wc support (F5Networks#2124)

pmaddev · Dec 1, 2021 · 75cc2cb · 75cc2cb
1 parent bf71684
commit 75cc2cb
Show file tree

Hide file tree

Showing 12 changed files with 117 additions and 10 deletions.
diff --git a/docs/RELEASE-NOTES.rst b/docs/RELEASE-NOTES.rst
@@ -15,6 +15,7 @@ Bug Fixes
 * :issues:`1918` ExternalDNS adds both VSs to a Wide IP pool.
 * :issues:`1873` Enable /metrics endpoint with crd mode.
 * :issues:`1659` Report "status" of TransportServer CRD
+* :issues:`2006` Add support for Wildcard domain name with TLSProfile and VirtualServer
 
 2.6.1
 -------------

diff --git a/...ig_examples/customResource/VirtualServer/virtual-with-wildcard-domain/README.md b/...ig_examples/customResource/VirtualServer/virtual-with-wildcard-domain/README.md
@@ -0,0 +1,10 @@
+# Virtual Server with Wildcard Domain
+
+This section demonstrates the option to configure virtual server using Wildcard Host .
+
+## tls-with-wildcardhost.yaml
+By deploying this yaml file in your cluster, CIS will create a TLSProfile with wildcrad domain name.
+
+## virtual-with-wildcardhost.yaml
+
+By deploying this yaml file in your cluster, CIS will create a Virtual Server on BIG-IP with wildcard domain name.
diff --git a/...ples/customResource/VirtualServer/virtual-with-wildcard-domain/tls-with-wildcardhost.yaml b/...ples/customResource/VirtualServer/virtual-with-wildcard-domain/tls-with-wildcardhost.yaml
@@ -0,0 +1,14 @@
+apiVersion: cis.f5.com/v1
+kind: TLSProfile
+metadata:
+  labels:
+    f5cr: "true"
+  name: cr-tls-foo-svc-1
+  namespace: default
+spec:
+  hosts:
+    - '*.foo.com'
+  tls:
+    clientSSL: foo-secret
+    reference: secret
+    termination: edge
diff --git a/.../customResource/VirtualServer/virtual-with-wildcard-domain/virtual-with-wildcardhost.yaml b/.../customResource/VirtualServer/virtual-with-wildcard-domain/virtual-with-wildcardhost.yaml
@@ -0,0 +1,25 @@
+apiVersion: cis.f5.com/v1
+kind: VirtualServer
+metadata:
+  labels:
+    f5cr: "true"
+  name: cr-vs-foo-svc-1
+  namespace: default
+spec:
+  allowVlans: []
+  host: '*.foo.com'
+  httpTraffic: none
+  iRules: []
+  pools:
+    - monitor:
+        interval: 20
+        recv: ""
+        send: /
+        timeout: 10
+        type: http
+      path: /foo
+      service: svc-1
+      servicePort: 80
+  snat: auto
+  tlsProfileName: cr-tls-foo-svc-1
+  virtualServerAddress: 10.8.0.252
diff --git a/docs/config_examples/customResourceDefinations/customresourcedefinitions.yml b/docs/config_examples/customResourceDefinations/customresourcedefinitions.yml
@@ -25,7 +25,7 @@ spec:
               properties:
                 host:
                   type: string
-                  pattern: '^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$'
+                  pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$'
                 hostGroup:
                   type: string
                   pattern: '^([A-z0-9-_+])*([A-z0-9])$'
@@ -201,7 +201,7 @@ spec:
                   type: array
                   items:
                     type: string
-                    pattern: '^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$'
+                    pattern: '^(([a-zA-Z0-9\*]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$'
                 tls:
                   type: object
                   properties:

diff --git a/pkg/crmanager/backend.go b/pkg/crmanager/backend.go
@@ -631,6 +631,9 @@ func createRuleCondition(rl *Rule, rulesData *as3Rule, port int) {
 			if c.Equals {
 				condition.All.Operand = "equals"
 			}
+			if c.EndsWith {
+				condition.All.Operand = "ends-with"
+			}
 		} else if c.PathSegment {
 			condition.PathSegment = &as3PolicyCompareString{
 				Values: c.Values,

diff --git a/pkg/crmanager/postManager.go b/pkg/crmanager/postManager.go
@@ -156,7 +156,7 @@ func (postMgr *PostManager) configWorker() {
 
 		select {
 		case postMgr.respChan <- respCfg.id:
-		case <- postMgr.respChan:
+		case <-postMgr.respChan:
 			postMgr.respChan <- respCfg.id
 		}
 
