github.com/projectcontour/contour@v1.28.2/site/content/docs/1.27/config/external-service-routing.md

# External Service Routing

HTTPProxy supports routing traffic to `ExternalName` service types, but this is disabled by default, as it can lead
to inadvertent exposure of the Envoy Admin UI, allowing remote shutdown and restart of Envoy.
Please see [this security advisory](https://github.com/projectcontour/contour/security/advisories/GHSA-5ph6-qq5x-7jwc) for all the details.
It can also be used to expose services in namespaces a user does not have access to, using an ExternalName of `service.namespace.svc.cluster.local`.
Please see [this Kubernetes security advisory](https://github.com/kubernetes/kubernetes/issues/103675) for more details.

We do *not* recommend enabling ExternalName Services without a strong use case and an understanding of the security implications.

If you do need it, enable ExternalName processing by setting the `enableExternalNameService` configuration file setting to `true`.
This will allow the following configuration to be valid.

## ExternalName Support

Contour looks at the `spec.externalName` field of the service and configures the route to use that DNS name instead of utilizing EDS.

Note that hostnames of `localhost` or some other synonyms will be rejected (because of the aforementioned security issues).

There's nothing specific in the HTTPProxy object that needs to be configured other than referencing a service of type `ExternalName`.
HTTPProxy supports the `requestHeadersPolicy` field to rewrite the `Host` header after first handling a request and before proxying to an upstream service.
This field can be used to ensure that the forwarded HTTP request contains the hostname that the external resource is expecting.

_**Note:** The ports are required to be specified._

```yaml
# httpproxy-externalname.yaml
apiVersion: v1
kind: Service
metadata:
  labels:
    run: externaldns
  name: externaldns
  namespace: default
spec:
  externalName: foo-basic.bar.com
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  type: ExternalName
```

To proxy to another resource outside the cluster (e.g. a hosted object store bucket), configure that external resource in a service of type `ExternalName`.
Then define a `requestHeadersPolicy` which replaces the `Host` header with the value of the external name service defined previously.
Finally, if the upstream service is served over TLS, set the `protocol` field on the service to `tls` or annotate the external name service with: `projectcontour.io/upstream-protocol.tls: 443,https`, assuming your service has a port 443 named `https`.
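
The three steps above, put together as an added example (not taken from the Contour documentation). The Service name `object-store`, the hostname `bucket.storage.example.com` and the virtual host `assets.example.com` are constructed placeholders, and the example assumes `enableExternalNameService` is already set to `true` in the Contour configuration file.

```yaml
# Added example; every name and hostname below is a constructed placeholder.
# Step 1: describe the external resource as a Service of type ExternalName.
# The target is a DNS name outside the cluster, not a name of the form
# service.namespace.svc.cluster.local (see the advisory linked above).
apiVersion: v1
kind: Service
metadata:
  name: object-store
  namespace: default
spec:
  type: ExternalName
  externalName: bucket.storage.example.com
  ports:              # ports are required, even for ExternalName
  - name: https
    port: 443
    protocol: TCP
    targetPort: 443
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: object-store-proxy
  namespace: default
spec:
  virtualhost:
    fqdn: assets.example.com
  routes:
  - conditions:
    - prefix: /
    services:
    - name: object-store
      port: 443
      # Step 3: the upstream is served over TLS. The alternative is the
      # projectcontour.io/upstream-protocol.tls: 443,https annotation
      # on the Service above.
      protocol: tls
    # Step 2: replace the Host header with the external name so the
    # upstream receives the hostname it expects.
    requestHeadersPolicy:
      set:
      - name: Host
        value: bucket.storage.example.com
```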