Add wildcard hostname support

Until now, users were only able to use hostnames without wildcards, limiting their options.

We now support wildcard hostnames for HTTPRoutes and Gateway listeners.

Author: sjberman

docs/gateway-api-compatibility.md

@@ -57,7 +57,7 @@ Fields:
     * `gatewayClassName` - supported.
     * `listeners`
         * `name` - supported.
-        * `hostname` - partially supported. Wildcard hostnames like `*.example.com` are not yet supported.
+        * `hostname` - supported.
         * `port` - supported. 
         * `protocol` - partially supported. Allowed values: `HTTP`, `HTTPS`.
         * `tls`
@@ -101,7 +101,7 @@ Fields:
 Fields:
 * `spec`
   * `parentRefs` - partially supported. Port not supported.
-  * `hostnames` - partially supported. Wildcard binding is not supported: a hostname like `example.com` will not bind to a listener with the hostname `*.example.com`. However, `example.com` will bind to a listener with the empty hostname.
+  * `hostnames` - supported.
   * `rules`
     * `matches`
       * `path` - partially supported. Only `PathPrefix` and `Exact` types.

examples/cafe-example/README.md

@@ -70,3 +70,26 @@ curl --resolve cafe.example.com:$GW_PORT:$GW_IP http://cafe.example.com:$GW_PORT
 Server address: 10.12.0.19:80
 Server name: tea-7cd44fcb4d-xfw2x
 ```
+
+## 5. Using different hostnames
+
+Traffic is allowed to `cafe.example.com` because the Gateway listener's hostname allows `*.example.com`. You can
+change an HTTPRoute's hostname to something that matches this wildcard and still pass traffic.
+
+For example, run the following command to open your editor and change the HTTPRoute's hostname to `foo.example.com`.
+
+```
+kubectl -n default edit httproute tea
+```
+
+Once changed, update the `curl` command above for the `tea` service to use the new hostname. Traffic should still pass successfully.
+
+Likewise, if you change the Gateway listener's hostname to something else, you can prevent the HTTPRoute's traffic from passing successfully.
+
+For example, run the following to open your editor and change the Gateway listener's hostname to `bar.example.com`:
+
+```
+kubectl -n default edit gateway gateway
+```
+
+Once changed, try running the same `curl` requests as above. They should be denied with a `404 Not Found`.

examples/cafe-example/gateway.yaml

@@ -10,3 +10,4 @@ spec:
   - name: http
     port: 80
     protocol: HTTP
+    hostname: "*.example.com"

internal/state/dataplane/configuration.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"sort"
+	"strings"
 
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/gateway-api/apis/v1beta1"
@@ -567,20 +568,9 @@ func convertPathType(pathType v1beta1.PathMatchType) PathType {
 	}
 }
 
-// listenerHostnameMoreSpecific returns true if host1 is more specific than host2 (using length).
+// listenerHostnameMoreSpecific returns true if host1 is more specific than host2.
 //
-// Since the only caller of this function specifies listener hostnames that are both
-// bound to the same route hostname, this function assumes that host1 and host2 match, either
-// exactly or as a substring.
-//
-// For example:
-// - foo.example.com and "" (host1 wins)
-// Non-example:
-// - foo.example.com and bar.example.com (should not be given to this function)
-//
-// As we add regex support, we should put in the proper
-// validation and error handling for this function to ensure that the hostnames are actually matching,
-// to avoid the unintended inputs above for the invalid case.
+// This function assumes that host1 and host2 match, either exactly or as a substring.
 func listenerHostnameMoreSpecific(host1, host2 *v1beta1.Hostname) bool {
 	var host1Str, host2Str string
 	if host1 != nil {
@@ -591,5 +581,15 @@ func listenerHostnameMoreSpecific(host1, host2 *v1beta1.Hostname) bool {
 		host2Str = string(*host2)
 	}
 
+	host1Segments := len(strings.Split(host1Str, "."))
+	host2Segments := len(strings.Split(host2Str, "."))
+	if host1Segments > host2Segments {
+		return true
+	}
+
+	if host2Segments > host1Segments {
+		return false
+	}
+
 	return len(host1Str) >= len(host2Str)
 }

internal/state/dataplane/configuration_test.go

@@ -2029,15 +2029,29 @@ func TestHostnameMoreSpecific(t *testing.T) {
 			msg:       "host1 has value; host2 empty",
 		},
 		{
-			host1:     helpers.GetPointer(v1beta1.Hostname("example.com")),
+			host1:     helpers.GetPointer(v1beta1.Hostname("foo.bar.example.com")),
 			host2:     helpers.GetPointer(v1beta1.Hostname("foo.example.com")),