@@ -175,7 +175,6 @@ func (postMgr *PostManager) postOnEventOrTimeout(timeout time.Duration, cfg *age
 
 func (postMgr *PostManager) postConfig(cfg *agentConfig) (*agentConfig, bool) {
 	httpReqBody := bytes.NewBuffer([]byte(cfg.data))
-
 	req, err := http.NewRequest("POST", cfg.as3APIURL, httpReqBody)
 	if err != nil {
 		log.Errorf("[AS3] Creating new HTTP request error: %v ", err)

diff --git a/pkg/crmanager/postManager_test.go b/pkg/crmanager/postManager_test.go
@@ -19,7 +19,7 @@ var _ = Describe("PostManager Tests", func() {
 	It("Write Config", func() {
 		mockPM.BIGIPURL = "bigip.com"
 		agentCfg := agentConfig{
-			data: "",
+			data:      "",
 			as3APIURL: mockPM.getAS3APIURL([]string{"test"}),
 			id:        0,
 		}
@@ -35,7 +35,7 @@ var _ = Describe("PostManager Tests", func() {
 			mockPM.BIGIPUsername = "user"
 			mockPM.BIGIPPassword = "pswd"
 			agentCfg := agentConfig{
-				data: "{}",
+				data:      "{}",
 				as3APIURL: mockPM.getAS3APIURL([]string{"test"}),
 				id:        0,
 			}

diff --git a/pkg/crmanager/resourceConfig.go b/pkg/crmanager/resourceConfig.go
@@ -327,6 +327,9 @@ func formatPolicyName(hostname, hostGroup, name string) string {
 	if hostGroup != "" {
 		host = hostGroup
 	}
+	if strings.HasPrefix(host, "*") {
+		host = strings.Replace(host, "*", "wildcard", 1)
+	}
 	policyName := fmt.Sprintf("%s_%s_%s", name, host, "policy")
 	return AS3NameFormatter(policyName)
 }

diff --git a/pkg/crmanager/responseHandler.go b/pkg/crmanager/responseHandler.go
@@ -42,7 +42,7 @@ func (crMgr *CRManager) enqueueReq(config ResourceConfigWrapper) {
 }
 
 func (crMgr *CRManager) responseHandler(respChan chan int) {
-	crMgr.requestQueue = &requestQueueData{sync.Mutex{},list.New()}
+	crMgr.requestQueue = &requestQueueData{sync.Mutex{}, list.New()}
 
