Merge pull request #11498 from openshift/revert-11201-wildcard-domain

Revert "Add router support for wildcard domains (*.foo.com)"

Author: smarterclayton

contrib/completions/bash/openshift

@@ -19753,10 +19753,6 @@ _openshift_infra_f5-router()
     flags_with_completion=()
     flags_completion=()
 
-    flags+=("--allow-wildcard-routes")
-    local_nonpersistent_flags+=("--allow-wildcard-routes")
-    flags+=("--allowed-domains=")
-    local_nonpersistent_flags+=("--allowed-domains=")
     flags+=("--as=")
     local_nonpersistent_flags+=("--as=")
     flags+=("--certificate-authority=")
@@ -19779,8 +19775,6 @@ _openshift_infra_f5-router()
     local_nonpersistent_flags+=("--config=")
     flags+=("--context=")
     local_nonpersistent_flags+=("--context=")
-    flags+=("--denied-domains=")
-    local_nonpersistent_flags+=("--denied-domains=")
     flags+=("--f5-host=")
     local_nonpersistent_flags+=("--f5-host=")
     flags+=("--f5-http-vserver=")
@@ -19896,10 +19890,6 @@ _openshift_infra_router()
     flags_with_completion=()
     flags_completion=()
 
-    flags+=("--allow-wildcard-routes")
-    local_nonpersistent_flags+=("--allow-wildcard-routes")
-    flags+=("--allowed-domains=")
-    local_nonpersistent_flags+=("--allowed-domains=")
     flags+=("--as=")
     local_nonpersistent_flags+=("--as=")
     flags+=("--certificate-authority=")
@@ -19928,8 +19918,6 @@ _openshift_infra_router()
     local_nonpersistent_flags+=("--default-certificate-dir=")
     flags+=("--default-certificate-path=")
     local_nonpersistent_flags+=("--default-certificate-path=")
-    flags+=("--denied-domains=")
-    local_nonpersistent_flags+=("--denied-domains=")
     flags+=("--extended-validation")
     local_nonpersistent_flags+=("--extended-validation")
     flags+=("--fields=")

contrib/completions/zsh/openshift

@@ -19914,10 +19914,6 @@ _openshift_infra_f5-router()
     flags_with_completion=()
     flags_completion=()
 
-    flags+=("--allow-wildcard-routes")
-    local_nonpersistent_flags+=("--allow-wildcard-routes")
-    flags+=("--allowed-domains=")
-    local_nonpersistent_flags+=("--allowed-domains=")
     flags+=("--as=")
     local_nonpersistent_flags+=("--as=")
     flags+=("--certificate-authority=")
@@ -19940,8 +19936,6 @@ _openshift_infra_f5-router()
     local_nonpersistent_flags+=("--config=")
     flags+=("--context=")
     local_nonpersistent_flags+=("--context=")
-    flags+=("--denied-domains=")
-    local_nonpersistent_flags+=("--denied-domains=")
     flags+=("--f5-host=")
     local_nonpersistent_flags+=("--f5-host=")
     flags+=("--f5-http-vserver=")
@@ -20057,10 +20051,6 @@ _openshift_infra_router()
     flags_with_completion=()
     flags_completion=()
 
-    flags+=("--allow-wildcard-routes")
-    local_nonpersistent_flags+=("--allow-wildcard-routes")
-    flags+=("--allowed-domains=")
-    local_nonpersistent_flags+=("--allowed-domains=")
     flags+=("--as=")
     local_nonpersistent_flags+=("--as=")
     flags+=("--certificate-authority=")
@@ -20089,8 +20079,6 @@ _openshift_infra_router()
     local_nonpersistent_flags+=("--default-certificate-dir=")
     flags+=("--default-certificate-path=")
     local_nonpersistent_flags+=("--default-certificate-path=")
-    flags+=("--denied-domains=")
-    local_nonpersistent_flags+=("--denied-domains=")
     flags+=("--extended-validation")
     local_nonpersistent_flags+=("--extended-validation")
     flags+=("--fields=")

docs/man/man1/openshift-infra-f5-router.1

@@ -23,14 +23,6 @@ You may restrict the set of routes exposed to a single project (with \-\-namespa
 
