Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Discuss domain match vs. wildcard match for listener hostnames #206

Closed
jpeach opened this issue Jun 4, 2020 · 12 comments
Closed

Discuss domain match vs. wildcard match for listener hostnames #206

jpeach opened this issue Jun 4, 2020 · 12 comments
Assignees
@bowei
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments

@jpeach
Copy link
Contributor

jpeach commented Jun 4, 2020

In #193, we define a "Domain" match type to match a set of hostnames to a single domain name. The semantics of matching the "example.com" domain are the same as matching a TLS wildcard of "*.example.com" (i.e. a single leftmost domain label is wild).

In #193 there was some discussion that "wildcard" terminology was easier to understand. So we could consider changing this:

hostname:
  match: Domain
  name: example.com

to this:

hostname:
  match: Wildcard
  name: *.example.com
@jpeach jpeach added the kind/feature Categorizes issue or PR as related to a new feature. label Jun 4, 2020
@jpeach jpeach mentioned this issue Jun 4, 2020
Merged
@bowei
Copy link
Contributor

bowei commented Jun 8, 2020

Couple things to clarify:

  • Does domain match suffix or only a single level (a la TLS SAN)?
  • Do people care about the more esoteric wildcard expressions e.g. a*z.example.com. Are there compelling enough users to support this?

I do like the simplicity of Domain to describe and understand.

@jpeach
Copy link
Contributor Author

jpeach commented Jun 8, 2020

Couple things to clarify:

  • Does domain match suffix or only a single level (a la TLS SAN)?

A single level.

  • Do people care about the more esoteric wildcard expressions e.g. a*z.example.com. Are there compelling enough users to support this?

We could also introduce these sorts of matches with separate Wildcard or Regex match types (might be proxy-dependent implementations).

@hbagdi
Copy link
Contributor

hbagdi commented Jun 9, 2020

A single level.

James, in our conversation, I think you mentioned this to support subdomains as well. This is certainly a feature that users want.

Do people care about the more esoteric wildcard expressions

I've seen people do this with headers and paths but (I daresay) never with host.

@jpeach
Copy link
Contributor Author

jpeach commented Jun 9, 2020

A single level.

James, in our conversation, I think you mentioned this to support subdomains as well. This is certainly a feature that users want.

If you have more than 1 level of wildcard, how do you select the right server certificate (since that is only allowed to match a single level)?

@hbagdi
Copy link
Contributor

hbagdi commented Jun 9, 2020
edited
Loading

If you have more than 1 level of wildcard, how do you select the right server certificate (since that is only allowed to match a single level)?

I think our minds are on different tracks because of bad naming.
What I meant was (and maybe @bowei too) was that is it possible to do *.subdomain.example.com or not?

@jpeach
Copy link
Contributor Author

jpeach commented Jun 9, 2020 via email

@szuecs
Copy link

szuecs commented Sep 2, 2020

A while ago I implemented a best match certificate function in our Kube-ingress-aws-controller and so I would like to ask how you would resolve multiple cert matches.
Q1)
Assume you have foo.example.org in the request and you have 2 certificates one for foo.example.org and the other with *.example.org.

Q2)
Assume you have foo.example.org in the request and you have 2 certificates one for foo.example.org and the other foo.example.org, but validity is different. For example the first is valid for the next 20d started from 90d-20d and the other for 90d which was just issued.

Do you think these questions would have a defined answer and if so what would be the answers?

My answers would be for
Q1: as Long certificate with foo.example.org is valid serve this, if not fallback to wildcard.

Q2: newest wins, because of certificate rotation

@jpeach
Copy link
Contributor Author

jpeach commented Sep 4, 2020

A while ago I implemented a best match certificate function in our Kube-ingress-aws-controller and so I would like to ask how you would resolve multiple cert matches.
Q1)
Assume you have foo.example.org in the request and you have 2 certificates one for foo.example.org and the other with *.example.org.

The Listener docs specify that these should be matched from most to least specific. foo.example.org is more specific than a wildcard, so it matches first.

https://github.com/kubernetes-sigs/service-apis/blob/master/apis/v1alpha1/gateway_types.go#L74-L80

Q2)
Assume you have foo.example.org in the request and you have 2 certificates one for foo.example.org and the other foo.example.org, but validity is different. For example the first is valid for the next 20d started from 90d-20d and the other for 90d which was just issued.

AFAIK this isn't addressed anywhere in the API, so it's implementation-specific.

@szuecs
Copy link

szuecs commented Sep 4, 2020

Thanks for the answers!

@robscott robscott added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Sep 24, 2020
@hbagdi hbagdi mentioned this issue Oct 29, 2020
Merged
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 23, 2020
@hbagdi
Copy link
Contributor

hbagdi commented Jan 12, 2021

Fixed with #416
/close

@k8s-ci-robot
Copy link
Contributor

@hbagdi: Closing this issue.

In response to this:

Fixed with #416
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bowei bowei

Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. priority/backlog Higher priority than priority/awaiting-more-evidence.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@jpeach @szuecs @robscott @bowei @hbagdi @k8s-ci-robot @fejta-bot