Support for wildcard / catch-all host #941

Closed
bennesp opened this issue Apr 22, 2024 · 1 comment · Fixed by #945

bennesp commented Apr 22, 2024

What happened?

Not writing any host in the Ingress resource results in Pomerium not accepting the Ingress because:

```
{"level":"error","ts":"2024-04-22T08:58:44Z","logger":"pomerium-ingress","msg":"not reconciled","controller":"pomerium-ingress","controllerGroup":"networking.k8s.io","controllerKind":"Ingress","Ingress":{"name":"test","namespace":"test"},"namespace":"test","name":"test","reconcileID":"715a9096-eda6-41c1-97d9-832f85f76076","ingress":"test/test","error":"parsing ingress: host is required"}
```

What did you expect to happen?

The Ingress specification allows omitting the host field, since it's optional.

When no host is specified, the rule applies to all inbound HTTP traffic through the IP address specified. (Source)

Since Pomerium supports wildcards (pomerium/pomerium#4131), the ingress controller should be able to map the absence of the host field to a `*` host.

It cannot be done manually because the host inside the Ingress, if provided, must conform to a regex that does not allow using just `*`: `\*\.[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*`


How'd it happen?

Create a simple Ingress with no host:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test
  namespace: test
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test
                port:
                  number: 80
```

What's your environment like?

  • Pomerium version (retrieve with pomerium --version): v0.25.1
  • Server Operating System/Architecture/Cloud: Kubernetes

What's your config.yaml?

```yaml
apiVersion: ingress.pomerium.io/v1
kind: Pomerium
metadata:
  name: global
spec:
  authenticate:
    url: https://example.com
  cookie:
    domain: example.com
  identityProvider:
    provider: auth0
    secret: pomerium/idp-auth0
    url: https://example.auth0.com
  secrets: pomerium/bootstrap
  storage:
    postgres:
      secret: pomerium/db-connection
```

@kralicky
Contributor

We should probably support leaving an empty host value, to allow routing all traffic through that ingress rule, as defined in the spec: https://github.com/kubernetes/api/blob/master/networking/v1/types.go#L397-L399

If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue.

However, a host value of '*' is disallowed (but the behavior you are looking for is covered by the empty-host case anyway): https://github.com/kubernetes/api/blob/master/networking/v1/types.go#L401-L405

host can be "precise" which is a domain name without the terminating dot of
a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
prefixed with a single wildcard label (e.g. "*.foo.com").
The wildcard character '*' must appear by itself as the first DNS label and
matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").

kralicky added a commit that referenced this issue Apr 30, 2024
This adds support for empty host values in ingress rules, which act as
wildcards and will match any hostname. A special annotation is required
to enable this feature, so as to prevent unexpected behavior if the host
name is unintentionally omitted.
kralicky added a commit that referenced this issue May 1, 2024
* Support for empty host in ingress rules (#941)

This adds support for empty host values in ingress rules, which act as
wildcards and will match any hostname. A special annotation is required
to enable this feature, so as to prevent unexpected behavior if the host
name is unintentionally omitted.

* Code cleanup/lint fixes
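
The host rules discussed in this thread, as an added Go example that is not Pomerium's code: it classifies a rule host as precise, wildcard or catch-all, rejects an empty host unless an opt-in annotation is set, and shows that a wildcard matches exactly one label while an empty host matches every hostname. The annotation name `example.invalid/allow-empty-host` is a hypothetical placeholder (the page does not name the real one), and the precise-host pattern is assumed to be the wildcard regex from the issue without its `\*\.` prefix.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// DNS-1123 subdomain pattern; the wildcard regex quoted in the issue is `\*\.` plus this.
	dns1123    = `[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*`
	preciseRe  = regexp.MustCompile(`^` + dns1123 + `$`)
	wildcardRe = regexp.MustCompile(`^\*\.` + dns1123 + `$`)
	// Hypothetical placeholder: the page does not name the real opt-in annotation.
	allowEmptyHost = "example.invalid/allow-empty-host"
)

// classifyHost validates one rule host; an empty host is rejected unless the Ingress opts in.
func classifyHost(host string, annotations map[string]string) (string, error) {
	switch {
	case host == "" && annotations[allowEmptyHost] == "true":
		return "catch-all", nil
	case host == "":
		return "", fmt.Errorf("host is required")
	case wildcardRe.MatchString(host):
		return "wildcard", nil
	case preciseRe.MatchString(host):
		return "precise", nil
	}
	return "", fmt.Errorf("invalid host %q", host)
}

// hostMatches assumes requestHost is already lowercased with any port removed.
func hostMatches(ruleHost, requestHost string) bool {
	if ruleHost == "" {
		return true // catch-all: every hostname reaches this rule's backend
	}
	if strings.HasPrefix(ruleHost, "*.") {
		suffix := ruleHost[1:] // e.g. ".foo.com"
		label := strings.TrimSuffix(requestHost, suffix)
		// "*" stands for exactly one non-empty DNS label.
		return label != requestHost && label != "" && !strings.Contains(label, ".")
	}
	return ruleHost == requestHost
}

func main() {
	kind, err := classifyHost("", nil) // constructed input: no host, no opt-in
	fmt.Println(kind, err, hostMatches("*.foo.com", "a.b.foo.com"))
}
```

Because an accepted empty host routes every hostname to the rule's backend, the opt-in keeps an accidentally omitted `host:` line as a reconcile error instead of a silent catch-all route.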