 
 .SH OPTIONS
-.PP
-\fB\-\-allow\-wildcard\-routes\fP=false
-    Allow wildcard host names for routes
-
-.PP
-\fB\-\-allowed\-domains\fP=[]
-    List of comma separated domains to allow in routes. If specified, only the domains in this list will be allowed routes. Note that domains in the denied list take precedence over the ones in the allowed list
-
 .PP
 \fB\-\-api\-version\fP=""
     DEPRECATED: The API version to use when talking to the server
@@ -63,10 +55,6 @@ You may restrict the set of routes exposed to a single project (with \-\-namespa
 \fB\-\-context\fP=""
     The name of the kubeconfig context to use
 
-.PP
-\fB\-\-denied\-domains\fP=[]
-    List of comma separated domains to deny in routes
-
 .PP
 \fB\-\-f5\-host\fP=""
     The host of F5 BIG\-IP's management interface

docs/man/man1/openshift-infra-router.1

@@ -29,14 +29,6 @@ You may restrict the set of routes exposed to a single project (with \-\-namespa
 
 
 .SH OPTIONS
-.PP
-\fB\-\-allow\-wildcard\-routes\fP=false
-    Allow wildcard host names for routes
-
-.PP
-\fB\-\-allowed\-domains\fP=[]
-    List of comma separated domains to allow in routes. If specified, only the domains in this list will be allowed routes. Note that domains in the denied list take precedence over the ones in the allowed list
-
 .PP
 \fB\-\-api\-version\fP=""
     DEPRECATED: The API version to use when talking to the server
@@ -81,10 +73,6 @@ You may restrict the set of routes exposed to a single project (with \-\-namespa
 \fB\-\-default\-certificate\-path\fP=""
     A path to default certificate to use for routes that don't expose a TLS server cert; in PEM format
 
-.PP
-\fB\-\-denied\-domains\fP=[]
-    List of comma separated domains to deny in routes
-
 .PP
 \fB\-\-extended\-validation\fP=true
     If set, then an additional extended validation step is performed on all routes admitted in by this router. Defaults to true and enables the extended validation checks.

images/router/haproxy/Dockerfile

@@ -16,7 +16,7 @@ RUN INSTALL_PKGS="haproxy" && \
     yum clean all && \
     mkdir -p /var/lib/haproxy/router/{certs,cacerts} && \
     mkdir -p /var/lib/haproxy/{conf,run,bin,log} && \
-    touch /var/lib/haproxy/conf/{{os_http_be,os_edge_http_be,os_tcp_be,os_sni_passthrough,os_reencrypt,os_edge_http_expose,os_edge_http_redirect,cert_config,os_wildcard_domain}.map,haproxy.config} && \
+    touch /var/lib/haproxy/conf/{{os_http_be,os_edge_http_be,os_tcp_be,os_sni_passthrough,os_reencrypt,os_edge_http_expose,os_edge_http_redirect,cert_config}.map,haproxy.config} && \
     chmod -R 777 /var && \
     setcap 'cap_net_bind_service=ep' /usr/sbin/haproxy
 

images/router/haproxy/conf/haproxy-config.template

@@ -109,36 +109,15 @@ frontend public
   acl secure_redirect base,map_beg(/var/lib/haproxy/conf/os_edge_http_redirect.map) -m found
   redirect scheme https if secure_redirect
 
-{{ if matchPattern "true|TRUE" (env "ROUTER_ALLOW_WILDCARD_ROUTES" "")}}
-  #  Check for wildcard domains with redirected http routes.
-  acl wildcard_domain hdr(host),map_reg(/var/lib/haproxy/conf/os_wildcard_domain.map) -m found
-
-  acl wildcard_secure_redirect base,map_reg(/var/lib/haproxy/conf/os_edge_http_redirect.map) -m found
-  redirect scheme https if wildcard_domain wildcard_secure_redirect
-
-{{ end }}
-
   # Check if it is an edge route exposed insecurely.
   acl edge_http_expose base,map_beg(/var/lib/haproxy/conf/os_edge_http_expose.map) -m found
   use_backend be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_expose.map)] if edge_http_expose
 
