Bug 1392395

Summary: [networking_public_222] The host which matches more in the wildcard routes should win the routing
Product: OpenShift Container Platform Reporter: Meng Bo <bmeng>
Component: NetworkingAssignee: Ram Ranganathan <ramr>
Networking sub component: router QA Contact: Meng Bo <bmeng>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: medium CC: aos-bugs, bbennett, tdawson
Version: 3.4.0   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-18 12:50:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Meng Bo 2016-11-07 12:38:50 UTC 
Description of problem:
Given I create a domain with wildcard policy enabled and host is *.test.wildcard.com 
When another user who creates a new route with host is *.wildcard.com
Then the route will always point to the latter one.

Version-Release number of selected component (if applicable):
oc v3.4.0.22+5c56720
kubernetes v1.4.0+776c994
ose-haproxy-router:v3.4.0.22

How reproducible:
always

Steps to Reproduce:
1. Setup the router with wildcard route allowed
2. Create pod and service in user1's project1
$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json
$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/unsecure/service_unsecure.json
3. Create wildcard route in user1's project1
$ oc create -f route.json
cat route.json
{
        "kind": "Route",
        "apiVersion": "v1",
        "metadata": {
                "name": "route"
        },
        "spec": {
                "wildcardPolicy": "Subdomain",
                "host": "unsecure.test2.wildcard.com",
                "to": {
                        "kind": "Service",
                        "name": "service-unsecure"
                }
        }
}

4. Access the route aaa.test2.wildcard.com

5. Create pod and service in user2's project2
$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker-2.json
$ oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/unsecure/service_unsecure.json
6. Create wildcard route in user2's project2
$ oc create -f route2.json
cat route2.json
{
        "kind": "Route",
        "apiVersion": "v1",
        "metadata": {
                "name": "route"
        },
        "spec": {
                "wildcardPolicy": "Subdomain",
                "host": "unsecure.wildcard.com",
                "to": {
                        "kind": "Service",
                        "name": "service-unsecure"
                }
        }
}

7. Access the route aaa.test2.wildcard.com


Actual results:
4. Will point to the pod in user1's project1 when accessing the aaa.test2.wildcard.com
7. It will point to the pod in user2's project2 when accessing the aaa.test2.wildcard.com

Expected results:
The host which matches more should win the route. Or the older one should win the route.

Additional info:
Comment 1 Ram Ranganathan 2016-11-08 08:09:10 UTC 
Fixed in PR: https://github.com/openshift/origin/pull/11819
Comment 2 Troy Dawson 2016-11-09 19:51:18 UTC 
This has been merged into ose and is in OSE v3.4.0.24 or newer.
Comment 4 Meng Bo 2016-11-10 03:22:31 UTC 
Checked on ocp build v3.4.0.24, issue has been fixed.

$ curl --resolve www.test.wildcard.com:80:10.66.140.165 http://www.test.wildcard.com
Hello-OpenShift-1 http-8080
$ curl --resolve aaa.test.wildcard.com:80:10.66.140.165 http://aaa.test.wildcard.com
Hello-OpenShift-1 http-8080


$ curl --resolve unsecure.wildcard.com:80:10.66.140.165 http://unsecure.wildcard.com
Hello-OpenShift-2 http-8080
$ curl --resolve xxx.wildcard.com:80:10.66.140.165 http://xxx.wildcard.com 
Hello-OpenShift-2 http-8080
Comment 6 errata-xmlrpc 2017-01-18 12:50:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066