pomerium / ingress-controller

Pomerium Kubernetes Ingress Controller
https://pomerium.com
Apache License 2.0

Support for wildcard / catch-all host #941

Closed bennesp closed 4 months ago

bennesp commented 4 months ago

What happened?

Not writing any host in the Ingress resource results in Pomerium not accepting the Ingress because:

{"level":"error","ts":"2024-04-22T08:58:44Z","logger":"pomerium-ingress","msg":"not reconciled","controller":"pomerium-ingress","controllerGroup":"networking.k8s.io","controllerKind":"Ingress","Ingress":{"name":"test","namespace":"test"},"namespace":"test","name":"test","reconcileID":"715a9096-eda6-41c1-97d9-832f85f76076","ingress":"test/test","error":"parsing ingress: host is required"}

What did you expect to happen?

The Ingress specification allows omitting the host field, since it is optional.

When no host is specified, the rule applies to all inbound HTTP traffic through the IP address specified. (Source)

Since Pomerium supports wildcards (https://github.com/pomerium/pomerium/pull/4131), the ingress controller should be able to map the absence of the host field to a * host.

It cannot be done manually because the host inside an Ingress, if provided, must conform to a regex that does not allow just *: \*\.[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*


How'd it happen?

Create a simple Ingress with no host:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
  namespace: test
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test
                port:
                  number: 80

What's your environment like?

What's your config.yaml?

apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global
spec:
  authenticate:
    url: https://example.com
  cookie:
    domain: example.com
  identityProvider:
    provider: auth0
    secret: pomerium/idp-auth0
    url: https://example.auth0.com
  secrets: pomerium/bootstrap
  storage:
    postgres:
      secret: pomerium/db-connection

kralicky commented 4 months ago

We should probably support leaving an empty host value, to allow routing all traffic through that ingress rule, as defined in the spec: https://github.com/kubernetes/api/blob/master/networking/v1/types.go#L397-L399

If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.

However, a host value of '*' is disallowed (but the behavior you are looking for is covered by the empty-host case anyway): https://github.com/kubernetes/api/blob/master/networking/v1/types.go#L401-L405

host can be "precise" which is a domain name without the terminating dot of a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name prefixed with a single wildcard label (e.g. "*.foo.com"). The wildcard character '*' must appear by itself as the first DNS label and matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
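The host rules quoted above, and the mapping of an omitted host to a catch-all route that the issue asks for, as an added example in Go. This is not the ingress-controller's code: ResolveIngressHost, HostKind and the "*" catch-all value it returns are assumptions for illustration; the label pattern is the one from the issue's regex.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Kubernetes IngressRule host shapes (networking/v1/types.go): a precise DNS
// name ("foo.bar.com") or a wildcard host whose first and only wildcard label
// is "*" ("*.foo.com"). A bare "*" is disallowed; an empty host matches all.
var (
	dnsLabel       = `[a-z0-9]([-a-z0-9]*[a-z0-9])?`
	preciseHostRe  = regexp.MustCompile(`^` + dnsLabel + `(\.` + dnsLabel + `)*$`)
	wildcardHostRe = regexp.MustCompile(`^\*\.` + dnsLabel + `(\.` + dnsLabel + `)*$`)
)

var ErrBareWildcard = errors.New(`host "*" is not allowed; omit the host to match all traffic`)

// HostKind classifies an Ingress rule host (hypothetical type for this example).
type HostKind int

const (
	HostCatchAll HostKind = iota // host omitted: rule applies to all inbound traffic
	HostPrecise
	HostWildcard
)

// ResolveIngressHost validates h against the Kubernetes rules and returns the
// host the controller would hand to the Pomerium route. An empty host is mapped
// to "*" (the behaviour requested in the issue) instead of failing with
// "host is required".
func ResolveIngressHost(h string) (string, HostKind, error) {
	h = strings.TrimSpace(h)
	switch {
	case h == "":
		return "*", HostCatchAll, nil
	case h == "*":
		return "", 0, ErrBareWildcard
	case preciseHostRe.MatchString(h):
		return h, HostPrecise, nil
	case wildcardHostRe.MatchString(h):
		return h, HostWildcard, nil
	default:
		return "", 0, fmt.Errorf("parsing ingress: invalid host %q", h)
	}
}

func main() {
	for _, h := range []string{"", "*", "app.example.com", "*.example.com", "**.example.com"} {
		host, kind, err := ResolveIngressHost(h)
		fmt.Printf("%q -> host=%q kind=%d err=%v\n", h, host, kind, err)
	}
}
```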