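apiVersion: kubevious.io/v1alpha1
kind: ClusterRule
metadata:
  name: ingress-tls-rule-domain-match
spec:
  summary: |
    Validate Ingress TLS and rule domain match.
  categories:
    - k8s
    - ingress
    - ingress-extension
    - tls
    - domain
  # Both the GA Ingress API group and the legacy extensions group are checked.
  target: |
    Union(
      Api('networking.k8s.io')
        .Kind('Ingress'),
      Api('extensions')
        .Kind('Ingress')
    )
  rule: |
    // Every host listed under spec.tls must be covered by at least one
    // spec.rules entry; a TLS host that no rule serves is reported via error().
    // Names supplied by the rule engine: `config` (the Ingress manifest),
    // `item` (the registry entry, read here for its annotations) and `error()`.
    if (!config.spec?.tls) {
      return;
    }

    // A rule without a host catches every name, so any TLS host then matches.
    let hasNoHostRule = false;
    // Exact rule hosts. A Set is used instead of a plain object so that host
    // names such as "constructor" or "toString" are not mistaken for inherited
    // Object.prototype properties (which would make them match, or be skipped,
    // without ever having been registered).
    const ruleHosts = new Set();
    // Parsed form of every registered rule host, used for wildcard matching.
    const ruleDomains = [];

    for (const rule of config.spec?.rules ?? []) {
      const ruleHost = rule.host;
      if (!ruleHost) {
        hasNoHostRule = true;
      } else {
        registerRuleDomain(ruleHost);
      }
    }

    // With the nginx www redirect enabled, a rule for www.<base> also serves
    // <base>, so <base> is registered as a rule host too. The loop runs over
    // the live array on purpose: hosts appended during the loop are visited
    // as well, so "www.www.<base>" also registers "<base>".
    // NOTE(review): `item.annotations` is assumed to be an object; `?.` only
    // guards the case where it is absent.
    if (item.annotations?.["nginx.ingress.kubernetes.io/from-to-www-redirect"] === "true") {
      for (const ruleDomain of ruleDomains) {
        if (ruleDomain.subDomain === "www") {
          registerRuleDomain(ruleDomain.domainBase);
        }
      }
    }

    for (const tls of config.spec?.tls ?? []) {
      for (const tlsHost of tls.hosts ?? []) {
        if (!matchesHost(tlsHost)) {
          error(`Could not match TLS host ${tlsHost} to any of the rules.`);
        }
      }
    }

    // ** UTILS **

    // Records a rule host once: adds it to the exact-match set and pushes its
    // parsed form onto ruleDomains. Repeated hosts are ignored.
    function registerRuleDomain(domain) {
      if (ruleHosts.has(domain)) {
        return;
      }
      ruleHosts.add(domain);
      ruleDomains.push(parseDomain(domain));
    }

    // Splits a host into its first label and the remainder, e.g.
    // "*.example.com" -> { subDomain: "*", domainBase: "example.com", isWildcard: true }.
    // A single-label host yields an empty domainBase.
    function parseDomain(domain) {
      const [sub, ...rest] = domain.split('.');
      return {
        domain,
        isWildcard: sub === '*',
        subDomain: sub,
        domainBase: rest.join('.'),
      };
    }

    // True when a TLS host is covered by some rule host: any host when a
    // host-less rule exists, an exact match, a wildcard TLS host whose base
    // equals a rule host's base, or a plain TLS host whose base equals a
    // wildcard rule host's base. A wildcard never covers the apex itself,
    // matching the Kubernetes Ingress wildcard semantics.
    function matchesHost(domain) {
      if (hasNoHostRule || ruleHosts.has(domain)) {
        return true;
      }
      const tlsDomain = parseDomain(domain);
      if (tlsDomain.isWildcard) {
        return ruleDomains.some(
          (ruleDomain) => ruleDomain.domainBase === tlsDomain.domainBase,
        );
      }
      return ruleDomains.some(
        (ruleDomain) => ruleDomain.isWildcard && ruleDomain.domainBase === tlsDomain.domainBase,
      );
    }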