+			host1Wins: true,
+			msg:       "host1 has more segments than host2",
+		},
+		{
+			host1:     helpers.GetPointer(v1beta1.Hostname("somelongname.example.com")),
+			host2:     helpers.GetPointer(v1beta1.Hostname("foo.bar.example.com")),
+			host1Wins: false,
+			msg:       "host2 has more segments than host1",
+		},
+		{
+			host1:     helpers.GetPointer(v1beta1.Hostname("example.com")),
+			host2:     helpers.GetPointer(v1beta1.Hostname("longerexample.com")),
 			host1Wins: false,
 			msg:       "host2 longer than host1",
 		},
 	}
 
 	for _, tc := range tests {
-		g.Expect(listenerHostnameMoreSpecific(tc.host1, tc.host2)).To(Equal(tc.host1Wins), tc.msg)
+		t.Run(tc.msg, func(t *testing.T) {
+			g.Expect(listenerHostnameMoreSpecific(tc.host1, tc.host2)).To(Equal(tc.host1Wins))
+		})
 	}
 }
 

internal/state/graph/gateway_listener_test.go

@@ -222,7 +222,7 @@ func TestValidateListenerHostname(t *testing.T) {
 		},
 		{
 			hostname:  (*v1beta1.Hostname)(helpers.GetStringPointer("*.example.com")),
-			expectErr: true,
+			expectErr: false,
 			name:      "wildcard hostname",
 		},
 		{

internal/state/graph/httproute.go

@@ -3,6 +3,7 @@ package graph
 import (
 	"errors"
 	"fmt"
+	"strings"
 
 	apiv1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -405,20 +406,31 @@ func findAcceptedHostnames(listenerHostname *v1beta1.Hostname, routeHostnames []
 		if hostname == "" {
 			return true
 		}
-		return string(h) == hostname
+
+		routeHost := string(h)
+		return routeHost == hostname || wildcardMatch(hostname, routeHost) || wildcardMatch(routeHost, hostname)
 	}
 
 	var result []string
 
 	for _, h := range routeHostnames {
 		if match(h) {
-			result = append(result, string(h))
+			if len(hostname) > len(h) {
+				result = append(result, hostname)
+			} else {
+				result = append(result, string(h))
+			}
 		}
 	}
 
 	return result
 }
 
+// wildcardMatch checks if host1 is a wildcard host, and if so, checks if host2 is a match for that wildcard.
+func wildcardMatch(host1, host2 string) bool {
+	return strings.HasPrefix(host1, "*.") && strings.HasSuffix(host2, strings.TrimPrefix(host1, "*"))
+}
+
 func routeAllowedByListener(
 	listener *Listener,
 	routeNS,

internal/state/graph/httproute_test.go

@@ -1217,6 +1217,7 @@ func TestBindRouteToListeners(t *testing.T) {
 func TestFindAcceptedHostnames(t *testing.T) {
 	var listenerHostnameFoo v1beta1.Hostname = "foo.example.com"
 	var listenerHostnameCafe v1beta1.Hostname = "cafe.example.com"
+	var listenerHostnameWildcard v1beta1.Hostname = "*.example.com"
 	routeHostnames := []v1beta1.Hostname{"foo.example.com", "bar.example.com"}
 
 	tests := []struct {
@@ -1255,6 +1256,30 @@ func TestFindAcceptedHostnames(t *testing.T) {
 			expected:         []string{wildcardHostname},
 			msg:              "both listener and route have empty hostnames",
 		},
+		{
+			listenerHostname: &listenerHostnameWildcard,
+			routeHostnames:   routeHostnames,
+			expected:         []string{"foo.example.com", "bar.example.com"},
+			msg:              "listener wildcard hostname",
+		},
+		{
+			listenerHostname: &listenerHostnameFoo,
+			routeHostnames:   []v1beta1.Hostname{"*.example.com"},
+			expected:         []string{"foo.example.com"},
+			msg:              "route wildcard hostname; specific listener hostname",
+		},
+		{
+			listenerHostname: &listenerHostnameWildcard,
+			routeHostnames:   nil,
+			expected:         []string{"*.example.com"},
+			msg:              "listener wildcard hostname; nil route hostname",
+		},
+		{
+			listenerHostname: nil,
+			routeHostnames:   []v1beta1.Hostname{"*.example.com"},
+			expected:         []string{"*.example.com"},
+			msg:              "route wildcard hostname; nil listener hostname",
+		},
 	}
 
 	for _, test := range tests {

internal/state/graph/validation.go

@@ -13,8 +13,13 @@ func validateHostname(hostname string) error {
 		return errors.New("cannot be empty string")
 	}
 
-	if strings.Contains(hostname, "*") {
-		return errors.New("wildcards are not supported")
+	if strings.HasPrefix(hostname, "*.") {
+		msgs := validation.IsWildcardDNS1123Subdomain(hostname)
+		if len(msgs) > 0 {
+			combined := strings.Join(msgs, ",")
+			return errors.New(combined)
+		}
+		return nil
 	}
 
 	msgs := validation.IsDNS1123Subdomain(hostname)

internal/state/graph/validation_test.go

@@ -24,7 +24,7 @@ func TestValidateHostname(t *testing.T) {
 		},
 		{
 			hostname:  "*.example.com",
-			expectErr: true,
+			expectErr: false,
 			name:      "wildcard hostname",
 		},
 		{