Bug 1392862

No, the behavior is correct.  The claims are exclusive.

If a.foo.com is present, *.foo.com can not be claimed.

If *.foo.com is present, then a.foo.com can not be claimed.

The problem here is,
If an user created a route with wildcardpolicy enabled but no host specified. Then it will use the generated route with content <route_name>-<namespace_name>-<router-subdomain-suffix>.

And after that any route created in this env without host specified will be failed since the configured subdomain has been used by the first route.

$ oc get route -n u1p1
NAME         HOST/PORT                                          PATH      SERVICES           PORT      TERMINATION
test-route   test-route-u1p1.router.default.svc.cluster.local             service-unsecure   <all>     

$ oc get route -n u1p2
NAME               HOST/PORT            PATH      SERVICES           PORT      TERMINATION
service-unsecure   HostAlreadyClaimed             service-unsecure   http      

$ oc describe route -n u1p2
Name:                   service-unsecure
Namespace:              u1p2
Created:                5 minutes ago
Labels:                 name=service-unsecure
Annotations:            openshift.io/host.generated=true
Requested Host:         service-unsecure-u1p2.router.default.svc.cluster.local
                          rejected by router router: HostAlreadyClaimed (5 minutes ago)
                            a route in another namespace holds host service-unsecure-u1p2.router.default.svc.cluster.local
Path:                   <none>
TLS Termination:        <none>
Insecure Policy:        <none>
Endpoint Port:          http

Service:        service-unsecure
Weight:         100 (100%)
Endpoints:      10.128.0.40:8080


We should find a way to avoid that the pre-defined subdomain being seized by any user.

Ah, I see.  This is probably just a documentation problem then.

Ram, I think we need to document this case, and the ways to control it.

- Using the --allowed-domains and --denied-domains to restrict it
- Restrict setting the wildcard field with the Role's attributeRestriction field

Or should we forbid the user to set wildcards when the router is forcing a template?  Or if they claim a name that matches the template?

If we use --denied-domains to forbid the router provided subdomain to be created for wildcard route. All the routes with generated host will be affected.

yeah, if its the generated host name - the recommendations would be to use 
--denied-domains  containing that domain.

@bmeng, this will still allow generated names to work even if the domain is denied - that check is done on admission and the generation is done post admission (depending on the router policy - override host names + use the template for generating host names).

I think the fix here though should be to just not allow wildcards to be set if the host name is empty. I'll fix the validation code.

Fix in PR: https://github.com/openshift/origin/pull/11863


One thing though - if you have a router configured to override the host name and use a template, then you should also not allow wildcard hosts (set the router's policy to not allow wildcards). Will add this along w/ the other bits to the documentation tomorrow.

This has been merged into ocp and is in OCP v3.4.0.25 or newer.

Checked on openshift v3.4.0.25 and haproxy-router image d081816be024

The problem still can be reproduced.

# cat route2.json 
{
        "kind": "Route",
        "apiVersion": "v1",
        "metadata": {
                "name": "route"
        },
        "spec": {
                "wildcardPolicy": "Subdomain",
                "to": {
                        "kind": "Service",
                        "name": "service-unsecure"
                }
        }
}
# oc create -f route2.json
route "route" created
# oc get route
NAME      HOST/PORT                               PATH      SERVICES           PORT      TERMINATION
route     route-bmengp1.1114-fx3.qe.rhcloud.com             service-unsecure   <all>
# curl test.1114-fx3.qe.rhcloud.com
Hello-OpenShift-1 http-8080

@bmeng, looks like you are using a hostname-template or override-hostname set? Correct? 
In that case, the recommendation would be to also set ROUTER_ALLOW_WILDCARD_ROUTES to false. 

But that said, there was a check on the api server to reject the route with no host and wildcard policy set to subdomain.
See: https://github.com/openshift/origin/blob/master/pkg/route/api/validation/validation.go#L336

Did you rebuild/use a newer version of the api server as well? Let me recheck as well. Thx

Ok - I can see where the error was - it works for unspecified hosts but fails
for generated host names. 
Fix is in PR: https://github.com/openshift/origin/pull/11924

Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/dcfe5740e9e87ae22af303185ee344169d037bf0
We should not be able to create a route when the host is not specified
and wildcardpolicy is enabled.
Fixes bug 1392862 - https://bugzilla.redhat.com/show_bug.cgi?id=1392862
Rework as per @liggitt review comments.
Fix govet issue.

Issue has been fixed in OCP v3.4.0.27

# oc create -f route2.json
The Route "route" is invalid: spec.wildcardPolicy: Invalid value: "Subdomain": host name not specified for wildcard policy

Move to verified according to Comment#14

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0066