-
Notifications
You must be signed in to change notification settings - Fork 798
feat(controller): add wildcard subdomain support #4762
Conversation
labels.pop(0) | ||
if labels == settings.DEIS_DOMAIN.split('.'): | ||
raise serializers.ValidationError( | ||
"The wildcard domain {} would override the deis controller.".format(labels)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
b1dbbae
to
fc8b3fb
Compare
The main blocker why wildcard domain support was not added was due to logic like how Heroku handles wildcard domains:
Would you mind writing some logic to check that against others? This should be easy to do in serializers.py. |
Does that bit of the heroku validation make sense in deis? Heroku is obviously a multi-tenant platform, so it makes sense for them to block a user from piggy-backing on another users domain, but deis is explicitly not suitable for multi-tenant hosting, so I'm not sure if the same restrictions should apply? Adding checks like this could presumably make it impossible to add a wildcard domain in certain situations as well? Unless I'm misunderstanding, if a cluster had 2 apps with Nginx is always going to prefer a specific URL over a wildcard domain, so it's not like I could clobber an existing specific app domain used by another user... I'm wondering if clashes around this should be managed by an administrator rather than explicitly disallowed (which I think was suggested in #1608). What do you think? |
@obmarg it is applicable to deis. Deis apps all have an owner and optionally a list of privileged collaborators. If you are not on that list for a given app, you can not deploy, view or edit configuration, releases, etc., etc. Real life scenario: in a large org, a central devops team maintains a large deis cluster used for development by multiple depts. / lines of business. One area has created |
From the nginx docs:
So the exact scenario you described shouldn't be able to take place. I am sure there are similar situations that could take place with wildcard domains like |
Though actually, I guess that matching order means that I need to check for people adding |
The issue is that regex is the last thing to be matched and here is what an existing server / vhost definition looks like in the router:
|
Ah, I see - so I need to validate that wildcard domains couldn't match against the name of any apps not owned by the current user, as well as ensuring they're not going to clash with any custom domains not owned by the current user? |
You got it. |
Although having said that my code already disallows |
I think custom domain names are not matched using a regex (I'd have to double-check that, but I see no reason they would be), so if you're disallowing this for the platform domain, ya... I can see where maybe there isn't an issue after all. @bacongobbler ? |
Yes I don't think that's a problem. Here's the situation:
Some example requests:
With that in mind, I still think that in order for this PR to be 🚢'd we need to ensure all wildcard domains added do not clash with any domains not owned by the current user as @obmarg mentioned in #4762 (comment). To justify why this check is necessary, Deis is not a multi-tenant workflow yet (heck, we say that explicitly in the docs). However, I do believe that one of the main goals of Deis is to literally become an "open source Heroku" at some point, which would include ensuring that Deis can be run as a public SaaS. In those cases, having something like the rules which Heroku follows for domain ownership is crucial. To show a real-world example where this shows off why it's necessary for this check:
User 1: GET bar.car.com --> foo. "Yay! My app!" User 2 expected to be routed to their app named hello, but instead got sent to another user's app. This is not multi-tenant and which is why this check is necessary to accommodate that. |
This alters the check for wildcard subdomains in the controller to not explicitly disallow wildcard subdomains. It adds some basic checks to make sure the wildcard is at the start, and to make sure that there is no clash with any apps that are not being worked on by the current user. It also ensures that the wildcard domain can not obstruct the deis platform domain, as nginx always prefers wildcard domains over regex domains (which the controller and all apps use by default). I've been running wildcard domains in deis for some time by manually adding them into etcd, so I'm reasonably confident that the controller validation is the only thing preventing this from working. This fixes deis#1608.
fc8b3fb
to
d6dc96e
Compare
Ok, so I've updated this with a relatively simple bit of validation to avoid clashes with wildcard subdomains. It goes through each of the existing domains to check if any other domains share the same prefix, and rejects if they do (and the user does not have permissions to the clashing app). I did remove support for trailing wildcards as part of this, as they would have complicated the logic a fair bit, and I wasn't confident in getting things right if I kept them in. |
Any update on this? |
Working on it currently for v2 |
I think we should consider this for inclusion in the LTS release as well. /cc @mboersma |
@carmstrong if you need any testing of this feature or any help let me know and I could probably allocate some time to help. Currently we use a script to query our DNS records to set all of the |
looks good enough for a first pass. |
Code LGTM, but I'd like someone on the LTS team to manually test this. |
attn: @helgi. If this gets into LTS, and it looks like it will, we will have to port this forward to v2. Just an fyi. I think you've already been thinking about this. |
I don't think this handles one specific case. You are checking that the addition of a wildcard domain isn't going to obstruct access to an existing application unless they have the same owner, but I believe the inverse needs to be checked as well. Supposed Can anyone else (@bacongobbler?) verify that I'm reading that right? |
@krancour yes you are reading that correct. From one of my previous comments, that problem has yet to be resolved. Only owners of the wildcard domain are allowed to add specific subdomains to their applications. I think we'll need to do that validation logic before merging this in. |
Removing the awaiting review label since we've established that there are edge cases that need to be handled before we could consider merging this. |
@bacongobbler I'm not going to be spending any more time on this. Close away |
This alters the check for wildcard subdomains in the controller to not
explicitly disallow wildcard subdomains. It adds some basic checks to
make sure the wildcard is at the start or end, as nginx doesn't support
wildcards anywhere else. It also ensures that the wildcard domain can
not obstruct the deis controller domain, as nginx always prefers
wildcard domains over regex domains (which the controller uses).
I've been running wildcard domains in deis for some time by manually
adding them into etcd, so I'm reasonably confident that the controller
validation is the only thing preventing this from working.
This fixes #1608.
EDIT (@bacongobbler): also closes #4685