Clarifying that wildcard hostname matching is suffix matching #1173
Conversation
k8s-ci-robot
added
do-not-merge/hold
|
@robscott: GitHub didn't allow me to request PR reviews from the following users: howardjohn, mikemorris. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: robscott The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
As I said in #1159, although I would slightly prefer to keep this similar to a single label, it's not worth excluding already-working implementations from conformance (which would be the cost of not making this change). So, this LGTM to me, but interested to hear from others. |
|
I would slightly prefer to keep it a single label [and have someone make Envoy support single labels efficiently]. |
Although I agree that it would be nice to match the Ingress spec and more closely align with TLS certs, I think there's likely a compelling reason that so many APIs/implementations (envoy, nginx, GCP, Azure, etc) chose to interpret this as suffix matching. The fact that some of those can only implement suffix matching makes me think it's our only real option here. |
| Request: http.ExpectedRequest{Host: "multiple.prefixes.bar.com", Path: "/"}, | ||
| Backend: "infra-backend-v3", | ||
| Namespace: ns, |
There was a problem hiding this comment.
I might be reading this wrong: this test proves the change by making sure the * match works right? Are we missing the test for the assertion that the suffix without a prefix doesn't match?
e.g. we need these tests:
*.ocean.example.commatcheswhales.ocean.example.comandsharks.ocean.example.com*.ocean.example.comdoes not matchocean.example.com
There was a problem hiding this comment.
Good call, added test case for that. On a related note - I'm a big fan of those example domains. Trying to keep the surface area of this PR small, but if anyone wants to move our tests to ocean themed example.com/net/org domains, that would also be great.
There was a problem hiding this comment.
fits right in with our already nautical software themes 😂
robscott
force-pushed
the
wildcard-hostname-spec
branch
from
6d506d0 to
2672b1a
Compare
k8s-ci-robot
added
size/M
|
Also ran this by @mikemorris to confirm this made sense for their implementation. I think there's enough consensus here to remove the hold - still need someone to add an LGTM though. /hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/lgtm |
k8s-ci-robot
added
the
lgtm
What type of PR is this?
/kind documentation
/area conformance
What this PR does / why we need it:
This is a follow up from #1159 that clarifies that wildcard hostname matching should be considered equivalent to suffix matching. This is a change from the Ingress spec but is more widely implementable and matches the most widespread default behavior, including nginx, envoy, GCP, and Azure.
Which issue(s) this PR fixes:
Fixes #1159
Does this PR introduce a user-facing change?:
If merged, this will cause conformance tests to start failing for some implementations, adding a temporary hold so everyone has a chance to weigh in.
/hold
/cc @bowei @shaneutt @youngnick @mikemorris @howardjohn