kubernetes
diff --git a/‎api/openapi-spec/swagger.json
Lines changed: 2 additions & 2 deletions b/‎api/openapi-spec/swagger.json
Lines changed: 2 additions & 2 deletions
diff --git a/‎pkg/apis/networking/types.go
Lines changed: 18 additions & 8 deletions b/‎pkg/apis/networking/types.go
Lines changed: 18 additions & 8 deletions
diff --git a/‎pkg/apis/networking/validation/validation_test.go
Lines changed: 40 additions & 0 deletions b/‎pkg/apis/networking/validation/validation_test.go
Lines changed: 40 additions & 0 deletions
diff --git a/‎staging/src/k8s.io/api/extensions/v1beta1/generated.proto
Lines changed: 18 additions & 8 deletions b/‎staging/src/k8s.io/api/extensions/v1beta1/generated.proto
Lines changed: 18 additions & 8 deletions
diff --git a/‎staging/src/k8s.io/api/extensions/v1beta1/types.go
Lines changed: 18 additions & 8 deletions b/‎staging/src/k8s.io/api/extensions/v1beta1/types.go
Lines changed: 18 additions & 8 deletions
diff --git a/‎staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
Lines changed: 1 addition & 1 deletion b/‎staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎staging/src/k8s.io/api/networking/v1beta1/generated.proto
Lines changed: 18 additions & 8 deletions b/‎staging/src/k8s.io/api/networking/v1beta1/generated.proto
Lines changed: 18 additions & 8 deletions
@@ -349,18 +349,28 @@ type IngressStatus struct {
 // host match, then routed to the backend associated with the matching
 // IngressRuleValue.
 type IngressRule struct {
-	// Host is the fully qualified domain name of a network host, as defined
-	// by RFC 3986. Note the following deviations from the "host" part of the
-	// URI as defined in the RFC:
-	// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the
-	//	  IP in the Spec of the parent Ingress.
+	// Host is the fully qualified domain name of a network host, as defined by RFC 3986.
+	// Note the following deviations from the "host" part of the
+	// URI as defined in RFC 3986:
+	// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
+	//    the IP in the Spec of the parent Ingress.
 	// 2. The `:` delimiter is not respected because ports are not allowed.
 	//	  Currently the port of an Ingress is implicitly :80 for http and
 	//	  :443 for https.
 	// Both these may change in the future.
-	// Incoming requests are matched against the host before the IngressRuleValue.
-	// If the host is unspecified, the Ingress routes all traffic based on the
-	// specified IngressRuleValue.
+	// Incoming requests are matched against the host before the
+	// IngressRuleValue. If the host is unspecified, the Ingress routes all
+	// traffic based on the specified IngressRuleValue.
+	//
+	// Host can be "precise" which is a domain name without the terminating dot of
+	// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
+	// prefixed with a single wildcard label (e.g. "*.foo.com").
+	// The wildcard character '*' must appear by itself as the first DNS label and
+	// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
+	// Requests will be matched against the Host field in the following way:
+	// 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
+	// 2. If Host is a wildcard, then the request matches this rule if the http host header
+	// is to equal to the suffix (removing the first label) of the wildcard rule.
 	// +optional
 	Host string
 	// IngressRuleValue represents a rule to route requests for this
 
@@ -1008,6 +1008,28 @@ func TestValidateIngress(t *testing.T) {
 				"spec.rules[0].host",
 			},
 		},
+		"valid wildcard host": {
+			tweakIngress: func(ing *networking.Ingress) {
+				ing.Spec.Rules[0].Host = "*.bar.com"
+			},
+			expectErrsOnFields: []string{},
+		},
+		"invalid wildcard host (foo.*.bar.com)": {
+			tweakIngress: func(ing *networking.Ingress) {
+				ing.Spec.Rules[0].Host = "foo.*.bar.com"
+			},
+			expectErrsOnFields: []string{
+				"spec.rules[0].host",
+			},
+		},
+		"invalid wildcard host (*)": {
+			tweakIngress: func(ing *networking.Ingress) {
+				ing.Spec.Rules[0].Host = "*"
+			},
+			expectErrsOnFields: []string{
+				"spec.rules[0].host",
+			},
+		},
 	}
 
 	for name, testCase := range testCases {
@@ -1683,6 +1705,24 @@ func TestValidateIngressTLS(t *testing.T) {
 			}
 		}
 	}
+
+	// Test for wildcard host and wildcard TLS
+	validCases := map[string]networking.Ingress{}
+	wildHost := "*.bar.com"
+	goodWildcardTLS := newValid()
+	goodWildcardTLS.Spec.Rules[0].Host = "*.bar.com"
+	goodWildcardTLS.Spec.TLS = []networking.IngressTLS{
+		{
+			Hosts: []string{wildHost},
+		},
+	}
+	validCases[fmt.Sprintf("spec.tls[0].hosts: Valid value: '%v'", wildHost)] = goodWildcardTLS
+	for k, v := range validCases {
+		errs := validateIngress(&v, IngressValidationOptions{requireRegexPath: true}, networkingv1beta1.SchemeGroupVersion)
+		if len(errs) != 0 {
+			t.Errorf("expected success for %q", k)
+		}
+	}
 }
 
 func TestValidateIngressStatusUpdate(t *testing.T) {
 
@@ -633,18 +633,28 @@ type IngressStatus struct {
 // the related backend services. Incoming requests are first evaluated for a host
 // match, then routed to the backend associated with the matching IngressRuleValue.
 type IngressRule struct {
-	// Host is the fully qualified domain name of a network host, as defined
-	// by RFC 3986. Note the following deviations from the "host" part of the
-	// URI as defined in the RFC:
-	// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the
-	//	  IP in the Spec of the parent Ingress.
+	// Host is the fully qualified domain name of a network host, as defined by RFC 3986.
+	// Note the following deviations from the "host" part of the
+	// URI as defined in RFC 3986:
+	// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to
+	//    the IP in the Spec of the parent Ingress.
 	// 2. The `:` delimiter is not respected because ports are not allowed.
 	//	  Currently the port of an Ingress is implicitly :80 for http and
 	//	  :443 for https.
 	// Both these may change in the future.
-	// Incoming requests are matched against the host before the IngressRuleValue.
-	// If the host is unspecified, the Ingress routes all traffic based on the
-	// specified IngressRuleValue.
+	// Incoming requests are matched against the host before the
+	// IngressRuleValue. If the host is unspecified, the Ingress routes all
+	// traffic based on the specified IngressRuleValue.
+	//
+	// Host can be "precise" which is a domain name without the terminating dot of
+	// a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name
+	// prefixed with a single wildcard label (e.g. "*.foo.com").
+	// The wildcard character '*' must appear by itself as the first DNS label and
+	// matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*").
+	// Requests will be matched against the Host field in the following way:
+	// 1. If Host is precise, the request matches this rule if the http host header is equal to Host.
+	// 2. If Host is a wildcard, then the request matches this rule if the http host header
+	// is to equal to the suffix (removing the first label) of the wildcard rule.
 	// +optional
 	Host string `json:"host,omitempty" protobuf:"bytes,1,opt,name=host"`
 	// IngressRuleValue represents a rule to route requests for this IngressRule.