HTTPRequestRedirectFilter allows for wildcard hostnames

[stevesloka]

What happened:

Looking through the HTTPRequestRedirectFilter spec, the Hostname used has a default kubebuilder validation regex which would allow a user to specify a redirect of *.foo.com which might not make sense as a redirect hostname.

Controllers could catch this and set a condition, we could update the field to use a new hostname type which removes the ability to have a wildcard in the value, or maybe there's a use-case I'm not thinking of that folks would want this?

What you expected to happen:

Hostnames with wildcards would be rejected.

How to reproduce it (as minimally and precisely as possible):

Here's a sample HTTPRoute:

kind: HTTPRoute
apiVersion: gateway.networking.k8s.io/v1alpha2
metadata:
  name: kuard
  namespace: projectcontour
  labels:
    app: kuard
spec:
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: contour
  hostnames:
  - "local.projectcontour.io"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    filters:
      - requestRedirect:
          hostname: "*.stevesloka.com"
          scheme: https
          statusCode: 302
        type: RequestRedirect
    backendRefs:
    - kind: Service
      name: kuard
      port: 80

Right now Contour configures Envoy:

$ curl -i local.projectcontour.io                                                                                                                                 
HTTP/1.1 302 Found
location: https://*.stevesloka.com/
vary: Accept-Encoding
date: Tue, 30 Nov 2021 17:37:35 GMT
server: envoy
content-length: 0

But doesn't route properly:

[hbagdi]

Controllers could catch this and set a condition, we could update the field to use a new hostname type which removes the ability to have a wildcard in the value, or maybe there's a use-case I'm not thinking of that folks would want this?

gateway-api/apis/v1alpha2/httproute_types.go

Lines 678 to 685 in 88013b5

	// Hostname is the hostname to be used in the value of the `Location`
	// header in the response.
	// When empty, the hostname of the request is used.
	//
	// Support: Core
	//
	// +optional
	Hostname *Hostname `json:"hostname,omitempty"`

My reading of the spec is the hostname of the request should be used as is - not the hostname defined in the route rule. So if the request is foo.example.com and the route hostname is *.example.com, the location header has foo.exampl.com as the hostname.

[stevesloka]

I agree with what you said @hbagdi, maybe we're confusing two different bits.

In my example above, my route hostname is local.projectcontour.io which is matched on the incoming request, but the route match has a redirect to *.stevesloka.com, so the response has the HTTP 302 set with a Location: *.stevesloka.com which would be invalid (or just not make much sense).

[youngnick]

Yeah, I agree that the hostname in a redirect shouldn't be able to be a wildcard, it should be a precise hostname.

[hbagdi]

Ah, I understood this wrong.
This needs an update to the validation function for HTTPRoute which then should be executed in the validation webhook.

[stevesloka]

Could we just introduce a new type referenced here (

gateway-api/apis/v1alpha2/httproute_types.go

Line 743 in 06754c5

Hostname *Hostname `json:"hostname,omitempty"`

) which removes the wildcard from the beginning? This way you would't need the admission controller change at all and just rely on the kubebuilder validation.

Happy to work on this!

[robscott]

Could we just introduce a new type

Agree, this is probably the best approach. Maybe we have WildcardHostname to represent the current value and Hostname that does not allow for wildcard values.

[stevesloka]

Yup makes sense to me. I can take this up and get it updated.