Implementing allowed Ingress hostnames (#162)

Co-authored-by: Dario Tranchitella <[email protected]>
projectcapsule · Jan 13, 2021 · 89c66de · 89c66de
1 parent a2109b7
commit 89c66de
Show file tree

Hide file tree

Showing 17 changed files with 623 additions and 30 deletions.
diff --git a/.gitignore b/.gitignore
@@ -23,5 +23,6 @@ bin
 *.swo
 *~
 
-hack/*.kubeconfig
+**/*.kubeconfig
 .DS_Store
+
diff --git a/api/v1alpha1/ingress_hostnames_list.go b/api/v1alpha1/ingress_hostnames_list.go
@@ -0,0 +1,42 @@
+/*
+Copyright 2020 Clastix Labs.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"sort"
+)
+
+type IngressHostnamesList []string
+
+func (hostnames IngressHostnamesList) Len() int {
+	return len(hostnames)
+}
+
+func (hostnames IngressHostnamesList) Swap(i, j int) {
+	hostnames[i], hostnames[j] = hostnames[j], hostnames[i]
+}
+
+func (hostnames IngressHostnamesList) Less(i, j int) bool {
+	return hostnames[i] < hostnames[j]
+}
+
+func (hostnames IngressHostnamesList) IsStringInList(value string) (ok bool) {
+	sort.Sort(hostnames)
+	i := sort.SearchStrings(hostnames, value)
+	ok = i < hostnames.Len() && hostnames[i] == value
+	return
+}
diff --git a/api/v1alpha1/tenant_types.go b/api/v1alpha1/tenant_types.go
@@ -38,6 +38,11 @@ type IngressClassesSpec struct {
 	AllowedRegex string           `json:"allowedRegex,omitempty"`
 }
 
+type IngressHostnamesSpec struct {
+	Allowed      IngressHostnamesList `json:"allowed"`
+	AllowedRegex string               `json:"allowedRegex"`
+}
+
 type ContainerRegistriesSpec struct {
 	Allowed      RegistryList `json:"allowed,omitempty"`
 	AllowedRegex string       `json:"allowedRegex,omitempty"`
@@ -60,6 +65,7 @@ type TenantSpec struct {
 	ServicesMetadata       AdditionalMetadata               `json:"servicesMetadata,omitempty"`
 	StorageClasses         *StorageClassesSpec              `json:"storageClasses,omitempty"`
 	IngressClasses         *IngressClassesSpec              `json:"ingressClasses,omitempty"`
+	IngressHostnames       *IngressHostnamesSpec            `json:"ingressHostnames,omitempty"`
 	ContainerRegistries    *ContainerRegistriesSpec         `json:"containerRegistries,omitempty"`
 	NodeSelector           map[string]string                `json:"nodeSelector,omitempty"`
 	NetworkPolicies        []networkingv1.NetworkPolicySpec `json:"networkPolicies,omitempty"`

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/charts/capsule/crds/tenant-crd.yaml b/charts/capsule/crds/tenant-crd.yaml
@@ -132,6 +132,18 @@ spec:
                 allowedRegex:
                   type: string
               type: object
+            ingressHostnames:
+              properties:
+                allowed:
+                  items:
+                    type: string
+                  type: array
+                allowedRegex:
+                  type: string
+              required:
+                - allowed
+                - allowedRegex
+              type: object
             limitRanges:
               items:
                 description: LimitRangeSpec defines a min/max usage limit for resources

diff --git a/config/crd/bases/capsule.clastix.io_tenants.yaml b/config/crd/bases/capsule.clastix.io_tenants.yaml
@@ -134,6 +134,18 @@ spec:
                 allowedRegex:
                   type: string
               type: object
+            ingressHostnames:
+              properties:
+                allowed:
+                  items:
+                    type: string
+                  type: array
+                allowedRegex:
+                  type: string
+              required:
+              - allowed
+              - allowedRegex
+              type: object
             limitRanges:
               items:
                 description: LimitRangeSpec defines a min/max usage limit for resources

diff --git a/config/samples/capsule_v1alpha1_tenant.yaml b/config/samples/capsule_v1alpha1_tenant.yaml
@@ -4,6 +4,11 @@ kind: Tenant
 metadata:
   name: oil
 spec:
+  ingressHostnames:
+    allowed:
+      - my.oil.acmecorp.com
+      - my.gas.acmecorp.com
+    allowedRegex: "^.*acmecorp.com$"
   ingressClasses:
     allowed:
       - default

diff --git a/config/samples/ingress.yaml b/config/samples/ingress.yaml
diff --git a/docs/operator/use-cases/ingress-hostnames.md b/docs/operator/use-cases/ingress-hostnames.md
@@ -46,15 +46,19 @@ metadata:
     kubernetes.io/ingress.class: oil
 spec:
   rules:
-  - host: web.oil.acmecorp.com
-    http:
-      paths:
-      - backend:
-          serviceName: nginx
-          servicePort: 80
-        path: /
+    - host: web.oil.acmecorp.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: nginx
+                port:
+                  number: 80
 ```
 
+
 Any tentative of Alice to use a not valid hostname, e.g. `web.gas.acmecorp.org`, will fail.
 
 # What’s next