Allow users to set hosts to the wildcard specifier when TLS is disabled (#8083)

This allows easier demoing/testing of ingress gateways, while still
preserving the validation we have for DNSSANs
This commit is contained in:
Chris Piraino 2020-06-11 10:03:06 -05:00 committed by GitHub
parent f908fd0731
commit cd93e0cd99
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 53 additions and 6 deletions

View file

@ -171,7 +171,7 @@ func (e *IngressGatewayConfigEntry) Validate() error {
return fmt.Errorf("Hosts must be unique within a specific listener (listener on port %d)", listener.Port)
}
declaredHosts[h] = true
if err := validateHost(h); err != nil {
if err := validateHost(e.TLS.Enabled, h); err != nil {
return err
}
}
@ -181,7 +181,16 @@ func (e *IngressGatewayConfigEntry) Validate() error {
return nil
}
func validateHost(host string) error {
func validateHost(tlsEnabled bool, host string) error {
// Special case '*' so that non-TLS ingress gateways can use it. This allows
// an easy demo/testing experience.
if host == "*" {
if tlsEnabled {
return fmt.Errorf("Host '*' is not allowed when TLS is enabled, all hosts must be valid DNS records to add as a DNSSAN")
}
return nil
}
wildcardPrefix := "*."
if _, ok := dns.IsDomainName(host); !ok {
return fmt.Errorf("Host %q must be a valid DNS hostname", host)
@ -191,10 +200,6 @@ func validateHost(host string) error {
return fmt.Errorf("Host %q is not valid, a wildcard specifier is only allowed as the leftmost label", host)
}
if host == "*" {
return fmt.Errorf("Host '*' is not allowed, wildcards can only be used as a prefix/suffix")
}
return nil
}

View file

@ -392,6 +392,48 @@ func TestIngressConfigEntry_Validate(t *testing.T) {
},
expectErr: `Host "*-test.example.com" is not valid, a wildcard specifier is only allowed as the leftmost label`,
},
{
name: "wildcard specifier is allowed for hosts when TLS is disabled",
entry: IngressGatewayConfigEntry{
Kind: "ingress-gateway",
Name: "ingress-web",
Listeners: []IngressListener{
{
Port: 1111,
Protocol: "http",
Services: []IngressService{
{
Name: "db",
Hosts: []string{"*"},
},
},
},
},
},
},
{
name: "wildcard specifier is not allowed for hosts when TLS is enabled",
entry: IngressGatewayConfigEntry{
Kind: "ingress-gateway",
Name: "ingress-web",
TLS: GatewayTLSConfig{
Enabled: true,
},
Listeners: []IngressListener{
{
Port: 1111,
Protocol: "http",
Services: []IngressService{
{
Name: "db",
Hosts: []string{"*"},
},
},
},
},
},
expectErr: `Host '*' is not allowed when TLS is enabled, all hosts must be valid DNS records to add as a DNSSAN`,
},
}
for _, test := range cases {