
Host wildcard policy for supporting wildcard routes #11550

Merged: 7 commits, Nov 2, 2016
Changes from 4 commits

4 changes: 4 additions & 0 deletions api/swagger-spec/oapi-v1.json
@@ -27429,6 +27429,10 @@
"tls": {
"$ref": "v1.TLSConfig",
"description": "The tls field provides the ability to configure certificates and termination for the route."
},
"wildcardPolicy": {
"type": "string",
"description": "Wildcard policy if any for the route. Currently only 'Subdomain' or 'None' is allowed."
}
}
},
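Review bot: the description leaves the default unstated; "Wildcard policy if any for the route" tells an API client nothing about what the server assumes when the field is omitted, and "if any" reads as a hedge in a reference document. Since the text already names the two accepted values, say what an absent or empty value means, e.g. "Wildcard policy for the route. Currently only 'Subdomain' or 'None' is allowed; an unset value is treated as <whatever the server actually does>." The same text appears in openshift-openapi-spec.json, so fix both in one place if they are generated from the same type comment.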
4 changes: 4 additions & 0 deletions api/swagger-spec/openshift-openapi-spec.json
@@ -51351,6 +51351,10 @@
},
"to": {
"$ref": "#/definitions/v1.RouteTargetReference"
},
"wildcardPolicy": {
"description": "Wildcard policy if any for the route. Currently only 'Subdomain' or 'None' is allowed.",
"type": "string"
}
}
},
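Review bot: the allowed values are only stated in prose; an OpenAPI definition can carry them as an `enum` of "Subdomain" and "None" so that generated clients reject a bad value locally instead of discovering the restriction at request time, which also makes the server-side validation easier to audit. If this spec is generated from the Go type, add the constraint at its source rather than hand-editing this file, and keep the description text identical to the oapi-v1.json hunk when the wording changes.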
12 changes: 12 additions & 0 deletions contrib/completions/bash/openshift
@@ -19859,6 +19859,10 @@ _openshift_infra_f5-router()
flags_with_completion=()
flags_completion=()

flags+=("--allow-wildcard-routes")
local_nonpersistent_flags+=("--allow-wildcard-routes")
flags+=("--allowed-domains=")
local_nonpersistent_flags+=("--allowed-domains=")
flags+=("--as=")
local_nonpersistent_flags+=("--as=")
flags+=("--certificate-authority=")
@@ -19881,6 +19885,8 @@ _openshift_infra_f5-router()
local_nonpersistent_flags+=("--config=")
flags+=("--context=")
local_nonpersistent_flags+=("--context=")
flags+=("--denied-domains=")
local_nonpersistent_flags+=("--denied-domains=")
flags+=("--f5-host=")
local_nonpersistent_flags+=("--f5-host=")
flags+=("--f5-http-vserver=")
@@ -20024,6 +20030,10 @@ _openshift_infra_router()
flags_with_completion=()
flags_completion=()

flags+=("--allow-wildcard-routes")
local_nonpersistent_flags+=("--allow-wildcard-routes")
flags+=("--allowed-domains=")
local_nonpersistent_flags+=("--allowed-domains=")
flags+=("--as=")
local_nonpersistent_flags+=("--as=")
flags+=("--certificate-authority=")
@@ -20052,6 +20062,8 @@ _openshift_infra_router()
local_nonpersistent_flags+=("--default-certificate-dir=")
flags+=("--default-certificate-path=")
local_nonpersistent_flags+=("--default-certificate-path=")
flags+=("--denied-domains=")
local_nonpersistent_flags+=("--denied-domains=")
flags+=("--extended-validation")
local_nonpersistent_flags+=("--extended-validation")
flags+=("--fields=")
12 changes: 12 additions & 0 deletions contrib/completions/zsh/openshift
@@ -20020,6 +20020,10 @@ _openshift_infra_f5-router()
flags_with_completion=()
flags_completion=()

flags+=("--allow-wildcard-routes")
local_nonpersistent_flags+=("--allow-wildcard-routes")
flags+=("--allowed-domains=")
local_nonpersistent_flags+=("--allowed-domains=")
flags+=("--as=")
local_nonpersistent_flags+=("--as=")
flags+=("--certificate-authority=")
@@ -20042,6 +20046,8 @@ _openshift_infra_f5-router()
local_nonpersistent_flags+=("--config=")
flags+=("--context=")
local_nonpersistent_flags+=("--context=")
flags+=("--denied-domains=")
local_nonpersistent_flags+=("--denied-domains=")
flags+=("--f5-host=")
local_nonpersistent_flags+=("--f5-host=")
flags+=("--f5-http-vserver=")
@@ -20185,6 +20191,10 @@ _openshift_infra_router()
flags_with_completion=()
flags_completion=()

flags+=("--allow-wildcard-routes")
local_nonpersistent_flags+=("--allow-wildcard-routes")
flags+=("--allowed-domains=")
local_nonpersistent_flags+=("--allowed-domains=")
flags+=("--as=")
local_nonpersistent_flags+=("--as=")
flags+=("--certificate-authority=")
@@ -20213,6 +20223,8 @@ _openshift_infra_router()
local_nonpersistent_flags+=("--default-certificate-dir=")
flags+=("--default-certificate-path=")
local_nonpersistent_flags+=("--default-certificate-path=")
flags+=("--denied-domains=")
local_nonpersistent_flags+=("--denied-domains=")
flags+=("--extended-validation")
local_nonpersistent_flags+=("--extended-validation")
flags+=("--fields=")
12 changes: 12 additions & 0 deletions docs/man/man1/openshift-infra-f5-router.1
@@ -23,6 +23,14 @@ You may restrict the set of routes exposed to a single project (with \-\-namespa


.SH OPTIONS
.PP
\fB\-\-allow\-wildcard\-routes\fP=false
Allow wildcard host names for routes

.PP
\fB\-\-allowed\-domains\fP=[]

Contributor:
Do we need some kind of depth restriction for wildcards to prevent someone from trying to claim *.com and other TLDs? Not as a fixed number, but as an env with a default?


Contributor Author:
This is what the router admin would set up: allowed domains for this router instance.
E.g. acme.auto, acme.test, acme.com.
The routes that users create would need to be in that domain set, a la www.dev.acme.test.

List of comma separated domains to allow in routes. If specified, only the domains in this list will be allowed routes. Note that domains in the denied list take precedence over the ones in the allowed list

.PP
\fB\-\-api\-version\fP=""
DEPRECATED: The API version to use when talking to the server
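Review bot: the --allowed-domains help text does not say how a route host is matched against the list. The author's reply above gives www.dev.acme.test as a route permitted under acme.test, which implies suffix (subdomain) matching, but "only the domains in this list will be allowed routes" reads as an exact match. Spell out whichever the implementation does, e.g. "A route is admitted only if its host is one of these domains or a subdomain of one of them", and hyphenate "comma-separated". This is also the answer to the earlier question about claiming *.com: whether *.acme.test is accepted under an allowed domain of acme.test, and whether a wildcard can ever cover more than one label, should be stated here rather than left for the operator to test.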
@@ -55,6 +63,10 @@ You may restrict the set of routes exposed to a single project (with \-\-namespa
\fB\-\-context\fP=""
The name of the kubeconfig context to use

.PP
\fB\-\-denied\-domains\fP=[]
List of comma separated domains to deny in routes

.PP
\fB\-\-f5\-host\fP=""
The host of F5 BIG\-IP's management interface
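Review bot: the --denied-domains help text stops short: the precedence rule currently appears only under --allowed-domains ("domains in the denied list take precedence"), so an operator reading this option on its own never sees it, and the sentence lacks a terminating period. Suggest "Comma-separated list of domains to deny in routes. A domain in this list is denied even if it also appears in --allowed-domains."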
12 changes: 12 additions & 0 deletions docs/man/man1/openshift-infra-router.1
@@ -29,6 +29,14 @@ You may restrict the set of routes exposed to a single project (with \-\-namespa


.SH OPTIONS
.PP
\fB\-\-allow\-wildcard\-routes\fP=false
Allow wildcard host names for routes

.PP
\fB\-\-allowed\-domains\fP=[]
List of comma separated domains to allow in routes. If specified, only the domains in this list will be allowed routes. Note that domains in the denied list take precedence over the ones in the allowed list

.PP
\fB\-\-api\-version\fP=""
DEPRECATED: The API version to use when talking to the server
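Review bot: "Allow wildcard host names for routes" should say which wildcard form is accepted. The API description added in this PR says the policy is currently only 'Subdomain' or 'None', i.e. a single wildcard label in the leftmost position; the flag help should match so an operator does not expect *.* or a wildcard inside a label to work. Suggest "Allow routes whose host starts with a single wildcard label (e.g. *.example.com)", and note that --allowed-domains and --denied-domains still apply to such hosts, as the author's reply on the f5-router man page states. The --allowed-domains wording fix requested on the f5-router page applies to this file as well.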
@@ -73,6 +81,10 @@ You may restrict the set of routes exposed to a single project (with \-\-namespa
\fB\-\-default\-certificate\-path\fP=""
A path to default certificate to use for routes that don't expose a TLS server cert; in PEM format

.PP
\fB\-\-denied\-domains\fP=[]
List of comma separated domains to deny in routes

.PP
\fB\-\-extended\-validation\fP=true
If set, then an additional extended validation step is performed on all routes admitted in by this router. Defaults to true and enables the extended validation checks.
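Review bot: the unchanged --extended-validation context here says an additional validation step runs on all routes admitted by this router and defaults to true, yet nothing in the visible changes says whether a host beginning with "*." passes that step once --allow-wildcard-routes is set. Either state in the PR description that extended validation accepts the wildcard label under that flag, or mention the interaction in this help text; otherwise an operator enabling wildcards may find every wildcard route rejected by validation with no hint as to why, and a reviewer cannot tell from this diff which outcome was intended.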
2 changes: 1 addition & 1 deletion images/router/haproxy/Dockerfile
@@ -16,7 +16,7 @@ RUN INSTALL_PKGS="haproxy" && \
yum clean all && \
mkdir -p /var/lib/haproxy/router/{certs,cacerts} && \
mkdir -p /var/lib/haproxy/{conf,run,bin,log} && \
touch /var/lib/haproxy/conf/{{os_http_be,os_edge_http_be,os_tcp_be,os_sni_passthrough,os_reencrypt,os_edge_http_expose,os_edge_http_redirect,cert_config}.map,haproxy.config} && \
touch /var/lib/haproxy/conf/{{os_http_be,os_edge_http_be,os_tcp_be,os_sni_passthrough,os_reencrypt,os_edge_http_expose,os_edge_http_redirect,cert_config,os_wildcard_domain}.map,haproxy.config} && \
chmod -R 777 /var && \
setcap 'cap_net_bind_service=ep' /usr/sbin/haproxy
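Review bot: os_wildcard_domain.map is created by the touch but nothing in the visible hunks writes to it, and this view covers only 4 of the PR's 7 commits; confirm that the haproxy config template which populates the map, and the haproxy.config rules that consult it, are in the remaining commits, otherwise the image ships an empty map that decides nothing. Unrelated to this change but visible in the context: `chmod -R 777 /var` leaves every one of these map files world-writable inside the image, which is worth tightening separately now that the maps govern which wildcard domains are routed.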