 	for id := range respChan {
 		var rm requestMeta
@@ -99,4 +99,3 @@ func (crMgr *CRManager) responseHandler(respChan chan int) {
 		}
 	}
 }
-
diff --git a/pkg/crmanager/routing.go b/pkg/crmanager/routing.go
@@ -166,6 +166,10 @@ func (crMgr *CRManager) prepareVirtualServerRules(
 func formatVirtualServerRuleName(hostname, hostGroup, path, pool string) string {
 	var rule string
 	host := hostname
+	//if wildcard vs
+	if strings.HasPrefix(host, "*") {
+		host = strings.Replace(host, "*", "wildcard", 1)
+	}
 	if hostGroup != "" {
 		host = hostGroup
 	}
@@ -495,11 +499,24 @@ func httpRedirectIRule(port int32, rsVSName string, partition string) string {
 			# Compares the hostpath with the entries in https_redirect_dg
 			for {set i $rc} {$i >= 0} {incr i -1} {
 				set paths [class match -value $host equals %[1]s]
+                # Check if host has wildcard match to https_redirect_dg
+                if {$paths == ""} {
+                    if { [class match $host ends_with %[1]s] } {
+                        set paths [class match -value $host ends_with %[1]s]
+                    }
+                }
 				# Check if host with combination of "/" matches https_redirect_dg
 				if {$paths == ""} {
 					set hosts ""
 					append hosts $host "/"
 					set paths [class match -value $hosts equals %[1]s]
+                    if {$paths == ""} {
+                        # Check if host with combination of "/" has wildcard
+                        # match with https_redirect_dg
+                        if { [class match $hosts ends_with %[1]s] } {
+                            set paths [class match -value $hosts ends_with %[1]s]
+                        }
+                    }
 				}
 				# Trim the uri to last slash
 				if {$paths == ""} {
@@ -697,13 +714,25 @@ func (crMgr *CRManager) getTLSIRule(rsVSName string) string {
 					for {set i $rc} {$i >= 0} {incr i -1} {
 						if { [class exists $reencrypt_class] } {
 							set reen_pool [class match -value $routepath equals $reencrypt_class]
+                            # Check for wildcard domain
+                            if { $reen_pool equals "" } {
+							    if { [class match $routepath ends_with $reencrypt_class] } {
+							        set reen_pool [class match -value $routepath ends_with $reencrypt_class]
+                                }
+                            }
 							if { not ($reen_pool equals "") } {
 								set dflt_pool $reen_pool
 								SSL::enable serverside
 							}
 						}
 						if { [class exists $edge_class] } {
 							set edge_pool [class match -value $routepath equals $edge_class]
+                            # Check for wildcard domain
+                            if { $edge_pool equals "" } {
+							    if { [class match $routepath ends_with $edge_class] } {
+							        set edge_pool [class match -value $routepath ends_with $edge_class]
+							    }
+                            }
 							if { not ($edge_pool equals "") } {
 							    set dflt_pool $edge_pool
 							}
@@ -751,12 +780,24 @@ func (crMgr *CRManager) getTLSIRule(rsVSName string) string {
 				for {set i $rc} {$i >= 0} {incr i -1} {
 					if { [class exists $reencryptssl_class] } {
 						set reen [class match -value $sslpath equals $reencryptssl_class]
+                        # check for wildcard domain match
+                        if { $reen equals "" } {
+						    if { [class match $sslpath ends_with $reencryptssl_class] } {
+						        set reen [class match -value $sslpath ends_with $reencryptssl_class]
+						    }
+                        }
 						if { not ($reen equals "") } {
 							    set sslprofile $reen
 						}
 					}
 					if { [class exists $edgessl_class] } {
 						set edge [class match -value $sslpath equals $edgessl_class]
+                        # check for wildcard domain match
+                        if { $edge equals "" } {
+						    if { [class match $sslpath ends_with $edgessl_class] } {
+						        set edge [class match -value $sslpath ends_with $edgessl_class]
+						    }
+                        }
 						if { not ($edge equals "") } {
 							    set sslprofile $edge
 						}
@@ -870,6 +911,10 @@ func updateDataGroup(
 	key string,
 	value string,
 ) {
+	//for wildcard host
+	if strings.HasPrefix(key, "*") {
+		key = strings.TrimPrefix(key, "*")
+	}
 	mapKey := NameRef{
 		Name:      name,
 		Partition: partition,

diff --git a/pkg/crmanager/worker.go b/pkg/crmanager/worker.go
@@ -656,6 +656,14 @@ func (crMgr *CRManager) getTLSProfileForVirtualServer(
 			// TLSProfile Object
 			return tlsProfile
 		}
+		// check for wildcard match
+		if strings.HasPrefix(host, "*") {
+			host = strings.TrimPrefix(host, "*")
+			if strings.HasSuffix(vs.Spec.Host, host) {
+				// TLSProfile Object
+				return tlsProfile
+			}
+		}
 	}
 	log.Errorf("TLSProfile %s with host %s does not match with virtual server %s host.", tlsName, vs.Spec.Host, vs.ObjectMeta.Name)
 	return nil
@@ -2458,8 +2466,8 @@ func (crMgr *CRManager) updateVirtualServerStatus(vs *cisapiv1.VirtualServer, ip
 //Update Transport server status with virtual server address
 func (crMgr *CRManager) updateTransportServerStatus(ts *cisapiv1.TransportServer, ip string, statusOk string) {
 	// Set the vs status to include the virtual IP address
-	tsStatus := cisapiv1.TransportServerStatus{VSAddress: ip,StatusOk: statusOk}
-	log.Debugf("Updating TransportServerStatus with %v", tsStatus )
+	tsStatus := cisapiv1.TransportServerStatus{VSAddress: ip, StatusOk: statusOk}
+	log.Debugf("Updating TransportServerStatus with %v", tsStatus)
 	ts.Status = tsStatus
 	ts.Status.VSAddress = ip
 	ts.Status.StatusOk = statusOk