldPath.Index(tlsIndex).Child("secretName"), itls.SecretName, msg))
} }
} }
} }
@ -278,7 +290,7 @@ func ValidateIngressSpec(spec *networking.IngressSpec, fldPath *field.Path, opts
allErrs = append(allErrs, validateIngressRules(spec.Rules, fldPath.Child("rules"), opts, requestGV)...) allErrs = append(allErrs, validateIngressRules(spec.Rules, fldPath.Child("rules"), opts, requestGV)...)
} }
if len(spec.TLS) > 0 { if len(spec.TLS) > 0 {
allErrs = append(allErrs, validateIngressTLS(spec, fldPath.Child("tls"))...) allErrs = append(allErrs, validateIngressTLS(spec, fldPath.Child("tls"), opts)...)
} }
if spec.IngressClassName != nil { if spec.IngressClassName != nil {
for _, msg := range ValidateIngressClassName(*spec.IngressClassName, false) { for _, msg := range ValidateIngressClassName(*spec.IngressClassName, false) {
@ -523,3 +535,26 @@ func validateIngressTypedLocalObjectReference(params *api.TypedLocalObjectRefere
return allErrs return allErrs
} }
func allowInvalidSecretName(gv schema.GroupVersion, oldIngress *networking.Ingress) bool {
if gv == networkingv1beta1.SchemeGroupVersion || gv == extensionsv1beta1.SchemeGroupVersion {
// backwards compatibility with released API versions that allowed invalid names
return true
}
if oldIngress != nil {
for _, tls := range oldIngress.Spec.TLS {
if len(validateTLSSecretName(tls.SecretName)) > 0 {
// backwards compatibility with existing persisted object
return true
}
}
}
return false
}
func validateTLSSecretName(name string) []string {
if len(name) == 0 {
return nil
}
return apivalidation.ValidateSecretName(name, false)
}

