Fix: Check defaultBackend in allowRelaxedServiceNameValidation

The allowRelaxedServiceNameValidation() function currently only checks
service names in spec.rules, but it should also check the service name
in spec.defaultBackend.

When an Ingress has a defaultBackend with a service name that is valid
per RFC 1123 but invalid per RFC 1035 (e.g., starting with a digit like
"1-default-service"), the function incorrectly returns false. This
prevents users from updating such Ingresses even though they were
validly created in the past.

This commit adds validation for spec.defaultBackend.service.name to
maintain backward compatibility for existing Ingresses.

diff --git a/pkg/apis/networking/validation/validation.go b/pkg/apis/networking/validation/validation.go
index 511adaf5d69772f86acfc85c9c6a89ae814274e5..31e5b29a2f59be5139675e0f2631960b736622c2 100644 (file)
--- a/pkg/apis/networking/validation/validation.go
+++ b/pkg/apis/networking/validation/validation.go
@@ -707,7 +707,20 @@ func allowRelaxedServiceNameValidation(oldIngress *networking.Ingress) bool {
        if oldIngress == nil {
                return false
        }
-       // If feature gate is disabled, check if any service names in the old Ingresss
+
+       // Check if default backend service names in the old Ingress
+       if oldIngress.Spec.DefaultBackend != nil && oldIngress.Spec.DefaultBackend.Service != nil {
+               serviceName := oldIngress.Spec.DefaultBackend.Service.Name
+               // If a name doesn't validate with apimachineryvalidation.NameIsDNS1035Label, but does validate with apimachineryvalidation.NameIsDNSLabel,
+               // then we allow it to be used as a Service name in an Ingress.
+               dnsLabelValidationErrors := apimachineryvalidation.NameIsDNSLabel(serviceName, false)
+               dns1035LabelValidationErrors := apimachineryvalidation.NameIsDNS1035Label(serviceName, false)
+               if len(dnsLabelValidationErrors) == 0 && len(dns1035LabelValidationErrors) > 0 {
+                       return true
+               }
+       }
+
+       // If feature gate is disabled, check if any service names in the old Ingress
        for _, rule := range oldIngress.Spec.Rules {
                if rule.HTTP == nil {
                        continue

diff --git a/pkg/apis/networking/validation/validation_test.go b/pkg/apis/networking/validation/validation_test.go
index 4df983bc6b25fdda6603db055dadf8e8eaaf060c..0599dc299f6a5ed6ab295e5d3870f4f36785ab82 100644 (file)
--- a/pkg/apis/networking/validation/validation_test.go
+++ b/pkg/apis/networking/validation/validation_test.go
@@ -2896,6 +2896,19 @@ func TestAllowRelaxedServiceNameValidation(t *testing.T) {
                return &networking.Ingress{Spec: networking.IngressSpec{Rules: rules}}
        }
 
+       ingressWithDefaultBackend := func(defaultBackendName string, ruleServiceNames ...string) *networking.Ingress {
+               ing := basicIngress(ruleServiceNames...)
+               if defaultBackendName != "" {
+                       ing.Spec.DefaultBackend = &networking.IngressBackend{
+                               Service: &networking.IngressServiceBackend{
+                                       Name: defaultBackendName,
+                                       Port: networking.ServiceBackendPort{Number: 80},
+                               },
+                       }
+               }
+               return ing
+       }
+
        tests := []struct {
                name    string
                ingress *networking.Ingress
@@ -2926,6 +2939,26 @@ func TestAllowRelaxedServiceNameValidation(t *testing.T) {
                        ingress: basicIngress("validname", "1abc-def"),
                        expect:  true,
                },
+               {
+                       name:    "defaultBackend with valid DNS1035 name",
+                       ingress: ingressWithDefaultBackend("validname"),
+                       expect:  false,
+               },
+               {
+                       name:    "defaultBackend with DNS1123 valid but DNS1035 invalid name (starts with digit)",
+                       ingress: ingressWithDefaultBackend("1-default-service"),
+                       expect:  true,
+               },
+               {
+                       name:    "defaultBackend relaxed name with valid rules",
+                       ingress: ingressWithDefaultBackend("1-default", "valid-rule-service"),
+                       expect:  true,
+               },
+               {
+                       name:    "only rules have relaxed name, defaultBackend is valid",
+                       ingress: ingressWithDefaultBackend("valid-default", "1-rule-service"),
+                       expect:  true,
+               },
        }
 
        for _, tc := range tests {