jcmoraisjr · jcmoraisjr · Jul 8, 2021 · Jul 7, 2021
diff --git a/docs/content/en/docs/configuration/command-line.md b/docs/content/en/docs/configuration/command-line.md
@@ -26,6 +26,7 @@ The following command-line options are supported:
 | [`--default-backend-service`](#default-backend-service) | namespace/servicename      | haproxy's 404 page      |       |
 | [`--default-ssl-certificate`](#default-ssl-certificate) | namespace/secretname       | fake, auto generated    |       |
 | [`--disable-api-warnings`](#disable-api-warnings)       | [true\|false]              | `false`                 | v0.12 |
+| [`--disable-external-name`](#disable-external-name)     | [true\|false]              | `false`                 | v0.10 |
 | [`--disable-pod-list`](#disable-pod-list)               | [true\|false]              | `false`                 | v0.11 |
 | [`--healthz-port`](#stats)                              | port number                | `10254`                 |       |
 | [`--ingress-class`](#ingress-class)                     | name                       | `haproxy`               |       |
@@ -144,6 +145,14 @@ deprecation. The default behavior is to log all API server warnings.
 
 ---
 
+## --disable-external-name
+
+Since v0.10.9
+
+Services of type ExternalName uses DNS lookup to define the target server IP list. Declare `--disable-external-name` to disable a DNS based target IP list, refusing services of type ExternalName.
+
+---
+
 ## --disable-pod-list
 
 Since v0.11

diff --git a/pkg/common/ingress/controller/controller.go b/pkg/common/ingress/controller/controller.go
@@ -74,6 +74,7 @@ type Configuration struct {
 	AllowCrossNamespace     bool
 	DisableNodeList         bool
 	DisablePodList          bool
+	DisableExternalName     bool
 	AnnPrefix               []string
 
 	AcmeServer              bool

diff --git a/pkg/common/ingress/controller/launch.go b/pkg/common/ingress/controller/launch.go
@@ -177,6 +177,9 @@ func NewIngressController(backend ingress.Controller) *GenericController {
 			`Defines if HAProxy Ingress should disable pod watch and in memory list. Pod list is
 		mandatory for drain-support (should not be disabled) and optional for blue/green.`)
 
+		disableExternalName = flags.Bool("disable-external-name", false,
+			`Disables services of type ExternalName`)
+
 		updateStatusOnShutdown = flags.Bool("update-status-on-shutdown", true, `Indicates if the
 		ingress controller should update the Ingress status IP/hostname when the controller
 		is being stopped. Default is true`)
@@ -415,6 +418,7 @@ func NewIngressController(backend ingress.Controller) *GenericController {
 		AllowCrossNamespace:      *allowCrossNamespace,
 		DisableNodeList:          *disableNodeList,
 		DisablePodList:           *disablePodList,
+		DisableExternalName:      *disableExternalName,
 		UpdateStatusOnShutdown:   *updateStatusOnShutdown,
 		BackendShards:            *backendShards,
 		SortEndpointsBy:          sortEndpoints,

diff --git a/pkg/controller/cache.go b/pkg/controller/cache.go
@@ -25,6 +25,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io/ioutil"
+	"net"
 	"os"
 	"reflect"
 	"regexp"
@@ -150,6 +151,13 @@ func (c *k8scache) RunAsync(stopCh <-chan struct{}) {
 	c.listers.RunAsync(stopCh)
 }
 
+func (c *k8scache) ExternalNameLookup(externalName string) ([]net.IP, error) {
+	if c.cfg.DisableExternalName {
+		return nil, fmt.Errorf("external name lookup is disabled")
+	}
+	return net.LookupIP(externalName)
+}
+
 func (c *k8scache) GetIngressPodName() (namespace, podname string, err error) {
 	namespace = os.Getenv("POD_NAMESPACE")
 	podname = os.Getenv("POD_NAME")

diff --git a/pkg/converters/helper_test/cachemock.go b/pkg/converters/helper_test/cachemock.go
@@ -19,6 +19,7 @@ package helper_test
 import (
 	"crypto/sha1"
 	"fmt"
+	"net"
 	"strings"
 	"time"
 