-  # map to http backend
-  # Search from most specific to general path (host case).
-  acl http_backend base,map_beg(/var/lib/haproxy/conf/os_http_be.map) -m found
-  use_backend be_http_%[base,map_beg(/var/lib/haproxy/conf/os_http_be.map)] if http_backend
-
-{{ if matchPattern "true|TRUE" (env "ROUTER_ALLOW_WILDCARD_ROUTES" "")}}
-  #  Check for wildcard domains with exposed http routes.
-  acl wildcard_edge_http_expose base,map_reg(/var/lib/haproxy/conf/os_edge_http_expose.map) -m found
-  use_backend be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_expose.map)] if wildcard_domain wildcard_edge_http_expose
-
   # map to http backend
   # Search from most specific to general path (host case).
   # Note: If no match, haproxy uses the default_backend, no other
   #       use_backend directives below this will be processed.
-  use_backend be_http_%[base,map_reg(/var/lib/haproxy/conf/os_http_be.map)] if wildcard_domain
-
-{{ end }}
+  use_backend be_http_%[base,map_beg(/var/lib/haproxy/conf/os_http_be.map)]
 
   default_backend openshift_default
 
@@ -155,15 +134,6 @@ frontend public_ssl
   acl sni_passthrough req.ssl_sni,map(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
   use_backend be_tcp_%[req.ssl_sni,map(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_passthrough
 
-{{ if matchPattern "true|TRUE" (env "ROUTER_ALLOW_WILDCARD_ROUTES" "")}}
-  #  Check for wildcard domains with passthrough.
-  acl sni_wildcard_domain req.ssl_sni,map_reg(/var/lib/haproxy/conf/os_wildcard_domain.map) -m found
-
-  acl sni_wildcard_passthrough req.ssl_sni,map_reg(/var/lib/haproxy/conf/os_sni_passthrough.map) -m found
-  use_backend be_tcp_%[req.ssl_sni,map_reg(/var/lib/haproxy/conf/os_tcp_be.map)] if sni sni_wildcard_domain sni_wildcard_passthrough
-
-{{ end }}
-
   # if the route is SNI and NOT passthrough enter the termination flow
   use_backend be_sni if sni
 
@@ -199,25 +169,11 @@ frontend fe_sni
   # Search from most specific to general path (host case).
   use_backend be_secure_%[base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt
 
-  # map to http backend
-  # Search from most specific to general path (host case).
-  acl http_backend base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map) -m found
-  use_backend be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)] if http_backend
-
-{{ if matchPattern "true|TRUE" (env "ROUTER_ALLOW_WILDCARD_ROUTES" "")}}
-  #  Check for wildcard domains with redirected or exposed http routes.
-  acl sni_wildcard_domain hdr(host),map_reg(/var/lib/haproxy/conf/os_wildcard_domain.map) -m found
-
-  acl wildcard_reencrypt base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map) -m found
-  use_backend be_secure_%[base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map)] if sni_wildcard_domain wildcard_reencrypt
-
   # map to http backend
   # Search from most specific to general path (host case).
   # Note: If no match, haproxy uses the default_backend, no other
   #       use_backend directives below this will be processed.
-  use_backend be_edge_http_%[base,map_reg(/var/lib/haproxy/conf/os_edge_http_be.map)] if sni_wildcard_domain
-
-{{ end }}
+  use_backend be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)]
 
   default_backend openshift_default
 
@@ -250,24 +206,11 @@ frontend fe_no_sni
   # Search from most specific to general path (host case).
   use_backend be_secure_%[base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt
 
