contour
Ingress object with no `hostnames` set in the `tls` stanza silently produces no config
What steps did you take and what happened:
If you create an Ingress object that is missing the hostnames list, Contour will process the object, but no Envoy config will be emitted.
Sample object:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: no-hostname-httpbin
  annotations:
    ingress.kubernetes.io/force-ssl-redirect: "false"
    kubernetes.io/ingress.class: contour
spec:
  tls:
  - secretName: httpbin
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: httpbin
            port:
              number: 80
```
**Initial investigation notes**
In `internal/dag/ingress_processor.go`, in `computeSecureVirtualHosts`, we range across `tls.Hosts`, which will do nothing if the host list is empty, and we don't check if the host list is empty either.
We also don't have any testing that validates what happens if no hostnames are supplied in an Ingress object.
What did you expect to happen:
The Ingress contract is that, when no hostnames are specified, the wildcard `*` should be inferred, so the rule should end up as a catch-all one, although any requests that don't match the certificate included in `secretName` will fail to match anyway.
We should match the spec and infer `*` in the event hostnames are unspecified, and try to make people aware of this somehow. Open to suggestions here; I think the only option is to warn in Contour's log.
Environment:
- Contour version: all
- Kubernetes version: (use `kubectl version`): doesn't matter.
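
The behaviour described in this issue, as an added Go sketch that is not Contour's code and not part of the original report: ranging only over `Hosts` silently drops a `tls` entry that lists none, while the second function infers `*` and returns a warning for the log. The `IngressTLS` struct here is a simplified stand-in for the Kubernetes type, and both function names are hypothetical.

```go
package main

import "fmt"

// IngressTLS is a simplified stand-in for the Kubernetes IngressTLS type.
type IngressTLS struct {
	Hosts      []string
	SecretName string
}

// secureHostsAsReported (hypothetical name) ranges over Hosts only, so an
// entry with no hosts contributes nothing and raises no error.
func secureHostsAsReported(tls []IngressTLS) map[string]string {
	out := map[string]string{}
	for _, t := range tls {
		for _, h := range t.Hosts {
			out[h] = t.SecretName
		}
	}
	return out
}

// secureHostsWithDefault (hypothetical name) infers "*" for an entry with no
// hosts and returns one warning per inferred entry for the operator's log.
func secureHostsWithDefault(tls []IngressTLS) (map[string]string, []string) {
	out := map[string]string{}
	var warnings []string
	for i, t := range tls {
		hosts := t.Hosts
		if len(hosts) == 0 {
			hosts = []string{"*"}
			warnings = append(warnings, fmt.Sprintf(
				"tls[%d]: no hosts set, inferring \"*\" for secret %q", i, t.SecretName))
		}
		for _, h := range hosts {
			out[h] = t.SecretName
		}
	}
	return out, warnings
}

func main() {
	// Constructed input matching the sample object: one tls entry, no hosts.
	tls := []IngressTLS{{SecretName: "httpbin"}}
	fmt.Println("as reported:", secureHostsAsReported(tls))
	hosts, warns := secureHostsWithDefault(tls)
	fmt.Println("with default:", hosts, warns)
}
```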