Always require Host header values for http services (#7990)

Previously, we did not require the 'service-name.*' host header value
when on a single http service was exposed. However, this allows a user
to get into a situation where, if they add another service to the
listener, suddenly the previous service's traffic might not be routed
correctly. Thus, we always require the Host header, even if there is
only 1 service.

Also, we add the make the default domain matching more restrictive by
matching "service-name.ingress.*" by default. This lines up better with
the namespace case and more accurately matches the Consul DNS value we
expect people to use in this case.
This commit is contained in:
Chris Piraino 2020-06-08 13:16:24 -05:00 committed by hashicorp-ci
parent c675166e1b
commit 165a9af053
8 changed files with 13 additions and 19 deletions

View File

@ -101,20 +101,14 @@ func routesFromSnapshotIngressGateway(cfgSnap *proxycfg.ConfigSnapshot) ([]proto
namespace := u.GetEnterpriseMeta().NamespaceOrDefault()
var domains []string
switch {
case len(upstreams) == 1:
// Don't require a service prefix on the domain if there is only 1
// upstream. This makes it a smoother experience when only having a
// single service associated to a listener, which is probably a common
// case when demoing/testing
domains = []string{"*"}
case len(u.IngressHosts) > 0:
// If a user has specified hosts, do not add the default
// "<service-name>.*" prefix
// "<service-name>.ingress.*" prefixes
domains = u.IngressHosts
case namespace != structs.IntentionDefaultNamespace:
domains = []string{fmt.Sprintf("%s.ingress.%s.*", chain.ServiceName, namespace)}
default:
domains = []string{fmt.Sprintf("%s.*", chain.ServiceName)}
domains = []string{fmt.Sprintf("%s.ingress.*", chain.ServiceName)}
}
virtualHost, err := makeUpstreamRouteForDiscoveryChain(upstreamID, chain, domains)

View File

@ -8,7 +8,7 @@
{
"name": "baz",
"domains": [
"baz.*"
"baz.ingress.*"
],
"routes": [
{
@ -24,7 +24,7 @@
{
"name": "qux",
"domains": [
"qux.*"
"qux.ingress.*"
],
"routes": [
{
@ -64,7 +64,7 @@
{
"name": "bar",
"domains": [
"bar.*"
"bar.ingress.*"
],
"routes": [
{

View File

@ -8,7 +8,7 @@
{
"name": "db",
"domains": [
"*"
"db.ingress.*"
],
"routes": [
{

View File

@ -8,7 +8,7 @@
{
"name": "db",
"domains": [
"*"
"db.ingress.*"
],
"routes": [
{

View File

@ -8,7 +8,7 @@
{
"name": "db",
"domains": [
"*"
"db.ingress.*"
],
"routes": [
{

View File

@ -8,7 +8,7 @@
{
"name": "db",
"domains": [
"*"
"db.ingress.*"
],
"routes": [
{

View File

@ -31,10 +31,10 @@ load helpers
}
@test "ingress should be able to connect to s1 via configured path" {
assert_expected_fortio_name s1 localhost 9999 /s1
assert_expected_fortio_name s1 router.ingress.consul 9999 /s1
}
@test "ingress should be able to connect to s2 via configured path" {
assert_expected_fortio_name s2 localhost 9999 /s2
assert_expected_fortio_name s2 router.ingress.consul 9999 /s2
}

View File

@ -31,11 +31,11 @@ load helpers
}
@test "ingress should be able to connect to s1 using Host header" {
assert_expected_fortio_name s1 s1.example.consul 9999
assert_expected_fortio_name s1 s1.ingress.consul 9999
}
@test "ingress should be able to connect to s2 using Host header" {
assert_expected_fortio_name s2 s2.example.consul 9999
assert_expected_fortio_name s2 s2.ingress.consul 9999
}
@test "ingress should be able to connect to s1 using a user-specified Host" {