ensure cert provided for custom domains

bcgov · Nov 15, 2024 · 545a159 · 545a159
1 parent 268c77f
commit 545a159
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 12 deletions.
diff --git a/microservices/gatewayApi/v2/routes/gateway.py b/microservices/gatewayApi/v2/routes/gateway.py
@@ -499,7 +499,6 @@ def is_host_custom_domain(host):
         '.cluster.local', 
         '.api.gov.bc.ca', 
         '.data.gov.bc.ca', 
-        '.webapps.gov.bc.ca', 
         '.maps.gov.bc.ca', 
         '.openmaps.gov.bc.ca',
         '.apps.gov.bc.ca',

diff --git a/microservices/kubeApi/clients/ocp_routes.py b/microservices/kubeApi/clients/ocp_routes.py
@@ -184,16 +184,20 @@ def prepare_apply_routes(ns, select_tag, hosts, root_path, data_plane, ns_templa
             ssl_ref = "tls"
             custom_cert_found = False
 
-            if certificates:
-                # Look for a matching certificate by SNI
-                for cert in certificates:
-                    if host in cert['snis']:
-                        ssl_key = format_pem_data(cert['key'])
-                        ssl_crt = format_pem_data(cert['cert'])
-                        logger.debug("[%s] Route A %03d using custom cert with SNI match for %s" % (select_tag, index, host))
-                        custom_cert_found = True
-                        break
-
+            if is_host_custom_domain(host):
+                logger.debug("[%s] Route A %03d Searching for custom cert for %s" % (select_tag, index, host))
+                if certificates:
+                    # Look for a matching certificate by SNI
+                    for cert in certificates:
+                        if host in cert['snis']:
+                            ssl_key = format_pem_data(cert['key'])
+                            ssl_crt = format_pem_data(cert['cert'])
+                            logger.debug("[%s] Route A %03d Found custom cert with SNI match for %s" % (select_tag, index, host))
+                            custom_cert_found = True
+                            break
+                    if not custom_cert_found:
+                        raise Exception("Custom certificate not found for host %s" % host)
+
             if not custom_cert_found and not settings.host_transformation['enabled']:
                 # Fall back to existing cert mapping logic
                 for host_match, ssl_file_prefix in host_cert_mapping.items():
@@ -239,4 +243,22 @@ def get_gwa_ocp_routes(extralabels=""):
     return json.loads(out)['items']
 
 def time_secs():
-    return int(time.time())
+    return int(time.time())
+
+def is_host_custom_domain(host):
+    non_custom_suffixes = [
+        '.cluster.local', 
+        '.api.gov.bc.ca', 
+        '.data.gov.bc.ca', 
+        '.maps.gov.bc.ca', 
+        '.openmaps.gov.bc.ca',
+        '.apps.gov.bc.ca',
+        '.apis.gov.bc.ca'
+    ]
+
+    # Check if the host is one of the standard cert domains or a subdomain of them
+    for suffix in non_custom_suffixes:
+        if host == suffix[1:] or host.endswith(suffix):
+            return False
+
+    return True