@@ -42,6 +43,7 @@ type CacheMock struct {
 	GwList        []*gateway.Gateway
 	GwClassList   []*gateway.GatewayClass
 	HTTPRouteList []*gateway.HTTPRoute
+	LookupList    map[string][]net.IP
 	EpList        map[string]*api.Endpoints
 	ConfigMapList map[string]*api.ConfigMap
 	TermPodList   map[string][]*api.Pod
@@ -59,6 +61,7 @@ func NewCacheMock(tracker convtypes.Tracker) *CacheMock {
 		tracker:     tracker,
 		Changed:     &convtypes.ChangedObjects{},
 		SvcList:     []*api.Service{},
+		LookupList:  map[string][]net.IP{},
 		EpList:      map[string]*api.Endpoints{},
 		TermPodList: map[string][]*api.Pod{},
 		SecretTLSPath: map[string]string{
@@ -74,6 +77,14 @@ func (c *CacheMock) buildResourceName(defaultNamespace, resourceName string) str
 	return defaultNamespace + "/" + resourceName
 }
 
+// ExternalNameLookup ...
+func (c *CacheMock) ExternalNameLookup(externalName string) ([]net.IP, error) {
+	if ip, found := c.LookupList[externalName]; found {
+		return ip, nil
+	}
+	return nil, fmt.Errorf("hostname not found")
+}
+
 // GetIngress ...
 func (c *CacheMock) GetIngress(ingressName string) (*networking.Ingress, error) {
 	for _, ing := range c.IngList {

diff --git a/pkg/converters/types/interfaces.go b/pkg/converters/types/interfaces.go
@@ -17,6 +17,7 @@ limitations under the License.
 package types
 
 import (
+	"net"
 	"time"
 
 	api "k8s.io/api/core/v1"
@@ -28,6 +29,7 @@ import (
 
 // Cache ...
 type Cache interface {
+	ExternalNameLookup(externalName string) ([]net.IP, error)
 	GetIngress(ingressName string) (*networking.Ingress, error)
 	GetIngressList() ([]*networking.Ingress, error)
 	GetIngressClass(className string) (*networking.IngressClass, error)

diff --git a/pkg/converters/utils/services.go b/pkg/converters/utils/services.go
@@ -18,7 +18,6 @@ package utils
 
 import (
 	"fmt"
-	"net"
 	"strconv"
 
 	api "k8s.io/api/core/v1"
@@ -76,7 +75,7 @@ type Endpoint struct {
 // CreateEndpoints ...
 func CreateEndpoints(cache types.Cache, svc *api.Service, svcPort *api.ServicePort) (ready, notReady []*Endpoint, err error) {
 	if svc.Spec.Type == api.ServiceTypeExternalName {
-		ready, err := createEndpointsExternalName(svc, svcPort)
+		ready, err := createEndpointsExternalName(cache, svc, svcPort)
 		return ready, nil, err
 	}
 	endpoints, err := cache.GetEndpoints(svc)
@@ -115,15 +114,13 @@ func CreateSvcEndpoint(svc *api.Service, svcPort *api.ServicePort) (endpoint *En
 	return newEndpointIP(svc.Spec.ClusterIP, int(port)), nil
 }
 
-var lookup = net.LookupIP
-
-func createEndpointsExternalName(svc *api.Service, svcPort *api.ServicePort) (endpoints []*Endpoint, err error) {
+func createEndpointsExternalName(cache types.Cache, svc *api.Service, svcPort *api.ServicePort) (endpoints []*Endpoint, err error) {
 	// TODO add support to undeclared ServicePort
 	port := int(svcPort.Port)
 	if port <= 0 {
 		return nil, fmt.Errorf("invalid port number: %d", port)
 	}
-	addr, err := lookup(svc.Spec.ExternalName)
+	addr, err := cache.ExternalNameLookup(svc.Spec.ExternalName)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/converters/utils/services_test.go b/pkg/converters/utils/services_test.go
@@ -17,7 +17,6 @@ limitations under the License.
 package utils
 
 import (
-	"fmt"
 	"net"
 	"reflect"
 	"testing"
@@ -34,15 +33,10 @@ func TestCreateEndpointsExternalName(t *testing.T) {
 	svc, _ := helper_test.CreateService("default/echo", "8080", "")
 	svc.Spec.Type = api.ServiceTypeExternalName
 	svc.Spec.ExternalName = "domain.local"
-	lookup = func(host string) ([]net.IP, error) {
-		if host == "domain.local" {
-			return []net.IP{net.ParseIP("10.0.1.10"), net.ParseIP("10.0.1.11")}, nil
-		}
-		return nil, fmt.Errorf("hostname not found")
-	}
-
+	cache := helper_test.NewCacheMock(nil)
+	cache.LookupList["domain.local"] = []net.IP{net.ParseIP("10.0.1.10"), net.ParseIP("10.0.1.11")}
 	svcPort := FindServicePort(svc, "8080")
-	ready, notReady, err := CreateEndpoints(nil, svc, svcPort)
+	ready, notReady, err := CreateEndpoints(cache, svc, svcPort)
 	expected := []*Endpoint{
 		{
 			IP:   "10.0.1.10",