Aws-load-balancer-controller: Wildcard in host

Created on 6 Aug 2019  路  7Comments  路  Source: kubernetes-sigs/aws-load-balancer-controller

Hi all!
My issue is related on https://github.com/kubernetes-sigs/aws-alb-ingress-controller/issues/960

I've tried to use wildcard for setting the host:

  - host: 'api-*.*'
    http:
      paths:
      - path: /*
        backend:
          serviceName: api
          servicePort: 443

That regexp works in AWS (using aws console) but when I make 

kubectl apply -f ...

I get the issue

The Ingress "c" is invalid: spec.rules[1].host: Invalid value: "api-*.*": a wildcard DNS-1123 subdomain must start with '*.', followed by a valid DNS subdomain, which must consist of lower case alphanumeric characters, '-' or '.' and end with an alphanumeric character (e.g. '*.example.com', regex used for validation is '\*\.[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
picture s2504s
👍2

Most helpful comment

Interested in this as well.
Potentially allowing to specify listener rules in annotations instead of host. We're in the process of migrating legacy workloads to EKS, and use weighted r53 DNS records to achieve no downtime traffic shifting of public facing endpoints.

The issue is that having component*.example.com complains in k8s about the DNS name not conforming to RFC spec.
As the AWS api & ALB's support this format for listener rules for host header checks, there should really be an option to define listener rules via annotations to avoid clashing with Kubernetes APIs.

As it stands, we've to either allow too broad a hostname range, or manage DNS manually which is far from ideal.
As AWS advertise alb-ingress-controller as their method of achieving ALB provisioning from k8s, their feedback / contribution would be appreciated.

picture omgapuppy on 16 Aug 2019
👍4

All 7 comments

Interested in this as well.
Potentially allowing to specify listener rules in annotations instead of host. We're in the process of migrating legacy workloads to EKS, and use weighted r53 DNS records to achieve no downtime traffic shifting of public facing endpoints.

The issue is that having component*.example.com complains in k8s about the DNS name not conforming to RFC spec.
As the AWS api & ALB's support this format for listener rules for host header checks, there should really be an option to define listener rules via annotations to avoid clashing with Kubernetes APIs.

As it stands, we've to either allow too broad a hostname range, or manage DNS manually which is far from ideal.
As AWS advertise alb-ingress-controller as their method of achieving ALB provisioning from k8s, their feedback / contribution would be appreciated.

omgapuppy picture omgapuppy on 16 Aug 2019
👍4

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

fejta-bot picture fejta-bot on 14 Nov 2019

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

fejta-bot picture fejta-bot on 14 Dec 2019

/remove-lifecycle rotten

s2504s picture s2504s on 15 Dec 2019

This would greatly simplify configurations...

jmcdonagh picture jmcdonagh on 21 Feb 2020

@jmcdonagh @s2504s
It's forbidden by Ingress's spec. With https://github.com/kubernetes-sigs/aws-alb-ingress-controller/pull/1088 (it's in v1.1.5), we are supporting this (Note: it's not standard Ingress usage, but there is no standard Ingress nowadays..... :D)

M00nF1sh picture M00nF1sh on 21 Feb 2020

variant A: use a real service. (conditions is matched against service name)

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "2048-ingress"
  namespace: "2048-game"
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/conditions.service-2048: >
      [{"Field":"host-header","HostHeaderConfig":{"Values":["api-*.*"]}}]
  labels:
    app: 2048-ingress
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: "service-2048"
              servicePort: 80

variant B: use a fake Service.(conditions is matched against service name), so the only the first path got the extra host condition(while both of them are routed to same target group for service-2048). Disclaimer: I really don't like this hack personally, but it works for now

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "2048-ingress"
  namespace: "2048-game"
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/conditions.fake-service-2048: >
      [{"Field":"host-header","HostHeaderConfig":{"Values":["api-*.*"]}}]
    alb.ingress.kubernetes.io/actions.fake-service-2048: >
      {"Type":"forward","ForwardConfig":{"TargetGroups":[{"ServiceName":"service-2048","ServicePort":"80"}]}}
  labels:
    app: 2048-ingress
spec:
  rules:
    - http:
        paths:
          - path: /path1
            backend:
              serviceName: "fake-service-2048"
              servicePort: use-annotation
          - path: /path2
            backend:
              serviceName: service-2048
              servicePort: 80
M00nF1sh picture M00nF1sh on 21 Feb 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ishaannarang picture ishaannarang  路  5Comments
JakubJecminek picture JakubJecminek  路  5Comments
gigi-at-zymergen picture gigi-at-zymergen  路  5Comments
brylex418 picture brylex418  路  4Comments
rdubya16 picture rdubya16  路  4Comments