Merge pull request #144 from ori-edge/fix/annotation-as-label

Applied k8s subdomain checks to our custom hostname annotation

README.md

@@ -12,7 +12,7 @@ This plugin relies on its own connection to the k8s API server and doesn't share
 | ---- | ---------------- | -------- |
 | HTTPRoute<sup>[1](#foot1)</sup> | all FQDNs from `spec.hostnames` matching configured zones | `gateway.status.addresses`<sup>[2](#foot2)</sup> |
 | Ingress | all FQDNs from `spec.rules[*].host` matching configured zones | `.status.loadBalancer.ingress` |
-| Service<sup>[3](#foot3)</sup> | `name.namespace` + any of the configured zones OR any string specified in the `coredns.io/hostname` annotation (see [this](https://github.com/ori-edge/k8s_gateway/blob/master/kubernetes_test.go#L159) for an example) | `.status.loadBalancer.ingress` |
+| Service<sup>[3](#foot3)</sup> | `name.namespace` + any of the configured zones OR any string consisting of lower case alphanumeric characters, '-' or '.', specified in the `coredns.io/hostname` annotation (see [this](https://github.com/ori-edge/k8s_gateway/blob/master/test/service-annotation.yml#L8) for an example) | `.status.loadBalancer.ingress` |
 | VirtualServer<sup>[4](#foot4)</sup> | `spec.host` | `.status.externalEnpoints.ip` |
 
 

kubernetes.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"regexp"
 	"strings"
 
 	"github.com/miekg/dns"
@@ -336,10 +337,16 @@ func serviceHostnameIndexFunc(obj interface{}) ([]string, error) {
 
 	hostname := service.Name + "." + service.Namespace
 	if annotation, exists := service.Annotations[hostnameAnnotationKey]; exists {
+		// checking the hostname length limits
 		if _, ok := dns.IsDomainName(annotation); ok {
-			hostname = strings.ToLower(annotation)
+			// checking RFC 1123 conformance (same as metadata labels)
+			if valid := isdns1123Hostname(annotation); valid {
+				hostname = strings.ToLower(annotation)
+			} else {
+				log.Infof("RFC 1123 conformance failed for FQDN: %s", annotation)
+			}
 		} else {
-			log.Debugf("Invalid domain name in annotation: %s", annotation)
+			log.Infof("Invalid FQDN length: %s", annotation)
 		}
 	}
 
@@ -508,3 +515,16 @@ func fetchLoadBalancerIPs(lb core.LoadBalancerStatus) (results []netip.Addr) {
 	}
 	return
 }
+
+// the below is borrowed from k/k's github repo
+const dns1123ValueFmt string = "[a-z0-9]([-a-z0-9]*[a-z0-9])?"
+const dns1123SubdomainFmt string = dns1123ValueFmt + "(\\." + dns1123ValueFmt + ")*"
+
+var dns1123SubdomainRegexp = regexp.MustCompile("^" + dns1123SubdomainFmt + "$")
+
+func isdns1123Hostname(value string) bool {
+	if !dns1123SubdomainRegexp.MatchString(value) {
+		return false
+	}
+	return true
+}

test/service-annotation.yml

@@ -5,7 +5,7 @@ metadata:
   name: annotation-good
   namespace: default
   annotations:
-    "coredns.io/hostname": "good"
+    "coredns.io/hostname": "good.ok"
 spec:
   ipFamilyPolicy: RequireDualStack
   ports:
@@ -25,6 +25,25 @@ metadata:
   namespace: default
   annotations:
     "coredns.io/hostname": "abcd0123456789012345678901234567890123456789012345678901234567890"
+spec:
+  ipFamilyPolicy: RequireDualStack
+  ports:
+  - name: 80-80
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: backend
+  sessionAffinity: None
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: annotation-bad-2
+  namespace: default
+  annotations:
+    "coredns.io/hostname": "foo_bar"
 spec:
   ipFamilyPolicy: RequireDualStack
   ports: