Checks for Host header when issuing selftest #168
1. Upon request to verifyDomain(), we record the domain that we would like to test for reachability
2. The selftest handler does a check on the Host header value against this domain name. It returns 200 if the domain is present, and 404 otherwise
3. Once the verifyDomain() test is done, this record is erased, ensuring that future requests to the selftest endpoint return 404
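An added example (not the PR's code or kube-lego's own) of the three steps in the description above: record the domain, answer the self-test by comparing the Host header against it, then erase the record. The `selfTest` type, `set`, `probe`, the `/selftest` path and the `example.test` names are hypothetical; it assumes one verification at a time and ignores a port in the Host header.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
)

// selfTest is a hypothetical type holding the one domain under verification.
type selfTest struct {
	pending atomic.Value // string; unset or "" when no verification is in flight
}

// set records the domain before the check; set("") erases it afterwards.
func (s *selfTest) set(domain string) { s.pending.Store(domain) }

// ServeHTTP returns 200 only if the Host header names the pending domain.
func (s *selfTest) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // assumption: a port in the Host header is ignored
	}
	p, _ := s.pending.Load().(string)
	if p == "" || !strings.EqualFold(host, p) {
		http.NotFound(w, r)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// probe sends a constructed request with the given Host; returns the status.
func probe(h http.Handler, host string) int {
	req := httptest.NewRequest(http.MethodGet, "/selftest", nil) // path assumed
	req.Host = host
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	st := &selfTest{}
	st.set("app.example.test") // constructed domain
	fmt.Println(probe(st, "app.example.test"), probe(st, "other.example.test"))
	st.set("") // verification finished: erase the record
	fmt.Println(probe(st, "app.example.test"))
}
```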
Why only make the
If the project owners give me the "Go!" signal, I certainly would go ahead and change this.
I can see a reason for both versions. I was just curious what your thought process was. Thanks for submitting a PR for this so quickly. I wish I had a little GO experience.
Thanks @lestrrat for your PR. I think the best solution would be to always return something. Maybe we just return a hash of ("$id:$host_header"). That would allow us to check @znorris's use case with the host header and we would also make sure we are talking to the same kube-lego instance. Can you take a look at the implementation @lestrrat?
@simonswine Hmm, I don't follow. I thought the original purpose was to make the error (of not setting the proper Host header) more explicit? So if the upstream sent us a bogus Host, we would catch it. If my above understanding is correct, my idea is to create a new PR where we change
If the upstream sends a host header and that host is not in our ingress controller, we should not reply back with a 200 OK. In my opinion, in the event an unknown host header is received we should either still respond, just not with a 200. I haven't dug into the code so it's hard for me to be more specific than that.
I think the check is only important for Nginx's self test. I think it's not a good idea to maintain a valid host-headers slice in kube-lego. @znorris Right now kube-lego returns on a call to the
In the future kube-lego should return on a call to the
This allows us to verify that the host header is forwarded to kube-lego during the self test. Hope that makes it clearer @lestrrat
@simonswine K, one last thing: whose instance ID are we talking about? kube-lego.Deployment.uid? kube-lego.Pod.uid? Or something else?
fixes #163