add DNS validation for annotation

networkop · networkop · commit 3c866bb413c7 · 2022-09-07T09:24:19.000+01:00
diff --git a/kubernetes.go b/kubernetes.go
@@ -7,6 +7,7 @@ import (
 	"net/netip"
 	"strings"
 
+	"github.com/miekg/dns"
 	nginx_v1 "github.com/nginxinc/kubernetes-ingress/pkg/apis/configuration/v1"
 	k8s_nginx "github.com/nginxinc/kubernetes-ingress/pkg/client/clientset/versioned"
 	core "k8s.io/api/core/v1"
@@ -335,7 +336,11 @@ func serviceHostnameIndexFunc(obj interface{}) ([]string, error) {
 
 	hostname := service.Name + "." + service.Namespace
 	if annotation, exists := service.Annotations[hostnameAnnotationKey]; exists {
-		hostname = annotation
+		if _, ok := dns.IsDomainName(annotation); ok {
+			hostname = strings.ToLower(annotation)
+		} else {
+			log.Debugf("Invalid domain name in annotation: %s", annotation)
+		}
 	}
 
 	log.Debugf("Adding index %s for service %s", hostname, service.Name)
diff --git a/test/service-annotation.yml b/test/service-annotation.yml
@@ -0,0 +1,38 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: annotation-good
+  namespace: default
+  annotations:
+    "coredns.io/hostname": "good"
+spec:
+  ipFamilyPolicy: RequireDualStack
+  ports:
+  - name: 80-80
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: backend
+  sessionAffinity: None
+  type: LoadBalancer
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: annotation-bad
+  namespace: default
+  annotations:
+    "coredns.io/hostname": "abcd0123456789012345678901234567890123456789012345678901234567890"
+spec:
+  ipFamilyPolicy: RequireDualStack
+  ports:
+  - name: 80-80
+    port: 80
+    protocol: TCP
+    targetPort: 80
+  selector:
+    app: backend
+  sessionAffinity: None
+  type: LoadBalancer