-  # map to http backend
-  # Search from most specific to general path (host case).
-  acl edge_http_backend base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map) -m found
-  use_backend be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)] if edge_http_backend
-
-{{ if matchPattern "true|TRUE" (env "ROUTER_ALLOW_WILDCARD_ROUTES" "")}}
-  acl host_wildcard_domain req.ssl_sni,map_reg(/var/lib/haproxy/conf/os_wildcard_domain.map) -m found
-
-  acl host_reencrypt base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map) -m found
-  use_backend be_secure_%[base,map_reg(/var/lib/haproxy/conf/os_reencrypt.map)] if host_wildcard_domain host_reencrypt
-
   # map to http backend
   # Search from most specific to general path (host case).
   # Note: If no match, haproxy uses the default_backend, no other
   #       use_backend directives below this will be processed.
-  use_backend be_edge_http_%[base,map_reg(/var/lib/haproxy/conf/os_edge_http_be.map)] if host_wildcard_domain
-
-{{ end }}
+  use_backend be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)]
 
   default_backend openshift_default
 
@@ -387,8 +330,8 @@ backend be_edge_http_{{$cfgIdx}}
     {{ end }}{{/* end iterate over services */}}
   {{ end }}{{/* end if tls==edge/none */}}
 
-  {{ if eq $cfg.TLSTermination "passthrough" }}
 # Secure backend, pass through
+  {{ if eq $cfg.TLSTermination "passthrough" }}
 backend be_tcp_{{$cfgIdx}}
 {{ if ne (env "ROUTER_SYSLOG_ADDRESS" "") ""}}
   option tcplog
@@ -451,8 +394,8 @@ backend be_tcp_{{$cfgIdx}}
     {{ end }}{{/* end iterate over services*/}}
   {{ end }}{{/*end tls==passthrough*/}}
 
-  {{ if eq $cfg.TLSTermination "reencrypt" }}
 # Secure backend which requires re-encryption
+  {{ if eq $cfg.TLSTermination "reencrypt" }}
 backend be_secure_{{$cfgIdx}}
   mode http
   option redispatch
@@ -528,35 +471,14 @@ backend be_secure_{{$cfgIdx}}
 {{ end }}{{/* end haproxy config template */}}
 
