Regex validation for tls secretName fails when using tls delegations #965

Closed
arminbuerkle opened this issue Mar 29, 2019 · 1 comment
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
@arminbuerkle
Contributor

What steps did you take and what happened:

We deployed contour/deployment/common/common.yaml to our cluster and added an ingress route with a tls secret which referenced a different namespace.

It failed with

spec.virtualhost.tls.secretName in body should match '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'

What did you expect to happen:

Creating an IngressRoute with a namespaced tls secretName should work with the addition of TLSCertificateDelegation.

Anything else you would like to add:

We're using the following regex for now:

^[a-z0-9]([-a-z0-9]*[a-z0-9])?([\.\/][a-z0-9]([-a-z0-9]*[a-z0-9])?)*$

Although it's not perfect since test/hello/world would also match although it shouldn't.


Yaml files for testing:
---
apiVersion: contour.heptio.com/v1beta1
kind: IngressRoute
metadata:
  name: example-6kqcb
  namespace: example
spec:
  routes: []
  tcpproxy:
    services:
    - name: mys-service
      port: 8080
  virtualhost:
    fqdn: wildcard.example.com
    tls:
      secretName: heptio-contour/wildcard-cert
---
apiVersion: contour.heptio.com/v1beta1
kind: TLSCertificateDelegation
metadata:
  name: wildcard-cert
  namespace: heptio-contour
spec:
  delegations:
  - secretName: wildcard-cert
    targetNamespaces:
    - '*'
---
apiVersion: v1
data:
  tls.crt: aGVsbG8K
  tls.key: Z2l0aHViCg==
kind: Secret
metadata:
  name: wildcard-cert
  namespace: heptio-contour
type: kubernetes.io/tls

Environment:

  • Contour version: gcr.io/heptio-images/contour:v0.10.0
  • Kubernetes version: v1.12

@davecheney
Contributor

Thank you for your PR. Please send a PR to update the regex, or just remove the verification entirely for that field.

@davecheney davecheney added this to the 0.11.0 milestone Mar 31, 2019
@davecheney davecheney added kind/bug Categorizes issue or PR as related to a bug. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Mar 31, 2019
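
The over-matching noted in the report (test/hello/world passing the interim regex) can be checked side by side with the original pattern. This Go program is an added example, not part of the issue or of Contour's code; `Check`, `Verdict` and the `strict` pattern (at most one single-label `namespace/` prefix) are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// label is one DNS-1123 label, the building block of both patterns in the issue.
const label = `[a-z0-9]([-a-z0-9]*[a-z0-9])?`

var (
	// original: pattern from the validation error quoted in the issue.
	original = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
	// workaround: the reporter's interim pattern, which treats "/" like ".".
	workaround = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?([\.\/][a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
	// strict (assumption, not Contour's fix): at most one "namespace/" prefix,
	// where the namespace is a single label, followed by the secret name.
	strict = regexp.MustCompile(`^(` + label + `/)?` + label + `(\.` + label + `)*$`)
)

// Verdict records which of the three patterns accept a secretName.
type Verdict struct{ Original, Workaround, Strict bool }

// Check evaluates one secretName against all three patterns.
func Check(secretName string) Verdict {
	return Verdict{
		Original:   original.MatchString(secretName),
		Workaround: workaround.MatchString(secretName),
		Strict:     strict.MatchString(secretName),
	}
}

func main() {
	// Constructed inputs; the first three values appear in the issue.
	samples := []string{
		"wildcard-cert",
		"heptio-contour/wildcard-cert",
		"test/hello/world",
		"my.ns/cert",      // dotted namespace part
		"/wildcard-cert",  // empty namespace part
		"heptio-contour/", // empty secret name
	}
	for _, s := range samples {
		fmt.Printf("%-30q %+v\n", s, Check(s))
	}
}
```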