63
pkg/apis/networking/validation/validation_test.go
View File

@ -1379,6 +1379,31 @@ func TestValidateIngressCreate(t *testing.T) {
}, },
expectedErrs: field.ErrorList{}, expectedErrs: field.ErrorList{},
}, },
"v1: valid secret": {
groupVersion: &networkingv1.SchemeGroupVersion,
tweakIngress: func(ingress *networking.Ingress) {
ingress.Spec.TLS = []networking.IngressTLS{{SecretName: "valid"}}
},
},
"v1: invalid secret": {
groupVersion: &networkingv1.SchemeGroupVersion,
tweakIngress: func(ingress *networking.Ingress) {
ingress.Spec.TLS = []networking.IngressTLS{{SecretName: "invalid name"}}
},
expectedErrs: field.ErrorList{field.Invalid(field.NewPath("spec").Child("tls").Index(0).Child("secretName"), "invalid name", `a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')`)},
},
"v1beta1: valid secret": {
groupVersion: &networkingv1beta1.SchemeGroupVersion,
tweakIngress: func(ingress *networking.Ingress) {
ingress.Spec.TLS = []networking.IngressTLS{{SecretName: "valid"}}
},
},
"v1beta1: invalid secret": {
groupVersion: &networkingv1beta1.SchemeGroupVersion,
tweakIngress: func(ingress *networking.Ingress) {
ingress.Spec.TLS = []networking.IngressTLS{{SecretName: "invalid name 1"}}
},
},
} }
for name, testCase := range testCases { for name, testCase := range testCases {
@ -1431,6 +1456,7 @@ func TestValidateIngressUpdate(t *testing.T) {
} }
testCases := map[string]struct { testCases := map[string]struct {
gv schema.GroupVersion
tweakIngresses func(newIngress, oldIngress *networking.Ingress) tweakIngresses func(newIngress, oldIngress *networking.Ingress)
expectedErrs field.ErrorList expectedErrs field.ErrorList
}{ }{
@ -1714,6 +1740,35 @@ func TestValidateIngressUpdate(t *testing.T) {
}, },
expectedErrs: field.ErrorList{}, expectedErrs: field.ErrorList{},
}, },
"v1: change valid secret -> invalid secret": {
gv: networkingv1.SchemeGroupVersion,
tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
oldIngress.Spec.TLS = []networking.IngressTLS{{SecretName: "valid"}}
newIngress.Spec.TLS = []networking.IngressTLS{{SecretName: "invalid name"}}
},
expectedErrs: field.ErrorList{field.Invalid(field.NewPath("spec").Child("tls").Index(0).Child("secretName"), "invalid name", `a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')`)},
},
"v1: change invalid secret -> invalid secret": {
gv: networkingv1.SchemeGroupVersion,
tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
oldIngress.Spec.TLS = []networking.IngressTLS{{SecretName: "invalid name 1"}}
newIngress.Spec.TLS = []networking.IngressTLS{{SecretName: "invalid name 2"}}
},
},
"v1beta1: change valid secret -> invalid secret": {
gv: networkingv1beta1.SchemeGroupVersion,
tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
oldIngress.Spec.TLS = []networking.IngressTLS{{SecretName: "valid"}}
newIngress.Spec.TLS = []networking.IngressTLS{{SecretName: "invalid name"}}
},
},
"v1beta1: change invalid secret -> invalid secret": {
gv: networkingv1beta1.SchemeGroupVersion,
tweakIngresses: func(newIngress, oldIngress *networking.Ingress) {
oldIngress.Spec.TLS = []networking.IngressTLS{{SecretName: "invalid name 1"}}
newIngress.Spec.TLS = []networking.IngressTLS{{SecretName: "invalid name 2"}}
},
},
} }
for name, testCase := range testCases { for name, testCase := range testCases {
@ -1722,7 +1777,11 @@ func TestValidateIngressUpdate(t *testing.T) {
oldIngress := baseIngress.DeepCopy() oldIngress := baseIngress.DeepCopy()
testCase.tweakIngresses(newIngress, oldIngress) testCase.tweakIngresses(newIngress, oldIngress)
errs := ValidateIngressUpdate(newIngress, oldIngress, networkingv1beta1.SchemeGroupVersion) gv := testCase.gv
if gv.Empty() {
gv = networkingv1beta1.SchemeGroupVersion
}
errs := ValidateIngressUpdate(newIngress, oldIngress, gv)
if len(errs) != len(testCase.expectedErrs) { if len(errs) != len(testCase.expectedErrs) {
t.Fatalf("Expected %d errors, got %d (%+v)", len(testCase.expectedErrs), len(errs), errs) t.Fatalf("Expected %d errors, got %d (%+v)", len(testCase.expectedErrs), len(errs), errs)
@ -1978,7 +2037,7 @@ func TestValidateIngressTLS(t *testing.T) {
Hosts: []string{wildcardHost}, Hosts: []string{wildcardHost},
}, },
} }
badWildcardTLSErr := fmt.Sprintf("spec.tls[0].hosts: Invalid value: '%v'", wildcardHost) badWildcardTLSErr := fmt.Sprintf("spec.tls[0].hosts[0]: Invalid value: '%v'", wildcardHost)
errorCases[badWildcardTLSErr] = badWildcardTLS errorCases[badWildcardTLSErr] = badWildcardTLS
for k, v := range errorCases { for k, v := range errorCases {

4
pkg/registry/networking/ingress/storage/storage_test.go
View File

@ -60,7 +60,7 @@ var (
defaultPathType = networking.PathTypeImplementationSpecific defaultPathType = networking.PathTypeImplementationSpecific
defaultPathMap = map[string]string{defaultPath: defaultBackendName} defaultPathMap = map[string]string{defaultPath: defaultBackendName}
defaultTLS = []networking.IngressTLS{ defaultTLS = []networking.IngressTLS{
{Hosts: []string{"foo.bar.com", "*.bar.com"}, SecretName: "fooSecret"}, {Hosts: []string{"foo.bar.com", "*.bar.com"}, SecretName: "foosecret"},
} }
serviceBackend = &networking.IngressServiceBackend{ serviceBackend = &networking.IngressServiceBackend{
Name: "defaultbackend", Name: "defaultbackend",
@ -173,7 +173,7 @@ func TestUpdate(t *testing.T) {
}) })
object.Spec.TLS = append(object.Spec.TLS, networking.IngressTLS{ object.Spec.TLS = append(object.Spec.TLS, networking.IngressTLS{
Hosts: []string{"*.google.com"}, Hosts: []string{"*.google.com"},
SecretName: "googleSecret", SecretName: "googlesecret",
}) })
return object return object
}, },