 {{/*--------------------------------- END OF HAPROXY CONFIG, BELOW ARE MAPPING FILES ------------------------*/}}
-{{/*
-    os_wildcard_domain.map: contains a mapping of wildcard hosts for a
-			[sub]domain regexps. This map is used to check if
-			a host matches a [sub]domain with has wildcard support.
-*/}}
-{{ define "/var/lib/haproxy/conf/os_wildcard_domain.map" }}
-{{     if matchPattern "true|TRUE" (env "ROUTER_ALLOW_WILDCARD_ROUTES" "")}}
-{{       range $idx, $cfg := .State }}
-{{         if ne $cfg.Host ""}}
-{{           if $cfg.IsWildcard }}
-{{genDomainWildcardRegexp $cfg.Host "" true}} 1
-{{           end }}
-{{         end }}
-{{       end }}
-{{     end }}{{/* end if router allows wildcard routes */}}
-{{ end }}{{/* end wildcard domain map template */}}
-
 {{/*
     os_http_be.map: contains a mapping of www.example.com -> <service name>.  This map is used to discover the correct backend
                         by attaching a prefix (be_http_) by use_backend statements if acls are matched.
 */}}
 {{ define "/var/lib/haproxy/conf/os_http_be.map" }}
 {{     range $idx, $cfg := .State }}
 {{       if and (ne $cfg.Host "") (eq $cfg.TLSTermination "")}}
-{{         if $cfg.IsWildcard }}
-{{genDomainWildcardRegexp $cfg.Host $cfg.Path false}} {{$idx}}
-{{         else }}
 {{$cfg.Host}}{{$cfg.Path}} {{$idx}}
-{{         end }}
 {{       end }}
 {{     end }}
 {{ end }}{{/* end http host map template */}}
@@ -568,11 +490,7 @@ backend be_secure_{{$cfgIdx}}
 {{ define "/var/lib/haproxy/conf/os_edge_http_be.map" }}
 {{     range $idx, $cfg := .State }}
 {{       if and (ne $cfg.Host "") (eq $cfg.TLSTermination "edge")}}
-{{         if $cfg.IsWildcard }}
-{{genDomainWildcardRegexp $cfg.Host $cfg.Path false}} {{$idx}}
-{{         else }}
 {{$cfg.Host}}{{$cfg.Path}} {{$idx}}
-{{         end }}
 {{       end }}
 {{     end }}
 {{ end }}{{/* end edge http host map template */}}
@@ -585,11 +503,7 @@ backend be_secure_{{$cfgIdx}}
 {{ define "/var/lib/haproxy/conf/os_edge_http_expose.map" }}
 {{     range $idx, $cfg := .State }}
 {{       if and (ne $cfg.Host "") (and (eq $cfg.TLSTermination "edge") (eq $cfg.InsecureEdgeTerminationPolicy "Allow"))}}
-{{         if $cfg.IsWildcard }}
-{{genDomainWildcardRegexp $cfg.Host $cfg.Path false}} {{$idx}}
-{{         else }}
 {{$cfg.Host}}{{$cfg.Path}} {{$idx}}
-{{         end }}
 {{       end }}
 {{     end }}
 {{ end }}{{/* end edge insecure expose http host map template */}}
@@ -602,11 +516,7 @@ backend be_secure_{{$cfgIdx}}
 {{ define "/var/lib/haproxy/conf/os_edge_http_redirect.map" }}
 {{     range $idx, $cfg := .State }}
 {{       if and (ne $cfg.Host "") (and (eq $cfg.TLSTermination "edge") (eq $cfg.InsecureEdgeTerminationPolicy "Redirect"))}}
-{{         if $cfg.IsWildcard }}
-{{genDomainWildcardRegexp $cfg.Host $cfg.Path false}} {{$idx}}
-{{         else }}
 {{$cfg.Host}}{{$cfg.Path}} {{$idx}}
-{{         end }}
 {{       end }}
 {{     end }}
 {{ end }}{{/* end edge insecure redirect http host map template */}}
@@ -619,11 +529,7 @@ backend be_secure_{{$cfgIdx}}
 {{ define "/var/lib/haproxy/conf/os_tcp_be.map" }}
 {{     range $idx, $cfg := .State }}
 {{       if and (eq $cfg.Path "") (and (ne $cfg.Host "") (or (eq $cfg.TLSTermination "passthrough") (eq $cfg.TLSTermination "reencrypt"))) }}
-{{         if $cfg.IsWildcard }}
-{{genDomainWildcardRegexp $cfg.Host "" true}} {{$idx}}
-{{         else }}
 {{$cfg.Host}} {{$idx}}
-{{         end }}
 {{       end }}
 {{     end }}
 {{ end }}{{/* end tcp host map template */}}
@@ -635,11 +541,7 @@ backend be_secure_{{$cfgIdx}}
 {{ define "/var/lib/haproxy/conf/os_sni_passthrough.map" }}
 {{     range $idx, $cfg := .State }}
 {{       if and (eq $cfg.Path "") (eq $cfg.TLSTermination "passthrough") }}
-{{         if $cfg.IsWildcard }}
-{{genDomainWildcardRegexp $cfg.Host "" true}} {{$idx}}
-{{         else }}
 {{$cfg.Host}} 1
-{{         end }}
 {{       end }}
 {{     end }}
 {{ end }}{{/* end sni passthrough map template */}}
@@ -652,11 +554,7 @@ backend be_secure_{{$cfgIdx}}
 {{ define "/var/lib/haproxy/conf/os_reencrypt.map" }}
 {{     range $idx, $cfg := .State }}
 {{       if and (ne $cfg.Host "") (eq $cfg.TLSTermination "reencrypt") }}
-{{         if $cfg.IsWildcard }}
-{{genDomainWildcardRegexp $cfg.Host $cfg.Path false}} {{$idx}}
-{{         else }}
 {{$cfg.Host}}{{$cfg.Path}} {{$idx}}
-{{         end }}
 {{       end }}
 {{     end }}
 {{ end }}{{/* end reencrypt map template */}}