gatekeeper-library
Should K8sUniqueIngressHost allow duplicate hosts within a namespace?
The code is here: https://github.com/open-policy-agent/gatekeeper-library/blob/1da0facae99658accb73c291cb79f497fcddf641/library/general/uniqueingresshost/template.yaml#L21-L23
Looks like this will block an Ingress with the same host within the same namespace: https://play.openpolicyagent.org/p/7O2UVOvrbN
But I think that is a valid use-case. For example, cert-manager might create a second Ingress to solve ACME challenges if you need it to use a separate ingress class: https://cert-manager.io/docs/configuration/acme/http01/#class
Additionally, if someone's using ingress-nginx annotations on their Ingress, they may need to create two separate Ingresses to apply different annotations to different paths. I've used this feature to add an auth_url to a subpath on the same host.
Should the default K8sUniqueIngressHost be changed to allow duplicate hosts within a namespace (maybe if the path is different?). Or can we add a parameter to the Constraint to optionally allow duplicate hosts within a namespace?
Thanks for the feedback!
I'm okay with adding the option as a parameter; just changing the behavior would be backwards-incompatible.
@shomron @ritazh @sozercan thoughts?
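One way the parameter discussed above could look, as an added example rather than the library's actual template: the `identical` check keeps its current meaning (same namespace and same name, i.e. the object being updated), and a separate `exempt` rule skips the conflict only when a Constraint sets the hypothetical `allowSameNamespace` parameter (the name is an assumption, not something the library defines) and both Ingresses live in the same namespace. When the parameter is absent or `false`, `exempt` is undefined, `not exempt(...)` holds, and the policy behaves exactly as before, which keeps the change backwards-compatible. The `data.inventory` path and the API-group regexes follow the shape the existing template uses.

```rego
package k8suniqueingresshost

# Added example, not the gatekeeper-library template.
# "allowSameNamespace" is a hypothetical Constraint parameter (assumption).

# The object under review and the inventory object are the same Ingress
# (an update of an existing object), so it is never a conflict with itself.
identical(obj, review) {
  obj.metadata.namespace == review.object.metadata.namespace
  obj.metadata.name == review.object.metadata.name
}

# Opt-in exemption: duplicate hosts are tolerated when both Ingresses are in
# the same namespace AND the Constraint explicitly asks for it. If the
# parameter is missing or false this rule is undefined, so nothing changes.
exempt(obj, review) {
  input.parameters.allowSameNamespace
  obj.metadata.namespace == review.object.metadata.namespace
}

violation[{"msg": msg}] {
  input.review.kind.kind == "Ingress"
  re_match("^(extensions|networking.k8s.io)$", input.review.kind.group)
  host := input.review.object.spec.rules[_].host

  # Every Ingress already known to the Gatekeeper cache, in any namespace.
  other := data.inventory.namespace[ns][otherapiversion]["Ingress"][name]
  re_match("^(extensions|networking.k8s.io)/.+$", otherapiversion)
  other.spec.rules[_].host == host

  not identical(other, input.review)
  not exempt(other, input.review)
  msg := sprintf("ingress host conflicts with an existing ingress <%v> in namespace <%v>", [name, ns])
}
```

A Constraint would enable the relaxed mode with `spec.parameters.allowSameNamespace: true`; cross-namespace duplicates of the same host are still reported either way, which is the hijacking case the policy exists to catch.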
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.