allow exact match upstream host validation

bcgov · Feb 7, 2025 · a1fc044 · a1fc044
1 parent eed2c51
commit a1fc044
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/microservices/gatewayApi/utils/validators.py b/microservices/gatewayApi/utils/validators.py
@@ -52,7 +52,7 @@ def validate_upstream_host(_host, errors, allow_protected_ns, protected_kube_nam
 
     if host in restricted:
         errors.append("service upstream is invalid (e1)")
-    elif host.endswith('svc'):
+    elif host.endswith('.svc'):
         partials = host.split('.')
         # get the namespace, and make sure it is not in the protected_kube_namespaces list
         if len(partials) != 3:
@@ -61,7 +61,7 @@ def validate_upstream_host(_host, errors, allow_protected_ns, protected_kube_nam
             errors.append("service upstream is invalid (e3)")
         elif do_validate_upstreams and (partials[1] in perm_upstreams) is False:
             errors.append("service upstream is invalid (e6)")
-    elif host.endswith('svc.cluster.local'):
+    elif host.endswith('.svc.cluster.local'):
         partials = host.split('.')
         # get the namespace, and make sure it is not in the protected_kube_namespaces list
         if len(partials) != 5:
@@ -71,4 +71,6 @@ def validate_upstream_host(_host, errors, allow_protected_ns, protected_kube_nam
         elif do_validate_upstreams and (partials[1] in perm_upstreams) is False:
             errors.append("service upstream is invalid (e6)")
     elif do_validate_upstreams:
-        errors.append("service upstream is invalid (e6)")
+        # allow exact matches for upstreams that are outside of cluster
+        if host not in perm_upstreams:
+            errors.append("service upstream is invalid (e6)")