This repository was archived by the owner on Apr 30, 2025. It is now read-only.

Hairpinning allowlist#324

Merged
geofffranks merged 7 commits intocloudfoundry:mainfrom
Mrizwanshaik:hairpinnig-allowlist
Aug 24, 2022

Conversation

@Mrizwanshaik
Contributor

@Mrizwanshaik Mrizwanshaik commented Aug 9, 2022

  • A short explanation of the proposed change:

Gorouter route service hairpinning / internal resolution had caused CVE-2019-3789. The main issue was that external domains can be hijacked by declaring an external domain as 'private domain' and mapping it to a route service, which would mask the request to the external resource.

In #281, we proposed to add an allowlist for route service host names that are allowed to be resolved internally via Gorouter's route registry.

This PR implements the new property and handling of allowlists.

  • An explanation of the use cases your change solves

This PR allows enabling Gorouter internal route service resolution / hairpinning for a subset of safe domains. This subset is defined in the allowlist and is under the operator's control.

  • Instructions to functionally test the behavior change using operator interfaces (BOSH manifest, logs, curl, and metrics)

The functionality is covered via unit tests.

Otherwise, a route service can be declared and the route's host added to the hairpinning allowlist. An app configured with the route service will result in a call to the route service resolved internally instead of externally. This should be visible, e.g. in the LB logs: i.e. the request issued by gorouter will not be shown on the LB.

  • Expected result after the change

When hairpinning is disabled, the behaviour remains the same as before, i.e. route service requests are carried out via external request. This is the default.

When hairpinning is enabled and an allowlist is set, only route service URLs whose host name matches one of the entries on the allowlist will be resolved internally. Other requests will be requested externally in order to avoid CVE-2019-3789.

When hairpinning is enabled and no allowlist is set, the allowlist is ignored and all route service requests that can be resolved internally via the route registrar are resolved internally. The Gorouter is subject to CVE-2019-3789.

  • Current result before the change

When hairpinning is disabled, all route service requests lead to external requests. This incurs another hop on the ingress and potential added delay of the overall request.

When hairpinning is enabled, all route service requests that can be resolved internally via the route registrar are resolved internally. The Gorouter is subject to CVE-2019-3789.

  • Links to any other associated PRs

  • I have viewed signed and have submitted the Contributor License Agreement

  • I have made this pull request to the main branch

  • I have run all the unit tests using scripts/run-unit-tests-in-docker from routing-release.

  • (Optional) I have run Routing Acceptance Tests and Routing Smoke Tests on bosh lite

  • (Optional) I have run CF Acceptance Tests on bosh lite
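The decision logic described in the "Expected result" section above (hairpinning disabled, enabled with an allowlist, enabled without an allowlist), as an added example in Go. This is not Gorouter's own code: the names `RouteServiceConfig`, `Registry`, `Decide` and `hostAllowed` are assumptions made for this illustration, and allowlist entries are matched as exact, case-insensitive host names.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RouteServiceConfig is a constructed stand-in for the operator-controlled
// settings discussed in the PR (hypothetical type, not Gorouter's own).
type RouteServiceConfig struct {
	HairpinningEnabled bool     // default false: every route service call goes out externally
	Allowlist          []string // host names that may be resolved via the route registry
}

// Registry is a minimal lookup of host names known to the route registry.
type Registry map[string]bool

// Decision says how a route service request will be carried out.
type Decision string

const (
	ResolveInternal Decision = "internal"
	ResolveExternal Decision = "external"
)

// hostAllowed reports whether host exactly matches an allowlist entry
// (case-insensitive). Exact matching is an assumption of this example.
func hostAllowed(host string, allowlist []string) bool {
	for _, entry := range allowlist {
		if strings.EqualFold(strings.TrimSpace(entry), host) {
			return true
		}
	}
	return false
}

// Decide mirrors the three cases in the PR description:
//   - hairpinning disabled: always external (the default);
//   - enabled with an allowlist: internal only for allowlisted hosts that the
//     registry knows, everything else external (mitigating CVE-2019-3789);
//   - enabled without an allowlist: internal for any host the registry knows.
func Decide(cfg RouteServiceConfig, reg Registry, routeServiceURL string) (Decision, error) {
	u, err := url.Parse(routeServiceURL)
	if err != nil {
		return "", err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", fmt.Errorf("route service URL %q has no host", routeServiceURL)
	}
	if !cfg.HairpinningEnabled {
		return ResolveExternal, nil
	}
	// A host the registry does not know cannot be resolved internally anyway.
	if !reg[host] {
		return ResolveExternal, nil
	}
	// With an allowlist configured, a registry hit alone is not enough:
	// the host must also be explicitly allowlisted by the operator.
	if len(cfg.Allowlist) > 0 && !hostAllowed(host, cfg.Allowlist) {
		return ResolveExternal, nil
	}
	return ResolveInternal, nil
}

func main() {
	// Constructed sample data: one trusted route service and one host that was
	// registered as a "private domain" but is not on the operator's allowlist.
	reg := Registry{"rs.internal.example": true, "api.partner.example": true}
	cfg := RouteServiceConfig{
		HairpinningEnabled: true,
		Allowlist:          []string{"rs.internal.example"},
	}
	for _, rs := range []string{
		"https://rs.internal.example/auth",
		"https://api.partner.example/v1",
		"https://unknown.example/",
	} {
		d, err := Decide(cfg, reg, rs)
		fmt.Printf("%-40s -> %s (err=%v)\n", rs, d, err)
	}
}
```

Running the block prints `internal` for the allowlisted route service and `external` for the other two; the registry hit for `api.partner.example` is not enough on its own once an allowlist is configured, which is exactly the masking scenario the allowlist is meant to close.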

@linux-foundation-easycla

linux-foundation-easycla bot commented Aug 9, 2022

CLA Signed

The committers listed above are authorized under a signed CLA.

@peanball peanball force-pushed the hairpinnig-allowlist branch 2 times, most recently from b375f40 to b59864f Compare August 10, 2022 14:48
@Mrizwanshaik Mrizwanshaik marked this pull request as ready for review August 11, 2022 07:40
@peanball peanball force-pushed the hairpinnig-allowlist branch from b59864f to c4ff757 Compare August 11, 2022 11:46
@peanball peanball deleted the hairpinnig-allowlist branch August 11, 2022 11:48
@Mrizwanshaik Mrizwanshaik changed the title Hairpinnig allowlist Hairpinning allowlist Aug 11, 2022
@peanball peanball restored the hairpinnig-allowlist branch August 11, 2022 11:51
@domdom82 domdom82 self-assigned this Aug 11, 2022
@peanball peanball force-pushed the hairpinnig-allowlist branch 2 times, most recently from 0bfdcf2 to 8135ee8 Compare August 11, 2022 16:01
@peanball peanball force-pushed the hairpinnig-allowlist branch from 8135ee8 to 90c3e73 Compare August 12, 2022 04:58
Alexander Lais and others added 2 commits August 12, 2022 10:50
Co-authored-by: Dominik Froehlich <Dominik.Frolic@gmail.com>