Allow users to set hosts to the wildcard specifier when TLS is disabled (#8083)
This allows easier demoing/testing of ingress gateways, while still preserving the validation we have for DNSSANs
This commit is contained in:
parent
f908fd0731
commit
cd93e0cd99
|
@ -171,7 +171,7 @@ func (e *IngressGatewayConfigEntry) Validate() error {
|
|||
return fmt.Errorf("Hosts must be unique within a specific listener (listener on port %d)", listener.Port)
|
||||
}
|
||||
declaredHosts[h] = true
|
||||
if err := validateHost(h); err != nil {
|
||||
if err := validateHost(e.TLS.Enabled, h); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
@ -181,7 +181,16 @@ func (e *IngressGatewayConfigEntry) Validate() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func validateHost(host string) error {
|
||||
func validateHost(tlsEnabled bool, host string) error {
|
||||
// Special case '*' so that non-TLS ingress gateways can use it. This allows
|
||||
// an easy demo/testing experience.
|
||||
if host == "*" {
|
||||
if tlsEnabled {
|
||||
return fmt.Errorf("Host '*' is not allowed when TLS is enabled, all hosts must be valid DNS records to add as a DNSSAN")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
wildcardPrefix := "*."
|
||||
if _, ok := dns.IsDomainName(host); !ok {
|
||||
return fmt.Errorf("Host %q must be a valid DNS hostname", host)
|
||||
|
@ -191,10 +200,6 @@ func validateHost(host string) error {
|
|||
return fmt.Errorf("Host %q is not valid, a wildcard specifier is only allowed as the leftmost label", host)
|
||||
}
|
||||
|
||||
if host == "*" {
|
||||
return fmt.Errorf("Host '*' is not allowed, wildcards can only be used as a prefix/suffix")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
@ -392,6 +392,48 @@ func TestIngressConfigEntry_Validate(t *testing.T) {
|
|||
},
|
||||
expectErr: `Host "*-test.example.com" is not valid, a wildcard specifier is only allowed as the leftmost label`,
|
||||
},
|
||||
{
|
||||
name: "wildcard specifier is allowed for hosts when TLS is disabled",
|
||||
entry: IngressGatewayConfigEntry{
|
||||
Kind: "ingress-gateway",
|
||||
Name: "ingress-web",
|
||||
Listeners: []IngressListener{
|
||||
{
|
||||
Port: 1111,
|
||||
Protocol: "http",
|
||||
Services: []IngressService{
|
||||
{
|
||||
Name: "db",
|
||||
Hosts: []string{"*"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "wildcard specifier is not allowed for hosts when TLS is enabled",
|
||||
entry: IngressGatewayConfigEntry{
|
||||
Kind: "ingress-gateway",
|
||||
Name: "ingress-web",
|
||||
TLS: GatewayTLSConfig{
|
||||
Enabled: true,
|
||||
},
|
||||
Listeners: []IngressListener{
|
||||
{
|
||||
Port: 1111,
|
||||
Protocol: "http",
|
||||
Services: []IngressService{
|
||||
{
|
||||
Name: "db",
|
||||
Hosts: []string{"*"},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
expectErr: `Host '*' is not allowed when TLS is enabled, all hosts must be valid DNS records to add as a DNSSAN`,
|
||||
},
|
||||
}
|
||||
|
||||
for _, test := range cases {
|
||||
|
|
Loading…
Reference in a new issue