From 1294b89792f4f856055b096f922a5883fa600925 Mon Sep 17 00:00:00 2001
From: Maisem Ali
Date: Wed, 11 Oct 2023 17:33:23 -0700
Subject: [PATCH] cmd/k8s-operator: allow setting same host value for tls and ingress rules

We were too strict and required the user not specify the host field at all in the ingress rules, but that degrades compatibility with existing helm charts. Relax the constraint so that rule.Host can either be empty, or match the tls.Host[0] value exactly.
Fixes #9548
Signed-off-by: Maisem Ali
---
 cmd/k8s-operator/ingress.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/cmd/k8s-operator/ingress.go b/cmd/k8s-operator/ingress.go
index a3c7e1cd5..0c306fc52 100644
--- a/cmd/k8s-operator/ingress.go
+++ b/cmd/k8s-operator/ingress.go
@@ -192,8 +192,15 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 }
 }
 addIngressBackend(ing.Spec.DefaultBackend, "/")
+
+ var tlsHost string // hostname or FQDN or empty
+ if ing.Spec.TLS != nil && len(ing.Spec.TLS) > 0 && len(ing.Spec.TLS[0].Hosts) > 0 {
+ tlsHost = ing.Spec.TLS[0].Hosts[0]
+ }
 for _, rule := range ing.Spec.Rules {
- if rule.Host != "" {
+ // Host is optional, but if it's present it must match the TLS host
+ // otherwise we ignore the rule.
+ if rule.Host != "" && rule.Host != tlsHost {
 a.recorder.Eventf(ing, corev1.EventTypeWarning, "InvalidIngressBackend", "rule with host %q ignored, unsupported", rule.Host)
 continue
 }
@@ -208,8 +215,8 @@ func (a *IngressReconciler) maybeProvision(ctx context.Context, logger *zap.Suga
 tags = strings.Split(tstr, ",")
 }
 hostname := ing.Namespace + "-" + ing.Name + "-ingress"
- if ing.Spec.TLS != nil && len(ing.Spec.TLS) > 0 && len(ing.Spec.TLS[0].Hosts) > 0 {
- hostname, _, _ = strings.Cut(ing.Spec.TLS[0].Hosts[0], ".")
+ if tlsHost != "" {
+ hostname, _, _ = strings.Cut(tlsHost, ".")
 }
 sts := &tailscaleSTSConfig{
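Review bot: The warning event in the first hunk still reads "rule with host %q ignored, unsupported", which is now stale. A host is accepted when it equals `tlsHost`, so the message should say what was expected: `"rule with host %q ignored, host must be empty or match the first TLS host %q", rule.Host, tlsHost`. Only `ing.Spec.TLS[0].Hosts[0]` is consulted, so rules naming any other listed TLS host are dropped with the same opaque text. The second hunk keeps only the first label of `tlsHost`, so, as far as the visible lines show, the domain part of an accepted host is never checked against the name the proxy actually serves; a short comment on the `tlsHost` declaration should state this. The `ing.Spec.TLS != nil &&` test is redundant with `len(ing.Spec.TLS) > 0` and can be dropped. The body of `maybeProvision` begins and ends outside the hunk.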