From 67412ab0b4da9534ee2fd6b7bff0982767cf1f58 Mon Sep 17 00:00:00 2001
From: Dominik Froehlich
Date: Mon, 22 Jan 2024 17:13:05 +0100
Subject: [PATCH] feat: Add route_services_internal_server_port property.
---
 jobs/gorouter/spec | 3 +++
 jobs/gorouter/templates/pre-start.erb | 1 +
 spec/gorouter_templates_spec.rb | 16 ++++++++++++----
 src/code.cloudfoundry.org/gorouter | 2 +-
 4 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 30f535b82..b48951aa4 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -243,6 +243,9 @@ properties:
 router.route_services_internal_lookup_allowlist:
 description: "a list of host names for route services that should be resolved internally. Each entry can be a fully qualified domain name or DNS wildcard (i.e. wildcard on 1 segment of a subdomain). If the list is empty, it is not in effect and internal lookup will be attempted for all host names, which can lead to CVE-2019-3789. Please turn on internal lookup only with an allowlist."
 default: []
+ router.route_services_internal_server_port:
+ description: "Gorouter will use this port for internal route services."
+ default: 7070
 router.route_services_secret_decrypt_only:
 description: "To rotate keys, add your new key here and deploy. Then swap this key with the value of route_services_secret and deploy again."
 default: ""
diff --git a/jobs/gorouter/templates/pre-start.erb b/jobs/gorouter/templates/pre-start.erb
index e2a7ce5cd..601f7aa53 100644
--- a/jobs/gorouter/templates/pre-start.erb
+++ b/jobs/gorouter/templates/pre-start.erb
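Review bot: Nothing in this patch feeds `router.route_services_internal_server_port` into the rendered gorouter configuration — the diffstat lists only the job spec, pre-start.erb, the template spec and the submodule bump — so unless the config template is wired up in another change, a non-default value alters the port that pre-start reserves while the port the binary presumably binds stays at its built-in default, leaving the bound port unreserved and the reserved one unused. The default of 7070 is also the value the template spec used for `router.prometheus.port` until hunk @@ -1509 moves it to 7777; if the prometheus default is 7070 as well (not visible here), the two servers would collide out of the box, and the pre-start.erb hunk only reserves the port, it cannot detect that. The one-line description should say what the port is and what constrains it, e.g. `description: "Port Gorouter uses for its internal route services server. pre-start adds it to ip_local_reserved_ports; it must not collide with any other port configured on this VM (e.g. router.prometheus.port)."`.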
@@ -32,6 +32,7 @@ tee_output_to_sys_log "${LOG_DIR}" "pre-start" <%= p("router.logging.format.time
 ports.append(p("router.status.port")) # has default. will always exist.
 ports.append(p("router.status.routes.port")) # has default. will always exist.
 ports.append(p("router.tls_port")) # has default. will always exist.
+ ports.append(p("router.route_services_internal_server_port")) # has default. will always exist.
 if_p('router.status.tls.port') do |port|
 ports.append(port)
diff --git a/spec/gorouter_templates_spec.rb b/spec/gorouter_templates_spec.rb
index 5ff4f2e3c..51adb71ec 100644
--- a/spec/gorouter_templates_spec.rb
+++ b/spec/gorouter_templates_spec.rb
@@ -1509,7 +1509,7 @@
 { 'router' => { 'port' => 81, 'status' => { 'port' => 8081, 'tls' => {'port' => 8443}, },
- 'prometheus' => { 'port' => 7070 },
+ 'prometheus' => { 'port' => 7777 },
 'tls_port' => 442, 'debug_address' => '127.0.0.1:17003' } }
@@ -1518,7 +1518,7 @@
 context 'ip_local_reserved_ports' do
 it 'contains reserved ports in order' do
 rendered_template = template.render(properties)
- ports = '81,442,2822,2825,3457,3458,3459,3460,3461,7070,8081,8082,8443,8853,9100,14726,14727,14821,14822,14823,14824,14829,14830,14922,15821,17003,53035,53080'
+ ports = '81,442,2822,2825,3457,3458,3459,3460,3461,7070,7777,8081,8082,8443,8853,9100,14726,14727,14821,14822,14823,14824,14829,14830,14922,15821,17003,53035,53080'
 expect(rendered_template).to include("\"#{ports}\" > /proc/sys/net/ipv4/ip_local_reserved_ports")
 end
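Review bot: The expected reserved-port list in `it 'contains reserved ports in order'` is a hard-coded string that must be re-typed whenever a port is added — this patch alone rewrites four such strings across hunks @@ -1518, @@ -1526 and @@ -1535 — which makes the examples hard to review and easy to get silently wrong. Since every expected string is the same numeric-ascending list with one or two ports swapped, build it from a shared base instead: `let(:base_ports) { [81, 442, 2822, 2825, 3457, 3458, 3459, 3460, 3461, 8081, 8082, 8443, 8853, 9100, 14726, 14727, 14821, 14822, 14823, 14824, 14829, 14830, 14922, 15821, 17003, 53035, 53080] }` and `expect(rendered_template).to include("\"#{(base_ports + [7070, 7777]).sort.join(',')}\" > /proc/sys/net/ipv4/ip_local_reserved_ports")`, using `base_ports - [17003] + [7070, 7777]` for the 'meow' debug_address example and `base_ports + [7272, 7777]` for the non-default port example. The enclosing describe block begins before this hunk.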
@@ -1526,7 +1526,7 @@
 it 'skips that port' do
 properties['router'].delete('prometheus')
 rendered_template = template.render(properties)
- ports = '81,442,2822,2825,3457,3458,3459,3460,3461,8081,8082,8443,8853,9100,14726,14727,14821,14822,14823,14824,14829,14830,14922,15821,17003,53035,53080'
+ ports = '81,442,2822,2825,3457,3458,3459,3460,3461,7070,8081,8082,8443,8853,9100,14726,14727,14821,14822,14823,14824,14829,14830,14922,15821,17003,53035,53080'
 expect(rendered_template).to include("\"#{ports}\" > /proc/sys/net/ipv4/ip_local_reserved_ports")
 end
 end
@@ -1535,7 +1535,15 @@
 it 'skips that port' do
 properties['router']['debug_address'] = 'meow'
 rendered_template = template.render(properties)
- ports = '81,442,2822,2825,3457,3458,3459,3460,3461,7070,8081,8082,8443,8853,9100,14726,14727,14821,14822,14823,14824,14829,14830,14922,15821,53035,53080'
+ ports = '81,442,2822,2825,3457,3458,3459,3460,3461,7070,7777,8081,8082,8443,8853,9100,14726,14727,14821,14822,14823,14824,14829,14830,14922,15821,53035,53080'
+ expect(rendered_template).to include("\"#{ports}\" > /proc/sys/net/ipv4/ip_local_reserved_ports")
+ end
+ end
+ context 'when route_services_internal_server_port is set to a non-default value' do
+ it 'uses that port' do
+ properties['router']['route_services_internal_server_port'] = 7272
+ rendered_template = template.render(properties)
+ ports = '81,442,2822,2825,3457,3458,3459,3460,3461,7272,7777,8081,8082,8443,8853,9100,14726,14727,14821,14822,14823,14824,14829,14830,14922,15821,17003,53035,53080'
 expect(rendered_template).to include("\"#{ports}\" > /proc/sys/net/ipv4/ip_local_reserved_ports")
 end
 end
diff --git a/src/code.cloudfoundry.org/gorouter b/src/code.cloudfoundry.org/gorouter
index 5da3cb96b..6e8fddab3 160000
--- a/src/code.cloudfoundry.org/gorouter
+++ b/src/code.cloudfoundry.org/gorouter
@@ -1 +1 @@
-Subproject commit 5da3cb96b7d13cb996b9771c1b2ee8c6a00ed7b7
+Subproject commit 6e8fddab36c982f9b1844786e83d2c18f90574b5